a04698f9ae5a6f148769c7852cac3707823304265645089bcc4411100c7a88b5

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
Size

186KB
MD5

843d4b65b69d1ec8e6a4fd32a2769ed2
SHA1

c69c36418a5c9533da54a703c25d66e5bdc3f546
SHA256

a04698f9ae5a6f148769c7852cac3707823304265645089bcc4411100c7a88b5
SHA512

c80d06b19007cc51e81bdff665dbba665b440e5b8f57a24d80dcfc5d124d0afd359c66819f6c766382a8f64ea7e1153d2d38e696e5e95da0d235dca20e1a5fba
SSDEEP

3072:frfH7LU9NknL4KPe9Sn/w+f2/07z1PQeQzTyH1ZxPVPmK8cMm4ffl6ceY3XzgCqd:frfH/gecCeQn/w+2M1PmzTyH1ZxPVPmu

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ZeksYgMA.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation ZeksYgMA.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2772 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

leUQUcsk.exeZeksYgMA.exe

pid process

1684 leUQUcsk.exe
2372 ZeksYgMA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	ZeksYgMA.exe

pid	process
2772	cmd.exe

pid	process
1684	leUQUcsk.exe
2372	ZeksYgMA.exe

Loads dropped DLL 20 IoCs

Processes:

2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exeZeksYgMA.exe

pid	process
2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exeleUQUcsk.exeZeksYgMA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\leUQUcsk.exe = "C:\\Users\\Admin\\micMEkwQ\\leUQUcsk.exe"	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZeksYgMA.exe = "C:\\ProgramData\\zUAMsEEU\\ZeksYgMA.exe"	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\leUQUcsk.exe = "C:\\Users\\Admin\\micMEkwQ\\leUQUcsk.exe"	leUQUcsk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZeksYgMA.exe = "C:\\ProgramData\\zUAMsEEU\\ZeksYgMA.exe"	ZeksYgMA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1936	reg.exe
1524	reg.exe
572	reg.exe
2512	reg.exe
2472	reg.exe
2104	reg.exe
2492	reg.exe
2900	reg.exe
1828	reg.exe
1848	reg.exe
1292	reg.exe
1548	reg.exe
1060	reg.exe
592	reg.exe
2916	reg.exe
1740	reg.exe
2472	reg.exe
916	reg.exe
2392	reg.exe
1608	reg.exe
3016	reg.exe
580	reg.exe
2136	reg.exe
840	reg.exe
1236	reg.exe
2436	reg.exe
1160	reg.exe
1512	reg.exe
884	reg.exe
2680	reg.exe
1760	reg.exe
1836	reg.exe
1044	reg.exe
2944	reg.exe
2456	reg.exe
1888	reg.exe
2632	reg.exe
1384	reg.exe
2460	reg.exe
1872	reg.exe
2772	reg.exe
2960	reg.exe
560	reg.exe
2796	reg.exe
2448	reg.exe
580	reg.exe
2032	reg.exe
2880	reg.exe
1732	reg.exe
612	reg.exe
2448	reg.exe
572	reg.exe
2000	reg.exe
1372	reg.exe
1048	reg.exe
1780	reg.exe
2916	reg.exe
1568	reg.exe
1100	reg.exe
2368	reg.exe
2524	reg.exe
1896	reg.exe
2852	reg.exe
1236	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe

pid	process
2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2456	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2456	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1896	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1896	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2952	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2952	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2072	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2072	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2300	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2300	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1060	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1060	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2664	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2664	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1816	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1816	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
796	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
796	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1840	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1840	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1416	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1416	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1160	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1160	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1096	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1096	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1812	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1812	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
632	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
632	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
888	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
888	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1696	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1696	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2704	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2704	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1500	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1500	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2864	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2864	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1812	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1812	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1664	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1664	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2364	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2364	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2876	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2876	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2412	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2412	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2996	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2996	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2304	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2304	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1580	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1580	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1208	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
1208	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2340	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
2340	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ZeksYgMA.exe

pid process

2372 ZeksYgMA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ZeksYgMA.exe

pid	process
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe
2372	ZeksYgMA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.execmd.execmd.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.execmd.exe2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe

description	pid	process	target process
PID 2336 wrote to memory of 1684	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	leUQUcsk.exe
PID 2336 wrote to memory of 1684	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	leUQUcsk.exe
PID 2336 wrote to memory of 1684	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	leUQUcsk.exe
PID 2336 wrote to memory of 1684	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	leUQUcsk.exe
PID 2336 wrote to memory of 2372	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	ZeksYgMA.exe
PID 2336 wrote to memory of 2372	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	ZeksYgMA.exe
PID 2336 wrote to memory of 2372	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	ZeksYgMA.exe
PID 2336 wrote to memory of 2372	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	ZeksYgMA.exe
PID 2336 wrote to memory of 1976	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2336 wrote to memory of 1976	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2336 wrote to memory of 1976	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2336 wrote to memory of 1976	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2336 wrote to memory of 1160	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1160	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1160	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1160	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1972	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1972	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1972	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1972	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1260	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1260	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1260	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 2336 wrote to memory of 1260	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1976 wrote to memory of 1956	1976	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 1976 wrote to memory of 1956	1976	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 1976 wrote to memory of 1956	1976	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 1976 wrote to memory of 1956	1976	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 2336 wrote to memory of 2032	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2336 wrote to memory of 2032	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2336 wrote to memory of 2032	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2336 wrote to memory of 2032	2336	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2032 wrote to memory of 1736	2032	cmd.exe	cscript.exe
PID 2032 wrote to memory of 1736	2032	cmd.exe	cscript.exe
PID 2032 wrote to memory of 1736	2032	cmd.exe	cscript.exe
PID 2032 wrote to memory of 1736	2032	cmd.exe	cscript.exe
PID 1956 wrote to memory of 1844	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 1956 wrote to memory of 1844	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 1956 wrote to memory of 1844	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 1956 wrote to memory of 1844	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 1844 wrote to memory of 2456	1844	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 1844 wrote to memory of 2456	1844	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 1844 wrote to memory of 2456	1844	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 1844 wrote to memory of 2456	1844	cmd.exe	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
PID 1956 wrote to memory of 2464	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2464	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2464	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2464	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2460	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2460	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2460	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2460	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2452	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2452	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2452	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2452	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	reg.exe
PID 1956 wrote to memory of 2868	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 1956 wrote to memory of 2868	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 1956 wrote to memory of 2868	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 1956 wrote to memory of 2868	1956	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2456 wrote to memory of 2696	2456	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2456 wrote to memory of 2696	2456	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2456 wrote to memory of 2696	2456	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe
PID 2456 wrote to memory of 2696	2456	2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\micMEkwQ\leUQUcsk.exe
"C:\Users\Admin\micMEkwQ\leUQUcsk.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1684

