f3be1b2fa58fca1e478d18c992d3261566350f392bdd813eaa63f8265304e4c7

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
Size

186KB
MD5

68671bda5a8af1e69521590614c39b61
SHA1

ee94523f75c634471eeb8481a5c0db64d27b18fa
SHA256

f3be1b2fa58fca1e478d18c992d3261566350f392bdd813eaa63f8265304e4c7
SHA512

47f7c6ebee835c06aa324a66bf740fb77b4d7a040d4cbc9a8ec916e1f9b01cdfc5f463943546bbb6f46285d73bfadee901912ca1302d02a0a0d7d55ea50abf5e
SSDEEP

3072:gRQcGe0ul4OJ2mzmlTGtas1Q1XPNQGKNl0XWq4/eU5XbM3cOpzs6l2+wRm4fkuZt:gRYe0Wx2Emlatas1Q1XPNQGKNl0XWq49

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (63) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dasQkEsg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation	dasQkEsg.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3056 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

dasQkEsg.exegGEgocgQ.exe

pid process

1672 dasQkEsg.exe
3064 gGEgocgQ.exe

pid	process
3056	cmd.exe

Loads dropped DLL 20 IoCs

Processes:

2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exedasQkEsg.exe

pid	process
2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exedasQkEsg.exegGEgocgQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dasQkEsg.exe = "C:\\Users\\Admin\\qcAQUokk\\dasQkEsg.exe"	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gGEgocgQ.exe = "C:\\ProgramData\\leUEYcsA\\gGEgocgQ.exe"	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dasQkEsg.exe = "C:\\Users\\Admin\\qcAQUokk\\dasQkEsg.exe"	dasQkEsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gGEgocgQ.exe = "C:\\ProgramData\\leUEYcsA\\gGEgocgQ.exe"	gGEgocgQ.exe

Drops file in Windows directory 1 IoCs

Processes:

dasQkEsg.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico dasQkEsg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	dasQkEsg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1756	reg.exe
2584	reg.exe
1960	reg.exe
1156	reg.exe
1460	reg.exe
2852	reg.exe
2804	reg.exe
3068	reg.exe
2348	reg.exe
1636	reg.exe
284	reg.exe
2792	reg.exe
1640	reg.exe
1500	reg.exe
2520	reg.exe
2656	reg.exe
2008	reg.exe
352	reg.exe
1904	reg.exe
2664	reg.exe
608	reg.exe
2872	reg.exe
2460	reg.exe
1156	reg.exe
2412	reg.exe
1124	reg.exe
2012	reg.exe
776	reg.exe
1596	reg.exe
2760	reg.exe
976	reg.exe
2564	reg.exe
928	reg.exe
2724	reg.exe
1920	reg.exe
836	reg.exe
2460	reg.exe
2956	reg.exe
2472	reg.exe
2792	reg.exe
2312	reg.exe
1264	reg.exe
1796	reg.exe
2840	reg.exe
1472	reg.exe
1880	reg.exe
2432	reg.exe
2512	reg.exe
2296	reg.exe
1628	reg.exe
2300	reg.exe
2328	reg.exe
888	reg.exe
1624	reg.exe
2336	reg.exe
3032	reg.exe
1568	reg.exe
1696	reg.exe
2996	reg.exe
328	reg.exe
1852	reg.exe
1472	reg.exe
628	reg.exe
412	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe

pid	process
2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2800	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2800	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1600	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1600	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
796	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
796	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1720	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1720	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1960	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1960	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2772	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2772	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2812	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2812	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2800	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2800	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2520	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2520	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
612	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
612	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2732	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2732	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
112	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
112	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2772	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2772	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
108	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
108	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2808	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2808	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1436	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1436	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2736	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2736	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2740	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2740	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
112	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
112	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1524	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1524	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
108	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
108	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2656	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2656	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2600	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2600	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2736	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2736	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1508	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1508	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1584	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1584	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1416	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1416	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1232	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1232	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1860	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1860	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1628	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1628	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dasQkEsg.exe

pid process

1672 dasQkEsg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dasQkEsg.exe

pid	process
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe
1672	dasQkEsg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.execmd.execmd.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.execmd.execmd.exe

description	pid	process	target process
PID 2080 wrote to memory of 1672	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	dasQkEsg.exe
PID 2080 wrote to memory of 1672	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	dasQkEsg.exe
PID 2080 wrote to memory of 1672	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	dasQkEsg.exe
PID 2080 wrote to memory of 1672	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	dasQkEsg.exe
PID 2080 wrote to memory of 3064	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	gGEgocgQ.exe
PID 2080 wrote to memory of 3064	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	gGEgocgQ.exe
PID 2080 wrote to memory of 3064	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	gGEgocgQ.exe
PID 2080 wrote to memory of 3064	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	gGEgocgQ.exe
PID 2080 wrote to memory of 2760	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2080 wrote to memory of 2760	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2080 wrote to memory of 2760	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2080 wrote to memory of 2760	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2080 wrote to memory of 2888	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2888	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2888	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2888	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2884	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2884	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2884	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2884	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2612	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2612	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2612	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2612	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2080 wrote to memory of 2632	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2080 wrote to memory of 2632	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2080 wrote to memory of 2632	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2080 wrote to memory of 2632	2080	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2760 wrote to memory of 2724	2760	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 2760 wrote to memory of 2724	2760	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 2760 wrote to memory of 2724	2760	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 2760 wrote to memory of 2724	2760	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 2632 wrote to memory of 2528	2632	cmd.exe	cscript.exe
PID 2632 wrote to memory of 2528	2632	cmd.exe	cscript.exe
PID 2632 wrote to memory of 2528	2632	cmd.exe	cscript.exe
PID 2632 wrote to memory of 2528	2632	cmd.exe	cscript.exe
PID 2724 wrote to memory of 2708	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2724 wrote to memory of 2708	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2724 wrote to memory of 2708	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2724 wrote to memory of 2708	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 2724 wrote to memory of 2816	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2816	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2816	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2816	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2628	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2628	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2628	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2628	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2664	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2664	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2664	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 2664	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 2724 wrote to memory of 1564	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2724 wrote to memory of 1564	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2724 wrote to memory of 1564	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 2724 wrote to memory of 1564	2724	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 1564 wrote to memory of 2328	1564	cmd.exe	cscript.exe
PID 1564 wrote to memory of 2328	1564	cmd.exe	cscript.exe
PID 1564 wrote to memory of 2328	1564	cmd.exe	cscript.exe
PID 1564 wrote to memory of 2328	1564	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\qcAQUokk\dasQkEsg.exe
"C:\Users\Admin\qcAQUokk\dasQkEsg.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1672

C:\ProgramData\leUEYcsA\gGEgocgQ.exe
"C:\ProgramData\leUEYcsA\gGEgocgQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
6⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
8⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
10⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
12⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
14⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
16⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
18⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
20⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
22⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:612

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
24⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
26⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
28⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
30⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:108

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
32⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
34⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
36⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
38⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
40⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
42⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
44⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:108

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
46⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
48⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
50⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
52⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
54⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
56⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
58⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
60⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
62⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
64⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
65⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
66⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
67⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
68⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
69⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
70⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
71⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
72⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
73⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
74⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
75⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
76⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
77⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
78⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
79⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
80⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
81⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
82⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
83⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
84⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
85⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
86⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
87⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
88⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
89⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
90⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
91⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
92⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
93⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
94⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
95⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
96⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
97⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
98⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
99⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
100⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
101⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
102⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
103⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
104⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
105⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
106⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
107⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
108⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
109⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
110⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
111⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
112⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
113⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
114⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
115⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
116⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
117⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
118⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
119⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
120⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
121⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
122⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
123⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
124⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
125⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
126⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
127⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
128⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
129⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
130⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
131⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
132⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
133⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
134⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
135⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
136⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
137⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
138⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
139⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
140⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
141⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
142⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
143⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
144⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
145⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
146⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
147⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
148⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
149⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
150⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
151⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
152⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
153⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
154⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
155⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
156⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
157⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
158⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
159⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
160⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
161⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
162⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
163⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
164⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
165⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
166⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
167⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
168⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
169⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
170⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
171⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
172⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
173⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
174⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
175⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
176⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
177⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
178⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
179⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
180⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
181⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
182⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
183⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
184⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
185⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
186⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
187⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
188⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
189⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
190⤵
PID:604

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
191⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
192⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
193⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
194⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
195⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
196⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
197⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
198⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
199⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
200⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
201⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
202⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
203⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
204⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
205⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
206⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
207⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
208⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
209⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
210⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
211⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
212⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
213⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
214⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
215⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
216⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
217⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
218⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
219⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
220⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
221⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
222⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
223⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
224⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
225⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
226⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
227⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
228⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
229⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
230⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
231⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
232⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
233⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
234⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
235⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
236⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
237⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
238⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
239⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
240⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
241⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
242⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
243⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
244⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
245⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
246⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
247⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
248⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
249⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
250⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
251⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
252⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
253⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
254⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
255⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
256⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
257⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
258⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
259⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
260⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
261⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
262⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
263⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
264⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
265⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
- UAC bypass
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
- Modifies registry key
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQEEMMsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
264⤵
- Deletes itself
PID:3056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies visibility of file extensions in Explorer
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
- Modifies registry key
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
- UAC bypass
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYokMUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
262⤵
PID:2388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\piQUQoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
260⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KkEgEYss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
258⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies visibility of file extensions in Explorer
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iQIQcwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
256⤵
PID:1932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEoYUEcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
254⤵
PID:336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies visibility of file extensions in Explorer
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\guQQkwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
252⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XygAEQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
250⤵
PID:692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies registry key
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUAksQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
248⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
- Modifies registry key
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYsUAsIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
246⤵
PID:3044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAUkgMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
244⤵
PID:2604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fcIgcgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
242⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:108

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoEUQswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
240⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kioEkgsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
238⤵
PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuIswIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
236⤵
PID:2648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IgwYIsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
234⤵
PID:1124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies registry key
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
- Modifies registry key
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- Modifies registry key
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEIkAIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
232⤵
PID:2516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccokYYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
230⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FEwIcwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
228⤵
PID:2592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PCgkEgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
226⤵
PID:2436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\paQMoUME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
224⤵
PID:2836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
- Modifies registry key
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- Modifies registry key
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUIEsoYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
222⤵
PID:2740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
- Modifies registry key
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqEMgIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
220⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
- Modifies registry key
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WiYQkIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
218⤵
PID:2856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCwsAgIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
216⤵
PID:2496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
- Modifies registry key
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QEEUckcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
214⤵
PID:2120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xEIgcAkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
212⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BKMwwook.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
210⤵
PID:1696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwIwMMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
208⤵
PID:2652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYwEkoQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
206⤵
PID:1704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoMsEgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
204⤵
PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies registry key
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MaYYcIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
202⤵
PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oisMocEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
200⤵
PID:1296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- Modifies registry key
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcAMoMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
198⤵
PID:612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYcUMogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
196⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkEgsQQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
194⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DmsIIYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
192⤵
PID:284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUoEIwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
190⤵
PID:384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYwIoEwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
188⤵
PID:1928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOooAkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
186⤵
PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGAsksME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
184⤵
PID:2552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAQEYAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
182⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- Modifies registry key
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KswkUMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
180⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- Modifies registry key
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsEAEYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
178⤵
PID:2520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkkkMccE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
176⤵
PID:1948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
- Modifies registry key
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEkgMwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
174⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIsMEgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
172⤵
PID:2100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiMEkEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
170⤵
PID:2128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUcAEcoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
168⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEkcEoQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
166⤵
PID:2504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EksQkQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
164⤵
PID:2812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
- Modifies registry key
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- Modifies registry key
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAsQkAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
162⤵
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KasQocMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
160⤵
PID:1744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuoEkwIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
158⤵
PID:2100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:400

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwwgMUQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
156⤵
PID:2332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies registry key
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGoIgQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
154⤵
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- Modifies registry key
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWkMgUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
152⤵
PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
- Modifies registry key
PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oUAYYssc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
150⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAgkkwEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
148⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWUMQYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
146⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
- Modifies registry key
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIsAMUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
144⤵
PID:292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIMwQkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
142⤵
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUgkskcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
140⤵
PID:2548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies registry key
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\paMQYAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
138⤵
PID:1892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUMkooQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
136⤵
PID:1908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dAQgEckU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
134⤵
PID:2244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- Modifies registry key
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMooIsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
132⤵
PID:2944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IusIMYAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
130⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\goIQEIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
128⤵
PID:1856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
- Modifies registry key
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- Modifies registry key
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eMUgcMko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
126⤵
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nsEMggcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
124⤵
PID:2660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqcQAokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
122⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\duQEEoss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
120⤵
PID:2112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- Modifies registry key
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\poYgwIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
118⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YiMIwQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
116⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkUEQgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
114⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
- Modifies registry key
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMYEUEYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
112⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:108

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GIcUYEYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
110⤵
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LEkgwYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
108⤵
PID:268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAYwsgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
106⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nYsUIkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
104⤵
PID:2644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NuAMAswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
102⤵
PID:1936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qMEEQwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
100⤵
PID:1284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WCoEsMcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
98⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\myUwgMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
96⤵
PID:108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rGAUMEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
94⤵
PID:584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XSQIgcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
92⤵
PID:1280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- Modifies registry key
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwEQYYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
90⤵
PID:824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:284

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\heUMIYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
88⤵
PID:2516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wugAkowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
86⤵
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MCoQgsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
84⤵
PID:2592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies registry key
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykgYYcAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
82⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\muMsgAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
80⤵
PID:2944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewMwMoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
78⤵
PID:2888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIUEgkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
76⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JWkcMQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
74⤵
PID:1948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMEEEIAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
72⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rosEggAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
70⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqIwscgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
68⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies registry key
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kKIcMgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
66⤵
PID:2908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cYUEgYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
64⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yYcogEMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
62⤵
PID:2524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- Modifies registry key
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcgQogso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
60⤵
PID:2452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XaAIksEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
58⤵
PID:2416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies registry key
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWoEQwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
56⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROscAkIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
54⤵
PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TgkoQYss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
52⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQMQIAYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
50⤵
PID:2700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGkYwcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
48⤵
PID:2000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AkssAkwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
46⤵
PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIAAsUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
44⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIkkUoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
42⤵
PID:2432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\joIMAoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
40⤵
PID:1248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEEoMoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
38⤵
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyYgAgUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
36⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\skkgkkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
34⤵
PID:2160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ciQkUQcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
32⤵
PID:2356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSIUwEsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
30⤵
PID:2040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies registry key
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QqwEoUkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
28⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AuUcUwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
26⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwwUsoso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
24⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fiUcEQoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
22⤵
PID:3052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VgMcYowo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
20⤵
PID:2996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOAUAcYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
18⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IAkwcskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
16⤵
PID:1124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UAUkMIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
14⤵
PID:2516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yCQEgIoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
12⤵
PID:2748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYkMkEwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
10⤵
PID:2068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQMkEcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
8⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VuIYkUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
6⤵
PID:2128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
- Modifies registry key
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWIUUIgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWUIEAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
324KB

MD5
57f47e7634ff83296addce82c5aa42c2

SHA1
e15c091f0c632fb2b2dc961edce9975507a49eb4

SHA256
c25bfca9e09da878d058d49840a012d29ba038de5a414be70f7980e194061ba2

SHA512
a2a733d920df53becd31d169632c765445b72446f95d527e5604a21f7864ae1b07f9f5827e27233c588c169762656004a2de390001dd55a9440a0e9413dc1563

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe
Filesize
233KB

MD5
911cd5e8065fc9a2094da84a119bddcf

SHA1
12360e6cea003d1d500d14ab45cc80dc3585445e

SHA256
0c62fa76dd1d8854b3c4be6fe8ea596f0f42eaaf19320a64bd62528fcd68e7a2

SHA512
c74820bd63975980cf64a4398b7e0cc8aaea958e65fce9fe17c3cf30a65016feefd6473a4d307a00d504a98154196c4ed142d67e45a513a4640b8726b46f7f01

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe
Filesize
248KB

MD5
8af7088d43f4a9a1987c6827a9ade46e

SHA1
52633111b5bc743faec296f9267408e4440fb4b2

SHA256
5ba2f1991a4cd0cd0a1caba79ad1351aeb21c60b5335092831550b669a587777

SHA512
b976dd9fc66f90e007ae52d216d0086154170a7b5398c5c3d211d9091956b7e2aa79d7a8b5dc0f201de3fc8d1d3c56a4f57f8d32f0388837b5ea92e45b8a682c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe
Filesize
250KB

MD5
973701290a97ee3a4e1b3f802b14e961

SHA1
fdcd46fa8ca89fcdb1af09959187a9ab3bd5fff1

SHA256
526f220323887963b6218048e138a398a4d3ce1a4d503e42abbee698bf5028f5

SHA512
8b19eac9b27923704b1d4ccd17a9847d9c4b5fe8b18d9bcac6f72d75e8fd5f694b3461fb7abd6cc3a3dad13c0f0649f00b8f55aac86555a51c20ba0e48c236f6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
Filesize
253KB

MD5
0d0e9cbe6742546737caf8ef652976f0

SHA1
7a847f24f40543a2880a7a2433d8922db85713c3

SHA256
9fcbe49f817b993e6c1d005ca29e69b8d2e0435930bd344f76a9f061bc0d5491

SHA512
d14b3950d01d3ea7e817adf18df259abd4056144daf1999de3ec9a58fd191d4d3245569ab7eba19e8f66ae5a5f85c51aacc2ce300b77fbe04473e32d555ff98b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe
Filesize
236KB

MD5
cedd066095af32cf73a570e2d5f41d81

SHA1
d02af2fb00523cd11d982594c8432496b72ed3c8

SHA256
9c38743da9d33f1f25ba9489b2170e59c267eb58eccd0d6cecac4fa08122e675

SHA512
8867356270a28b3891341f0d4c916e27deb98e8023e05a30f87ec4524b2eba62edafeabc00abe12cd1e9b09cbf7508c1bee58637774fb69406bfaaaf115ae700

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe
Filesize
245KB

MD5
634c958e00b1678c4fde14a2ffbe1ad2

SHA1
3d621ad19f4ad735769a7ddd4356964f20e495a0

SHA256
3b7f8c662436c5dd7fc0c146ddde3edbf4c0ebd3e5d643d5b6d75246022596bb

SHA512
34935c0a99a08ae749e3e959612e11eb376168e65bcd6a78a5d52350c8ce54609f88a948cbaa8b8b3a6028f774be727cd20554574f83345271e4ed13f498cc10

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
Filesize
237KB

MD5
57ddb286fb9275874a8bdb0e38c8b5c2

SHA1
fd40857061a01e30970f1bbd3fc63ddc0ee9c354

SHA256
5b5f247243292cf082fa3b2d60d581d21804a52b2d3b5bba2c24e18aae0c4906

SHA512
e2f4c473e48b9ee3d307bf550432419e45581411cb13aa3188ad0369f81c9e4fd7112b8c427a393b47d2446e2a4e42b96dd6d10b65838bbee3f2ee4dfe8a8f9e

Download Submit
C:\ProgramData\leUEYcsA\gGEgocgQ.exe
Filesize
178KB

MD5
a15768c3d166ce95442206196d6a9fb6

SHA1
e9724ab28b896316a44840cdea5806b35791c953

SHA256
a80458b95bc29945097b8e4d09b29c0429514c2764f5a597d39b55f9d5ac9787

SHA512
e3fbe09045d75fb9efd6e34c1e1c5e7a5eda904dc2d41c927beccbc6a3b45989427471ec890d3179eca007a3213ebde6f912dc9ebd8ac4b1378d7df2d7ff5908

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
Filesize
2KB

MD5
598ea3255fb276209072332552903ed8

SHA1
ccd234d34d488634569a4064a65d643e070e80ed

SHA256
fbe10c0c7d282e3136341735aa4a5716f2c32133828bca64f700c572d7492550

SHA512
3b80198ff6bbf9146d1f942d37ab3b1a01edcf634c89e4abeb36c29d7a80afb45f3e30d72ca3246f066c62fa1cac9ea6c3c9627ce5ccd4ca655516c0414632a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAYs.exe
Filesize
251KB

MD5
e00997e7a2e0dae5946370157f1d8137

SHA1
c8284d3eb332f66b2ff866f190ef973dbd74e1ce

SHA256
68d9f318bebaebb7775fece364357f54be085b8b22cd61f89a7ffd97ba1139d0

SHA512
e71ca47793b63c3e67bda5fba16121c69cc907a8ef1bd29a205a974cbb5aab1a2200a896bccb78a02484d5b289966c8d7136a87cfadf5b0c90c8e493c238737c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAcksQUs.bat
Filesize
4B

MD5
b03c0a6a045226b3e027488015d64bc6

SHA1
bde3cf343cd25fd8da944dca45c96c431697f7e7

SHA256
53f520aa7749d88362efd284e03b67fb74ed3020f2e58c0038090c6ab592ebb6

SHA512
7a617011e61f4a5b9b190379466b1c9780cb2cb15be05aaaed3e292ecb3999cb34484d303df57438aa6787533a40bf67fe8d62f2700de3adaef6e82398d55c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEIS.exe
Filesize
1.4MB