C:\ProgramData\zUAMsEEU\ZeksYgMA.exe
"C:\ProgramData\zUAMsEEU\ZeksYgMA.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
6⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
8⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
10⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
12⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
14⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
16⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
18⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
20⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
22⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
24⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
26⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
28⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
30⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
32⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
34⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
36⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
38⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
40⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
42⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
44⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
46⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
48⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
50⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
52⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
54⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
56⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
58⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
60⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
62⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
64⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
65⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
66⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
67⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
68⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
69⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
70⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
71⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
72⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
73⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
74⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
75⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
76⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
77⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
78⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
79⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
80⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
81⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
82⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
83⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
84⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
85⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
86⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
87⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
88⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
89⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
90⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
91⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
92⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
93⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
94⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
95⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
96⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
97⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
98⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
99⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
100⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
101⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
102⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
103⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
104⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
105⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
106⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
107⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
108⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
109⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
110⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
111⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
112⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
113⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
114⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
115⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
116⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
117⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
118⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
119⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
120⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
121⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
122⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
123⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
124⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
125⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
126⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
127⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
128⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
129⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
130⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
131⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
132⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
133⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
134⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
135⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
136⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
137⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
138⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
139⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
140⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
141⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
142⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
143⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
144⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
145⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
146⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
147⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
148⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
149⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
150⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
151⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
152⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
153⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
154⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
155⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
156⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
157⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
158⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock
159⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock"
160⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
- Modifies registry key
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iggUUEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
160⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
- Modifies registry key
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACscIEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
158⤵
- Deletes itself
PID:2772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- Modifies registry key
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:2980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\leQgAEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
156⤵
PID:2140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zggUUQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
154⤵
PID:1640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies registry key
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIkYwEww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
152⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies registry key
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LeUIMEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
150⤵
PID:900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- Modifies registry key
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgcoMocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
148⤵
PID:2044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcgsIIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
146⤵
PID:560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqIYAwQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
144⤵
PID:2888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\myUQcccY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
142⤵
PID:1208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMoEMUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
140⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EackYYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
138⤵
PID:872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoMgsIYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
136⤵
PID:3052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
- Modifies registry key
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bSUgIEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
134⤵
PID:2088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ruQIwMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
132⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGAUgAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
130⤵
PID:876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcoIYcYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
128⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pIsMEYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
126⤵
PID:2476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgwcIsoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
124⤵
PID:2640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SiEgUMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
122⤵
PID:1044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuAgUIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
120⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IAMgkoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
118⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mkYsYQwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
116⤵
PID:2276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
- Modifies registry key
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gyEQEoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
114⤵
PID:1296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkkwwswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
112⤵
PID:900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PCsgYUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
110⤵
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmwoYQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
108⤵
PID:1752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyYooUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
106⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
- Modifies registry key
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcsEkwgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
104⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JAwQkMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
102⤵
PID:2392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
- Modifies registry key
PID:612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\keEkwUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
100⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CUkAwkcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
98⤵
PID:2452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqEMEcIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
96⤵
PID:2636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
- Modifies registry key
PID:1236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cikwcgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
94⤵
PID:2120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQAcsAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
92⤵
PID:1832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dIgUIQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
90⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkAkIYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
88⤵
PID:2772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkUwUEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
86⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DewYMUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
84⤵
PID:2476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\joAsQMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
82⤵
PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sSUUswoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
80⤵
PID:692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAEwIIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
78⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
- Modifies registry key
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUssMwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
76⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QocoMYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
74⤵
PID:1668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
- Modifies registry key
PID:2960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmIwYEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
72⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
- Modifies registry key
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\igkQsEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
70⤵
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies registry key
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOsIwcAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
68⤵
PID:2608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
- Modifies registry key
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOcAYoMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
66⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQQAIkMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
64⤵
PID:2876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyoYUEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
62⤵
PID:1204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiMwcgYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
60⤵
PID:2404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fIMwIEYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
58⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\osgUgcEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
56⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WygsEosQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
54⤵
PID:3064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\coEQUYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
52⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
- Modifies registry key
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\moIwEMsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
50⤵
PID:2528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoAwoYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
48⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqoMIQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
46⤵
PID:1768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HiMYocws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
44⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- Modifies registry key
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmYgAoso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
42⤵
PID:1828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIoIQgYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
40⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VkUccUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
38⤵
PID:1264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tkUsIAcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
36⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HAoMAEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
34⤵
PID:2164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAAkAQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
32⤵
PID:800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoQoQsIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
30⤵
PID:1832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
- Modifies registry key
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UekQcwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
28⤵
PID:2908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuQwcEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
26⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\egUwgMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
24⤵
PID:1116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUssEIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
22⤵
PID:2064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\luUQswss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
20⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JykYIIQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
18⤵
PID:3064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwkwMsck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
16⤵
PID:1136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMUgAowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
14⤵
PID:2244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGEMcYUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
12⤵
PID:2360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CaIwosMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
10⤵
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UswQYcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
8⤵
PID:2764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOYEMEAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
6⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\muowowwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
4⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWkUwUoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2092419860-1842348857-1106795338-1203251404-2097796924-513942463-6613473671405747677"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-382126864-13759653866715181431451738748-131113718498487837-9223604591977591164"
1⤵
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1701468568-3649661611146676275592236606-768316622-367295236148626029773103476"
1⤵
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19800533791564225427326805642-3907888321226335047-966031047-265764263-2028314381"
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-890103573883243818119572121415716353311656741008-992820026-1995510774-1119352906"
1⤵
PID:580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1111267489-2097766649-1673742777-124663890-1725277287-3943546831891693315-1262620266"
1⤵
PID:1116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1979047573-1839361405413187189674883642-13964696961795761476-7128542521948687194"
1⤵
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-31623453335803798321220338171970903983-57815569417986435771084045882-1684059777"
1⤵
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1000355702-5415041803417517744288117156727695461191675799404730143-992762719"
1⤵
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2094305997-634000547774696565-4713820501541460323-461527125-1797843063-1151220646"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1853041654-1407718824290070215162085580319121846373322459245891689391404917499"
1⤵
PID:796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "720180198-842062603-1035935664-1382973679-3647494832796955411902129158851057748"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-274799790-17034706581603094272-1721862336906840178-1196612423-1493478546-1008317152"
1⤵
PID:596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-51528056-1783470226-246704258284598213-323321406-2073547543136217044268260656"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18143652581578641265623427360-1652918076786145785-178142039371162280746492308"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4076002412134683196417063146981856070-11734970351781554510-1048473762-1493639248"
1⤵
PID:632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "67470008911400339612939671514671218551222292454-1022134116-1280410522-1294264494"
1⤵
PID:1692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1012047403-1001808749-4351115721447966116-1449726527-1628538634-7353868272033089666"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9745285151081800366575757441296216922198737-1992338278893959474-870920054"
1⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "404465448534487894-780294417994705834-134645595116492711951878576749-443749821"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-979225292-688099857-1751587064-406292676875820944-652995627851229151-2057523718"
1⤵
PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1844221474102266493118493263401280662120-1690772703634484006-807210844915935947"
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "145073079157551434616636596422049102323890113294320164503-29230747889986418"
1⤵
PID:1812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "655318134-1393550553-1814851792143120959-1010951640964224241-1815841257-1014737207"
1⤵
PID:280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1705320197-943730058-15596874921299115801-970446806-5679152-1456985312-1571915252"
1⤵
PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1157996536167902532125183260667983836218955875491138738205-156853515-1691366812"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-531685663-818473977-591215439122140124518791604932535659611386842651202621436"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "120773035-2946214841556895903-1821275029160111881-855173335-1918822925750183295"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "389859221-46913508139571591-593131696-132454839918356180521277801498-1778098945"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1643632808-2113019882933568871039975322-81248882691534728820496282572060325982"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "95070464962780303-7746989411783129006878817027-1524349463-1568554304-371753568"
1⤵
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12866079631180074396-1660611906-813145269-2114978154296709505-584756127-388831432"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10831111741330675185-52176566089046146-18605952961100597001-18686448831433752285"
1⤵
PID:2636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12226266751292164671-1219019585-16971729641142883406-2042056041-1950528511-569000386"
1⤵
PID:2072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-524813459-185920920443210137-353609862-152190635-1216716170-1252643621-1977759968"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1557649886653114459177915023-200105707520373823961528448569389735822552290004"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1715811321-2009346780-165506936-69156355411772521341456530221840794101139892507"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1887474184-64515992912820194911562451861221204430-1208117324152033593178638118"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1690724998-1655513249-1730182173236250332-11224388801495641557-434574526-1961658937"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-119409290528979012151738308204994156119722430241466435451-58798586420605423"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1940924327295150630-3545278299157664591062774267-2093772403-18244216912015467503"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8041295431885160398710063660140562164-410351835652158046-1738669208201160530"
1⤵
PID:1988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "195380059-20970356551934886786-351440234-2141818702-664188014-8065303101451847353"
1⤵
PID:1840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "827077044-1062659632231719541630265213704920629-1763176322-213084959-2082716599"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "889423118-831900689-2287421571323903035-1917059856-774894332-1281489956143663924"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1123153930725423407182677624512862154813304863141167746580-1002970705-1601617658"
1⤵
PID:1296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1482922354-14341106202134974989559710775481309451314654583-411509985-250252844"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "429154248203565992-72156701711441170451534219440-1802240187-20443295011116523151"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1656665012125929932017814508011521303851-1644432179-19705959991363969503-1344326798"
1⤵
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1250099481-559546505-1358779781786836683-331861712-146877234512104865251136003866"
1⤵
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3922459701815377009-44879681812198097781981488203-1268180307251541803-1006709568"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-545207268-7750589812429916911604686141-1398465633-982019771-881027785-777494329"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1452035843977246926-5447337651359773386-156621808621240620091660470333-1243448769"
1⤵
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1016296844-126045048922357829894760114814142996805781630961421114658575689594"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "213081200950244332357657281106036912318369088411872932502-297692222-1044703861"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1441345249-19410577511480271831810616533-1442730914-849461042-1222455304-1139168271"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-268253482-147237700315963031211732248918433897153-2123327072890063377-410915097"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-772036608-14100104951282595363-2034285342-1707979798615801363659247271466163363"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2011582196-62359431910209226551184947802-1628820227-10250633161471860635-611338932"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15150372047756920041525633249-21010114301207127754-177743249-1157513734708692151"
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5504774421778345987-541346340-44317171859854372246457732-13089562501653576803"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-481129427-177959768-8323856-1451759606198448712375361433-764037001-2072347319"
1⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-963467248-1953071360-14168669981800908847-17501477901637633730-18226292631515930866"
1⤵
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-877809021-473580771-5232568719617170911707304395-16792316643294255451050785356"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1077942056-1624561676-163657267413287759517638765961396137956-7053140261809675327"
1⤵
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1910733860-1162154095874690154-8211526809141292481214522909-653559185738658893"
1⤵
PID:1332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5569024311031600034474387569-547552081206052658013227824471881587821-1643017729"
1⤵
PID:2300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2013134422055127757-4292396591600943207137443988920410853421171461169-979444630"
1⤵
PID:908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "998831689-2062872561-613981007-20256202895846333641511847806-1309380261734576049"
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1721769569-58386790-1483900780-1257041959-249589883-16526822378534949-239775113"
1⤵
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8649061171710983174672653960-139851335-449207151689696170-176739860-1324482214"
1⤵
PID:1264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8723108858859529111110800058-881809517-1221428704-1573011709-148401913133558234"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-547457052-8232431521185439397-1595207630-1232519730-1012687619-19649950711737176491"
1⤵
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2001445459-4318065021127807257-55620519412063795318773051461073892165-1953225426"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9763798691650182807-2997561731891625453-6996663745397660724681502485557820"
1⤵
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "144301313819885211301258334571-1618888619-1493179722747535578-1368920885616602602"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1053625873-12448764082136212438-840424383-462918871149409786316807884001205619569"
1⤵
PID:560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9868990552025280622181857700310977008751418323025130464943361132366-373318875"
1⤵
PID:1404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1608535430423740919-878292589-354680754339764449-6214409652906998651030505832"
1⤵
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8369428041892967610-524080683-1267623881906202180-8926068882510029731954392627"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "49335836799997841653915908-13957500691059838251-1098854973-1913961633-684859638"
1⤵
PID:2828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2140640044768013957-1994640817-978593192-139584076-1534266349-2072158349-1795548410"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1781428838-901423514-258581509590462323544752622157080050179052142832265112"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-109363284-1799268762237577436494145995-20850594981185515412-1962442177-383866751"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1723140249267378825-1006035479602687536-1597966928622353883-2695526511976605001"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1910417420-179270002621340315141186301458-1871045149210350834820190452501366169674"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "167180332-20060138445098981714142832312504257131908648339-2004329511-54714323"
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-555242951235039512-278907345-17451905911420842636-105858413412530087421277411451"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-46028558-2029067296757057734-2111762521160841702324360102519319716942038583838"
1⤵
PID:1140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "831713746-233939964195860439-63288460111873395794542412441127509317-1951930742"
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
244KB