MD5
f76527624f1267b18572c21ad7dfe764

SHA1
0914719f63d164d57b7586237dace38b394cd4f8

SHA256
98b860bb9541f5e20770569c688f32bd07cd4e6e434f02af151047f114984e5e

SHA512
c7e073c4aeff962faef2d5783a6fa71d291e79b9409b7af1726e8133c898938ffcb7a466df8fdb60209aa79c797e5b14dc4426e431e4d7596edaf05f3289723c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEcY.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMQy.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMkW.exe
Filesize
253KB

MD5
7b1780c0bda5caaeb0abab05aa7c1918

SHA1
a6c3de7d071a1d10cf0c195e0715f997666a4b01

SHA256
ac1a63d818cb15a1521363cfef5cbf3365abb9b7406cb745da046894bda22b28

SHA512
101964ebdeacbdda1c91da64b8336c360429abeb9d0fbdedefe591882aa188217a2a2b37cec100afced3ae1dd042504c6be8057dcf6ac5fc4a82a54efa715eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQIMMYYE.bat
Filesize
4B

MD5
b7d3a2ad4c3b07a01f1aba0fe5a656bc

SHA1
3e573bfb5d0d250e2f86bf17b390a9a1b4f9ef4b

SHA256
e3f1ac722120452195bfa3f4268ce18abad643cf791f823ed1bae4314c53d63a

SHA512
5230a15779d968b1981983b031c7b4d143b047bb35d2279cfd4acc7b920477e11dfcdf86983c2692d85f9a62cfa8eb68931a91ad2659719d35de4be30496c404

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQME.exe
Filesize
951KB

MD5
328a73e3935943a375d12e77fc7c7550

SHA1
a301801dc6e21e2c3d86b6c9c10d770581c756fa

SHA256
4c6119b6957b546ddd676bb29319fcb27e5922fddd9ee74fa790045bf4a470c9

SHA512
2d88a8f97711aa9409a8fe07603c033779b510f6e454acae216df7494eefe43e8b662d6f73a50fcde7902b7a3abe9b4e0ca93411e68fff95d2e0f89e087c33c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUEU.exe
Filesize
651KB

MD5
7bed83cbeec74f5169e989694f1e2f07

SHA1
2349e1fee038a3635a6f852ed05d035bb18e6f57

SHA256
08fcbccba827d84f11105189ed21ea18b3ad3eb73a7436ed8e855c43e9b507e2

SHA512
57a7cefe7ee829c7d6c82e65b9cfe8cb0e737c482c83c1231ae535ba9e4fdd8f264961d856714a4a0ba4fc108ba0b57255ba6daf9f2dc26b0ffadfbe47615150

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUUq.exe
Filesize
241KB

MD5
b6e47afe1372e794f304bd2eca6bfdce

SHA1
c0c326b88dc1b4d899e4eb812d75bdb7e2b24b36

SHA256
8dbe774c348c6652fd3d65b92f55fd596e4052d5fd5c626bcae1c434b54fce53

SHA512
1d223e74bd8f7364f261d7145fb3d2fc3a854c8e4e183d7a97a9f452487b7252dfe61a40fdbad6dd8ddc4fa543c36bb6a347f7398feee6d2b635b0504e34821f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUcG.exe
Filesize
208KB

MD5
b2b26c8aee922a32541ca63dc5bad491

SHA1
cc4d98f047c6c6697b5a512ef0723605c3ab3b0b

SHA256
3ac13f978f3722de9e1333b8c1a462913f4008590ccb597061a877817b0b614f

SHA512
d3f79e0343ada21b62e681fab550797ce533d74b57ddb4551a8036e952d82d46cfd7fe0b7fab3816a79ffd4583416840c0011f615e80a54c9080f323a12604a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUcq.exe
Filesize
207KB

MD5
dddba1ebd7d013ee71d42f2f2c39d85d

SHA1
eaa8063f90c4ea7ab2cf215582d31a2082cc4b40

SHA256
7db4b4bff302a230f50a6338c44db4ec5f3fa237988cb20dfd313530bdfbeb7a

SHA512
b4d1a919f9d786d8481a4352a43a80710e3a6f7908040318605270bce440a44f0f87872b8f36c43813a682c2cd98577d749ceed75b7a70deed3b4d032a0e7a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIM.exe
Filesize
204KB

MD5
bb227d1c26466bbeb061efcc4b1179e4

SHA1
4ad9e762510165ba32e6dc134350d45eb7d468d1

SHA256
366cef846e937fa399738fb2ebeb356134f3421c585d2bbde963b0c6c1bac315

SHA512
6b08d417aa8be0ed4c732ac8bfe0c87dba2b7df97bec85b6087e1a9223afec7bedcefcf3f1c27b7b33b6a868cdc8b6eba7d660bfffe7c7ba3cb1e9c6488c1ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoUm.exe
Filesize
238KB

MD5
a06203390dc9e3ca43a1d234d6d0af04

SHA1
f8bc71951803fda5d8d7087a2df0bace67c918fd

SHA256
6f7ada4783beac9ac2e918c2bce313cb7948d04eb24c28f30508826622eebf68

SHA512
b1013a7fe8ea743eea3f6af7a060e310c799b5050996d0a88874848561993e1cc69b84b608baa019a993ea88904869a4cda26131f139169834f5b9ad25e1c15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AqMwAsIQ.bat
Filesize
4B

MD5
812bb4ab2314c343f04d3c8db0ce2c55

SHA1
278bccd01f94f52b6b5f8c377518e5690564b370

SHA256
9d3fb504e189fa4a821d77892a6d5cb12cb943220c4a3fc428155f9621ab846b

SHA512
b5da37f5839cf3964658243cb6ee8c3874fece130db5141aaf512fe1f3a21f144c40cb94aae9c17ad556732bc0d933f562697052e0e10801198efdf93a63a5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGEsokQM.bat
Filesize
4B

MD5
ee5933d4505b49eea96225463185c306

SHA1
6ca475f0b5db8900b13e39429ac1980f3ddfc94b

SHA256
8001a66c0a7ee373e6d5d0ac61d9c6712d33e6215f94248a4af54a00960644e7

SHA512
f54c707c910d6fb3e298e6ec82406a55ad6849ef6c975dfe9605ed59927a509dc9a17776b1afe839253b14daa5de5fbb7e7c75f7866929713905ed599b19cbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIcQwUEk.bat
Filesize
4B

MD5
b4abda92ee38a856b34374f92154d8ca

SHA1
ca3c913f0a4ea12c7458c228237d611e17932163

SHA256
9f096bcebac0d65f14e0da6514b64d2b90dad2390c1e47ccace9c615d9c46233

SHA512
bc3992c3b66f8c3f210e6629a29711f79ff78457445c655bacc1b30c519e4ea6839008d0e9cd40f33bd373d1f3b27d2fbe82459aaae577c7e4475435e859fff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQYgMUsY.bat
Filesize
4B

MD5
f0e5c0597275b529b4445cea9678224d

SHA1
ce1d33a9b656e0160782c5247fe0ca2a720e83f8

SHA256
aa86e0afa118255b4d5fb9e3851a771d83a1d295a8ba771f511bd1ba026405eb

SHA512
2aed9ddf14ce84ed1ce1b8f59e1174a40ef58db99c1d56e7076c5286ebb85ce2cc583ae295206a87a919ed371908cdb2758018004b00bf1a5d6dab4d44fc3eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkQMMEgQ.bat
Filesize
4B

MD5
8887bd0290cca589232c095c9cdcaffd

SHA1
d613a4bf62eb55ef7a090b5564e82278586cfbd0

SHA256
5afd37eabafcbabfee5416d9febf2be3d42dfc8547c1bc73ed6e91771c56fbee

SHA512
23033b499da9d5cccc30ba1ef6f19eb7ad7cbfdd698de0f78d2c983f059c2b4fa21e6d598a11ab4f2eb0099dbc6e1489f99efefb473cfcf186e1cf71281bade9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEowwwgk.bat
Filesize
4B

MD5
3471cffbeb9d37c9660e47e38c189b6c

SHA1
c1ba730428d0e262da24b52acb3a159237cf6fb9

SHA256
c274c7d9dfed1343e882cbb43630927143a743c863e7efe0e7aceed41f328bb2

SHA512
71a6512c0370ebaf1058806f0a73e1b226fefbd6da67468403906129546063e6074c53811322a7ae5a6603fd640c8c113956e828b167984aba973cbaab02b1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYMUgIEk.bat
Filesize
4B

MD5
f848dca8c575aeabdb74f057d49c7447

SHA1
9a0738648effb9d4644378b834454774296e7d5f

SHA256
eb3f4aa6a21ac640e09013551b257b346fd8f878fadc28fffb8e95b5a75983d1

SHA512
eb458b0635012d7d9ab3739f290363c2c252f37de73458e392f09590c0e9ddc9741c8d3f57e4a191438488075152019cc784424481ac9e9c78d4ca1c17cd564f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CccEcwII.bat
Filesize
4B

MD5
d2284430cec5b57c3d52b13ef9874d03

SHA1
1bf6d57b23e4087de91370efabec3eb9b08d1b40

SHA256
789f281010246b69b39c9a137d4e5919ba370d0e885a2b2cfea7ac08e0e1e2e4

SHA512
7a33b5a78163e45bff04d290b2a3515c8f03ec83d4bdb97dc46ccce52bb4836abb7cebb04bac65590644797657e3d9f0c404d0488f8b8e5627251e0fdb669b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgUG.exe
Filesize
226KB

MD5
45646369708efe657eedc0d56b2f4ed0

SHA1
ca951e4d46d93161957570c0aa709268cf6c65ff

SHA256
ad6e9a2115604a4081fca542389db81665a7d40852d5e2c3025fe5b871e312ff

SHA512
2a420b2c14a773b4d4fe764ecf500e45003389fa2b92ed845e6abedaea356375b8808cc7b5985541bd759ed803be0b9563d48b4e3e211d2b54421f04010e050b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CigkQsYk.bat
Filesize
4B

MD5
01c8e4f54601011addd9af860af132fd

SHA1
fe883d942bdd2630c840a6934356c6b8f745eff2

SHA256
1a9040c3e574ce57b3444763411e51c69238ea881b866ad3839c5b3bab197a47

SHA512
926123c2a2b0ac426c896c54df7e1b556544e7f5d6c48cdd80f132efff4d972ecb75ac2697d7ba9ebe553dc60f1d0db2a44a9ffc0cf69d5791e11ce463a86fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoQU.exe
Filesize
291KB

MD5
9aeb0f7800ebd58944d0a63b24604ea0

SHA1
d525d17ba1069b792e5ea976f2d0d461e9adf36a

SHA256
de5c5e9af60a42c9b6a2086ffb35226663de1c009ca6b3512c8691b710861085

SHA512
d182d45f979ff18ad705255c4a72659dbbebb75f995d4fcf80c74ce5ef6b29338f0be2d2b4ff7b3323e6396c19416ba11b2731d35c79b42495a87599c2ea1326

Download Submit
C:\Users\Admin\AppData\Local\Temp\CqYsAQss.bat
Filesize
4B

MD5
5bff8a2734e6dcb956830909804e77b8

SHA1
ec3cc4fbce04a369fb3d40633e3144243dc808df

SHA256
b1add59ed3eeddadfed64fe350e5b6b2903fe13cc959511bcd3659fbeb0664ba

SHA512
4a023999d782a232cb3b44dea2d2caf2802c0f76521c41a3ff8075bf6fb1b46a242fffe00b6b31fb8c099617aa16177cbde84d72dcc69fd8ff73f8aec3ab1900

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsoA.exe
Filesize
189KB

MD5
8ef5d9d37b59caee4455b6b8e757900f

SHA1
58c7dd49e4cf52e71dd993f2b90ca8495ee2e4ef

SHA256
ae6daf19b1e159a6ba79e64f03a8b4f5c6a73eb400512d2fbfc40bb2caebbfa3

SHA512
bdfa147f9bd3ae56722166fb68be2c1de4f64046960585323ecb06d46103966f0fcef030d34e496b63830c4da51e1e87e069ab8b66a2d42d19dd06057c19b26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DKwEoMsI.bat
Filesize
4B

MD5
606e42e7ca5d7a0dfa721532f8f3fd01

SHA1
d7b51ad8f0c1113775b8046f3bb03ddae2128a4e

SHA256
afa8661f24aa1db4e2ced805674b8db449df4befd6429fa1036e2dadb6e5d287

SHA512
906c1953d3d387e00c831717b3bac67e726eed7122b1fdca5e9735f3823ea6190f92351d55e17a1294e13bea1df4d3894fecdfab685bd68f25490e2dba656100

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOUMscgs.bat
Filesize
4B

MD5
b9ef188ec319caeab96b514db953fbd3

SHA1
723b4f4f692f20a0c099b953305cabd2ccfaa8ba

SHA256
d63adf87bb5f04a997fb1be12e86e09e3b4623df27a79e7194db0f6f1dc765d8

SHA512
c278a5aec93e69d7a5a893fc9d2108d172f6cf1a21bbaa07e65d5099211cdfe14a8b10d03e34c7cad2bfdb9c6eccd062e79a7e18a514078a205a5ed316b7ef0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgUQQEkc.bat
Filesize
4B

MD5
e599418f60f0a7384b5281bc1e256004

SHA1
0fc78ba62ee5cf42c8e3468370e69afa0d0c2231

SHA256
5161ffa730bf731138a4fddd773072465fd7142fa362f27c2f0b7eb520a472be

SHA512
d8e447f5a696f27942dbaf8b7fb512abc36ec2b53582d50081c24392339f7f37ed8c2914a4ff13788f74b6213251f6d4adac84250c602d7f9559ff14dd6ab31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgoAscAs.bat
Filesize
4B

MD5
449c86c8b7477839c0eb761675876d69

SHA1
08f71ddb9f0ca526869ef4235bfd4e02fbea5f08

SHA256
fc0aac6df38670579a7e8958201a413f8e493878b0a9a689653f5518d2f71cd0

SHA512
94ddd6348493ae73852ce4c8d9267bfdfda1e7c4a9e1bcf7889aed7c6be11fb076277f311911fb72f202c601bb80144effb507a3e439c971c62a8a59b5420417

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAEK.exe
Filesize
639KB

MD5
ae788be0b35b86c42c80c41f21d33ba9

SHA1
0dba8ba6d3bc09b94ef4dd2f64d9712fe6a9509b

SHA256
f3773ea3024d5f1a3276425f4f4ef9269631991f69c7129f98b2cb2d5b9f2d52

SHA512
484b732eacdc2cffb33211086273d37a1ab52638b1f36161107542f53eb7e0bccd7c588704ea819c5be22eb06b77596e18f8d94588e3b94f9a0b3eee55d8435a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAIc.exe
Filesize
489KB

MD5
d1de44f4cce16324f0dd540319c6d8a5

SHA1
63e8be02faed09facc4c3b701db3653922686e95

SHA256
cfc94216a2862290eae06f7a2820874d47967d077ceda9a7109e6acb1d55eadd

SHA512
38c23b7da5f47d7591c3dd8060c0abc454dfa3ba6574aad4a2ef4897ae5620522e70ef7f9937b08fff9f73f494d55700848f57952cb55ec4db04e19ff905b2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECAYwQAI.bat
Filesize
4B

MD5
b83ef946416b4e37945140512ed9d0cc

SHA1
00f4fa9df75a302cc19fd97d21a23544894b59d1

SHA256
0ff717a86a9adfee77c750a3014415a76dbcc6eb0ed05334f13678add7d9c55c

SHA512
553acc2b73a71e1d51ee0ddfd7a28bfdf8a2cbc82dcbff7dca67fb7b95955c4fd20099dc3be980d9905f1a409d0c79ba5b0c1b31c24ec91810be19f0e579295c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEMo.exe
Filesize
207KB

MD5
4fa2fabf72704453c44717c08c19b7bc

SHA1
2e14badeacbe71b1bcad51c8167223d100c511c8

SHA256
f5e71bd427f13faf5b8817c9b9e38ec9e16a04406807ab77d7d75054a3e9b61a

SHA512
c2dca79911dd3b742abb04608607d2f54082851028ffeffb8b6ffb672d2edbbaa028b1147949b7d602766ce86cd1bc68729e7eaea58828e5bde0019e43735e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEki.exe
Filesize
252KB

MD5
c311257fda87339efefe44e268c0b571

SHA1
8c2ec583eb2d800906722bd4f30f6cef9c9cb662

SHA256
9614bfc3a330d1dfc9837a77d6a92751bb6ab784b2c89540b85c8bf993d41adf

SHA512
6ace0199d85403a03eded6d1bc38c4272abfc3b40abf7a2fbb36ebd261718490419e850ed498f84227b5bef9672583825a8360373a78d27a25468521d30f4a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEwe.exe
Filesize
240KB

MD5
d61a7c43ad0f2565b8a228adee78b754

SHA1
c589543104f41a3c26478689ab83c16c396ef7c9

SHA256
1d47787d003cb8d3e8cac29edee8021afbc8cff02157eb4f8fc93bc5a8d13901

SHA512
0634eea1d6132965202666ff96af87e4c5de6aca4e28c4ccf5643f9a4837d6fc4e8cebc3c17f0aa787f8e285aaae0ff696c31af9a619e91c47b37c3802aefc2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMAa.exe
Filesize
187KB

MD5
61a8db13dbfa1cbc932804b00a3268b8

SHA1
72913d4b686ec434132131db2316ad4d6017cad3

SHA256
2a7d3cf69e5c111b8ceb390174a271099987d2fcdd82241c53df870610805a81

SHA512
ee31721034d09a0c601073ae862087bd59b4bba7761be39989738ff7ab4c76ea88bc137098585c32f2e40d13d5a4e46fb853dea89988ee26e79d846f7522aea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkQE.exe
Filesize
252KB

MD5
36832f44b37ab28ba484b04aefa4f782

SHA1
5efb2ef597d6736bfaf181c2cf847262920d1d1b

SHA256
2509b18448fd11fe6a2afd9bfba70ac76741ce0389b788bc1a8fb294ed1df5d6

SHA512
2ece47412fa6d20fa3cf8fad2cf06122b8308f6e58afea19dc34754be42838612f04976aafb7e3006d4a46cc25cbdcc61f8687d11c61045810eee326903095c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkQEMcYk.bat
Filesize
4B

MD5
a6b383d9df70b210e40e947557ba8b80

SHA1
32546914dcfa76be7fea3585666aa33454ac1760

SHA256
dd37d79544830dacc2bdf4b411800106f1593ff24c113d63740fb803db08dc36

SHA512
ffcf7d58669d4b5eb30a5881f3c972d49ac6a6ef7ba7ed715790068ed4cdbaab100e25c8e947f49fb41037ff8eba7384a8233097a4533b7cf63308b3b5e07a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwcG.exe
Filesize
229KB

MD5
f303897d4a7172102f5530a1685d8ca5

SHA1
c4083a2a4ef1f968699ef68328aa6ae3ab281136

SHA256
786784dce98d76e21a11e421621045df0b17033d7d918524b85dee136e23869b

SHA512
e02a187c53ce9195715fcf40bdcc0546f14cdadf147aa48e2aa5d1f5bae637dcd7092c9c325beba8afed36483b62e9b4ffd00c36d202591e4e973bc24e611592

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEEAsUEM.bat
Filesize
4B

MD5
42e593b1a8f573532cce5c4109a4cb64

SHA1
08be726887da2e2956ac5a1e140daca0fda83498

SHA256
aad630e4540f69860e02c4c72b4ebd1712492ae11074951332c79d13e26a85bb

SHA512
62f81855f1cf62d4aeca4a807fe98ef12c2f2943de8c1518b57e6d434e8e4e8be20c234a253192a428c3ed92e0105746585b866a3385ea641a80b3c296a8c627

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUAUEQgM.bat
Filesize
4B

MD5
1ac165619c6aa8420b8e2166e3f2276f

SHA1
8e78d229b659fa65c729bb0b09bfaf41d72c3e9b

SHA256
983baaf9a7b572be01930b1381ad1a387dc9a30eff9bf6b40ac93f906a4f2714

SHA512
dd12ccf10475804e9015dd92930d894001c20f708e72f5f3ce2014356321590cfc075bbe5a4f727b80b0c2ee545bd128ffd11b69aaa5824495d3c9a97ceea2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcwMUgwA.bat
Filesize
4B

MD5
3ad800d6545dfc8b7a4f48fa4dca0eb7

SHA1
2864d9b87d3e58f8e1e204d7c66f33dad4dac2ee

SHA256
8cbfb7fc57e1f595d1bbc46972335ee62aef90152fd2e5277e586c4dfb510bb7

SHA512
90160a1703906e3e7fae921eb49bf1e0e64e39e26f04bdfaf835c5a05e682ecf5b5091fda41170a65f5e9f52405d8adfa8a4ab5c4a248c85b647e14a9e149b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAsu.exe
Filesize
233KB

MD5
4e746e7edc2b4da95360a7b8f29e8b42

SHA1
dd553c55df5f4a8bf454d7eb61bca878d2bb33dc

SHA256
0f719b8d50870f79fba716d795e07088b91323df4173babc1f7c46073d3d1614

SHA512
9c012c86fce240a7421d43431815b9b29ca851dd07e67ba8f92441cbdd9df2a45a6f88527de33fe888ea6c67b1ca1e4bb42301c699b618760d8144a4ff6155cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAws.exe
Filesize
189KB