MD5
f8d7fb5c58f039ca809285a7e07dc748

SHA1
eeb46399579ee76f998840efa58c6028115718f2

SHA256
36e8a6085dd2eda3ac2c841149ae60ce9ec7eee7f977c01a24bb6993ea5777fe

SHA512
edffa4c774f59df956a1c1fcbc9841e70f07ec7beaf918874a1349f34a762ba67c222dd080265b71cdb57936cabe7176404830c9a721ac45fc7adaf650705b67

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
219KB

MD5
3141b372e13377b49867dfff4a74803d

SHA1
5aba3c250dbea9fc54c5877f5deecdc87588a1b7

SHA256
cd61d88dc133cce027921a390c252a64365250b77771f594636c612f51729785

SHA512
ccc790609ec1736dce1826ce1271f4b5937cd3ada6c16677e12bd774a0082fdfbf4c4db2820839b06b9d232d5d9d005be279d407338c11b7b90a1f870d6cf4d6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
217KB

MD5
388f3877f8049fc4ac50e699a72c2e60

SHA1
53d31245a2bf1046bd272ba28647d35414d78013

SHA256
ae9add2841a8ebbc829002a3a5f96ff3450e68a353594d82d1f8d4d9a97b63c2

SHA512
a3973b7253cf8703330114ba6c0e10b5b21522c9e12d24b3b8923b288d5d95a15c1db3eec82ce89f455c7331c4dc621bec0f575753634e7b6c4c13a7e4d75dee

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
246KB

MD5
17c822f62c6bf461392b2a08eb53c9b6

SHA1
887e70a20a1ca23d1dacea4c64821dd4b3d608be

SHA256
dbf98995b0c09ced1c87a570a5afaa8bb0d4046016e37d1d72ec4ae4f4c2645d

SHA512
e3df60a43b70321757d4e11ab14684c8224735d103251955bfc1f9a32f0d8e9e50cf9558c8bdc174a7cabdee8d313037f2aa481310ac22f7438b9a1a43ff063f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
227KB

MD5
eb0ff73214b977ce37a9b3b4fb75ea9c

SHA1
273b28d72f0997ba073599ce0e53e91f4ee7994d

SHA256
937427cf88f971eb86faf1f7dbe2c1736fe24345d42640023e73af19605b5048

SHA512
a77cdf15eeb52ffaf75578640a5cea37bc4b096a0fba6c77d6d74bf665394b7556026b1fdff4f621cbb201c1e4440ba3b22a189fc8a358d68b39621cde006469

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
228KB

MD5
6f7fa8583d29e969cba73178ff591e69

SHA1
bc102ab04a0c0bf202cff7341a1a6151c25772f3

SHA256
034f9c2d5b3256e6b80412f6722b05e2516f86cfdefc5004b8cba62bb00308a9

SHA512
1633af34f8519526541749d9234acc4f6ef7b459e9da932b412b8b613dff34a95d0395b28c1cd82bb8f766efb179f3775eab872a639d81220fb95e6c1ea56ce5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
230KB

MD5
3f2976c1afb5b585b51a26817a0a48ec

SHA1
921bc223ab3fba6e082d2ad402eda924400bf152

SHA256
b2f52bb97d3bb10218ddbb03a6c8ef0f0595b9ec0a324beb642f8fbadbe5ab57

SHA512
178edc3bf050f755c20ee02d4dcfa0ed2d780f25b92876c4837d28dad78d14de6d43d730fbd95953aa2585979dd3db8775833fcda252c97694cea42f1bc759aa

Download Submit
C:\ProgramData\zUAMsEEU\ZeksYgMA.inf

Filesize
4B

MD5
2443b0fc0682988d6bfaa2ebc5b63293

SHA1
3c54bd4a9c48c1b7d69c59a3d6a3d4ba032448da

SHA256
4dd9be56d892344fdbb45342fb84b3f8973b56c754fb520709f44932c70d430e

SHA512
57d6627464a58c582f6af4370864de97d0ae43caaf16e49a1d3d95d60da1f549556040c2d95c69dd55d21325de5c1e0021f84d77b55ef64cbf3937ee09c72e00

Download Submit
C:\ProgramData\zUAMsEEU\ZeksYgMA.inf

Filesize
4B

MD5
e761ef05f5d5afc702783e13af1c53dc

SHA1
232c29159e9404efb6e60c1dff4a4b8177382abf

SHA256
846468c4888bf1e5c7219e25ace6ef757646404cde08c2e79c63196e239a8068

SHA512
aa881c92836cadb11e357124fa8c693a6c142b101a1aa45d82628d66b4c4fa1af21b0c735ee03549b8af7cafb27523d1ff78042bfad18a8c183a2a6166bc07d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-28_843d4b65b69d1ec8e6a4fd32a2769ed2_virlock

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAUy.exe

Filesize
227KB

MD5
159019a153a4fe4fd2fb13f4a0afab41

SHA1
c314fd9d2fc07aea975c460b921da34755580b8d

SHA256
2d5791374a47fdc459f5d6233c0786c703791b5dc0b5fcb0fc1cab7ed73166a6

SHA512
c494ce5a0ea4d29964f890b96a4c149bff2b18e2ea424044247bca466a91872f31e4656ce0ec14a4946f5c2e8c4932aae773879eb240d9c750c1ba1dde2cdd7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYIW.exe

Filesize
245KB

MD5
e05043d579ae298b6dad9ab08e4acf20

SHA1
e20b3d2278016b0f4339f6e6890f5189d67fb0c6

SHA256
7b83e9a9b8cbcd768f3393c1c1e35a852b15220784a79829f8f0ead3e0baf335

SHA512
a6e8596ccfcc612312c7e53c818337e97c230bc14e3adde3bb173582b84a86d0f72bad1883acbb739d4315b268bb958063f396bc04dbdec5dcae823c38a10a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aogs.exe

Filesize
239KB

MD5
0a3fbb753a0cf567e889286b7fabf016

SHA1
c2f2f0dd1cbc22c6b1292729083493b7b0efdb3b

SHA256
4b80cd84b0ef5296ee51fef94aff36c4d5e81d765f320d5f46d09464634325fa

SHA512
6937b6f308a09d8583c086532c9d2ea024ee7abed6f15a1219732d59e49620176647eef134ad434b9b9cdee561d96c7a46fa5f6accc526249539c7194629754d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsQI.exe

Filesize
249KB

MD5
46d43b2089eb05c24559af52c95156fd

SHA1
883e6ae0b96e9de3f5e9ba7cadc796725a7be4d7

SHA256
c1b2ed8db72b224e3ac01c938c657ab2934b2e27c41d63136b1709af5ab78573

SHA512
ceb8c2fae5aefc1d242599dc3212cd8d6103f7a35fb786c094298b158c5091778abcac0b6023043ee7ec34da243a5db14a3f4d0f305a59e166c4c73fbbac0813

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsUM.exe

Filesize
241KB

MD5
bbf1a0efb199224b2241e718158bcb78

SHA1
62c352375b3e98b972a57781a8eaf813d8941051

SHA256
1bec788b3d83bfa9a150e626b3ae1f2d47f932dfc264980940eb578df9913745

SHA512
41d99ce8e27ef6b70c92a32b40311a1cae85f033d3302e44e028e7bf02336f302f0d7a5f999a589df8585132330fa93206906ab99d658bffe06eb2c14c86b8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQQi.exe

Filesize
638KB

MD5
bf4a7185f041c962560588aaf14d6cf1

SHA1
524ed5e5afbe8d05514579fb64907a2cdeec00b0

SHA256
9628031d5daa434edee5db7de2e5c0afce50886eb92d179702d7c9b29846f99d

SHA512
205cb0fef8a36cae00fe9f57300ea22ddfc95c3f3c9d786a79fd027f181c6c8f4936ac334782f8f852118abc592d7af7953b2dfb79d66914005a3d12051e8596

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcAs.exe

Filesize
464KB

MD5
e7537a5dce2bb3206447d60cb325d49a

SHA1
3305d59fe86562ec0a72b07809fd4bd2ed906481

SHA256
a0c078bf50935e414632bda6a7ce434b8ea7408f1443d0ec2012085649b618cd

SHA512
e82a7f1c85e7fcf54a8318a68b1fbc4ccdecaf7a3764fb886be945d9af030b2da1094f0e2fb24ed023871f98160a6fca55927eebcb24e00955d3dc1be27cd9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMggEEgo.bat

Filesize
4B

MD5
72b4ba76a2c226340a5197be8cc8f67d

SHA1
f9c726c39a356661a2ccaf49fda5644c83745678

SHA256
2f0ce2aa06b2398ed5083b08e60d1067a8d11baf8ddf4cfd60345b2830f1a0ab

SHA512
69704d1e4f40817117d81ad5cc24243c3c12f27351872847ef5653ea5aedcbf774074d66ecad6441eb336d2a587361c2d91bee69b05e1d3538a9284c17964ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsQIAIUo.bat

Filesize
4B

MD5
5e16de60ecbd3b34f85f8ba827f86bb6

SHA1
67885b63b516fe97f8837073dc766f95ddabe507

SHA256
8e243807484a4917e53e0fbbbbe81537cde15f8fa8846085d18dbcf6435cf157

SHA512
d4c6781b5e3e089009b1cbe840016f72ac4d01fb19dfdd0a2a96b5620082ef9a1e32a8e429c4fa1e599f5c0c30fcdd79aa20cf07b4c50078b6cd46625b58f7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUgW.exe

Filesize
238KB

MD5
abdb95ad52acc224c51c6bbb46fe2f10

SHA1
c8470032221348921672592b33cdfee9a4198ed2

SHA256
2b2a178f9053585b067002f239b96984bbd14aadd5c1cdcd471fb8939f6e770d

SHA512
2703e94967bc20340bfdf9508dc0197480a953d04da7ab9ce31a5eac3462854f2a18a159a24e9c1c479393b4a1417de8f396ef0bb6211e28c9e65960c84d94e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkcY.exe

Filesize
1.0MB

MD5
d259f8da5742b8d6d5363f634bcbafdd

SHA1
1c199ac42025c75112f25ccd30b780270670156f

SHA256
45902a8f4f71472cb578954d1184bfecbc33eed89ca83392fcb2c64e7ce79ffa

SHA512
189e5f5c2ebd83213da71ca2d0972e85f535037b4a90069fa3a7f5d38877b0c6706e5e4bf3f5008adacaafc31cb3a6d1e85115c86266f884f3da818010e44fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eock.exe

Filesize
321KB

MD5
c9f6e65466608eeef9e3ae457512b1e1

SHA1
00dd1a57839c846399cb993116eef0da1c7777e3

SHA256
3b7d36397f99005c177e8187fa22afe2c491964d26a1e4ff2c3fd0726b7d850d

SHA512
195937c4fde8a04d12187d327bd101b58aa40b15cf82b1e97d0b5858a484ba02f836860f4ca3aacb6b1fafb01f992ec5d40c29a65eb08ebd524808df515a600b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsYMkYoE.bat

Filesize
4B

MD5
4dc5328422756e8668392dee82728fb7

SHA1
fcecbd9b20832b3473d197bf9a2a11af456d9180

SHA256
55376b5fc0b1e5b214f788d4d5942c07bb6d6b40c131b4054f0df0824b32b282

SHA512
c9adb339e585211b2cde7f3e662569c071cb8656c1f692325ff800111b1d74067f41eb403f06ba01abf97ed2cc8e4cb9a0a73308be3b5ff60ea473c5341d76e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOgIoEsM.bat

Filesize
4B

MD5
36705034a1ca3600d3f1467508aa0a9c

SHA1
91e3d8277c01fdeb0328768bb018a5b6deb8a417

SHA256
1372b482d11277a5b00269e25ac477f98f584929701b870ed6c64491dd000916

SHA512
7be0cc69ad0105cfe5971371c59f43d3d0a61757a11183ebea7fb0fa8d6fb3729a729f815c1b78250ead499cce150ff86637294467ef0562593b8caafeebf67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQoA.exe

Filesize
238KB

MD5
6728b42a87891f7084a64de98c7d1aa5

SHA1
b7028cad4a58e65172c3dd3d255527eb5ad9081b

SHA256
cca170890a3cbf55fddc081a72d3f62421fa3f48b88a7740e2812079b47c12aa

SHA512
025a2db867ee988f23fda8336c8e290553f93993214cd80161ec2e3086c6f5822bb8b90878f23ef67dbbb78ccf1191a6fb530b68e692283d2fa7aeda356612d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYoIUwck.bat

Filesize
4B

MD5
03e7ad1257d479d2a648a99332dcc15f

SHA1
3fdfbc4250fceeda83a3e6609a2a1e6b8a8bc639

SHA256
bc09be3d8de4b5b07eacaf63bba342fdd9511e86e536d940324df8d555508b6f

SHA512
51c08af46cccac6f83ed59d4cad9d24d623ad9dff195f6ce4ce9524559f15800e82d3080e6ccc8f4903b5e243eb69e6b263f7f5cdf9472a44c5d8733df41c517

Download Submit
C:\Users\Admin\AppData\Local\Temp\GeAQAAEY.bat

Filesize
4B

MD5
84f68565345bd3af60e2d16591d038c0

SHA1
1deb75100f31b74d47b710bd5bc9f6f939994d7b

SHA256
8c71233d0610c1440ddb4923f5bcf831b23b7ca75223d666d68569e1e897ac93

SHA512
e44c2f8b4289737ff43b447adfec333b8edeaf06af91543df760b2ceef0f7a78d63cdf448bff78d5f880b1f38c1182a0e10abc093dc16975663b77146b87ae0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkwA.exe

Filesize
234KB

MD5
561af94d701248577a7ce991faa804ec

SHA1
b2a4f5055206cd8b4101208acf26ca83a6b2a605

SHA256
5c6fe0d30dc04af26658ec1efbe12e17cc0f008f4b1c360522591f6450d50a73

SHA512
c530f9d1cc017a63ec93a76f73c017bdd9301c1cfa8f4106e89148b7c782929fedf753e1f3e41c4b7d5bffde12b99cc16eac43ba5635ed935dbd88930fc40690

Download Submit
C:\Users\Admin\AppData\Local\Temp\GmgQwogs.bat

Filesize
4B

MD5
2d711c5a3c31a9457bf0f5c7623ab89b

SHA1
467b1915b9034107412643891d79879c0a0e047a

SHA256
f0b7cc48a88c1af260ee9814f9b0195a456de5a1aaf96de73964b33881e7ae0b

SHA512
58e70ecf6869a27fe831630573ac45d0f04f65a04ca4fd10e7ad781d4126f444af13dead00b5cc6f29bcd607145699b56222f5c66acef0956ca5545cd0d33f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gowo.exe

Filesize
828KB

MD5
bd0c2303ca5fe69d423808a0012d06bf

SHA1
7f86e05a0bea6dd292d4cf73a9d1cbb5c7303c9a

SHA256
138117e0c15ce32bb9c69421cdc5442b5538ce34c15ae098c53ee25f1bbbb828

SHA512
c1ff67f7218f6a0f515ac44fb41f0bed9a601fb281ad1d15ec2298789d8da02bc25737c3fac5fd5ac035a108f50224b55a8c31a12ee25dfa285859651eadbf7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GuEwwsAk.bat

Filesize
4B

MD5
00cb405e420bbf310962a9a0fb71746e

SHA1
696da952c4e3adf2f97367406a362c1763ebce7d

SHA256
0cca71e146913410d9d5f31d4ef4fa503fcc807a42bbb8538b3c6e6db49663c8

SHA512
ba1cfa38d22328a7d23d8f6533aea9af9e76232bbaac5c88a12e5442a1d557c5ce5e419ef7f66b600db206d68be6380d2b530e9cac7b0b7d26c1efe4f4a87b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGIwwIQg.bat