MD5
bd44d1130561ae016856b439e2be50df

SHA1
f89b547c70f1b5ac30fcfd69aa62d361ffc885cd

SHA256
c9b4f8964a8383804fdcb0ab8e0e9e795b8002e69dc019aedc658b62aa6578b6

SHA512
e3ef101e76774ab8de5fc6e60c03c31f81fab2f86f1f7ec647dcbc6a92a2e82ff05a8834f754a6de6eab1478a4c337ff244033b8fa325bbb48697616aae1f679

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMYK.exe
Filesize
218KB

MD5
7647fb3d607691d53166b3e2ddc38a11

SHA1
250d81b2842a00b0f22a1a9d50a830f75851ddf9

SHA256
4345076e950c0d86f8634b961d8540ffa8ba6ce63b93b4cfd195d93f92aa8e0c

SHA512
0e65365ff4bd13a245afb726825561641603d0807dd65b910ca7c318c81030d87e8bf9f30342180816c456a9e1994d595488ffcc9b7ac194f5f87914ba789f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUEW.exe
Filesize
236KB

MD5
6db5d91f8b0fb1f28002e0c4ef756045

SHA1
3dda765c59506ae05fc97c273793932b60e57226

SHA256
b587b249c727bf0dcbf4f9d54b63cc98d1be50c82493de4ee90c50a1f17673b9

SHA512
63f2b81f44dd4a18e3e118cc9dc69eefaae78c98effcccf80869730aa9bf2966ac746ac416aa3058f622c3a5b86513dacaf0baa5ea67a26e42c7b0c971ecfdd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUgw.exe
Filesize
236KB

MD5
40fcdc83d9ab392449c79d352c2081bc

SHA1
1440bb0cb0023a1994025631849e9d081766a7ba

SHA256
409db9c16ebc1d8f7b7be5e4e72848026e1cce17c08c0bf071bd5c495eb47598

SHA512
dd520a66d1a778c5a53efbf40c090f16d257fe4838a8242974e05bb1fdd878c84cd0fee2f8003f1cc2f643ab67d434cc7fb0c82b123e98ac5efd7aa14ff624b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUsa.exe
Filesize
241KB

MD5
f0aacb431b2f8876252269fabe5fcbf3

SHA1
c1a3042ecf69fe77c705b140ba2b5c3fc51c534c

SHA256
d654de7175e50a9f40497eee8fb9f7c5a46af562043a101fe534266a60e4bce4

SHA512
077d55bd99be746c8d6569c79719df9559a08e7f52db07219a1dc164705d929fc862fa43553e69639b69e2ebd402c5f7a6f5c3de5d9985904acf34a67c01eb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYIi.exe
Filesize
205KB

MD5
50e3a16e5b9e82b96761c1bbd3909849

SHA1
ef7359ce41144e46e35e3f0cc0883cb236761928

SHA256
2817754a6bac9e72a9fcc4b542a7552905438c37927929e7354fc6e1b8dae401

SHA512
82af4d0a64511030724ce350c52855c5a5eafe6bc4a81e8aec5b9c1fb8c8c9facf27953139e295ead2fe4a733b3b072f399aa3530445e0ab1fe058030fa7cc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GascYooE.bat
Filesize
4B

MD5
cd30e19b3d58b046c087fccdfd613d64

SHA1
c88165bcd18689906d41db229f507c4143a1fb7d

SHA256
6ce775e837154486c48c346c0e70cf36efa1f93a16ee5e6094eede7b1fcd3e7b

SHA512
ac5fb4cee5e50656118787fff85427ccc8cf1209e726798e20cb5b244eb4389f7beeb48098d5ad22bd8b7357b603a2a903a691d46ae56a49bd28aa6c319aa5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcEQ.exe
Filesize
4.8MB

MD5
4c1bf273ded81da9485f868cda1a32a5

SHA1
926609df817e0d656081a5e3f60e8302ed822b6b

SHA256
8c99b233cb095f80d8e3f83473079f4b70c4450ac146e58649e81221e6139cca

SHA512
eef59a6df543b9015b7ff5a4497fed5f9fff3072886381ffcb12e47085bbb40ff22c147c23d1e41da4dee2adbb5ad1ad9c0ec2ccaf2d4efa6ed72526426074bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcggUcUM.bat
Filesize
4B

MD5
316eb7c8366e87242c79db51f503a82e

SHA1
a60fc3b8e948ca95689f08c619f19b3a07e33b94

SHA256
9bb203b374024f4071cfde7ebf7a44cae82fa985d3c62d2486e963c828907ba8

SHA512
630aec14ac59f9d1a680ca740c7c0af68a00a806cd5def7e0bb7e50182b80d25f5ba3d2b2c2c3a0f53fd902f53aabc6ad748c8b7321d8f3bfe18e4c3f3f32b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gowo.exe
Filesize
239KB

MD5
65afb78c9fca931f9f757e04e89b6846

SHA1
8c73e88dee6186580b80ec1cc29a98ada3a231bb

SHA256
5989200fce35508628588fe1803969ce491ef0699a01a4b66252fe67d491291a

SHA512
d818f7caec7847892973264a3732e8520d1a3bd0952f10eac0b5936ea07bb1b20c382f6840aac56fa1438a77ad1850ed23d77a879c6fb6da0db16c738f1eaf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAUQMoso.bat
Filesize
4B

MD5
23f3900559646ef251071f26ce37e55f

SHA1
362729f49f252149ee2c19e37c75e6b9938722e9

SHA256
d9dabc59d37e4cf2e7bb280c2d305a5301a4f4facbddd8732ed9199883270c22

SHA512
0f4784483b3351ebabcef93718cba4c05549b42637dced3e4b2b56405b1c6e47535ec9baaae125ca7c1767d77a0ecf93e7fa0404838ca2f1fe17f133bee283a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEgy.exe
Filesize
246KB

MD5
12f2add66cc874e06daaa228c4d11352

SHA1
ef7a134834ef8af0f7abf23ac08d04d06e6b5dfe

SHA256
51bc06de1ef9fb24d53cb4822e0a998c299b94f0062be759d26affb51ae12cc2

SHA512
51e2156e85fc03e4c6a00d788314cf2469c4ebebf2a6baba0322a0626b71e1c80ad4de0806a9dd67c738ce957f12e5b4a9bfea5cc7db4e488bb9f6c02c4fe6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEoA.exe
Filesize
1.2MB

MD5
5501e0ac91d21c836ebebfe2b315de27

SHA1
fb0f8103b55d7966369542078d804dcd5162d05c

SHA256
298f1659e229c5d186af51d2ea8c8d1efdc9462af59c5e49085ebcec60ebbebb

SHA512
d8bc1374873870ec2d5b6a8ab197bff2faf520e824d07fd9b65634193cd66d39a84870b4c8218b9c3f4df86e7fb8005757be35d3821cb27321d5a24e41b3c42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYYs.exe
Filesize
227KB

MD5
94c01ca246d27fd9f00716be7b2dc9c3

SHA1
46c38d1d65ea2481368c0ca97d6cc021fffd32f0

SHA256
2edb84ec3102f7e08812bd2f1a24a43e28d70c89963f47be226b318d945048f7

SHA512
f9374cfd67f29691bf08aeeeb3eda7682d799ce6ad9e729f4c27f96848954b49686146ed9db787bd9b4f7971e3652118afd1e829fc849ce9e547e1f626164d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcUMMgoQ.bat
Filesize
4B

MD5
043c84fc1b95732c3429606241c76912

SHA1
90209f9c4c9f79ee4a5d89a6869977b5ff2319b9

SHA256
ebf1389fe18cbe158688bbda574432a69cfb68784fa43b36fef23d70a643ecb0

SHA512
99fd41342e02c46ac3f601056dbd9e50b8302363fb7291426cbfeacc7b0923e2d1f8f34731e3001687360b6684291b9e4b6d0df2c2283cdd92f54930c0ecdecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icks.exe
Filesize
234KB

MD5
e18dd1ce10e89eed6df8c2841ddf4567

SHA1
1fcde620ac1387bb37aba14c909f87873c978979

SHA256
815455faf0b0a5eca78dcf8c3c4a520d90dd4566e8ac17cf0d9bf0e71b3b011d

SHA512
569d112e50adaae0d27c5fa76398f40d201b49bbab1221103fb341ff648e3c002f739a90a01eab99ea43410a7e10f8b93f2024c2f41da0d3ed939986b9331495

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgQc.exe
Filesize
405KB

MD5
412de916d02756553dd0f2d14219b835

SHA1
c7e873b67d465bce843e95e6be2f582acd4fd00c

SHA256
2105c179667e7ce09ff8c1fe4044999bda6ab82fc11bd87e4aa7111fc8287aaa

SHA512
59036476a82db99e075939626759d0c215336d2426acd70836d0ba9f6725d2aa37abaa844ea4d50c61b715b18c12c456266b0e4a12210d76bf1780eaff8c6362

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsoM.exe
Filesize
324KB

MD5
7645a5e627e9eff45fd48255d530bffd

SHA1
169f6740cdde8ad16be34e528752b96a5b31f8d3

SHA256
17e63a79fbb7d01e6d9c38cdd303cb39a035c9427667bbf65e302ba960da6cf6

SHA512
84ea10772330dacf2d1baa27377d98fa9b4eabcedd06db8cc3baf7a3c0bedc17e56ae327071dabeceb131ff5a9bc9892458ac23ed37a6693378085fad4eeb29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwIg.exe
Filesize
236KB

MD5
a6b809860002d743652031588fa9b7ac

SHA1
0da618c90954f82d624449d7016082ef551c17c4

SHA256
c46630d1b90ca9cdd243c139b75251a275e0c5f85f1724c425f1d8b1010fe4c5

SHA512
1ca5edde7365802279750cc09bc4c2fbb91779164a36b97ee8838489fe7e887649c1fbc53c9d78468036a7f6f78aeb321ead93f6209054e5b2e7a3e1f9834e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IyUUAwUo.bat
Filesize
4B

MD5
3718eced5e87f56b5629c21e6388275d

SHA1
2a0cfaf02aeeec2c4d42c77caee721f25d867714

SHA256
6a971eb65293752c357912910c2163882fe0918e19fb166e76cd6f15ee3e4ebf

SHA512
9f94a1d642c05250ea954caf4d5dd7afb9aa231dfacabeae04821b3830655e3bbc9396c36b13c1792b41e57221b8b509f9fdefa5feb070b86140077831c6853f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCEMIEso.bat
Filesize
4B

MD5
963ba19236956fbe9d94a495c8f06be7

SHA1
98d6ade3421281322825e8f61cb2188d1bf6a0cd

SHA256
eb802dd758c60132b961346950b7cfc1b0b8d436a251c5438f3ce2b1fdea8080

SHA512
ae2ed7d529c5bb939620ceae3b6720e9af42d93f7a8f214759dd63ca2d4e167cdbc904bf78f5198e2a698b32db214796c020082541dc0c8907894aefb7c48143

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEwUoAkU.bat
Filesize
4B

MD5
844fc3c9696ba97eca93dbf03b48a138

SHA1
fda2567650b8a9d353a946aaa7803ea7b7f62091

SHA256
2dde4bd13f4e39a786e10c3e27008b5ac35ad7bcf6d978d0c8e5ac8b3fe9491f

SHA512
9a6ff9af4643411fcbb5d5d3b24e1e95232f8a2749248dd908633c127b943985932fa2884d784c722fd87d98e38a87b5614ceb88257536cb1cedcd18b6aace99

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKcYIYQo.bat
Filesize
4B

MD5
d793bbf119b40e33ccf697a46c54ea6c

SHA1
0d5aca0b26d868f291b7001dc9d77742d0358bce

SHA256
5f4541103fd697b1520a0fc672a64b75e5f1d4cadac4be0984815f0104b4a34e

SHA512
7d1e24831dfa559578e22de9e8972dc160fa29a8205ac6b50555f15b99f31f239ae64bf549776c14edf0704fdbed9dcbaa42573dadb4b849b37a77781ae7dd26

Download Submit
C:\Users\Admin\AppData\Local\Temp\JesUUYAs.bat
Filesize
4B

MD5
b96a0a61395bbe5d39944fb25a0465f9

SHA1
07bc3162039c9dbffd46a693db4e7786d45db4cb

SHA256
53de023116b60d212e225d4a176ac0f43c6a66a5930f4b77be8ab5aa7380af6c

SHA512
d3054d55f8f187f855e2ceeadc1c47ef9ffc935ec92bc70da3dc658d27922a2dde878bdfc7794b1c143bfeb3b8c4ed3f615fe156eb01b1a6412c63c273e1b127

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkgooAgI.bat
Filesize
4B

MD5
826d58aa99f2a35898255a6a2b1c6f6e

SHA1
09db80d9e9c01336f600ef9d0a8d34f78ded0124

SHA256
93b639d06d80696a46516434655c5355aef89c240bf870cacf42a8fad595a52f

SHA512
28ebc76d621243bca97e1a355b9631dd8b691f10998f9787a1731cb031a6da54529971c2240c89df053b1942df5a6a67d77742be6579ce426cf25373df56e241

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCwgEcMA.bat
Filesize
4B

MD5
225cde6613a47726aa4f5996406bcd69

SHA1
f4584e25204e82f197d170c9bc484dd373447c2c

SHA256
c78932682d8614e912496b547d2d7df5abb29dd9482d849ba1e8b8e6394989c3

SHA512
71023d68132d0cef5b2a4ad00a4d46157855b8f7f0c5bc52b2a4c80cf879472ccf1a286f96f1972767510dbd714f805a64ce55adbea8ebd312b1da972a907b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQQk.exe
Filesize
238KB

MD5
7c543ceee423c34403737ba49ddb1968

SHA1
7864856c9cca579cf94e60866ebeffe6d8139cec

SHA256
27ef25d324817aff284c27ae9e7af75a3ae4ef7709914cb9782337f81857c8b5

SHA512
cc87141b297d9bc594fc1d5bef90b862611486fe639481c06292a21c8882f51fa2f23d9d047a970ef51cab1422aac503f7c68f07090e967ac2774c5902ec2b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcEEwkso.bat
Filesize
4B

MD5
66e62c0abfeeabd9ad99de532dcf8462

SHA1
789a0982031421d6cd6dbde49280a34c58169659

SHA256
d62aec310acdd6171e4eb8200d7df0090e522e579b2912b8e077fd3f3dca1c3c

SHA512
d5100f70de820fe2c0ebbf0e4557b3cb1c5a922e8a86213b28fdd9faab2f42b244170c2a4135f2e3e92342b67ebe4573749f7f3438dab26fff181dda0f2c60ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkMckgEc.bat
Filesize
4B

MD5
55f48d90f65cf62c061f264a8c38a5ff

SHA1
65514ec7935770e149d8ed0b20308faac0327e09

SHA256
2129d0263e50d279e3c21ff0b9140b4955d91e63839d0922a5d26fe41d4c1447

SHA512
95954fbea7f1847a16240b4aa61c751dc844958662ec2f30872c3d02397a21ef5e49cdd2dc79e0ac3fceb80b76cd893896799f04af534f20fdbd44d0b90a5a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoYM.exe
Filesize
957KB

MD5
add808bf65967271ad48324141d7cc35

SHA1
dae37a4b4e2e46c95b0ab401e1697b3cb720e6e1

SHA256
7f704d45c6352619447a04db20d7a3554cef447d639dd9b327197d194a953e0f

SHA512
df0fd78aa19957e0b7efeb4370d54e820e0d71b91ad2685d055ca7558e0e367faf98e394bf75c346da243a34569a5c4875b5d6298ae807c6018024381a488ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksci.exe
Filesize
526KB

MD5
95d02471714fbb3ef75058eb4465c3f7

SHA1
f75f87bc831fffd8b3a040ded574909f33bbfff5

SHA256
ac80d6bcefcbdbc1840ad7209b681ca85b19d143d6cd2230adad46604c146a6d

SHA512
71c3543a1098e693f488ef609947a0d703a5a51efc11415dd752fee8fdd19065b13552bc0d4a247fcdbd41ae249e05dfc878569260384db6e0158a109461bb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kskm.exe
Filesize
242KB

MD5
7002801a4670f82da7ce8929dffb2d01

SHA1
62e8fccb8b243b7421965e526288f912ec5321f1

SHA256
99d182538bcb553cc82d68ad86e16839f6e881858d8de2d7b770c2a9de0b40b5

SHA512
fd0148e6dbc7cfa84bd2a1c7b7c25449feb305efd8058681928c8256db760ac937e26009c6212ac936e70e808614184e03a7fd0a85a52371ecf11223b84a2a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGUYUEsg.bat
Filesize
4B

MD5
a3243400d58b8595355839e6376fabf6

SHA1
64bbdcb8e91ead9d0ec1218c8a96475cbec07483

SHA256
2793702969c0ea0dedeb74a4006eda7b164335a951d6d6a543043c86eec3bafc

SHA512
77717e075d7d3195565422e7d6c2941256b0af5fff2574b2cafac24871c029b102b7ec2d5b7d6c849c19fd36b5651d7ac4d036991a34619ccf6a927293157b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQEgMEkQ.bat
Filesize
4B

MD5
3f26c1207f4d58f625ef25c307372e46

SHA1
1a5c67e9853a0f742998bbf588ca7607be87e4c4

SHA256
57320f159cd872661fc053f4795f485acd1ec9836dfc8c1ee535ea47eb17f99f

SHA512
8b0cb6b9fe6014eea0824c036e3cb9fb952e1919595be329f667c4a8340a634519fb81784460a1a4244ceebc731c99d1fd3eee6687a8b83c2738fd446afa15ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoookMYA.bat
Filesize
4B

MD5
80515796484698bd96eb68345edb9279

SHA1
347540b44a447b1272455c3c68c6af40c2f0c6be

SHA256
65b17661432caaa28667ddfeb46e5f2cf56bfbd9ee1a6cdaa53c87f595adfcf1

SHA512
4c5766c16b74298b0082de6c234c19be44e478dab74197cdcf1cd7d35a468e3bdceacc924aca23499583e848dcd9b65fff5c137f54346ce9c37b2bba0eff814c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAQe.exe
Filesize
194KB

MD5
53aebf254459623b340e945e8ed2a4d6

SHA1
3b7dfb3d66ef7d897af302fa77d7212e1de00ff4

SHA256
1ddb6b3b49dd528e6892af4c21c045dd6c3cc3f70f354c705b89aa767ab8217d

SHA512
f0e58ed42f01ed2a65284d6d5a3aab7b130b3e5884ed34a37252a472c83481ded16e9ffbe48c67be7f13297d010a7b97ac5d94c5a09238ea8e3682cbd4e4e16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYEsUcQc.bat
Filesize
4B

MD5
74ce2e57d924287b1b90f0ea1290d851

SHA1
472d8d7db2cce86d887195bf5560c4131570927e

SHA256
693d81575becc91aea851bf32b540b2acd47661fb104badd0e60beb4784632da

SHA512
6e4943cfe74666a22abf3e3fde6f627bae074f3fc143a14064f13f6b534909e7b1098a473f2137f554834d42f940ea0e2881f4f311d2fbfdec8033dd4e57120c

Download Submit
C:\Users\Admin\AppData\Local\Temp\McQC.exe
Filesize
195KB

MD5
af115a31dc10342cbcd6794876c232e9

SHA1
dd76c17a98a9acf5276145dbd339b6f003368957

SHA256
afad41197ff58f6803ddea2eb6a02c0cdc6c5bf21b7ae381cef705e3ca34bbe0

SHA512
3dabeaa7b14f18dc62f85ef9a1c8ae2d15ba217effec5ce3d8d865be65fc09944c59d53b3b5db9d7e6a450c27519cac809166d6f2516292f911df0eb4b00a669

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msck.exe
Filesize
235KB

MD5
0352da089d5de9ff614cae7216f0e6d5

SHA1
712a6866714ec2f46009efcc2a973102046b8dfa

SHA256
d7377a2bb2772d457fa40aa44ae8d4dc24b0d71fc5520d57f36f837cb603b7f7

SHA512
05867481bdb45f9ea65898afec9ceb5ea8f21311ff40dbf114aeea4f4cad9f55863f94c8ba95494cb0144d2209758407f8e52baefff86831b3bd2ddd4a19c1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsoY.exe
Filesize
238KB

MD5
d40647792fb2709e5162bd0759a23087

SHA1
efeb5e2b2ec52b0eab973d2c03a6e7ddfd5043a3

SHA256
6b0295ada38883b20004db0e8ad1fd7e9a5c3a6c55cc2f46568733c8081e3f5f

SHA512
f0a70228a3149582be99c6cdb7dad7ac7c10df1a9f2303919ee9b1419f374f8313a507c1726590501df948bfb2bfb8f7d5d1ac626e2f2082c5632fe0974996b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAwYwMEk.bat
Filesize
4B

MD5
5a100fb74bde2801d7015a3749a9947e

SHA1
238cc96c2443d2869e0e6d51c77ff7c7e331506a

SHA256
9b0fc5d68a3a828466e9c1d49656a0d66ebeb701bd50127b663359b68b2783d1

SHA512
58ac9e98603ac4449fc22c0cf83a10142a55988c3a7f35c3d3028bb524957f677e60211ccf21ea4f73ff95dd684ed0d6235188b32f233919810f71e484662c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkEMQAIA.bat
Filesize
4B

MD5
8356fafceeb1375f70e9e50b82c045de

SHA1
81be5273ed2cc933be4c6f4ef0ee8b2b14fcd4a6

SHA256
947071c82c7108e0a3bd2c29f5b5ce33de9bc7b6f86e6d25ac629f359febf143

SHA512
8a6554f655607205fa1d6e7c2905836bc041d69ec0a3695e1677b6f1dfc0e68ac1a7b4723ad808978845412c710c2e7aff017236bc92456925eaccaf8ab8d61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NmgUkgwE.bat
Filesize
4B

MD5
124b1aab58ac404c398d453b57b475fa

SHA1
f4c4f9a82cfaf56996b12f03cfb8f7b4dcf2f149

SHA256
ae7666fd07883e25753ccc5a154b4f791e0f12f87e6c3b5f7dcecea09433d1f0

SHA512
cd004d31d58fc71a3362919eac91e63c9cceb04af6b8371f866fc58db1097107095cd344ad43ae754aa64a3013da4dc0164626ef3e7c3303ae17dfca8449b33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCUEIsUs.bat
Filesize
4B

MD5
e76e4748b423f76fd656a3f7db9ce1cc

SHA1
516a5faaf10d943e9c46d853a071df10c5fd9003

SHA256
892fc4f220c22288e51f57048dd4ae87c644c37918158ffab809223c6413797e

SHA512
b24b4fda1d03aed51ebf90f6d538c551bc158074ef2fe7037c9a58e5db75a36ce92affd76e9061af7b24ac8a98b037bb90e3d5802890d7534a0be6a7f375f839

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEccscgY.bat
Filesize
4B

MD5
dd1b2821550e8098c61835314346bdbf

SHA1
eb5defa4c24fec1a0f8f1af30ec80d701f982d0c

SHA256
352fc6e9ec944bd9ebde3c233a45b96943b5808a510ab7e286c83bfd1ce54406

SHA512
9b865706e4235d8ea6da23afe2fc9bd11bd50867e1cfbc79ce7b27027e7e29d80a8c2322c4437451ddc07fef17ba65f9a43c3b32bde5505503df56f6d4ad9cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIIU.exe
Filesize
251KB

MD5
121e7ba53a7b96b94f316f7bfca40cd0

SHA1
3c86067183fc435b017a626375fdb323c67c44d9

SHA256
249f85ecde3ccdb795b21c282d17b602ebc412f36abbdd782aeaff38cf20b6f2

SHA512
94833cf9cf6751c89d6b0ac29aad91058ca80ed4efd53effc5094d7dadd7a69e09764d94bf0f967d142f7b5269363b5df783bb102c3b3e26ca75af4c1f0bcbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIgk.exe
Filesize
225KB

MD5
4252642eea848691c5f5a32f51a751f9

SHA1
7950ae325668172abcdb1441d1c548f410a509a8

SHA256
531520bcd9fd7fc730ae0fccedb2cdf0a9f07051429ecba19a40a9ebdc169d6d

SHA512
84e7556e9c4582a6cf2f04c0ff91ec8388a6c7614f4cc78d5d51edfaa45f27dbd77f226f013b5a4617cd7647b677a1922c8d3e96da83c0517091b6684d8b6c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYYu.exe
Filesize
236KB

MD5
55d8e522cbde70ae16349ef5100d0bc2

SHA1
e2b45c77f4e0da7f1a96ce7af4d899a989f6bdf1

SHA256
024bd1fbc3d8c868b49237e0f777f280ebf6e966e2a96489cb6910443ba258ba

SHA512
6b63bf80c4f988a0947228e28c63ba6575a6a8ecdb7b485a42d108f725be8c84fafab47d70bb2d8ff49db938574acacfc25fcbfc0febb041a498cedcd99a387b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oggs.exe
Filesize
226KB

MD5
5650dc875f6da88f6c1f08591729ecce

SHA1
0f7f9dfcbd9fbc8e0a2248b2373518bda5b917d6

SHA256
461effdeff9a024c8a89e8297c36d2fd3aeecf0b20993e70a656515ec12160c5

SHA512
dc4f25eefed2686e5d9fdaa95ded2a885172cfc2c4844c77996b7aa3d56872c74ac933bd8d72711f939fb6a6c79c69236391da7429a94e176c6775dea87de797

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMsccIUM.bat
Filesize
4B

MD5
ad52d1dc6a7ecf0d50ca695a62bfce96

SHA1
4bda5ce0b6a27c93f3b06d7a6e8dc1653a25d63c

SHA256
fb1803e5bafbc15437cb8f49f3e9b37512853d76d3060f2b128df62c6071848f

SHA512
46b6bf8fd3ef961a6b1fff96056c42fd4ae77f15cbbafbae74dc8886d7292d05c0de4bbf788a687da7d83fbd0473233c957264ffc716655eb6cf8f5061b029e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMwi.exe
Filesize
992KB

MD5
d169abcb7da675b90640b3006ec541fa

SHA1
fdd37bd7d2a77dfcffcd64172462bd7daa9b15e7

SHA256
5f8e82f6b7361124eaff6e361cd1f63115b1129855a1c35d3b57e3b650b85087

SHA512
e52a29c35b5fd33d2927c1e318e10c1afc8caab197e2dfb36f85b25f24771b78d8546fefd3c3b9117245379915a6825af14874e93278f511ef9526ea97a77e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQgU.exe
Filesize
236KB

MD5
d2ebe07c009f9d38b5c2bd5b065f869b

SHA1
d4639088add81b4c08c251b4a83b4a67060000c0

SHA256
0e38266971dd52224ecabe45aa3479ed40d7df186ea088d91872b73b572d0be7

SHA512
6cd454d794331be81d797e07e71a6384c5dd897dee370d457a62262cd152f749f6318a4e820f9d9b2b47dfdda3c3c4a3a02e6b2ee63d20e9c62b30a1c5eb9f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUIi.exe
Filesize
1.7MB

MD5
a15a6df51247cb08394f788883dcd026

SHA1
dcf8c7b793e45ea0d5afc66301f6cfa02d4735fd

SHA256
61ec613279a5ad10c8d12073ece54b1e5824de89eca2f3d05174b510468255ee

SHA512
4b2723fd395249fa38ea8765ee9e2632627b2017fc064c1685d7d74bc18a2735d1a3e06502887ee59f8c9607cd597b0033301fc3c64d1ea7346c04aea6d12478

Download Submit
C:\Users\Admin\AppData\Local\Temp\QckE.exe
Filesize
181KB

MD5
8c832b8e747c7d58076da4314094d088

SHA1
374f5b00935d7880d6f79654371815e46082bda3

SHA256
cc6378eaad66bdd75e752ea70d6798d2f0d985864cac6d97d120bfa78eafeb0d

SHA512
9f29ebc3011d385c7d88bda8c08eab2820ef209f9cf98b796b5cedb2b591f92275f7efde7d441247f780174439e6b36d8ec231f3011e571d1f48b1948e44f09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QesgEAks.bat
Filesize
4B

MD5
a7de2cf3bbb6f76465f767d00793fcde

SHA1
fe35887e915982a3ccb87c5aa3a0dc275b61b611

SHA256
5f532400ade9d2a085114dbbc2d6ca84f40f711015101d278984040851829082

SHA512
d4dc5d0ba2552597ecc45f9e7ebfa45dbacef336f06db646cc63f3b526ab148b99ac559d987e736be5d01f21eb9e047c7377e1f9aadc4d48b21a60370775085d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QosG.exe
Filesize
201KB

MD5
07a6b720b3765c2bfbfb2670d8bce398

SHA1
d42dd8733d133e6521dc83909f536855712fc312

SHA256
9a5bbf1c643a1acad4126fbb80830b4be056f886a25906c4c9d155651b697ff5

SHA512
b0773c43425e32393beadf538f732e9b814fb4315674a1028e0f98847d874634d788e66798847caba00a95012f856336721b001b477fd05bf96f399bc79782de

Download Submit
C:\Users\Admin\AppData\Local\Temp\REooUIcM.bat
Filesize
4B

MD5
3adf938eb3b6faf43ac0c49a5d0ae770

SHA1
960d42ce23d91d39d1611938a9c13957b4e8cf0c

SHA256
55a174c138352bc1ad88fb92ac1ea89004dc39eab6434f8bb120994faae8bedd

SHA512
b103109f1105662185be6785178f3adbcf012d31dad057853dedbdb30ba37799192c9876175e05821d35766421549560118a8e508fdf3073c0f602cfe65eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGAwcYcM.bat
Filesize
4B

MD5
a67b340e13a8bdf9cb0efc071349c4f9

SHA1
a0ad2b593fbdf828ea18ea8ffbb9e6e32c8c009e

SHA256
340a35d932e46fa981d393ce9eebe1ac940e3d87700cf20a2d7e390577a934d8

SHA512
ac85036f292a51a2592d65f518db603572d65a7a4f05cb2d624ed4d416811076eaf9aead38f2adbb120045a98a9b913d067ecbd18604fd4cdebf1a1882845feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGwAIEgI.bat
Filesize
4B

MD5
6272ad64ea4b7176978b11d2c88e64af

SHA1
d29fdefb3bcc4b869403b5e620cd0d3ee078332f

SHA256
19a757ce089d4cc07db4dc9b613cbf8c3dfe00afbd4ebd2a121884def50e5339

SHA512
b92f180c00d5f3a492563c44352b14e5338f73dd74339d9b3df51094177e3e725c02d5e2abcb7dd2c74ff33814b027892a05e613cf61652b2be543fac3403b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROoQAcMc.bat
Filesize
4B

MD5
c37e0ebf77091e32d24d71c618fe81f1

SHA1
fb71887b3adc744e9588693f3e254a6da77831b7

SHA256
55921aa31b67a1c5d5f0f2062ed53aa3c59e1e4d65c5772be5d7f3604810c403

SHA512
63c04005a51d8ea54d7395df2f304855d3c82c5b806e1f4742429b195de7f9b230dd28d89c3d4ef6fc24bb337072eb4b05e109856f8c95cb7ea7ed4779fe79a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RioEkYUs.bat
Filesize
4B

MD5
5c3e4ee1894d32bf68351e49b446d342

SHA1
9b026c985b8850be1e0084657af9fcda44a8bd0e

SHA256
06785420829b0c1c7cfb337c54b3909d4835d4f84d4309ee1d19066cd2e064de

SHA512
f79106ac4320bf1cd8ea1345782ccc883ab1164a76c2334c32aa100b4fcab0ca1d203887b859d9bc57a51ddb719fd1b13cceb819f1285a6f373b7325a0807592

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwIwoYwM.bat
Filesize
4B

MD5
7390f142e96f18ae7430111558e4a0c3

SHA1
e2d56cc4a9880be89bdc4d5fed9838a4c790787f

SHA256
1e8fb1e8b613233fdd4b888ed1d51476e09cc8a0d76f2db07554fb90fe72277a

SHA512
b618cf77d20f72db476c69f0bab91bf1a2d75fa6cb22d73dd603a3cb06a4864f5ec8a65f10dace3e31010b2c57560607e170c3b30952a1303ad140d9bce12fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgy.exe
Filesize
243KB

MD5
7f4675d22d6c52115e3cc1318e3b68af

SHA1
10bfc599f5b3727e35776c7872cf151444b89a9a

SHA256
93acaf1cc50df302ac0907321a5075ce69d4d0400854de2d7bd670fe250966d2

SHA512
bdb0ffef6ea8de3eaded68fa3751bed4cc8457604f64326d87635c9d81616f8091ee3825be86b5bc5968f630d47458c66fa602e119cbfeb4107184be18fd2bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQgY.exe
Filesize
217KB

MD5
884cc813b998dea18752b76e0f82edf7

SHA1
61b388c2a01c30349c261f95b8adc7697dad8adc

SHA256
45dccd6fcf29ca5510a3ec9856a67672967baba94183bba7ad6cd3a45a36460f

SHA512
ebcfb3a9361998c6e625926bfb24e341380af995848cd9ae38677c9dd84705be81788276c49457bed90789fd965f3e90eb79f124156e526132504c37109dadb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUgG.exe
Filesize
1.9MB

MD5
5370ba6ae80ceeedcfea12140eff30ee

SHA1
88b04ecd52cf0ff77d734dc946b5d4db26475eb8

SHA256
645ffca6e7f8a01578b08b7edaa405af06a957da2ee109073e10133c16f95696

SHA512
7f5f941289fe8377ba3e3c4c3bb6be6286f642a6f23bfd94c6686e9fc2e12a1925935aded2a673d34ca9da333d52bd8cd7c0122e8eaf03b547f7a9b5bee02d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoYO.exe
Filesize
523KB

MD5
2d674c977b89ccc2199c9e32e3de18ce

SHA1
1e58e058cf84c95ce46d148f65d7f392ad47da84

SHA256
b7cb6a7443d2a531519f3f4b4424cd90c0570b3a432c237c76868f9f86ecc899

SHA512
117de5387a1659a6ba27d2e9284e514bf221975814afba85a13f47eee69c1619f199723453dce8e198d9f4fda10ce1d207cbe6deffad88c7b1c4626decfa477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SyggowYw.bat
Filesize
4B

MD5
af1110da1109bef528bc08c436248d36

SHA1
877e86cf6aa83bcd0549e8ebc3fb6413173551ed

SHA256
541efb55ed54cc66fb29dcc39fa181f13fae81f8aab58ae1e5330c1bcce3364e

SHA512
df068e1d53219fac1dcbd5ad415552e9ce5d05c64b3b1990d8d7aaeb063a2dd7f7749883d352b9cc3a5e7f2f9d1c5dd62298c71d16303554f9eb737172ebcbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSAUoAgg.bat
Filesize
4B

MD5
05014a899335eebc402f389a0b2a2ab9

SHA1
1df98f550546571dd8a3fce15b80a3c73907a50e

SHA256
3ad8939e6369c9b9ec415e8bf514b09d9d7a0a8adde87c5d23e79f395ca46174

SHA512
91c47d5582c9f638f64cd2820c39fe17a8e218c3f3692ee121cbceba8e830dbc02f4aa7c549c7f16be0de8c7ac36c37339c4f999ead95824df2df67583476d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\TyAEMIAo.bat
Filesize
4B

MD5
c7277054e7cca009073381dc1a1c8fe0

SHA1
7a59fa4fe077939ccc4de6f534c64bb3bc353327

SHA256
11be8feabaef519d2e95de493cbddf1a9eeebad73328ec191cc3ebe01761c9c7

SHA512
77bf280c311d155fe73fcaa2811e9847d6c209bc50e069bfc2ff284585cb8be9b1be9a9c22c7ed5c0ef51389d6acac85a64ddee2475bc21a0751a9bf19662c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEgEQocA.bat
Filesize
4B

MD5
d41e1957abea66844a17bb386a421d15

SHA1
8726f04a8aee2eb5a5c8e4b2d3d2c28ee49f79a2

SHA256
0ae2446ae94d532f736cf6acc0e702e616b35dfd2dae11d31e07f8a4529ac51d

SHA512
00e1bc410fb9df3f21cff66c2789d46423f01aac410336af7754e351f5fd936abd3d7e88caef847bb46f490cc93bcd0f76dca09f610fa6ad13cdab0dd7ec6b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIMA.exe
Filesize
248KB

MD5
71343be202b8c2df61385c95894fabec

SHA1
5a1c42725ccb72f18b51bc9ae91e336694b0945f

SHA256
36b4880e247f75391d6f167ed891a65695f0d3a845f20d45d33d4b85cc4cef01

SHA512
66bb23a31b5410ba90901035cca2ed79d9c03276523e4da045bf9433307ce00d337ad9e3ee79015583b81b9aaeec94fb3df545d9bed821f5e6c7e86b63af89b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQYUwMIc.bat
Filesize
4B

MD5
ceffe503c7adfa59a44ef38794ad394f

SHA1
969eab5efb1f512364d20bd069c5cb9208993adf

SHA256
a82566e331d70d372b3aecbbbf1ff5449727c1268c1600109cc7fca0cda8ed70

SHA512
703039b85f9ffacd4a3ef507c9461b0b7c46a3e81ddcca253d282d3d147ffb7fa151450f14022386ea2f049c64679a2f0ed2e93f2892d042afb296aef5b4516f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUYY.exe
Filesize
211KB

MD5
f15c868230b44890920cc0e30f0d5086

SHA1
1996460a549b1021f9a0a7f0aa3098a855452331

SHA256
cc4bd3ab63ef66f1b41109d35af2060c414b59bd8c22f1d6fd5410fce383fae6

SHA512
045a66959831a8cc5605b01876020c0700640598787777e90d836099ad957c8286a9664e7489a8f599d6094554b9a48b1b8be56330ca5978315490dfa72bffdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWMkowEw.bat
Filesize
4B

MD5
7315c0309acdb1b21464c8d51f1f1312

SHA1
885e0291afc350b387d8f48f4524a96b510e198a

SHA256
e3e9f33147efb498735c96d309f64903c52e5977a4b4c12b7f09e5324a6e07c9

SHA512
f5953e4995daaec8a4cac2668424eade0d87f8f59e4e6e230fbf0182cc97bd86f13eacae3f493ddc238e312b6787ddb787282256f4d1b8d419f62dd1201aedac

Download Submit
C:\Users\Admin\AppData\Local\Temp\UewAMQAs.bat
Filesize
4B

MD5
7cb88ad72b2309baad4856fa6b9bafca

SHA1
a85a1237486834c9e4792bc34e7023329b8c6d23

SHA256
d314ba520a4d4d5baa144edcb74980870de8fa94683a13696699fb23ec38b656

SHA512
66811e69bcda7847d90a0777315c23ec1ab1aefe885bc22245d9bc0439a834282817f52a9d45aa5600a912208d77b4be1b189a9515b4f092060d7dbb5abfd6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgIw.exe
Filesize
197KB

MD5
474a889c97dca9ba7d313686d554da7b

SHA1
18bd2c210f8ac351e29a9df3f90845a1f75d0b74

SHA256
abebdb74d58fc11cd05b0f931f0054a7751c525a1367abdd625135ea4e7eb2df

SHA512
bd2cb73c24c9cc1cc9d7b166133c6e74269dfe62263caffee443f03e09b583dd9abb83d9bfd14488505d980cc8d6c26392bc91881b911cbfad3a38561157f4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoMu.exe
Filesize
640KB

MD5
ee3b39e2b69d12dcd486fc570a1060b5

SHA1
e929b1efe4da8a15d9c19184e589ab08a773094c

SHA256
d3b11d95c5111416e294cdd6e4cf07a18bd07161e9701c264e963cc71c9f8bcf

SHA512
353861dcf9fbd20734fc2cdf02fdc49dba1577b52dbef8505cf400985639b2de4370cba577c845fb113b0843dd9ac10d623dc2eac5e78ec5a4ecea1773ba6a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UowkQcEg.bat
Filesize
4B

MD5
b594a5eb4b6422e568136b63e1b0a711

SHA1
d9a89ba4042e9326bfbd5cc40f0197f33d1fc55c

SHA256
0a754b7f4ac7feb9c8c963258e0e02ebbe12430e4c2f1a9a1137cd0537ef9548

SHA512
8bd4ef4485e166f415a74d86ee123f5d792b07bd3b7d027fe152e1244f9084463bdcde3ae470e077ea6646d2d41cca20864b4203c6f18e34d92bc97c42aa585c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwwc.exe
Filesize
8.2MB

MD5
ea3463756133fa4d4e715f9770f9ea24

SHA1
92b51abe38f0d64e10c7e71f1e5a9fe767d92585

SHA256
65b35d861ee67dc8a937ca8e4c6b06acf7c1a78f3d20eed1c3de1ac317a629ad

SHA512
346d0092a555c69f9815553570bed6e5b40bfc2e589c5d8c193996268d6c4b2631e285ad9c2364b5bedb2f62ddd77aa8a362e04ced0b58cfa4e7a3955d1a76ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\VogwwEwY.bat
Filesize
4B

MD5
10684a359c1e246ff5cdbb1967b6bb78

SHA1
2687c093b40779635c2c8c75f272a0ff6ec4fff5

SHA256
e212e2f7499910b2381da8b82daecf8b6e8aef24b8db4c2576349f6513328b64

SHA512
dab2fd6f8037f3f14de4d474f54e922de7c51780e2d061669618a321bb05d03bf4e7b883fafe052229a2747bad28c1b6cd4522ae086c0808430c5344edf54cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEIA.exe
Filesize
1.2MB

MD5
b5ee761ce720d415612ba82dd298a385

SHA1
5db8d85c6e9b3e30ff8dac91c54100150a6b91ad

SHA256
e3257cea99639e1290500b1c8b24dcf4c83ffacd7afcd4d2e8e9459df728de0a

SHA512
5d2b9b1beba5dc7b48b27423f2b8d35bbb95bff23e986f622deab519f1c18b21bbc90b3526b8e12a286094cdf1ee7681c0fdd6d8877769007e58b7627cff4053