Filesize
4B

MD5
00cbc79c95b200cab1b6e23fcda4b1a7

SHA1
1acd8bc8acaac0f8caef69be4a517be157a11e90

SHA256
b16e28661496153c45582dfe37eedd806854b40fa5c469176963fa3f81adc7c7

SHA512
466f6008a75f24e1164fc00de6dcb70b68f803be45383186f1c568e6a91c471e2950cf331faacb82e8bbae6ade119fcf86b3c288aed99465809091d54f9c94b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWMAQYUI.bat

Filesize
4B

MD5
03e3fcd612d091bb5ca5853415ec1c2f

SHA1
476f02818ca674c35f275987e10c11ca2ee047ec

SHA256
e92d998618a9ad7c82b6253632d8daf6b6af713bba68d2323edda34ac930eda4

SHA512
1f09cbcfd77c1a718e065a3c5acbaa087704d910114fe44e8cea0e9d08689869515261116bda4699afda9addbf1318345a7b06215cbd6933b5a39b577e75ee4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYwokEgo.bat

Filesize
4B

MD5
1e50cae769fc9447383d6a6cc8459445

SHA1
9ae11937d11e7a96d42d292b10de74a74029a0b0

SHA256
6a01d4b96fa9a73ab99c4bae34683c88bce11dff9b26cc86b4752857b869c8d6

SHA512
98d7b376bfc6d09ac6e14619a4a6484f02da94a80ea62e9ba06838433d6ca43dbfdaf9825a5d6c9e2bd04338409c22d1836f7f99829ce5dac05e2ab4b5753094

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICUoUgUM.bat

Filesize
4B

MD5
f329ab28f97c17e678e9ceaa12522192

SHA1
088bf5bd30e19811551854a460e8cf5d15fbfb0c

SHA256
a3cf35d7f8120500308cc26e5dddf66343797b3bc3793bcf8779f3305921f5a7

SHA512
b0aa68a1484f96a7fd00809c3d8d2daf77bdfba2b0eef4d39a15bc54add524c39a2f67b58ac9955b49839cba0ebed8c2787ec3dbd902dd08fcb8791a590023c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMQI.exe

Filesize
238KB

MD5
758a2db1a8b8daa628e7ad18a97abea0

SHA1
b2f4d7ec41c55b2d42516d019e2b6f805ec72462

SHA256
998bf73567350ce708bc75357d0ab991e2c70ea5e095687249d0a4af8ee93a84

SHA512
cf1f2b3d366467bd0df53fe39cf670be205cc74e9ccfa75c60448db8da53ad76b4d5f6ee6432277ffc67e1b74d2ac29549138c4aaaa873a5f01678b71701fe16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUUa.exe

Filesize
231KB

MD5
79a3ef3ee6a6a54679fa5e689563ef9b

SHA1
1f2fd4218c6d653ced20f1ccccf1f46b49d98f01

SHA256
5b194f36808dffcdeb3889c17b557d8b57af9ceab31bc49ac929b460e14592a0

SHA512
c7a6af8b67b812b05943f39fd1ecc7703f2e17a00dbf376b305fb26bc6f062950a05c9771e9b2c680309074512fb6b11d2b19ab51e2ecc908a2972dcbc141b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUYIUIAA.bat

Filesize
4B

MD5
2fe40f1121265850fa04f2d12bd18276

SHA1
ba27ed5648d4155c3b57c0373c9c36ffcea59c7f

SHA256
7c1865f169127c44582f6d345fa1bdafd7cd0832695ff76ffa2a9ee6126e4784

SHA512
1a96f9e57abaa615a9412a217894aff86238941b6bb9375817d664c8ee5744e2908b1e73d1ccb6620586604af7f4a57a97c145c8b962f09e3ed69780da1e0a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUwC.exe

Filesize
226KB

MD5
dcbaf9d978b292af2375ae4dcc2832d8

SHA1
0e8009fd2d775d75c59e66816beb7085af57f27f

SHA256
0d0e2bea429384960ec11a23e94304e3db9e3aa927873a37f1bc2b4a41a1596a

SHA512
e8075763700f34e7006e89d3be88aa971f60af1d03b9ed2869b5a8cfe39dfdaa5b776eae1ddf718b45aa054c97627c6a328766736a9be8daf5faa0314c576e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikwu.exe

Filesize
230KB

MD5
40f360213e9e713f22f542a9e90b26d4

SHA1
1b270ff583ec709aab99bad982cecc3fa8edd69e

SHA256
1b9858d835ff3ab19bb863b6d04409a6f8cd2bac7e2306a9797a9b29d88ac374

SHA512
8893fb7c561f29e27f9aeb2082b4ab5c56f3862e1d86b91f78e120d106d8024392c56fa41aed33304a72ff339174c58e59f701d832624ebe2c7d2315b2d2f135

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwwY.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JSAscsYQ.bat

Filesize
4B

MD5
973c81f50b1b2828f882127441547916

SHA1
f8476663476da1657e1cc8b86a62f29e9ff78289

SHA256
e6de4beb714142f1bd70c1039641d9d1f67b56e82351fef9e81cfd8eadad5b5e

SHA512
c629405df249950b5e424eb712739b4c6c5d11c398337cc9f25ebb3e82e541f322edce1866a144ee27d21dcf42ae95c0f148993b624a8e506e65cf11de750fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\JSYUMgYE.bat

Filesize
4B

MD5
3fbc60ae7bda006b679a2ba5caf0d985

SHA1
71027ee6a5e5fc623a6b14685e8041c82e2b5b2d

SHA256
ce516dd2af8a748b74942f2a7db1710fe12aff336e560f23387be5ebfc4a85ea

SHA512
91997bc438e01584618a0dc1ede3f39f9aeac131d626b6689597299982c4e9de5ee21f7b04e1e3d2738e8643643b82ff9ab61315e402f1ef625dcfead3b633c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwMQcgsI.bat

Filesize
4B

MD5
68777905a4262e0633712ece67e67498

SHA1
1fee42c81b1909484fc29c7706e87a2d2174590d

SHA256
e29dc73e51de77cc65c680697b8d3ef61e37134fe3835a053d35a20816247096

SHA512
2520fb2f661f72bb03f174a6701b6425495b162bdb1d81b2308c24c975da321e492913dc31c2b81b72f0f96d2701e0bb584e9658bdaf81299f5b72ac0ab5a9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAws.exe

Filesize
231KB

MD5
e12562bcd01953c6c6ce549a186c7b19

SHA1
5be46c785f85efa139f6f79a71f2dd5b895f038d

SHA256
02005916d40223ea798a7cafef2ee66e62a27904df015da4666ac29ab7774944

SHA512
65778eeeafd180b9e5f2b041f7e1f9164ce174079559655ea68795d55a8c0aea48cc241c1467c586345fdb7ffc8bafd837d7a192342ce3f6b81ebcca8d767db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMYAsMIM.bat

Filesize
4B

MD5
c5c35dbd6676a9c34712d410cbb5fdbe

SHA1
44975cb1d2fb83e4673669ad2f7bae619beb7965

SHA256
69be1ce225b7ea30ecd30d053b38648a2b48a14bc67bee9d28a87ceb7039a5ae

SHA512
92e4dccad43fdade6e03b8f7df27b763f6f7fb6aa009fde681393ba48724e857187bd803bc799d08ac41fdd3b9e77b89e848f10d5edd6d7c46d55df275d47eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMow.exe

Filesize
4.8MB

MD5
4bb13cf580ece9d932e9dd6b579d589f

SHA1
939fdb79b215e64e7eb01a7de239b5a6bbc5de92

SHA256
cb750ff07610e0e71c82822ee40f6e3aee4100d6694e151caa8fe5f39a9ebd95

SHA512
82b7bae4fca6449dac57a0076d19dd554abe51423488f7be37e06c20f84299503e7ac9d48c09d9d7819f05b322507864f23796fefd18572365139456ea7e4b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUIi.exe

Filesize
234KB

MD5
98d62caaf822871bd46f8c38a7563bf1

SHA1
f6ae65c13132058c59c3068e8cbdab9726726e06

SHA256
b1e5bdf0e67cd90d6503387ab2342dc50b486a3d3d6fc41d38eded800e35296e

SHA512
8554c1040e32c039c61595b09e3ecaf78178e44b49ba94738a825e5c906e5d7645b77765f1032f044043e1830f6e799ddd50a23edb168bb0ef086ce79a8bf319

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkQm.exe

Filesize
250KB

MD5
fcdc4bd165efc1af888d107f5983e365

SHA1
7f172b07cf2f3a6c50daf473f62a8dd183b60670

SHA256
5e291e21d8c6b998da786ee6f92e7cf4a9ae6745ea5788d4809f51bb63e36aad

SHA512
8033c4c94541eda319bf48b7d08b00cfdf149f156487da529e9bb4bf1383f92bbfb09ad75ed2b2b308ff699ec6c88ccdd2a28eefb00e1668ed909e001cfb46c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoEO.exe