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIwC.exe
Filesize
385KB

MD5
671e074fc4c73648057e37b3d2c899a2

SHA1
68c209911f22a0db614a8ab6037486fb6cb8a8c7

SHA256
c9a42815331ba73744ffafdce7fc8d911df104a68ba0eccf9316526ff74b56ab

SHA512
c0e41cfa0b1c18b05122662ce07f22617d28e0b0f31ef1ac6669c72352e9db92df102a0250c2026fe8aee2e5c3f5cfadff294a4ceb082e102ebbb05ae4099861

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMsW.exe
Filesize
479KB

MD5
41cec699e417a0a5cd3da2e7e4b7fc97

SHA1
f6d97a3ceb05c20ad836c91a144a7800039e4fe8

SHA256
1d923434814d84ba85cd89d7efebcc880716d4bd6a3bc0257fd345c63c7a3243

SHA512
84869b09af420e8c7ca24de71ae625088791c16e17e7d479eda83c8b32eae49a22b63e303b7c49cf49518b37a628421b8c0d80c00b7fc32494087cd839b21c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQIy.exe
Filesize
957KB

MD5
8bd0dcbb4c3b7fd2d61c561694f7caf8

SHA1
776a785933f378b14f5e8aabb030f832220f222b

SHA256
ce936d85d6d879e05457b18490f10b84e6436f4c944b980e4bf123745f4ad0ff

SHA512
aa271fa886f0418f0c66c173d7727e8dec6c11e31c9243d856d8d4abca3d67fc97f7be563add645efffca697461de9d6cd5c4d42215b3636e4ba442892fe20d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQgq.exe
Filesize
244KB

MD5
9f29b33223855367511293249c6f4e9d

SHA1
dd8dba8c69b8c2f57b86fa89136323e7340272eb

SHA256
cf4057031ab4a6738d9bde3db837195adc7a3020ab99ee700680f0cc181be7c8

SHA512
8fb90418fde35584e13777a601c26f2a36f01e818cd893ebb6bc8073e903bacd152c946f8e65246d7f8c70635ba16d571cd17c5635d742e572c91f6eaf7b06bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYO.exe
Filesize
191KB

MD5
76645859908c0c1a30971db6a4ea888f

SHA1
c253027f00305b9a44bf7784c2863da5779210cf

SHA256
720a363a4603e5c82aa2afd31999529c2273fd26a48f29cbfe797aeea8430408

SHA512
ab270bae6a9b811f294a3ae533dacc06eb1f397ac0c1d1f0a583ceaf3b2c95278a2fb20a34354a4d96daf21ce74aa2a918e0fc317803139c5dd5fe9e777936ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYu.exe
Filesize
233KB

MD5
2c54376223096ae17f55e3e72c1e476d

SHA1
285efee7f2f069566318fa631e954792f7445b41

SHA256
2da579d0c36312eae300407489046d2e13c2b2daad9e3166e3071c685bf5c79b

SHA512
64e6d91981f57fb79bd718fc47fbfd8e48135c0e3583a869f432902e8dcf5174d88905d304612b6214dc461d4286eea6f0f87333d369da99141e766f3d1fd23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwIs.exe
Filesize
182KB

MD5
48c9f0355405ac3c16a1d901521f6c9c

SHA1
4ccd9114583f62dce05f97632852cd4a1633dc4f

SHA256
3be6f3addf076b175e8692bffe9b18c4acdf490c75950d3c2edd3b4cc337cfd6

SHA512
e6730bdf7673ad1c49d36a05de1332c6697cf4b55cf1b1040ff93579b14be4b221b33c7792616b9642881af0cb6146c30f261936a6f1aeb6537b460e1ee8781b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWUIEAYQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEsc.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YSMwQAsA.bat
Filesize
4B

MD5
711eae13488a3e2ecd3f1a0b988aee47

SHA1
23388d8cb2439cc3d1d8000abc853dcab5626ee8

SHA256
34cb00650618f951608edd0fd764cb9010d90c970f78596e962ed410b842e47f

SHA512
1613d9b0ce15106b20ddb8dd3c7efc7930413adf183440bce5d487a64f96b91defa5413b90796b30c32a74389c9fe4e0495fc9ecab2340bbe7c74d70631e5926

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcEi.exe
Filesize
243KB

MD5
724a8750b223d64332959fec2d8da7b0

SHA1
e0d1c1434cdd9ebc58e81a0c38cff2fece31c5f1

SHA256
c2480565aaf4f4d8b972287b56746542b298716334e95101fdaea2666ee54a4f

SHA512
5f947a3d409951f9556286f2ec1d388203df56b3b1f9946e041f2ba294d579baeac1289246fb0d895dcdfdea141e42eace6d354a724f155a1fb1b9bb4ef4f874

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgsK.exe
Filesize
183KB

MD5
059d8f530ef374c9163212de4d66ef58

SHA1
87b452663670797bd8f1a49c2a6abba9d41db110

SHA256
a90aff3c136f389f12f0b01b3c805aaa0cf06fc5f109a0203fbed2b6bbe48ff1

SHA512
f8bd38bd6db64ce7efc843524eafc12f0404bce9495ab3c959f064027bfc8a41d42f1ab4339c7bfc817f661f2ab986d804e64fff115d7e58bb992b060c0032ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkAa.exe
Filesize
248KB

MD5
a498eb2a03385c160eb18ad98629b3a6

SHA1
b5952cc206b0e00db716e293b295de7c40addcbe

SHA256
5cfc8c5dd00d35c5ed570f99a5847d6f0f843d00ec8fec85345080926a6ee343

SHA512
46b2f3827b931ebb23f7b1aaaf957a8883c9cf98c2a0fcfcefc3c1660b5e03cd477bf199aea5b3d955ea7b4dfabd059b326c872166fffdf9fc5657d582c154df

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkgA.exe
Filesize
234KB

MD5
ae8b54b93b1f1d7d1dff918756676158

SHA1
e73b5fa8545fad7398b1acad5b7b10ca4574f3a5

SHA256
bf331b0d7597705eec6418aacb6ba9a685f79b2ad89b3d3e968fc725a3374794

SHA512
9358c1bb8ab0838b33ec924fd098433ced68c0f74b59dcf041b5c9e56adc070f44ef07fc7058827eb2f113274cd4f6269783d92d6920bc4f732b92c3732781de

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmAQUEEc.bat
Filesize
4B

MD5
7f471e7275b2362c8f3798a6e30e7586

SHA1
47e37bd2b66ebebde37ccb84743f12f4ec5c33c1

SHA256
ca54fbc88f0dffd1086d57aca4247575242b69dd3f6d8f58f0bb4c64e5232c37

SHA512
50b1844b0c8db210b11ec98b65fb27b3e223b866f5222bd54b2757aa6090ea2feddfc9199ea268fa84252840ae3b756e10578943e656ee41069e96c7c7ee2d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yoki.exe
Filesize
234KB

MD5
fddd29ee61fe84bc8d8ad0ce20807ddc

SHA1
c82b5c563272d7284ed804e81f3d661a3338f479

SHA256
6317ccdbfae58035a93564a2775448761ce6ae1679e29f7f70fd8a9c091f6960

SHA512
0cea8eb91d82575b1a3e85944b0fd6023a9a841a2039b110fe5f870b7994c7f6bd99bdeccc255a32bd17d809c35d394adb9cb6aec64d80d8ae7ecaa3cdf9b699

Download Submit
C:\Users\Admin\AppData\Local\Temp\YowAkosI.bat
Filesize
4B

MD5
30097ba0910dabd200a075ef894829eb

SHA1
814d203d522765c500aee1f394d5e152eebbe26f

SHA256
f26ae992c5c4a1bfb8a282d9365e93fe212b53d1db66d580fb76690922714103

SHA512
42ec1185bf59b23340c3154872b096aa1868f0a9f03b1d835b9221f7d936d25817b8ad07b887143958269a6df1d160ed04412ed6e94d20ffaafdc3607e624464

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAwsggUA.bat
Filesize
4B

MD5
45c395a963879937501bb98161c04245

SHA1
244a4b607979743b01c47288c52ae22c4d9a9882

SHA256
7695b51d476fc053b949b9f1906b736b34845e94e3144a101411c785941b7aba

SHA512
4a86cfddd6cb8367b4e65f305b41b609dab8c505dee8cea8dfd9821b783b02523607a2fd7544543b709fee2b68d5efb08b6be51de5de9a3d762f2e546d06ac24

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOkQUMow.bat
Filesize
4B

MD5
ce6f199456a5cdafa6019799ed20fb0f

SHA1
3c28b08ef171a46fcd61eb22a84ad5a273da13eb

SHA256
940aaccf4e91dcad2a9bcc2e27e02157935842b0e284c43d45e9b8e9da610ad4

SHA512
9e0e5a2d66c4632dfe1c92e4d999500221d234a8ecdcab4a97f13541f7920e5e9f7202aa6d44a7be09ea3f6626d406d44c1419acc720dfb293cf23effc66e009

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZawMMkcI.bat
Filesize
4B

MD5
e8415909719c28574ae9f95716ac739c

SHA1
006bf5934aa3f38f294f28d404e592576f839a35

SHA256
835275af59fe87a33207148ec33cb61fa0fb2f31d032e7044df0a657ce57de71

SHA512
f661720176309a3f940867faa57a29f7534abe26f3f7d5b606d451e7c4e084b03e19be09e6e42b053acabf54f4f31232bdfb641729a1f7a9a1630fb2576f9772

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMgI.exe
Filesize
806KB

MD5
d1fa0d59e77c8ad3ff206ca00ed0c3e8

SHA1
cb5942f5020565972583991d1afe765c10c6c6e7

SHA256
d8cdd7474c53c472282fea79a47f26ba506908fee85fc8b94d3b250360a2c3cc

SHA512
142c7ae122ae8d1c1cf57322e8f79663866793c0cec953e6d8e9c12a0448e2fe1f9f2c502e821469e73fbb52a3fa908ee96c84bf7faf3c34ca86be59f4d4c8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQsQAMsg.bat
Filesize
4B

MD5
66a772b0ac366e400bf7251c93756fce

SHA1
14df1e5acb511222d3f06b4c4b3e18330bc6ee9a

SHA256
5ea5d2649b86697d6ae62afc7839542f8d46e0894e99a10162ef1be447807843

SHA512
a0f923a1c29c50f43c0dbd2982cdc477197f66198f143adb4bf482972c52b1f160dfe19879838f0d247b3893461d67f930e9bc2ed2708b5fd0c3a5e512a109b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUMw.exe
Filesize
222KB

MD5
2db991b141ddc8cea10c1ec9cf03a398

SHA1
7285e355c918ad02a2d1a2b680ed7d161fd9479b

SHA256
f3e2c67d493d8211988e21c49c15862c7db0694450f48e0a3a130c5824f2c4af

SHA512
a8ca072d88e02d433b45a2b6691b80b7d450c8322f4c6225d002a4d7331602f84cb15f5e3c3f72e32a77d1a2c2f1b5c89ae8f62984571cff1eb1b5b1bb0bd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYokIEwo.bat
Filesize
4B

MD5
afc3b23bf4e2f46bac7dff07e4be8502

SHA1
ccde94b8dc2614d8aa1e53a8b34048e03d8fc16e

SHA256
cf6d0427d4defa43ba6335af92af54d3e6e40dd043d23bed010d33a226840ef8

SHA512
0bcfb6667b695f13fe2d1e6e39b110c9185322e2406cc7f0bc7b25713314a00897382e529a773ce581d94e68efdfed2f1d69471780aa1397ca300c8ff28dbee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\acsMwIAQ.bat
Filesize
4B

MD5
3d695986b001bf6b57225bf9a3e74436

SHA1
1d52d35014d91370c98bc58b7c3492d441ca6e55

SHA256
38c54fef5fe3801e243262e411f0de0cf6b4f49c54f84b644b940e30ed212056

SHA512
d1bdfff4eafbe3d09aa34c9803c92030cb36eae25d46f80ce78fb96734102021540961ec190c8ce2784f4c2aaa056dc2e93d32e3f4e4cb99d82fb820520be1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aigEocUM.bat
Filesize
4B

MD5
ec0d81801524b503d6038b0d40c05657

SHA1
c49adce133b7fc5728deada0df44d7f9cf3bf5ec

SHA256
0c81453283c77b75f1793abd6f257289a51d277eb50220de73bf318be8e48641

SHA512
4ea1dca2137a5d0e4a1efd13c997cf90fa42f3749054bde4dbc58b97c3be06bb2014c74072b876684b9c892cc23d590e0881ff0285e4080cdacdd46652c65273

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcMwIsEg.bat
Filesize
4B

MD5
416d28e1c56e7dc8d4c9ee55254cd50e

SHA1
f38cc84637884b172ae1ce5f36b5eced2c10ca03

SHA256
7586307b43dfc57806255ec2cbc6bbfd21b9941856a5c99b76e836be88b7fc32

SHA512
46e7bf94e9fa1a36e16690454b64418d9572da1862bc1c3fcf1464890d1d9152fc8ece448b2987462e4358cb828114f60f1de362a5136c82e0a23b54fddacbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\beYIggsM.bat
Filesize
4B

MD5
c8d361d52d3a5ff8a77885ae8d5837f5

SHA1
fbff7bf1bbe58af4037873f1488f07b18040dfcb

SHA256
4eaf7ffb0738999974164e0d5ce253046ff9c6e945b3128c7b4ea14cf21685e9

SHA512
cb20692a77050d7878472a0c5475f031e6f93ccbdead7109faefc37d4ff4abdb17e405d4951700bfaf36cf6146cddb180d38392e8fdaac25e58e8c31230bf695

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAQocQgA.bat
Filesize
4B

MD5
7b4d5656283924b7d9dcc85288f0254c

SHA1
9ca5487ab1b6860839b35ab13acaa8bac54f9386

SHA256
9a219ad68e648c33da99b9a60e5081a55cc47c7cbf243d0204b6ebaf7ee935e8

SHA512
3d916817b38d9ca19777f31f4bc7cbeffc50e2f8777167e316b4d0e33ad940b6a4aef8702f808035134d6bb8a7368ca1114c3b4f7d4f6e7a126ef1f394a63125

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEAY.exe
Filesize
773KB

MD5
343a0d5ebd28633bc8940870ca7ff6c8

SHA1
e33a4e4e6c4a3219d5168f224b57d8c45112a2da

SHA256
c2d4604d084eb6b82fdecec2dccc74a92639c72bc394e70a0e2d8d5afd71c3dd

SHA512
0cec0171c64cdc25c56a90613bed70b1bd8b985a8e89de1625fe1e5c34634496a490d499a62c0184923c20e834d60a3a2db51361a5188a2189cde20e406c933a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIAO.exe
Filesize
800KB

MD5
e52de76a220f8a66df0fb080eef62461

SHA1
b37c399c4b0502b58ee5d38df5f8eb36ba561d85

SHA256
5b2e1a5773096ed2eeb56ca0dd449383d55f150a8ddbc449031f940e5ecfb54f

SHA512
7eca694250575bc5a15a8b2030448d1c7704b762418d089ccc8804252584a1cf5110b0336826d45376882f2c0d5318320548936a8542e902ec03dc242e16ed8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIwIYkoI.bat
Filesize
4B

MD5
2509039ac9343963a655377bc6c060ed

SHA1
3bd9efd6cc4a96431f8432867f4013e4f9f2d94c

SHA256
16fa89de961aee2d24ad523983be9fd43ba321cfaa96436fa369109e92dec4e7

SHA512
3e6a11dd840d2960b75e40c09fbe988b1b93f5b1e40f334065ba6739a5e44c613806a65aab9b925f02f9d71715a042dda485e688732808abeffdbc361b64cef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUkO.exe
Filesize
392KB

MD5
925a5221351e18d0fb28a3c1d375f690

SHA1
986d7faed486774bc87aea15c52f0a59ebc5fc93

SHA256
338c1fbc88b2c7563e4047892c8b05d6895a7e9863f41a9a1cae9733eec192dc

SHA512
ca1988426e8009a95e81f22e265c85e763834d9fb61eeaf7f08156d9e68ee662c2de9bf389b28ece40d73468691e0e8ada8d72cc3c2a7b317f91e7b0b33a7f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckQE.exe
Filesize
236KB

MD5
9652f4118897743e7f9f4789a36a3d7f

SHA1
c9f079ed8ddd76df671630c25e771f7d244a9e05

SHA256
904874ce9b0bc2477da5aff97145fe66d706beb76dac93e1434e5048ec683bb0

SHA512
40893e19cf76406162ac84c03ccdb68844dffec81184d848761227dbff89f57586f034bcff834c9563e69f72d83cafa0df99e06ff8acf98932b3d98bf6428ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwEw.exe
Filesize
246KB

MD5
e28ce81babc5fc06735074cc56b1fe94

SHA1
121606155b0c158e72131b4bd925cbb9fd1b6f17

SHA256
95cc889f8eb2f1c987066cddcc98e65e76ddf755ef3b33724cb79334e6be6c6f

SHA512
23c96f015aa229cd4b3058b3ff5c6272c062dad2c75945e05c57f4ef53715714fccc1ea2cd8060ffde1a0b9d2a437529b687993e6b965c2861811f79d67e25ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwUgYMsA.bat
Filesize
4B

MD5
3b290705f8ea2cbe177d8d9037e70b19

SHA1
284e0f66aab748810973d7c2347781db7c71e451

SHA256
9902a42761af21e911ed66a7b3da2b43914bdc636e6c809a0633ea3cec4ce65c

SHA512
249a9426dc7c9970da5a859977a0c0a390e18c124e79fb2c2af6201e29741a3740bdc31d73e39f0eea2c3032792fccd79a6a4bcb6e85c32a2cf41cff45aeb507

Download Submit
C:\Users\Admin\AppData\Local\Temp\eGMowkME.bat
Filesize
4B

MD5
5d3c9d993c4d2477336cc7486dba129f

SHA1
3e2e5f29f5159ff45c00ef583805413a8aa06f75

SHA256
58355f35ef485bd60bac1bc50879f7caab5644295b476393807a619460bdb49d

SHA512
b4415aef8048c610ada7f35e0681e3b7cb8f4debf1020df30f4d5783390e0d2793b702be7165f18352a2361b78e94fe0fdf77de592c54b1d302039aa1f0b6a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIAI.exe
Filesize
236KB

MD5
6a39a1b23830fca8a217677fc5c21804

SHA1
471b95c94579fc42be8fea6d277e6ae3f6217a24

SHA256
b17e124d246f640575102bfdce176c11bf071e82b315082d7c2089a8d3d2fa13

SHA512
0bb1b5b82879393c21cb54e93de0eea8abc8337c77b98bea52a3970ae23ac513d199fc31932d5aee249d97e993a1623ea5dd35b8d104d3ce523437bb6d8fcf87

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIsG.exe
Filesize
234KB

MD5
23904d0e545e5d07cd1fd4346c822052

SHA1
baf0f2b2b4704a6ae54e6eb4805daefbc1b836cb

SHA256
f5edc9fefda23179f27d9411351ec04cabdb69c9803aedae886efe76b019f6d2

SHA512
0d7d11c3c833acaf43017080a57eba6677b5b3e6fdfe4de4907dd7c60e40d25294a96a31a7b63169bd91027624b30070a6b73d362697a51924dd97c1cc2c9944

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKwkssME.bat
Filesize
4B

MD5
db426153d3e7ee5b17ec665f3ff229cb

SHA1
c15724f1a6b81f7bfc6eb499d03d611fe8092c26

SHA256
e630a35563b0d9567d40996f03d312303102ef15965839278c1a40d3de9169f4

SHA512
6905bfe44b4e0efa938f1752d0c96af738360f453a4ff0e033b5c09186068f1fafa41eef7c06edffeab86190478e6944af91153f059b685a950a317ca1f22db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSAcossI.bat
Filesize
4B

MD5
71c4b48b4496d88b2d1dd6eeea4eb4b0

SHA1
82b017c085fbc1e73b2567ea7b50856db596b08c

SHA256
52804d634baa79179ddc583c3506ae80e9bd1b95713172c330c94bdd3800becd

SHA512
276394594790f33b4ea646095091dd4534b5b6fd971605f268f66eb9bda9340eeb3495b1835fcf9c5d2b1a65e25178fa64ca4d753523eddbc4803a192b1d332f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecYAUgYg.bat
Filesize
4B

MD5
906e94cff434e77f5bf705f5bc52b22f

SHA1
8c5631e356c7fddd3500515ccd0afae7df8eb300

SHA256
ccd01626f9af7ffeb5c8d78b2265d9eca84fdd6d994ffd36c731c46b05f83c3c

SHA512
a3e752ca8b335e385061924fa6fc8e05425f9f59aa96ae66cb2840dd24bf054e44852bdd71cc8222110c8e795d8264fe4a35d6e2f56b8fcbbaa9c3202159f8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecku.exe
Filesize
492KB

MD5
753cfa1936de25d761498c150e55c9e3

SHA1
916f8ec79616793bdae38fe4ffa5e17b2b6cf641

SHA256
a92b8dc9a949d9698999bf450b3a1d8439bb49f3901bc0abf806bf4b2dfdf5a2

SHA512
1c9d54c189c5b0036dc72c0742ab04fc8f052e6ead6eae475777e2511a0aee8fbe9f22f7f6fc97f715383b7d51b17a18914bb1a16d68202db00912ecdcc038bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeMkAkQM.bat
Filesize
4B

MD5
0446e74589bab61f4241d48662093608

SHA1
ae67a371c03e1373785ccff3545d637b97483bd2

SHA256
b7069c8ab39983b67ec2937cfa6b54089064b13ab89b5bfd9b91bf0350e2b28a

SHA512
472588b4d93acc545ceb8a39d1c863028b5e2570fe4ef2091becc55408f56b91ced88d4747d70b6f4f7246321bb3e0b776770bdb5f525cfa764cfa650030e687

Download Submit
C:\Users\Admin\AppData\Local\Temp\eogm.exe
Filesize
190KB

MD5
f75f66a0b02d0d0870389bb92492295f

SHA1
f4a26af48165bd778061cad8c7dc92979e60e81a

SHA256
3ba312a8f68805fd00ecd88954f975f01750ec61c256cea0a862579209166d77

SHA512
6bdf8830468372b58443fd0b485f64065fab27bf379a43936ba3be0c42b9b65f6141e053d0acbbceb6c25455b0033107b025c1f8f893a317e830b8ea8ec729e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eskU.exe
Filesize
315KB

MD5
224d8089ad79f83702dd29f56f2ff2bd

SHA1
c5239328cd726de358d4222e128ad4641abe79ef

SHA256
59d8d21b21350c0aa0abe5b6de6d843fc420fa25b872ed70264b106289eb30c8

SHA512
cbca2b4ab03c665f26b078279f3b5adb2fa6b4829d200ba02f04cad2f117a5efafb3b06840d3c2517f03e5ef0f8e9d9a1a38ddca131120aea85607af8836ea57

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyYkkgco.bat
Filesize
4B

MD5
46fa8bc72d05608427a54305a32d4958

SHA1
7777160123f84c816b01dd9cc51707e671c7ae27

SHA256
0310c36d7b272c77f3faf94a0482e3f627189abfd832150ef29e549bd8922208

SHA512
0e45105a832754c6f6f4b7ccda0a8b368f56d0608141d051958c180c24039ee935c07239d7197a6632196183268afa64596815f1ba1ea7cffc69886e5e600cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEIUswQQ.bat
Filesize
4B

MD5
a734ebc7a267054d76c4d3f857824b93

SHA1
dd331c4e8c743e44dc9fc20edfeb270215545142

SHA256
5ad9d183e75f9646aa5c670dee9fa3585dcf57c6e9f51b437b0b68e4bfc4fb4c

SHA512
29c127750acafe5cd5d8639100b8a6d7525115a4cfdde86f562a7b346987b038e59795a4e1fc7b8dd51f576add9453e76b391baeed0f20c29998228c30497b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQoYIMIk.bat
Filesize
4B

MD5
a48b86069ad2f6e579125bd12ced4952

SHA1
b3b3fcddd8d9998d4026df96e65964d202a5a8d4

SHA256
5de576358966b589d9a861edeefb56d01a10bb2f95ea6a04d77fb40bd92ed71c

SHA512
514d4ff0f356dec699cca816c7a378bdf2dc1848ce94a466e67fa4cd9fa345980d3c142c0e6bd7b4fcc8c427e7eb5b8fba9f9c3183716d701a78b9c036f6e600

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fygkAUMs.bat
Filesize
4B

MD5
008b623b8a82f9d8efa29d2fd99e5042

SHA1
68c53f2d4d2fe6aacc2c785e6dd49ce66c05a710

SHA256
e9330cfba6b37bb2d4c0df805cc46b229cb6aa15e066a092716f2b43abbbb3e7

SHA512
30f293ac8f9709ffc2ed280595ab54bcd81130b57405d1d8960b669a825590ea2da53365bdc3f03832abe763a0fa27df0dfe38c7cf054cedbb9bda6ecfbf1aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAAc.exe
Filesize
239KB

MD5
78d8cb2e629935c068de2f44cff173d3

SHA1
2cc69013a64e9e0315153e5bafc3a7ec9c21f1e5

SHA256
e4b1084c95fb2d2bcc7d131fe155bcdab57a7890220617dec24c63753b1b711b

SHA512
9ae0d9252b337379a1c9ab32a7711359750de29836eed5b56f83973b7c13269f2eaa43798e76c3113b6c162d98c7f56067cdfc3762655bb9a058136c6c1d510f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEoy.exe
Filesize
232KB

MD5
be459f8d64dd56e88cb84b36e8ab7f7e

SHA1
eeff8199cf39498f2e3bf3ec525d64426e8b1375

SHA256
831c3b3b7edccca591f091e2ce334631b2b36443a1d6ac8f9d5473a9691dea2e

SHA512
ef47514f9dbca4401eadebe65471741a9cf5cb0a3d1c9d0e592ef1fae72cf7e492a5abf4b1fac9b464f7b0f47b593656f4e2720be61a5f4b68fa988f4e98b5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMsw.exe
Filesize
230KB

MD5
eb92f3eaa43eef2585245b56932afc71

SHA1
5e7ad82cc26225270327dcd396223ec2ea5faba6

SHA256
40108b09d698ec6e8cac7a3bd3c89c3fe8956314d6cc8324227872fde68d87f7

SHA512
ec20b0ddfd54544a45870f58af06773effa24b06c8d0f9d203a459850c4d2c6912fd21d08e2808e84067927623fc3b1a4097a33d93030df8a7e3e26ad4edf8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYQO.exe
Filesize
192KB

MD5
0646c2955bd1d72d3900b622c9e44ff6

SHA1
f3437278c3feb234f019731b17ebd486f857abe4

SHA256
694389ac3eb20088a77d3e35bfdda508f022ba6140f27716581b3f50ca0ae080

SHA512
1c37ef4370bbbebc4c95310643c2f3bf536a1fd490174d933b4eed9f1f4c2030649592dd269d1911f93b41a03b09fa18fc3b7cb9ae5c63ffd2dc9764b322b1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYkQ.exe
Filesize
727KB

MD5
1c478ef80de56acd1fe67fff00ae7de8

SHA1
d18dd653b0bb0004d137d42f38d59100a23ff963

SHA256
62aa517c43fcc505f25d3f2ed660ba16cbc366e35c92b2f479719747acd9d243

SHA512
69866148658ff87226977ec0a6da3d5db0a33724ce7072a224e54bdae606866368f72e1a97e31eb15568f4c04deb1b92a7f89adb87a4bc2502d019108b0e6f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcsc.exe
Filesize
238KB

MD5
8e8111b7c6462a6ccca65efac9d2a0c2

SHA1
5caad284599075d6f01f4b1a0232869805272ace

SHA256
c418d955a55f47370ea70e6002081f8e483ee537eaa7173d040d9c486d2cb1a6

SHA512
ea78b72249665113f91770051bb146a0a1dd94f700e8060dcb4dcbb94eb0db03448782fb316890c767729121633d397fbb47ea39c92a2a7abbda3b2a1d52ecb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkMu.exe
Filesize
1022KB

MD5
b855229c7871f264b6d9798f87e4e521

SHA1
b10f86fa3a2860b2fd9820b8ecda1c56298d797d

SHA256
95b61f865bf22de6cda08a6ad5fc610d56554fcabd03bb8bc2ac6f7406004f33

SHA512
3ab4f705cd8003d8ea3b85b1b16c0917bb0150c2cfb07a283f633e6dc98683da6f986b15e34cf66df0d667d8cb922dc3bae9962068dd1d752043dc06704f4797

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkQc.exe
Filesize
825KB

MD5
07ace10f07f7c1880b520453aa5984d4

SHA1
5302ecc1fe04906f71f133c3fd48fc3bafb8bef0

SHA256
3198401ba63d12fed95da51b28f1b1c9049fb3ae803d5c91c1dd4f6ffa646bff

SHA512
19045b038d6e74661481412825ab92c161e3d53dc5ec248a6e4f1c774cc514a6849c68461bcc1202cafef81c7d59ef3c9ed3c6ce4ad764e0ee4368fb2b9f3f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkUi.exe
Filesize
483KB

MD5
6ff77eb8e0da5334723fc292d896ce93

SHA1
ca0330664ea3e6b06dec67d70cb22c7830237947

SHA256
3bbd961b55ec97d08a0d7d270b3909af995490a7eb74d2958678f3fc9e9cbe2c

SHA512
f5e1d0b2b258ea8d86bed31d5c0f863a3051d274b2739cd4e5bd9170ef7fcf3d68e5a15f92a061d1f0a9bd7e6e258257f5c1a5c4e736ad1c2b61d3d280303343

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkke.exe
Filesize
232KB

MD5
47c3e1f10e90e0f60786f39078cfd08c

SHA1
25af93e89e9ab2eb3c4b182f0f067bb4e50d006f

SHA256
d9c7d81940636cae790e971046c21fa3dddefeff031f9ee55fb51bd76fe347bb

SHA512
a154a5a187b50b951545cca8b48a7b076aab6cb99d4801c0c84e34d2e3f02c55a105397ea1da84c746ead2d79232a14ce1f878d3186c2efb3f085b4605cc792e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkku.exe
Filesize
230KB

MD5
8cdbb6e195444538faeb9c9106d7ee1a

SHA1
bb9d8cc77aca9393a8de3e22260d0f5aa22adb7c

SHA256
287123f2869a93de0c0620a29964d802fcfe381129c38c9673586ff006e9dcff

SHA512
93dec972460769645cc4392215a8c4f532790bd4276966ec128bbdcea4bae1b7eb9c2e16d2ad739020195f79de3ef3e353e4cbabd50c95c351e13ae305b05635

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkwk.exe
Filesize
307KB

MD5
af5310bba15e89b6bba2feabca4a553f

SHA1
dd5cb70e0161cf4e3607c73ee5d652f80b2461cf

SHA256
82909159bfbc32bb12a45b24bec06fa9f6bab1df33daa210b2c221f8b5ef75b7

SHA512
fa5bdc8d765f3005c174dcf1525660a48cae779e1ce7be5eab51f73034437289c3ef0cd9db6b01473bbe5fb58e4c631b302b29d5fc8f26f505c9b8621f6efca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAMocIoY.bat
Filesize
4B

MD5
ab528d1d86c0c05b66927891ac6962fc

SHA1
601b745835b978e035403ce058531fa5e490a59c

SHA256
35d225822f1ef2501bba7722561afad55d6642b3de440991d59ea70dfb52e815

SHA512
a1b213c8a2f665c7adf2511dabbd742b2e5c57c870e2e7a61ce72731fe104f3005d61880fc509b2f09c1012e671a99fed57c971b22bb46ce5dcc190065bfef4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQcYkgUw.bat
Filesize
4B

MD5
8670ae408094ecf023bdd684c74d36e7

SHA1
3aef25e997dd852d1c7dad62d4d06511e7b76de3

SHA256
ee081e2682f952df6f993f01db6613f34dc128eae6d4abbf12baedaa7e1e060f

SHA512
491b5b9734d2d674d848ece2f35a5031bdc7dc3042ac81655a2e47467a2e0183c7a098c8a6bea17afde0c0a83cf752029664d90e44e5cda2583d79b7885edd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAYq.exe
Filesize
2.6MB

MD5
449f006a2e2ce5ef9023fcad828e221e

SHA1
3c8fd7e3dd29f5ec02dbb2e779f7ffb569fe7c5d

SHA256
cc838ded8b9a573aa4561b9b82a8983e039946e6df42cfc87b5eb68063d4484a

SHA512
ffccc5cf625ec262c8f8ff44ec0cf2659954fe77c1618a907694e5a76a614ca897dbb2d15164c42359f4dc713b5698b172b20f9cd14eee876fa5771cf2d7a5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOwcIIsA.bat
Filesize
4B

MD5
ed3e1769dd9c6f1e375db871be309aeb

SHA1
2e5b34fdd17c05c97b1ef0946b7568463efd5138

SHA256
67a80ec486f735887e114a499b4cb91c7d17fcc39edee8e9bf5848950e5650b1

SHA512
10614b13f80512c6c0606c9b80d4f822c3080c30e3084b07e5849e85d67efc6dc778132faf1c186e24211ce21aaf225b1a6f5cd1656496032c5a48d0f040f840

Download Submit
C:\Users\Admin\AppData\Local\Temp\imAEMcQM.bat
Filesize
4B

MD5
e8dd4c05af6cb84c7ff39ca64a49a8bf

SHA1
b5e761d881c6ef9f7c300db3345d94990cc87e9b

SHA256
4dfdf3815736548879cc6e750f19ce5517f97c6d114e9d229bb2c6ffb5361cc7

SHA512
07b486acb9e7a7427bf78435d140001b49dcc71f8fd3bce8595eb9dfa720ced435c927c6fd79d809c6a1aca532d5a4a40216716247b63a4e692ddfd35b55e10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAksoQog.bat
Filesize
4B

MD5
2e7e0b6c6ce67581fdc9e826277f6c84

SHA1
26f60b0f7c8af3fe7b4278be82251b7ca7b917a8

SHA256
e40df0d2f69521723cc24c5903791e6eb86c24eddfa1afced0dea40e5350e4b1

SHA512
a0c90517f6b860104b64bf066a6f19747231f3a0b65ff0572589099dafd3a7be98275ce7e5b72a7dad600791cbe3cc4c138d39d38fb601d9f71bc646296c3e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYYcwkEQ.bat
Filesize
4B

MD5
a101efe7b6fefb4a71f4bccdc689766a

SHA1
44c72dce1fbe936c4ea9454115cb322b92abb038

SHA256
75f0059dccfce9880dc0c5eaecfa2ed992d1c4b371c0523af77971bafff6c7be

SHA512
8465e56da1d92959bc294d7934467422f1ed216f04aaba02413bf8551f828c7d265638d549f7da26ff6f7c67f57b0a47dbb4ee88d37979307946471f385df2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqsQQYgA.bat
Filesize
4B

MD5
719767d32cf0219db799618401701ae7

SHA1
de121d2abd118065f178ea8d837029215d1f36cb

SHA256
ad5f19997cd89bd796193d9aa2ee8a8246a16456071f6f19f154f93793092a86

SHA512
9a88c3ba8655543f17bf9a3da3d24532c671e7764502300d4d3c523bbf79cf5736285486d40e1b2e9353a78d36c23f267f566a15d3e7144e6ed54cb217b1da47

Download Submit
C:\Users\Admin\AppData\Local\Temp\juAQUswg.bat
Filesize
4B

MD5
07e30f18b6a223ffaaf617f43b7abc10

SHA1
161a1cc3d635b20a6064b538adcc200f57fa35d9

SHA256
89be33c3ef881b728b87eb4a426a6b98b129bb718f147b9a979bb5fde4d617a2

SHA512
a687ec5abad0e12d79e62771dacaff0e89ba2c4d59e99817ae10cae937eb756a02fac3d1164254e47b0f4340216b11465a331a0c2f93ddf401ef672583094ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\juQocMIg.bat
Filesize
4B

MD5
42fb1fc43154c4052c375581af3c422b

SHA1
363d70d4391d7afd832c5b5eb0d6e65d150da015

SHA256
01d1a0d808e70e97f72f52e22bcd64f1c9b828452a967be0a910bdd95e4922cd

SHA512
32122872bc6163fcc3a5dac1b296fc6576fab5a07646c3e5368a57b8951c0898bd0ae29df2139d6db258c56483a118d1c5f1b8ccbdf753681db214c05c524dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyQwUoQs.bat
Filesize
4B

MD5
624f3330dcbdbc33bd0b531b6c33def0

SHA1
6a72ae8718c11fcbfe51284bf0a197ce45dc97f7

SHA256
481772f3bb435f4e4a63e94aade7de34dc957ff0eb0ec10ebe5e5e4db5639af7

SHA512
7418155ad6f3a6ddecb358208f82f81aeff663f594d8aa28f12207ac41d693d3a433c6f8e815b0dbb1a21fd4aa417717712566f15bc0a97c81f2c1950af68a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyUgYwgk.bat
Filesize
4B

MD5
5a1e3356772d0042ad0bf9fe6034963c

SHA1
eb310973a5b859ca971b9516a909a84264c81ff5

SHA256
3ef1d4677236df8448cdf94e66ad7b4cded322096802decb215d932a12d0fff3

SHA512
adf55057b0dedb94c24432b751bf98c355c1b8a4e404edd4af9461cf9620cc49ff785f0f1f5f8e14a7a442ed4ec98957b3ae2cd733776d127a5198feb0fefa16

Download Submit
C:\Users\Admin\AppData\Local\Temp\jykgocoU.bat
Filesize
4B

MD5
8b7cad60f332493bf38c4d3861336d35

SHA1
e1194019a222a329616648d51e560ff3241fc036

SHA256
a0a5e47ff471b2cd083f72bf5fb0013594e82697aa215677f2e9b84af4236b7a

SHA512
a61b5c69ab0441f516f716d21d51572a408832fc2f5bf9cc3c2be8974c37e89503abe33615d909fbc5231f3838e97cc5dc2c3039d3b2a0c94d637000e457aa33

Download Submit
C:\Users\Admin\AppData\Local\Temp\jywogwcA.bat
Filesize
4B

MD5
2ab7a85e1dfe5d62348975165ee579ce

SHA1
f51a16657f380b2be18c627b7e3a257a575a1df7

SHA256
e247fd5f861f2d4dfcf454fe4a8666328a74419bbf614d779e9bd66ed49eb79c

SHA512
937b1609088596048e293300f7bb1fbbfa529803dc041a389c56f6ff62ddf23e1791162a284a10d4eccc7aaadbedc32e5c9cceedc75fbdeb262c3f49a59e9d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAQS.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEsq.exe
Filesize
241KB

MD5
bed602205228c435cde1426290be6330

SHA1
3d4f8ae0d0052ab086e49a72f807ef2e1ed098ad

SHA256
3093be4df7777a84cf7e14dbecf89c47fed86f40ba496776329b36c7c2dd6b94

SHA512
0a974009a13ed7ddb3d423a7e8b7f9051fb34fba8bbb0b020f9d1573120475dcb31ec2985176ab1720978af5572b991ae63e21fb0e80ec05074fe163bbfb0c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQcc.exe
Filesize
1.0MB

MD5
a7b2023072bbff5ba87a00271704de32

SHA1
0954beff2c49a689a339868afef578c15c5a558a

SHA256
58b942e3086ed67b178982fc35168928ec3e373229931b74bcb2086953a35d9f

SHA512
283b0ae11cd36bf5fa93b4ad307a54c28ea628bacb007664e6c31338681b70f3c6566081b07ecfb85d11e9c5b8746871453036ac7a14ecddf4ba87d642afa9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYoS.exe
Filesize
240KB

MD5
e9bea02dc5d319c7f3d0e9984260e588

SHA1
35e5c2c98fceaf9973270d2b6d655e8037615c75

SHA256
fe0818b9de14b87a5c8434e20bf8f86ed324e7bbb5a16ada50e424d0740baa33

SHA512
1216b8aaa4b5d68506a1e198f7c7969ea709f2864ef51b286c32e1722d9231dadc86cc14b76e58610f20203c6038c03321fa401f0f8afae44bd0e4984b4c10e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgAW.exe
Filesize
233KB

MD5
78e946523e0a896e89e118add91da834

SHA1
84ee45e00f6db51f172652cc0524dbaca5f9bfd3

SHA256
6bb25cc6e7f28445eabb4294d9822a5c1b467791fc595821498280bb68a9f15a

SHA512
2a412ec5dae3717b17372b4807c35fa2d57eb2e1b2258c1bacbe549d7acb4becca496022341d23a672ca9defe5f95ae16a7f006b2d03b43b9c46d71d175a6974

Download Submit
C:\Users\Admin\AppData\Local\Temp\koMkYEoo.bat
Filesize
4B

MD5
d8b8185120213baf5a59c111fec56028

SHA1
8dbec0c353bc90c4b9bfff0c228724350a07db15

SHA256
d2f5c2e2d228ecc343cbb3c218c3ed241d8321ee3d2aa9faf5c9cc1d7352b45e

SHA512
138609f5a8cda0f91f0a06557f0101f79dbb184d3177627304b1ea2449ac64e959f2594fc7f7651f309bf31a1076308f2ca1546f642c85e603a8690081a99707

Download Submit
C:\Users\Admin\AppData\Local\Temp\koQW.exe
Filesize
207KB

MD5
ff4d75a855bf663ed5cf0308a6c0ee53

SHA1
ef1d8c552ee31eaf6643db463395a1cd3b3ac58e

SHA256
ea5c68c4bb1fb4cc16eaf8f8dc13f51601645dbd10e499df2ad39cd4b8e8c024

SHA512
ce1cfc92c454ea344221f48cbf4746345e1a651f087d03ad202a67a3ee9608ab267afc29726de130b5719faba4885cfb6155098eabd805f276a13b993f1275af

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqwAEIIo.bat
Filesize
4B

MD5
f3a03a2b956680a475a158b1064527bb

SHA1
a1b56867849fce448d8d4549b4f921bc3662abf6

SHA256
df337992a3e49e692465e0a29759bfc9b191741f1c801b52a15d81e284875209

SHA512
467d83f9ab352767ef2ac2171e2e24a9497368a0a232ed10991e430bc0a3b4f8e0b582e0febb64be813eb0ce40947ac44a7304055ef124cdf1e3f9d346a9415a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwcC.exe
Filesize
230KB