Filesize
642KB

MD5
5b965df7257e389cbc8cdef863c13307

SHA1
592023cfdb5e05ecc5919f06001a2e08df809b46

SHA256
cb18bab7ffc94e4312bd0578363919221445fcdcc4bc87f9e7d58ab2553f4b80

SHA512
185e19b3d81a2091342ae444064d5f7d9bb0fd007b56a40c03943d80e1b10ddd73c33077dccf108b0129006d270f3371f6d92a5e95e5a6e85882d2ac8461abc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwIW.exe

Filesize
234KB

MD5
03b2cd08264753380275ddc9513662d1

SHA1
8461ad63173cc11275655f0d59e7935a7cb39704

SHA256
15b7c89d51868e868036f1e6069ba7d39e575d98034f0677b99e6070161ac690

SHA512
e34f2cdac78cca67899c402cc71a4b39a13704d998595ed8583cff984a9efaf575011217fc6730ac5740bb660819570c2e19ffa3c4c74d42f21c1eb157618867

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCkYAEMo.bat

Filesize
4B

MD5
2d74327ac2db4230daeff0e23f2f2e40

SHA1
1612fd87c62cb9b2608cb816840a77d2a37c154a

SHA256
35bb0087036d88e750a8ba31a5d0467dbc78dc4aba0f7248bea3218a13f1ec0b

SHA512
9f24815f2c107a68a975a4a3c80a4490ba8ef24f09272413fef019dac7227f57f512b83a98f6b5247cb8dc4a23b51c672e1524201d2518a70a97ae65fae5c1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEEw.exe

Filesize
228KB

MD5
c4af015b3aa00e14d275d1f38c2e13a6

SHA1
a2b0ac05710bbe4497c1fc7f585c06313c09672d

SHA256
b3fed12eb0951c15e36d4f25fa79994de954924c91d24a4484d88f55623eedfa

SHA512
068e0db66ea88276a819ba55ac0c65cd621fd7931fade230b3581e8dd521baf8ca403347031a544e1dc1c06d9a74d9ffd0ffbe6e46f7b45835f0b0a781aa8a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYYO.exe

Filesize
229KB

MD5
9bb28d7d9518c03bb34d9f9ef3852a7f

SHA1
e1dc05bcb72f1ed836596c3d8cd902c050f70ad8

SHA256
074a4c3fd9e2613e41936013c198d7b0ee47b273daf98265ee3df61cafe31446

SHA512
e9a5f5a341407e4d859cd6042afe771439003b11bf2faa57f9a1395f88853eb3362b4be01f140e89ccdc9885c353b6ba8d14131ab81746068bb0088e1abb7feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcku.exe

Filesize
249KB

MD5
0eeaad7f02912a92ab1bced226b5b93b

SHA1
d2f01949138fa088316467b76ae644caf1fb1142

SHA256
3eeb68ee7ea62620bc4409a4dc4009323ab45bb2ea39dd7581fd8b55b6abd1c1

SHA512
43cd03859fc8f3f23d627d1a0fb5d7acb60a37cd32d33db5e100fae0d2a91f578f10a12698e910ca7c3626bf086f1e6064c98c7f338f330aa68c5f8bf71dbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\McoC.exe

Filesize
226KB

MD5
ebb33d6910461c22ec865f9fc20e72f3

SHA1
2a614b7ae123d23fc511a09846b9cec0b602c732

SHA256
0dbf2322c487f1b55c7b7fbe99c070ca214a469874f4efd7613ac80532e99868

SHA512
d69f6e2c74951e8de7acdbb38f3fa32e451e8f1580899b93bc3fd0b4c5cf4c9d36abd9c280c7e7d7596524c1484b7dfa1929aa311e2f9f9954aadb8c51a40dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NqUQIEwE.bat

Filesize
4B

MD5
4075bf87364880fc1ca67f7e54627b03

SHA1
c0fdedc72589781be423e5268cd9591e6bb8799e

SHA256
350956d3feeb8f5e363321593d2383214d6535900521933d1042a28f09f4b09e

SHA512
bb6fe2856711282e5d078361cca3952d7912fa4ecf6fe0986b2cc4fc0a96d6a2836ddd9174c06d848f40a8f039055376c7e51fb8925742b1bb47f1803fb44ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAgA.exe

Filesize
228KB

MD5
5746759a09dfe4f6005ecf5d215395b8

SHA1
dca6ccf35207a2605c0fe7ec1e84c2e98a857766

SHA256
5c12a1484e6570147b41cbef472bbdd5b6cff4bcfda5fa80a511ba4c74d23467

SHA512
26e2b0f31a9450d5583c357b5343d465b627aa18b2fbc4e733e97a9fe2e4c7c624404d7c55d040d975d2b69e04e370c039c96038ed98df9127160d0ac530ca4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcgA.exe

Filesize
232KB

MD5
68fc7fe29b5c38f802b7ff88f25b751f

SHA1
cace6f64cf314153721fbaa36c03b7bb6f2b3925

SHA256
4144f7f989ffbcbd0dd7f3b441e99868be4ba6ea5e875c29312196671eaff54d

SHA512
00d2dd6825384ccbedc47488f603c9794030bb8b90775928e150a0d051ac382abb3c88ea4f73cd36c02229e44397cc0696fce11b7b311459b246315f8feab1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgUy.exe

Filesize
244KB

MD5
a075120667434ec9e2fb629dc160c45a

SHA1
cfec1b2b06f548848f57808bd9e18ce3ef4bb6bb

SHA256
4de2834e9d78ccf56ff898b5896a2237adba74a2d58dc23a4febdaef40bc1470

SHA512
60993ddc5395ecb88e59526fa4b657e87a398244cdc56dae487332c53c3e4afda9544f81ed08b54deadcd870d8af35112302638ceb6f8a05e896c635b9e1aa10

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAIK.exe

Filesize
4.1MB

MD5
cf7476d1dc32e7528d878c54b472c3e3

SHA1
9fe606fdbcfcf0a97a3667119a4255f244e61c11

SHA256
68e8f7607cdce0c7f0b5f45988677b4d6c121634db0c9d68a08cc1354cd46566

SHA512
2d2b8dc970a9e7e4be59c2e76aa5a76e74ef0e3d6464115ef09871af565edeff7cd10ef1e8c2289e5da283d329425ead328ad033cb2143cfbf98457403a35aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIcU.exe

Filesize
742KB

MD5
9b8db25e2db4400911e8603eaafecfd8

SHA1
b9d7b6196dffed0d55d938a67c4ef012d07b5269

SHA256
50ab6910f7bfb93a0edd25796af69dab215fe295226e678fe60ae9220df16f4e

SHA512
2e939a08a2b1be88895841039940cb2c6552dadaa6188a9d3b42555ab4d144ca3aeb4b471c7f26590c0dd2402bdb838dad28eaad4b38e402c7238c9bec2b0798

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIoM.exe

Filesize
252KB

MD5
32bb5ac262d09b3d10f5bfa43bb523e1

SHA1
4b395238bcbf961e6f79a43b775fd5436f5bcbd0

SHA256
7acdd59ebf170e958897bfbb0490b46331189232afd38d95ab36c5d70897fe87

SHA512
0e5f39ac34e4f0f5231a2321f6219c8605e7fdab4bfed673d0683b65110a7350bdeb9dcb155d8fe9f62fd95776ea75dd8488110d13ecb9323abf019ae3cdb916

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYAe.exe

Filesize
227KB

MD5
35505dec87bca81ae2b893e20fbcc85c

SHA1
b4624b6daf920e1d2a31d251c99cf95b5a8b3239

SHA256
a2af8b305baf08c16804e733d22fa11c01bfc384aa21e1ee4b476e4992d1f0f6

SHA512
176e0085d49c2f10fcdfd5f67d1b79dbdae5fe51085b083e43a651dc087c32d41cffc17be3665291396fb43aa2685c69b7bd62a1fda91db6743a79007dcc8f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYgI.exe

Filesize
231KB

MD5
3dcf39346a9c0d3e84cae5964b9eb0d5

SHA1
62161fefaa6c13ba79e246a0ed354175de9278e6

SHA256
4140fdf51fae50b4ba1ecff1779230eaf37e86596959f2a44bb18fe1613e4ab0

SHA512
f46f3c89b80235364e37503fc18257f28a741ba0c3153991f93edf68f2222efa1bb285222d40374b29babe148d96d9ee4d2400a8bf9b4f486615ed58c73e12e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYswwwIA.bat