MD5
ed3e8f18b4c3c3fd4d074bd3fb9bc369

SHA1
ffc76926eb957a72d75d405a1f47548a176d1a6d

SHA256
f7fc05bac4a827144cdb23ddf75cf09ac450ff6e8eeea0d8d5e44f8a7e47735f

SHA512
72c644e8952e11bc25d0fd9a0ec2454f663ec4592e673695d2dd6f56f62ec7a2bb447615b69e76ed57a8a97efe91dd7dd794b49588cd2f935a29700bf782c0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\liosEUQw.bat
Filesize
4B

MD5
92ecc0850813a306c132f33589ad7dcb

SHA1
284c1fa82a8fbe1504426d5dd167b7b913314c62

SHA256
fd266f20c163a4940fb48fb8c5d7e566032aab20d65ffe35805f041486bd2946

SHA512
fcb6397dc3330d5d30670a7536e81d403305708ccd142f87c0423166a9992202563bcd2123f1ab8606037d7d12c58361c1aa25f30232c0c6545ea63fee00ab85

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIcwMcUA.bat
Filesize
4B

MD5
8cac87d9aa9611d076b52820e0c447dc

SHA1
7d61eb1e7cf3644fe5ee8e6e80cfcc60e2a21244

SHA256
e1ab4712dcf29ec66cd90e401025892d0cd5be3ff8fa65b1a9e59c1ec7ca2457

SHA512
c9c174b5df9217ac604c41d6efc596822ab336226492365efb00d851a21f6815183133083f9c184294c097f2035347b810a306c48cdac97d094c0668444ad0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMMY.exe
Filesize
252KB

MD5
51ad7b78d4a4a2ae78a437bb659d4e9c

SHA1
545c8cc53122e55e8486a2d07a2a3a128f7651f2

SHA256
78cf584d569a8881885a34031327ae6a8fe0d7fa7dfb9622500f46bf99c6b535

SHA512
97948401fb1b69f65770ea2efe6415cc9c5056c74f1ccf9885742bcaf178128ee4fa62ba7f24b54716e8c60d892a7b162b0f2e73c7a3d946c3bb339ea98d323f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQoa.ico
Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSsAYwQE.bat
Filesize
4B

MD5
898845ba552a0ef03311372dcb35f5ef

SHA1
30f8ec610b27d5703a32a1a053186e03a57064a7

SHA256
0878f10fea001d8559ce829802b9560d00831874c27dfd50361cc11304f3d599

SHA512
43695c6a3e916b8233aa76f749c215c0589e21ec74e34e98460a70b7d934770027889e9e9a4cdc39b2d9ec62b11cbd7ad043dd381e9803ea7512d55980ce144e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWggYgQY.bat
Filesize
4B

MD5
271deec9cbca7252f9a4166b3558a206

SHA1
3ff7e0a6b5befb294eb9ab07e450361db49b6e29

SHA256
747a63a6c2cdbe100ca541794f5d5ac01215c00c319528759bafdce9ba5e51c6

SHA512
00b435390d0386abb5a02f134ef6f67504c7779b90469c33f5f998857b8f66b84932678502f11682d6659e7d03a813953d3f36414337e8cb0b1373894b05df17

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYUc.exe
Filesize
228KB

MD5
4dd5a3b144865db1e1869c57a42295af

SHA1
cc3b2a38e8ae569c1dd37315e5c3a3d5bbd62419

SHA256
b0b5eaff70d823dfe7ca04295f4d39f1c4454cdb6df08515ee50638ae7078c94

SHA512
025ba47733ab539faf4e1d10b0b14801be8499aa412cdf390548b2bc6d46aadf9edb85a570bc8493462d3f9906195349ee4a31fb63990067587ad66f48e498f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgAQ.exe
Filesize
200KB

MD5
644dcb4850a8a2fd397423fba70586c2

SHA1
5648bd4f5d39585f982bd0b92f25f1d7fc8ade52

SHA256
70f53770a1c9f2d3a786e61b1a750ec043cd45003d22ec86e2ac4bd726bf3e70

SHA512
da81b59e694eed1a8afa60a31d75c12a6de3afbb062ffa3344233af1151d0df954ecf1c3b96bae567a1ec36b76c55c05a4babcda9566fe70f60dbd8cb2dab41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgsg.exe
Filesize
4.1MB

MD5
ad2a8c2ef3d974e440b91f23d26ab00c

SHA1
d63fd800b5cf444331f1cda8c11d9122b18dfd75

SHA256
e61d1f4610c42e1097405e5e6c347cb6702b6beafb5505104564eed6c6648295

SHA512
3cdf8aa3729e14061faf2c88320c38276926efe94cf400503f79a574f517108686d239902fd251b8ca42873407a4f7b74411017f53767143071ecb41cd613b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssU.exe
Filesize
228KB

MD5
e603c83595d218d46ef13c2177401e9e

SHA1
2743c342cfae17083a0e4fd57a3c48fe392d16e0

SHA256
30bb1153bcc1f30fcf9d5bba4ddad1e2c4304cd1c5f09897562b205bb165fc37

SHA512
e017b2fbd0b6f8586fb95f3a7762a5ade0c9ae4f8ab35fd47b0cbe3211a1075b58394b1c721b77c6a96b4341a1a324fdec442ff2277e55d9842fefe9dcd9f586

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwsG.exe
Filesize
2.0MB

MD5
d2e10693095f8ff6d84d06f44b96efce

SHA1
2b705a78bdf3d80ee721e4658f77a729361876c7

SHA256
897a20f0b0fe7eb16e4bca5983a6e877e06965a453d9720a15a3ba601cdc8789

SHA512
6cd9c4a82bbd76709810f4a655eb6f6347599213a8406e2f3bc1ef306dbcc0ecbf3a28b6a8253a6ec34986206ab03acfce8ec6fc5eca61ee6210748256b78085

Download Submit
C:\Users\Admin\AppData\Local\Temp\mywQoMQU.bat
Filesize
4B

MD5
cb643a1851fdbc4925698cbe824efcba

SHA1
6112f6b929dec96fb510cc08f8ffdd5d1206cfa2

SHA256
c01ce2fba546dc56e16a217c192e3a1bbd2f2528f392a4902797af2d5f7ec3f6

SHA512
b5eba20ee09ac521d5f4cb07c9ddc6e68715a6d926445be4ed7691419d284989066ab8e8cb95f6941905eaa19be01c998629db5644fbe2d1654056aad7622395

Download Submit
C:\Users\Admin\AppData\Local\Temp\naQgAMwg.bat
Filesize
4B

MD5
fad77c02671ab0dfe04feab5a215aab6

SHA1
758bd387f39f4b41d77862ab7e68f5a027d5ab03

SHA256
84ae04512c755aac965c9700ce989c7846a8e941042ab931c700c6b42968c48c

SHA512
c2f2445fa6ff4e85005afb2224cb1cff17d7731f5a4402ad1c225a5d1b6c81e331ee5b376883a79cd921c60b1f58c08408b70874942a135c6df4c6dfbe787f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqUEckok.bat
Filesize
4B

MD5
16717d204c9191b2527192ffd7a8f5ce

SHA1
548991e5c821dcc4e898ef9debf65de082d6649a

SHA256
c588085b29ea415df2fd5c453a4789ff7aecc7d068f3bf69c7021d0aef55daf3

SHA512
5a84c6edbb79e35866fde8978a7be81544b6b4203f2f6f29e9a42f0bb4cfd0eddaa13d0dc0ee922a093e8778ce7231d0c3c5e77701bdfb7c52e2d61c0f21b983

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuMkAUMg.bat
Filesize
4B

MD5
269389b47de277f2a4487870f3705780

SHA1
5cfc77f13a66cbcde940c7b9545438f0093e88d1

SHA256
da1aa02a507127caafdcdfc9a5bb90a320d811a59d2adaa0db11c113f37855bb

SHA512
ded894221314ff922902410c1a6613fb56741d07be602c1ad7783b295dcc6857c73d5591dc44621fe8580a5f894a78c41ee9a36a45d8481f8edd0ec543044070

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQwsMEcE.bat
Filesize
4B

MD5
24c1c5219a340ce1e8b87d4c082b14e5

SHA1
17ac210b07540a27b19d89dffa307efb991f1051

SHA256
06f75db490a448f71885223ec1396f28a7f296380a03f22e9445875f4bfad16e

SHA512
b8e2a6e453b1851f8c2a55a921b3e6ce678e2bf28f776964a8171d1f1df89db4a91dcc939c2d73db860a294e484970dfaa5c40427dacd5421098c6709eda0058

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUAI.exe
Filesize
248KB

MD5
92ae9db84c920f70471d2c3b33718bea

SHA1
0542a8bf13f7394cdfe5cd2af1079eb56e546321

SHA256
8630d67fa3ff010b27fc6b1c8c2850e03e3b0bfc9be0fdd45f7ccbe58e4ce9e7

SHA512
31166a303e7bd778021c1fcdce9aa5f60427ac9f1f56d4db1ae3cfd4069a071e33a6382a92453f19830088c9195726f71dce634fedd40ac0f83acf6a9e118aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocEi.exe
Filesize
241KB

MD5
bdce1fe2df6db9d5aae6f83789f2490c

SHA1
9de0b4e95e1e7100081d61f696ddf094be7acddd

SHA256
032c5a9a491ae0ccfb97dc2e1e9c36edaae0ce024656ed32e8319394c87e1001

SHA512
b63ee8c2bb01def22c33ecb52353f88fe66660d9640152bc83ef738cf27b8294f593a936390097069fa2e38eb3cf6412fb281f1c04294ff3c68510f23ce04102

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogwq.exe
Filesize
238KB

MD5
93949700c1b539977689d7dd0f7175cd

SHA1
2677c2873542896a4d50a305b8d9602a7d873de8

SHA256
da282ac5990ae0754c6b19666eb25f0c471674d3ff8926770be3e99f460a2878

SHA512
84af2cd3163086a0a28c06efaa8a03096b24aabbb169e9884a77c1c29040e87f3b1241ef5522da4cd97db44504c5801e38549712f1813a5b63c3e85c07c28ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\osAM.exe
Filesize
828KB

MD5
050a3d41e1c122fb85b43646fb586c14

SHA1
8f999d5569705a5338f3efa785f83afe19555327

SHA256
55f956fb9b1638d4ffdfb6dd083ad733a0ebf44ff3ea9fbfe1c5ee52595b8264

SHA512
bf842186a63508a07b91582b4c25d46904effc25daa8ebb8ab7241cd42b68979b0d6727bee79b9e49efa46600405d185b0a9fa656286da24f052b3c96ddeacef

Download Submit
C:\Users\Admin\AppData\Local\Temp\oykwIgUE.bat
Filesize
4B

MD5
788d0490d279a1c10f93f111f874208f

SHA1
20ca816736fd3c59eeace4a47b7d08c78f317837

SHA256
1d7fa6b5562bb36454f68eaec59f745f61d540763a100341757f42ffca094666

SHA512
ce8333355c7324918f663f1fe11fb6201e095f24beb99462436985a2cb9042a42fc8ffc91ad3155435f57eedd12ac1ad206f281f6a0fe1d82e762be073d6b7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pWIcAgEk.bat
Filesize
4B

MD5
2cdc0297123a099b0ff7b278ca2c7e82

SHA1
62a3be07a153497f448491d31a20cdb6337befec

SHA256
e284266789a597559c2a278f563980a832d6f301a62f2564681d20b2fb848689

SHA512
60e799d470151d3372ca4b227063b869315791ee2ea645ba7607d0410260cece78ae8dcdc46e886e40127c517fa7ae8d8cf1c04d3196837a1bdada5ec56fce84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYcAMQoY.bat
Filesize
4B

MD5
579420bcb91867628da596e393969219

SHA1
17cf1b10c9d4e24c8b06aed778a3435de42761a1

SHA256
cae3c5ab77186fd8bc230041616c5cc533f17d72b87ae0dfde34f4643c6fe20d

SHA512
fa75bd84324466e214c41205c9f86ade7eb6ae38400335414ec7f803899305cb746ff73c6a3168ff2f62a2e967335c82caf243a10e7dd46d97f39483e62b9235

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwcscwss.bat
Filesize
4B

MD5
c4160976c3161138a0488b4157ff55e9

SHA1
0eb40c8397cbdac40a31bbdddb528b24d7920357

SHA256
8bc5f28749c0be2de946499de8cdd26865d47da168443351f76d54b993965ed9

SHA512
690233f8c5aa565d306dc8b911ec4e5855415458fc5c928a4031c5817b0e91e8d56c074411433c5fd592936f0b633535c09be857f3eb8cfef2f241ef4b40eb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEYO.exe
Filesize
227KB

MD5
ffdbbddce8cacbb99eca85b6218e99ae

SHA1
61a19339947a4e262da3c39093ae9b1fde9c1c7c

SHA256
00e4b64a0ec6d0b1177ee4ca790439bc1c1ad9eef7d92a822c21946f044ca563

SHA512
fb3423cd6cf651f2fbb6dce216f9a21875d4bb19098100b6e0e43542615a1bcc32de153c70093c6e3b11d6d96c3c1287b9b3b36748e3d2b16934f3c08e8d96b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEcgwUQg.bat
Filesize
4B

MD5
766cdbc9714636c7004cde533e77017d

SHA1
0cd7758329ab77b6a98a227ca6382673bf561bc1

SHA256
00ab3656f762a270c0653ae6d0512630a5c5a8ad795b033d82f03661db3af4fa

SHA512
4e2bdad3413507f9f170448fe55487a77bdb90f8e9e97c74d0e7cca1805923f8aad9943e2ec1e634bab508147796b995300e9d9eca99ab311be1c202dee51745

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMMi.exe
Filesize
244KB

MD5
caffa8154e3b0717c029b333b21efa9e

SHA1
79fd3fc9bd778317ddab9d85a840bf36a58fcbc4

SHA256
ed3b9c295b35296b1639bc7fa064badb2fe2e4fae6584cca91492a566c1feb04

SHA512
ed3210036388ecc60b8847f533d781fb3b3b06aadd61c0356766d4dd06c588e200a08846d7282b74a8597a6f7730c0101f90dfb8bd49c7a160f49ffc24742258

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOswkgkk.bat
Filesize
4B

MD5
0e98e8eda2714802af9bd914c52e2f75

SHA1
34c0199585f291ebb7c68bcce77d81f202645838

SHA256
882ae9ee8ea4bed2de437e4fe0301ead704ea38da8a6045fb32f73367732cc9c

SHA512
7f9408daa53410474fe3cf6072ea2c925230b6c2763944c35e7d843a6467b4ebad8bc81bd2f006bc80676c98ea2ccc6f9f90033d18acb115029a98c7fdc36e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQcY.exe
Filesize
184KB

MD5
3527f37127b8892db62dd17ead69fbbf

SHA1
14035fb1e31029cb064ed505d6b457136a103b33

SHA256
416a7da4a1e6d215ba60244e02964c89a90f10a712d52d93d4da4ea505e4b071

SHA512
b30983691c2c951f6bc9fa9bc86136f6efac2d26e3bdc692b82c04d150148ea9e605968cc8861f2320f4f01101660b7d8ddc695cafe2b0593fa657f646bb2ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUEe.exe
Filesize
207KB

MD5
1e2077142166d11d8f0bb5e682578b1d

SHA1
7e9b06430039cc2a3f8eb21afcd88293098573b9

SHA256
30d545d66f019cd69c3c6e63fc22181b666161af263866ba69279ae8cdef97c5

SHA512
588c579de3b60e1154f41bc161bc7f79eb02321349cec98766958953fbad698413b7c12a9187b61c0ceb2bebe3d4e5007fee4652a5912abfd426b981f353ea2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUou.exe
Filesize
227KB

MD5
9e9f3a876a81f5946545e2e21e928453

SHA1
633cc54841e82ea494276d2138d5f10fc2da71b3

SHA256
2cebb5cde649cda7defcf83cc032f1c6feb08ceb4b7c42c4ecdb638a376b65e9

SHA512
93c67fdf8029267944f90962f2a2055f4b4e5fe9c9b5da084924e5dd33bfab3f7d02a61150093459f4a8ac5869887ddc44841c42897ebf65032227d95971e22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcIc.exe
Filesize
655KB

MD5
dfe8902964ae6c4973d07e74b464b529

SHA1
f0df2e91b563c37efe3766d7fef2fee8d54559ee

SHA256
4aa988f6fe1dbf4e192b706aee2943583308d05378cce0f3081f31e2b34c165f

SHA512
36a93e2bec402b46b7109a946eb73c65e91af556a63133b8c235af469541317a3a8f63c7d5da6e257248e5c0f05597c03c5cd36a2f0781a75a04bd81c4456057

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcUA.exe
Filesize
888KB

MD5
833b9c19f8ee3b1b289e976e6c524488

SHA1
6a25680ab2049afd849acb3bbcc9a46858908057

SHA256
7e864e13f49326846cf2479205e9eab960f716d74e670e5c857a8b7813617021

SHA512
cc6345a5cf7e2ef50485ce9a57e032f121077f232cd59ec33699750eadce17ecba73f286d6ffa6305ac23894ecac790156c6323004716699c4d4ce1e211ce2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkMkcsII.bat
Filesize
4B

MD5
ccc2f63904dcdab292f8a29278399822

SHA1
e2d9580193a6d28cf8ce6f97e99f82b2d16cae91

SHA256
4462d3b8fca61c842c43ff1c2da1157c7c865115179c6a0c94d021a0dbc56fc5

SHA512
75b10690d1be72da452271fb65a486432664ed2a38f17b7db9830f9b94278420c1ef88c01df920e5f8ee308a806062e0985d356ddab93d0a5d25a1214dd951f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkUQ.exe
Filesize
249KB

MD5
ecd66af487bd94f5a3384d183c6fd36d

SHA1
e41104bc187857318980b537aae0cf23a682b787

SHA256
c67d2cb22a06b207f3deed659ffeaf136ec25f8638ae4b26270884629a5c23ae

SHA512
578f8d91b2da9c1e9008983b5f3209459f85da7bc5bdc58c68802f65fd664f7cc5b09d2f23e6199d2a1325c6bcd6a79c04da2e3adb82536fc54a0c1bb4e89174

Download Submit
C:\Users\Admin\AppData\Local\Temp\sCEUYIMA.bat
Filesize
4B

MD5
14ad2856aedaef2bb5b728cc9243b943

SHA1
b01bc5c9e3f13ff3e8bb2b34a001e4fc547d6a87

SHA256
2b58fea50d4a0fd8a426ba2503ddbc87c87cd37e5c94f1f347bc6d2e40a49e43

SHA512
ddaa27dcfce3aaafaa2dc685a3de12455e7ebd191fcd989633188adbee095562e99cf1a03a477967405a7c35f574b11abfcc016284641c89b2e477f3737ae2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEQM.exe
Filesize
581KB

MD5
f83cd09cda79a9a6d749acdb3321ca90

SHA1
6673d1240cdda8b0fb4b721705b24379c510beaf

SHA256
2de0c2b2ab037ee0ad0c0cdb4a5ed9a06d034e8ea8bd697e38d08a32de4bc4ea

SHA512
f5d915ca3fc682144507f24426fbc7536c568e009a762cd5258f8ebb220c8861492e63e19e26c5bed633ac8dfcf49fdf4d21f058f0b61bfe338c3d581315b7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIMI.exe
Filesize
244KB

MD5
cd7e016ed6b485a9d8fe4b93ed9dbab5

SHA1
069421620c0bbbc8acdbe723d54c18156d66c1c3

SHA256
959ef80d6efe118a2c993c770c8dc485c068778d0249776e1a9abe2b29c35163

SHA512
a2758982da9dfcb823a496f20b2bdf2dc1e9c40a5d1ef6ac8acb2f114e782f453ba18f0640c1071042fa6fd07d85ecf21e5105e642f5ec0326d315fc8474187c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIkc.ico
Filesize
4KB

MD5
e1ef4ce9101a2d621605c1804fa500f0

SHA1
0cef22e54d5a2a576dd684c456ede63193dcb1dc

SHA256
8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0

SHA512
f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSwswooo.bat
Filesize
4B

MD5
5c45ebf382a7bfb447cbdc261b8fdf3d

SHA1
098ba45ec172d32018af50ab3a94238237854fc2

SHA256
9f0a2fc6532089e7b903bbd9b90950b5b186d4794b4e0e102edbe7e9b88fb9eb

SHA512
4c61ba4f905c3b319cdfccd14b040381416a1af8b354fed0623c1f67c3bcbc1fb58cf679848a91ea121b2cd2a15ff8999652efe6dd55df6f94c0410286efd3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scAUsgIc.bat
Filesize
4B

MD5
1a09f327465886b3088b2aa6948e86f6

SHA1
7355080b92696d840ede0618eef3f9a71b9c5392

SHA256
9598f58927945a9b43a4fa824baa85b36c0771eb13c9d640f0ef1878aabc06d8

SHA512
fefe77f30e4db394f598d6b9a2c11aafb451061a90263217685b143da1fa986368d16d9564250784b9fcc79ab481a12037dcee93f7f9b5ad6087a7832179b2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\sssU.exe
Filesize
326KB

MD5
109532f3dcc26e98da4fb3b05ac8b172

SHA1
1539bf718082890f143878c3f2031ca3c1ab7c44

SHA256
24aef43c3ba85dd0025e978c9cbb4b02755becee6ec2bdddad3598848514a94f

SHA512
28c5d80c841e8f47752a3c8b8b1d4b7156ff333442c2e649853a42c009ddeda4c480301a3956316cecc1fd7773f3470549b5fe80ba5c3e373c1b98474de30b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMEoggAo.bat
Filesize
4B

MD5
2d9fff281ed2400f5fe2b1903097c23c

SHA1
08102be45b7b08da4d3ca249e2066237998563fb

SHA256
2b496e00d535d5106e0ae14e4b926a0c0cb1486b2dfdab6a1253e868d06c1c9a

SHA512
56b410e63603429384446121ac85cda4bed849fc1cfca02b5e58ebed4666fc82553207a5692d49156fc7a5dafb98effe8b5b8803ef41c74e9000653a88bb4bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAAcgkMM.bat
Filesize
4B

MD5
d41d7e2cba176c9daafcef249ee8d368

SHA1
f08c4d21ab4865a0ac2e2f28e346f8826a5b1bb6

SHA256
aa3658b9f245ecd64c85607ce3b209d4e0fa3856c6a2f8196674b19ea157e3da

SHA512
571bbf96a551e950c9ed740edc7f4580af95cb2aeabe0d3d1a20b0ec8f344b85b244d77d39703ed4e0e180c2d00e9dfe26f61e52acfc624e59ee64dc7fa4ed2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIAU.exe
Filesize
231KB

MD5
1bc0937309d12ff6d178d2e3c0be8266

SHA1
162c7eff095202d7f118168d88812b8c33a49534

SHA256
582870f47a36b7b1d4577888e5a5abbc83275db1e6ae6690ef3fdc98bf4852c8

SHA512
05e91e668356f1f7655bf4c725e01b0997a9cfb978a4836a7c083e27ecd7af65eeb428b74a43c9ee635cfb9a17d851e5ef7239c6a56a1eac538e92401cf5788a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIEUUIQI.bat
Filesize
4B

MD5
ee0db559be737413049a5cfa8f369837

SHA1
bd9a406ba4ddbf09f1a76fa63cbe4c9537b86015

SHA256
6eea72f0b54d7fabaf173273ea5f5f837d2146e0fcbef6c9ce5becfe275e7715

SHA512
4331aedc951536787619d3054b7c3c5acf86ae86858002006e7a6d28262ca408f6588fc7d4b147b7c9c7591f272b3f66528a274c3abe85274c3b738caab08328

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIce.exe
Filesize
185KB

MD5
054ffb93a618538c126186b170955be4

SHA1
7c307e04d00b5486ff61fbfcd3f6b33c40062e56

SHA256
48db6994a9fae66380cc31131db56684a1f403e8e399ce6b95c9a08125ffbccd

SHA512
52d2a02f1dc39f77fbc21923082dfe10eb4b022742d70d8fd2508e64ca0974dd32929149e5289aa11b2d73d6d3786a93a21da93c55c8cfa0dccb79c79b512cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQEsAoME.bat
Filesize
4B

MD5
906fd71eb675ef23972e7cb58597a3d3

SHA1
03f494ba016ecb57d031c5a1063240a9a9c3b355

SHA256
0243c2e50b6c9f92fefef91408cd21f6413792d9d56b14705d940186b46ecdcb

SHA512
24eb57fc7c7bf4157fb12dad5ae900c3615b6bef5b249786925f57cb0232bdca788e56e14b50e6d3c3f0f0b9f630fb7eb625aefc65715a659640d8b15415232d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUAUsIwg.bat
Filesize
4B

MD5
6aed708d03164af69a7f1f61aedd5aef

SHA1
952fdfd1ccd400a443356d6a7e23351182c89bd4

SHA256
682d790c2bccb6c3f599bdf10fa6cdeb031ee1953ed01008bc58f4bdc7c03b33

SHA512
b8759f95f3ae21f63c1900d98d2832c67cbd9254c1f3afe51503d63725c1da4c05e8b02c7af44327ec50140573e7f276eb4d0d6db4e34d5e38b10e5028a84b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUIM.exe
Filesize
227KB

MD5
5863157bb81e5e977517c522ba49c161

SHA1
317d420bd00b0239d2a183174bef660776b0256c

SHA256
bb44013ec520623211ef8591c9cd059ad415abbac51084eaa0098f1261256651

SHA512
b9bb07aa81acca75aaf2564407ddc63cb1993bb217d8cf9aba0ef4e10aa48f5c4294514e67fd2df4f4f0799b320632eb6c12b3a26aeb66998be57aad3cdb7077

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukMW.exe
Filesize
202KB

MD5
132008dfbd41600f320855fb720275c7

SHA1
bf65a870633433bd7ede5f828c3f07daf79e5427

SHA256
eb2a727ed62a3bc4b958fd4a2e462361e3ba09bb17509235d5180d46a20706ab

SHA512
8b7efc36a5a842b1f9b021ca9c9ea86afd8b29dde27af0d430c62cc38cb2198f00d60220b4617cd2095d2a6db2e8a0b29bbc6d3865d342819a9690e6342bd9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uswwswkg.bat
Filesize
4B

MD5
0a1387cbbd064162d78b1a545160adac

SHA1
12952939318c88a87d94948f9c899dcaae7081e3

SHA256
64056e841807ed1af87b798f5323176406fef9ef067c9843f169dbcb2e2b575a

SHA512
d95ca6a7e6cc93c2d7b0f931bc49e7ce455cfeb1a8824d704c5399349662634fa51a640ec70b57f64b6e5ec96ef88b0a2f22d45a843f98746049db87b2e7b276

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIEgIsoM.bat
Filesize
4B

MD5
726d711ef7d0dad7233a3ae190354a3d

SHA1
a476521944786c8eeb623312a81a7a4011b7c18e

SHA256
425b024cd0a79a4b6acebb5cad73e3525511266ac6453a6731c7b694ceaada2d

SHA512
75a48ed52e6bc1c4fae447865a3444c6295dc45814678fbdb1fd6ee500b2cc3e59dd0b67be1a8d6345c2fb2361db5a4ab7069cf42ca0450f599b0ca7c693fc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOwkcsUQ.bat
Filesize
4B

MD5
4b1859bceacb73551199835b2f3a6aa0

SHA1
17d4a1fa1f05e49248999a301ecf8cca93d4a918

SHA256
8c9db8ee9a61749bc162ade761754d90886cae54684f65d5a94db6cb51818ed9

SHA512
d6c23460c243dd51a05ac441b6ec121a191f4bf6dcc8b42e60674119e8d40332a514c6fdaa0abbbb361f560a735dd7a2e9e3e8a836fb5fb1c45d8e2037800b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUMc.exe
Filesize
245KB

MD5
da9eb8ebf607e2dcca0f67ec2d20d5b5

SHA1
9ad8003b10358cf0003fd57aad90abcca8bfdbee

SHA256
9b7bf04f7f70761932801d5873aff6b687ea06520a671313f65fadcb7839cd58

SHA512
f2721363b44706b575b500d03289817f0a88465fcb7513fadeb756bcb31ebffe32ff530bec6812a6ad7c9c12cf93c7967631f654b9d88bb26f2c471ccc39dd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUMg.exe
Filesize
229KB

MD5
16a3f02c49d2bffa3dee01f335ebe691

SHA1
a6f379d8c3ac6bb2f0ac469902ab9927cedfac3e

SHA256
ceee6b86bbc41c7864dedb917b9328825ff4a88010768df7c8654325bdb1c78b

SHA512
baf2db83a05738eac4167e4f30270320a5798bf9f4396118d38a1f3bcacd857f127fc984b12909958ffc20b79693a01f4e071b801a1fcc6c5f329aa6bed69f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUUa.exe
Filesize
494KB

MD5
ed07b9d16200eef4a8b10a653f4acdbb

SHA1
acb298a411493aed738a075ca53a6ae86ab9d37e

SHA256
015eeb6dcfd571a48543ec75633df4cffb6d59f6515d340fea2d3e01ede7e420

SHA512
17812b1ddae27cd4a508038ae193a4a3acbbe064f3dc4cf2dac571a14075fbe66d5a611d218956d8a413a21868a952e804f138abdb09d64d894a19d4095de922

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYcY.exe
Filesize
234KB

MD5
d33a557995c60d3ef0c102fcbdfc046e

SHA1
c625dac42a725f605e9b4b7ef41fc3bc3ed9213e

SHA256
d0e63d00b5d4b3dbc4c6b442fc8e02794fe08d277df60e19d8472308ee6048d7

SHA512
1b00d6585dabce05c79a148f62ba18d9767bc9acf6acc9b565cfc4443117b7089fb751e7df72b684e1b286140d15663b4885283e21ff27a207c4e42bff3e7753

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYkc.exe
Filesize
233KB

MD5
7e3eff3fa5bc21bb5e82d25590c29b35

SHA1
f75abb4606360a2fb6c27e1da2895a7f6b099ad2

SHA256
4956f7e42d5239a326f12746887d3e2af8b09e5473c910dd4a2d31fa56a0c44d

SHA512
54969fbf5199d9345c0b31d3f3163baff4dade1526a182ca146364959553c7d68f19a2fcbe7770663c3bd97a8bc4ecfde1a3bf2bfccd21a5e21cc029058eefe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wasckcok.bat
Filesize
4B

MD5
e1cb8d42d12ee173da66dfa05fbe0798

SHA1
ee52d8ce8964b442e01eb4cc5311c6baca97cb7d

SHA256
eefddf8c098cfb94b2d266a147591fcc8561130919c40bcd493a785547601d77

SHA512
562b293a56f9bb1612ca4a43aa4532aef4e90e041b2bcd321db49f774101777fd6abe89add4e8e3d3907cbbfac9a9c5bef3293b5a987f562031eb63b82b549f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgAO.exe
Filesize
196KB

MD5
f0847f31e5bee3ad6824ebd289348dbf

SHA1
796a6a891440b90905c5a0bb73743e8b881a60e0

SHA256
25e18b70a2ea1234ba4fe2262991f4c174953edd9c34a3477b22f5f11f75924b

SHA512
75f57901f1890cc3eebbd90d18f6db2f82a760d1cc42bd89b42204c02990e59e332077ea3e5360431086a2b47de47d5979a343795c0ae79d5b9f4b8308b6c6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wocY.exe
Filesize
234KB

MD5
00e5da4c61ab47dd32b40cb4195f3ba3

SHA1
39783074791de53f42c361fe1c1d0cceddda2da3

SHA256
7680ad082b949981fa7119783c5e959baa519d5568168f72124ae8d49a3a87d0

SHA512
cee5d2debad5cef5a9a717c1bc423e52e242621515f142640f42b43703494e3f987c854a541c7deffccb468c36e6172747966436e993b5361ce0d35eb1d56205

Download Submit
C:\Users\Admin\AppData\Local\Temp\wosA.exe
Filesize
189KB

MD5
e0a8ec200dc4ef7ddd9f55ae38a8dbc8

SHA1
369464e482c41a54e30b9562826c6a70cbbe4816

SHA256
67c2c6d1f03bff670a629af08d3e94d3846a475accdbcfbe839695269e1973f1

SHA512
be531fccc72923cd1f26c3cbacc6eb9be85f46c64fde1d99a95701ef0913aa324845d033e5d4f16efb302695cf63b132a5588fa4ba202ea27b5e0aea52d1c774

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQW.exe
Filesize
242KB

MD5
b8717f1e2d135fdf758ad6be69e9e769

SHA1
ff49b4191d4f844f86c761cfee24936d250b165a

SHA256
55316624dde8b39e70a12ef23c75aebecb5a80dd4c8e7d727a2026fb2c59eada

SHA512
94d9c4b43cc9ec29079c327fc27fb16f319d0d927592028b687ed4232cab9eb6d8e099eb4363f11bdb421c86efee5a2af86ecda5c672aa33bf2361ccf1998cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsYY.exe
Filesize
317KB

MD5
5fca28f725a368019f08400a1b0bf3d8

SHA1
1a92bfec7ead58201e860587cc9b4a7c34ec2e11

SHA256
74719040731846c10d527801477bf02591311582048b6d9e2b43b3e69da6b72f

SHA512
05ef516d91043a52e6d60aa6ed375d5f53068fa073efd2e5f7c32fb0020a77db1d34b70afbead341d6153228a24003303def72652c3350e20f39b64c5e0b7a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMosowME.bat
Filesize
4B

MD5
9888bb33007c562385f33db934dfc9c0

SHA1
69828338bd7a341540dac20b189ced6d10db6fe4

SHA256
0d0aac4581a596007fcc503869e7880c42b7856bc07cfe0305224182279ed171

SHA512
5c1128899063c37fe16bc8817fa50d2d08a6395c8abc6226eb94fda7551c6acc51318b6b0170ae063dad6897a61389de0ee2915b3a7e309be0f9c5718fc0e03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsAcwwQM.bat
Filesize
4B

MD5
a93cacc687264ec5e64b1bb0e5ac9833

SHA1
73fa1067eaf7f25f12d5ac610fe31c1bc9c360c6

SHA256
db63ecc3d7126b4ddd6c296037aad5458cef40d292b78c1e3139e151df3559e9

SHA512
2cd94472158be61878b149468982399064907b3eb05b916c7d352b7dc865232586f41099b3df8f3c131caf900bc87a20f3db7fb2fd1379ac4f374d89b052232f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yGcYgccg.bat
Filesize
4B

MD5
3a7940a6e1a9af78381afb4d0fec06e4

SHA1
77024bd7114d2bb35b909eeff502ebc7a7312055

SHA256
133541de4b03b8e1893336b74f95cb98a3d260b3387cca6a75a6c775a25ba6fb

SHA512
a6ae18c4e8b5c21a28792c9e718bc98aef5b8b70e973b994f07e8ea47124024b579b10426374a80b3429f6acd4fbafd5b5347679241dfc7a30a8642f3a9f8260

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIYe.exe
Filesize
202KB

MD5
6e2a554c21814f9ff15d163abce921c3

SHA1
f7d97f56614708637c05f78e7103dd2fe5568298

SHA256
8df187869c5a7856387e5c1cbe0fb0ee619966c6524a0befc1727e216f76e792

SHA512
a9d747959aa9d5d6a2e0cdb6e912fe6ed2d365a644e0f9c49e47598948d7be1e0ee3b5c2a7b9d6b39d8aa7366e10483cf736136050f37db519209d13e9d5e5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIYq.exe
Filesize
220KB

MD5
e658cf5c2fcd4ca64bf62dd9cb3a6db5

SHA1
5968ed4069f40f62153965d862bead0ef3b74897

SHA256
f1b14d94edccb7a675bc516ca91ad72c1fa1a1f81729c6aa2caf5c2ff7ea2a09

SHA512
a7a2963c0a2088f2c4b2a05120253722419fed79858c4308b810f7011f4d870191b32027fe700ca5fc5a44e9720d59dc1a6bd434489a3ce7ac319271ff0cf194

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMAU.exe
Filesize
507KB

MD5
ab4bf28b7e2fbdd761008bfdfe16f112

SHA1
b8bff4148512572d000225590e1e9dd7d1fdf7d6

SHA256
1b77f204ca8514da725e0c3100bb610c5544b50c6df6557be835d9a6ba423a8a

SHA512
b7de5c9db0c5bcd0604b13e45d4d0419a8db2e7331105d9234f547ef39412b2e6f021f7304845fea60879052d32f254a2bb12ddb5126861e7cf8752ca1fa2e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUMEwgIw.bat
Filesize
4B

MD5
d31e21cd9ca644baa02cc78482b5deda

SHA1
5a94832025bd38dc2f7259007e285d45f94df1c8

SHA256
46acb6c8a8bb87019805548aa05da2b86e7e5adc72cf9415b35d8e208e3576d2

SHA512
77de24dd1590139f5aa3ed63e0dbf4583eec7ffcf5c0e6b5c8d9524f808ecfb58e3bf4ffdfd6f033adeb742dfd122febc729f8d429421f36384b63a00fe114b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqEYsEss.bat
Filesize
4B

MD5
a80e01c9c52c4ba6e35adc3ce00c811c

SHA1
f8f01b9e1549383a13981d19620e290158b61639

SHA256
cf3f241620adc999deb04eda5371ae0f44d1adff37aa00e38f46fbeace6dbb5c

SHA512
c6ce01f3e7d9d78717f898cf83b3dc41629882d965330fe473aa13d983829b6d9cc42fc34f4eef228e9ab38af06661d78c642868db43e822db516bf48a662ad0

Download Submit
C:\Users\Admin\qcAQUokk\dasQkEsg.exe
Filesize
187KB

MD5
600f850d28545b9c75e9182f32d0dcfb

SHA1
1ffef64d333a4f4355366e3d426c1b837651fdc7

SHA256
707841d30376ef7941a5afec033828fa2b0228e3fe5c6b3fed92b0de338ba5fa

SHA512
56d82ee8a4f3f8ae586b2c3c8bd95f45542aaa3fff03543f41ca59eff254c47a96cdb9c39aa5fe73a1b197c0df772c87e76611ea0056617bd4db9efe4c1717bd

Download Submit
memory/108-368-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/108-199-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/108-558-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/108-527-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/108-400-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/112-153-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/112-354-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/112-515-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/112-485-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/112-319-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/540-105-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/612-304-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/796-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/796-106-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1028-271-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/1028-272-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/1220-413-0x0000000000590000-0x00000000005C1000-memory.dmp

Filesize
196KB

Download
memory/1416-652-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1432-525-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/1432-526-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/1436-414-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1436-447-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1508-611-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1508-640-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1524-536-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1524-506-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1584-631-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1600-115-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1600-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1672-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1696-2304-0x0000000077430000-0x000000007752A000-memory.dmp

Filesize
1000KB

Download
memory/1696-4450-0x0000000077430000-0x000000007752A000-memory.dmp

Filesize
1000KB

Download
memory/1696-4871-0x0000000077430000-0x000000007752A000-memory.dmp

Filesize
1000KB

Download
memory/1696-4451-0x0000000000100000-0x0000000000122000-memory.dmp

Filesize
136KB

Download
memory/1696-4870-0x0000000077310000-0x000000007742F000-memory.dmp

Filesize
1.1MB

Download
memory/1696-4449-0x0000000077310000-0x000000007742F000-memory.dmp

Filesize
1.1MB

Download
memory/1696-2303-0x0000000077310000-0x000000007742F000-memory.dmp

Filesize
1.1MB

Download
memory/1696-3270-0x0000000077310000-0x000000007742F000-memory.dmp

Filesize
1.1MB

Download
memory/1720-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1720-129-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1796-248-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/1960-186-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1960-154-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-505-0x0000000000300000-0x0000000000331000-memory.dmp

Filesize
196KB

Download
memory/2080-31-0x00000000005D0000-0x00000000005FE000-memory.dmp

Filesize
184KB

Download
memory/2080-27-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/2080-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2080-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2080-28-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/2080-30-0x00000000005D0000-0x00000000005FE000-memory.dmp

Filesize
184KB

Download
memory/2088-568-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/2176-343-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/2176-344-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/2320-651-0x00000000005C0000-0x00000000005F1000-memory.dmp

Filesize
196KB

Download
memory/2320-650-0x00000000005C0000-0x00000000005F1000-memory.dmp

Filesize
196KB

Download
memory/2396-128-0x0000000000170000-0x00000000001A1000-memory.dmp

Filesize
196KB

Download
memory/2488-223-0x00000000022A0000-0x00000000022D1000-memory.dmp

Filesize
196KB

Download
memory/2488-224-0x00000000022A0000-0x00000000022D1000-memory.dmp

Filesize
196KB

Download
memory/2496-589-0x0000000000370000-0x00000000003A1000-memory.dmp

Filesize
196KB

Download
memory/2496-588-0x0000000000370000-0x00000000003A1000-memory.dmp

Filesize
196KB

Download
memory/2512-484-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/2512-483-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/2520-281-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2520-249-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2520-82-0x0000000000130000-0x0000000000161000-memory.dmp

Filesize
196KB

Download
memory/2520-81-0x0000000000130000-0x0000000000161000-memory.dmp

Filesize
196KB

Download
memory/2580-294-0x0000000000290000-0x00000000002C1000-memory.dmp

Filesize
196KB

Download
memory/2600-569-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2600-599-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2652-176-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2656-578-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2656-549-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2708-630-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/2724-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2724-44-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2732-295-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2732-328-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2736-620-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2736-437-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2736-590-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2736-470-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2740-494-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2740-461-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2760-43-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/2760-42-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/2772-377-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2772-209-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2772-345-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2772-177-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2800-390-0x00000000005B0000-0x00000000005E1000-memory.dmp

Filesize
196KB

Download
memory/2800-225-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2800-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2800-548-0x0000000000410000-0x0000000000441000-memory.dmp

Filesize
196KB

Download
memory/2800-258-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2800-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2808-423-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2808-391-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2812-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2812-235-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2888-317-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/2888-318-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/2944-367-0x00000000001A0000-0x00000000001D1000-memory.dmp

Filesize
196KB

Download
memory/2972-460-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/3064-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download