Filesize
4B

MD5
28c1ce0e2a1a64afaed2b2a8a85e1249

SHA1
b41932c2a19ed5aedeaeacdbfc6a7f025af6d66b

SHA256
aa1e86ca106807b52c9c207ad294e9b9539829f2faa4a411f88df16d71971c38

SHA512
89654d3ecea7fdd690ff50f1ad7db69579620c303d554d84e0fef514c52b4e283c18bd3af6d44f37ebff435ae09e688389e9984f0486aa756c8855842125920f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIk.exe

Filesize
229KB

MD5
194392d0877113ad49acbb04174ebbd1

SHA1
16b5d5be13496b85c5d5d42bad9768793d4f17dc

SHA256
f56c7ffcd811c80ab28051f61e9fb227bd1f4c8370c9bd292316d36a069710b4

SHA512
ad54519b175541f344c3436cd5903423256d91323e1d0729c261e7e3e3fb64bde918f813a8ddff76b6ae7aa4c92de81abb76aad34bcf6c80d10a98421493e447

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcYy.exe

Filesize
245KB

MD5
58fa2385730647b5e481d81e5786e703

SHA1
de49cd2e316838eadca8c22662d829c009e8bec7

SHA256
cd926b2c86b06b8faa725027a58335d1980d47c9b76167aebb1f281df66b997c

SHA512
fd2ce0aa298df6f01f8f38d4d0ae6661d6a141952897f6614eb15dac58f61ce974f1059ba6ba5cbbf8513700813910decacd1fc249ab119f8fe4def3d7aae4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsAa.exe

Filesize
246KB

MD5
036fbde70068cb9ab7b6e1696f47f178

SHA1
5a83a76f11f44c507256eaa2606929d0ffbd11b5

SHA256
a3e21b74a1bdd65d2ea4437f1d98b34b60991326e3d7d4d2417ed69d9c748927

SHA512
d5d52b6a3412b35def45d767c1c8a7b15c2d5db54c967fc30d94e85076a9fda88ba3b1982660cd0bc2407b6e9327114e324f0d1dae5f1e0b898621e11b9582f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAoEEoQA.bat

Filesize
4B

MD5
8fbbce6b309bd45193160ce80c1ddaf3

SHA1
4d1c41f2cfd67efaf2610fac88125a84acc244c0

SHA256
3d1d567c510f63c89ee460b4ca5f5edd0a01ad9306dae1366dceb95efaa2ad66

SHA512
10c57f44de5dd45d74afc7dc9d4cdb2fe026151650ffa0b2013975a61091c1689e60e357e79542a411d3e1917e638ac4373e2b99f55f5ea9b030d9faa3da4633

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROIowQwM.bat

Filesize
4B

MD5
5b31d3c497c63f9d8de3f5df2694f942

SHA1
7dbcf01ac0384834ddefe948a670f1e6c63b31da

SHA256
265331040f6325500b30402cf7e0e27a8df107371be3ba036e0adbc1792e0d3f

SHA512
aed89a2a02e54d0ee8381d623cadf7f36b723ef6710feebd5cc3e0617e1b384e364ace67dcd3a7c75939d8f14879832560b2d829f54d5b96f4e0fcf42997ea17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUcoAoEA.bat

Filesize
4B

MD5
b459ef83eba367378a694cee911e9600

SHA1
31de1525a3591a1b2390967bbaccd6dd1179d5ca

SHA256
14f7403ee521a43f953d058d54c684ca9914b92a806aa490f88e6781b77f9021

SHA512
51485289922834c0c797c7ff2e6e49455940929cd14a3f7b6dcc92619bc256d087567c9da2230c87d1d6b99a6e5017508046725871db97db1bcb8e4d8d488dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RswgQMgA.bat

Filesize
4B

MD5
5c4d2608acda4eba34c3e4f7916e427f

SHA1
a88981f7d63253a97a702f9d37f9c7fe601e9504

SHA256
bcb801df3e80cba9e14abff55936ee4b92ddea7e055b87ff66f2a42889320f9c

SHA512
9034e4be2479a4c05a48504685308abf96f2647ecbd9e6f4c9cd4ce2bf82457375c6a0aedd821639f858640010f47a078a9b965e9da05ec9c9ffbfb4a5065cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQAW.exe

Filesize
8.2MB

MD5
65a67e5ecf2507ff406baa42f832dc5a

SHA1
15c899010153ed30daafce7fbfbba1d6870a50a7

SHA256
0aa0c73e865f8af86e9affef9aa304ba8508e0af6d840913885beb5ddac1089d

SHA512
c5c48cc59cc46e5d7879d79723c762b46cf824c64f5c8e303c409777163780df7ca6de999cf4bb2f97203e61245eed39b34c409cd7f54412effc8c41dd99e1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scky.exe

Filesize
761KB

MD5
3a2e2196c54dd55893e9866d16733b70

SHA1
7c1fbe4437d829e388702a5b94e515c34a7446c0

SHA256
7e7764e726876d3d3a0c0faff0e8b4deade29ec64d16e057bd19a4fd0d01424f

SHA512
5866fa4efc29892fdab3215f1b11748c6b60aa6be8a4facb2b2392986fca9412833fcfb723e4c188c9d060d9418365ac9e08f1a1d3ad17e39c5ad245c48905d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCYAQMME.bat

Filesize
4B

MD5
50cf646bc98f031e91359ea0f796cf4b

SHA1
ee4e7a00b77f98a49e3b0764b89b4770fe83d580

SHA256
0560c8b5e59dd4a2e358f7f38e00697e722458ef354b20ae1fca29eb8cdbcb1f

SHA512
be15ecf2eacae64e69825b798f4d4cef241a2fce36ca5f852c593804ad60fc10c70b62c64b54a1fdc7da76a3757c11ef5e524aa25a2e72cce996778904f26ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSEMoYAI.bat

Filesize
4B

MD5
2d7229cbe0d9880100df81236a9f96d0

SHA1
217381903ccdb4ad7e8f44a44debb6353aa113a5

SHA256
a788bb90791f51610a0aa9d9313e1cdd77452542d62090a7b1ed89e003c18077

SHA512
c3a0ffa743a7ec232d7ea79fae78d6fc1576d327c92a93b955fc3d172f51373fa0d2678c413f06530518abdae94de13366d25e191a45ba595429d5e9193e4434

Download Submit
C:\Users\Admin\AppData\Local\Temp\TksIMgYc.bat

Filesize
4B

MD5
54b63498f5747d7e496ab7680f823d07

SHA1
3f4d5339f0a3ea1e82629fefa84c8ffcbc7c870c

SHA256
c605995f7c570119b7bd550becc6efaa599bd2875b7a3bc663bc8dd0f491e4bb

SHA512
744e23644bc1294c4314977817280400c306b73169e90d9ceb10b386a499b237152906811894728506e0c1c67ebf885eba723166f11543a4e9830a5e8edf7cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAIUwAsQ.bat

Filesize
4B

MD5
e54ca65574b948be7d71557adce67702

SHA1
1a416dc392f5639f2503eb88085b7b8d268dbe0b

SHA256
0cfee9257c7688dac9481d4e6b7caab3cd695d6f1aa64d45ce62e6666c4d8347

SHA512
a0f22e67535528dc4bf7c741255b85eab7589eebd1d5307d3fb796b858e29285633903f0f6209b381a7717d18f22f22357e7ab150be83d0172e7794c282959cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEcg.exe

Filesize
244KB

MD5
a3f3fe35ac0b4912b65037c19f478c53

SHA1
25346bf6c5c11d84d8f0769dc0a33f410564cd49

SHA256
c8a47d9ff58d135b024563a2d1bc4dbf7e13099e6706e79860769c65f79f89f2

SHA512
7cfb5a27829cf3426e79dfc53a8f67845f7e96c1403bd30ed31b748b140926894de79cd64a79820e4964e22daa75583fdc3422a671d0bca6cb1b2d65087b0312

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMQS.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UawYooAs.bat

Filesize
4B

MD5
cccfd275574a7da165ba95979c061a7d

SHA1
990c8a02e8e14649862861b2fb669f7d3716f741

SHA256
08144fca716c051036708bb1b1bb3012ec61005ec1b6c26a46a3af146b5e4d56

SHA512
3cca838a49c7062a9ced8217f4d9c5df65f1ef8de1d919ba3d6af9fc78def179b6e5fc2106658a40463237283def2a291617b15a1705688bba3d09846138f2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwkS.exe

Filesize
245KB

MD5
c9d100e2c6cfdee81c2c999cb99fd867

SHA1
b4577f955388b1bc7e00c5f40f55f061b6c8cbd0

SHA256
a733fe8c2d04d3fceb238ecbd921647149b7dddf5f5afb2a87a63b9d302677c9

SHA512
22802a94a51347cf664f0369e4ff04c8170b6e6801d59f4cda7ad820a3c2ff815c0da804ae3c061bcfe81f30be2ca72feacad9b4ffaca0a2d8fecb3e82daf2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGUsAYQE.bat

Filesize
4B

MD5
8d47acf338665c4c6a03214a87ecd95f

SHA1
e3ca97daed741cf4338c16cc95ebe2b09ffe23b3

SHA256
3c28e5d6a6807d8718220999e71a64d3fffd2b8606086eb655ff8144f32c27af

SHA512
67ea91df718118a89347f334cd1f9010b2031261551a759f1bfd6912e620dbe5bb5b760b177bf2abc36e9cf935e3fe21558b1d462e1fde1cc229f4c3a1a1a6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAwK.exe

Filesize
536KB

MD5
094ac2e38a2f8774229fa253c0b72e2d

SHA1
04206f8f3b7529d6232da4dc81af2d6877d40e7a

SHA256
f7c1fbe4cab33905585da64227c20efb4cae5968c9944cc6868a5c271ac84f21

SHA512
e4014d2914879eaa227ea083ea424af2825ab671d294c819a0d913b2dedfdc2fbbe3ac863ed37f8f632a9f9bb0d56670a7ea13591dc5641f1150f61934e702a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMUQ.exe

Filesize
641KB

MD5
9bb1a7910864c5424a3e1ddf99576a71

SHA1
5eebd49dcc0a84f8104e2f3bfa86374c0c58498f

SHA256
a902152dffa6a672982c39e6a4e04d3980d3554dca2c43c7f66437adbcc0964d

SHA512
4742212472db664223c87040b37e5ac7c0cd875abf11ebb118795489da3ce8638a5f0cb724991ed68e1a7b455f2b9e292de182f2625025b2cdbc3d234f1f92b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQwg.exe

Filesize
214KB

MD5
ecad47574d3eb8bf84820e257fa72b87

SHA1
e4e6fde808a748f4f651cc12a63186b0e39a9eb0

SHA256
676cb5f14510bbda249e2daad6951b308545ff714a4828e964793b60650c4948

SHA512
d099ce237527dac4ad5fedfa1df615e1b94648dc93813f950344eb8ad4839995aa0d18db16ec377123d04a59e0ad8af467ebcde39ebdf56388e36021aca1ce30

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYkC.exe

Filesize
248KB

MD5
6e6505c004553e617d61fea9f3bcc6ea

SHA1
c9b73e58d45776a582053d9fddade6375169da5f

SHA256
a51b18f3b6593d69e0361084195d54ea57894f60a879ee0dd8721f3a61cd540c

SHA512
f3f338cfea7c87f96cc7fb5acc6c1df93e2bbae0ef64e7458b31f58e876230cd0751968b7891f703b32313c1d6b85c339d94abde8693f6789d08875da10ac9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgQkUAcc.bat

Filesize
4B

MD5
3a1cbf4ff30160a3f9be30966227faab

SHA1
a6634329a995fb2401431092048c9ebf3289d275

SHA256
2ca749aad637f7b3e871302258ee909b55d87158613705f7ce3819da0d061be2

SHA512
7ccfbfb5dd4bc32502b24d4b21a6077e868152440999ea297352c506422c0ee1ad82c29376b4170771388351cefd26c43713f7862152ee8f3d7e41f315fee9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkcAUwUI.bat

Filesize
4B

MD5
1aa1944c3dd108844b124b1963310ce6

SHA1
c4bef5ba6c1f8bb2bba2b07a1dec38e3ee7dfda0

SHA256
224cb5c50aa550b89e3bd4d57cf5ac783936c2e7b764374a1538cf92b06903fd

SHA512
794c71399b8d03747c27f28b1c39cc2319e4946a42713770e45d69f568db78be5c1b703437b107a74d6824f522bd5be0fff9c82ae3155b5f09fc76f52d5c2353

Download Submit
C:\Users\Admin\AppData\Local\Temp\XmUUcoYU.bat

Filesize
4B

MD5
76124f2a25a6a53d9a4fb918a71f134e

SHA1
759162a2ba9667ec6132674e6d9e307e7e0266ef

SHA256
3f90395b86561130aa25a39ae6e6c4b8d2613912abb46570c8dd3ebf5a046c09

SHA512
70dbb2de9797b5e540103b19be3a958f1bcb15a7a0ca632fae609aecc16fd0d3988536ea2e5f90cdb3e5c45c77e51a28fa191c9d768af5dee02f8c57b9319603

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMsK.exe

Filesize
247KB

MD5
c9c3bf5615cc482b98fe3bd1bd2815dc

SHA1
949f47af75537cc8163c90224a1f3b113aaf16c3

SHA256
98236a1e3ecda4f5e77da344dcd62108dd3029d0c4cbf94de36590a498795b06

SHA512
c1cdedd0adfd316ff9b826e7a2470e967531ab844d7b7c5134b5fbfaf52868637ef119087ae4c95d27aff1ea559a488c84d7223d9d3e3c3506556d645c33380e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykou.exe

Filesize
232KB

MD5
19c31b76012644403fcf7e5d0c2c0b59

SHA1
677874d62757d12a0210079f24b84d47ad96ddf6

SHA256
884a0a878683f068d65edc4034ba5988ae964508265ddcb12be40a63cd44b98a

SHA512
428647a94536f338015aa2b0cfec0c23ab3dec6f6c7293fa69d532b1294a2ae0aeb93fa4204ca7b693c0d05119573279bf1c6db76a3fee86ea7f955a694dca42

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmsswIgk.bat

Filesize
4B

MD5
f04ee6adc0db9b9a175a81c8a04829fc

SHA1
159982ba15f2c34509172a59c4610fdf583e870a

SHA256
7a573e3a4a7aa1b56f95a7faa162603958853e38dbbc3e6605671e6a7ea6d2e4

SHA512
a1b963ae4e0bf65025ee1aeecdc79a405e0999321ceb3eaec387e7a79541b4d989052dab8c492f0a6b8804567117d943c93ddfded9b550a1f25ba405ca649aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkoUsQEI.bat

Filesize
4B

MD5
3d859d40241c0ecf3b190275169ed014

SHA1
558860774a021c50d12ebebffd832b7401929dda

SHA256
543a87b57c4d4a0f274a4cfdfbc6711fc451e7aa833d9ab5bbb605ffd7f4f070

SHA512
12b5f9489d2e7612774c0175dbd7ad93d49e91c58000de6d31ac038f9880bfcc84ebe1b65deced26339e0cf0e5338291211c327c262eee207fed44e25f559781

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZuwcUAcg.bat

Filesize
4B

MD5
45e37f29f47d07d2bac67d741372004f

SHA1
fd372127a2ea8e0ae2384e013ea418880e9ed3bf

SHA256
9e912e3a19e67d3805d101e52b92c183248a121a3f8088a2eade0dba701d68e8

SHA512
2a890c95cfc69028a08cb23ebb9f07f1764bc78e2b660ad6a288e84f1f20f8de758dfd8b7c4ceada85ea29ec5b22cb3e00de9eadb5377ccaaa3bdcb60d0f3d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKwkoEsc.bat

Filesize
4B

MD5
40e445a900fcf5c1a41dbb5187154791

SHA1
bb26644b90018e5c76466d58ceac7cec3896305b

SHA256
84cbf94c5659e3b7ee6e42b73c4a15a1c8454a42716f0da1db41bc7621a68ca4

SHA512
708916fd2d4e2902932899869a4c15de3d295f4ebcb762963759b882fe7feeb87cb2530f22b24a62188742e1075bd9446ad78c758dcddac114419d0840236da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMAe.exe

Filesize
238KB

MD5
15942a4f8ba40799816ac27497776c45

SHA1
66c252dbeb9dff08e772807cfe378005aebec6ab

SHA256
ae9027703f6178906bb676e2da1322319e2edd049027ebbe8efdf138b38d14c5

SHA512
57936e35d234ddab6314b11eabccda2d12d9aa90c57eb8c4bb2b311367780313f9367c7e1e866bd77b3e25802c704e29b8bfcecf8b1c8fb3e7fc987a5ed5f239

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQIk.exe

Filesize
549KB

MD5
5bee1ebf52f353d05eeaff84a2ca84a1

SHA1
fbf7547b77001ad14f6373dbe98e35e6c62145ad

SHA256
96c0fc8f9f4d37f71a5c0dffcfdc719c831c07e2d618f7d906c972c5b5070002

SHA512
7e7ddc1b012773d857ddbb3b48a055bfd86e802b9dc79de0b3afe699180a37af116bb28d2cab9afb96a615550bf6412b468ef5bf56fbbe8eb4c1bf61b5fd0b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUIY.exe

Filesize
247KB

MD5
7e546fc87a7bdd33c4e6aecca99a241c

SHA1
d33651e29fdc6d58676c9b2850aa07aa296e4835

SHA256
1fc13ab17a6d1e71658540bbfb37cc8bc202f8c9788a326e5a500f4988ae75a5

SHA512
ad03d645c8b17374c917c291f987197e8b65468d6c48f5dd1d3cf3df6cbc8d4fcbf466390d9ae5479ccf050bfa24c98be66045ef6efd49624e230c50a48b9a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\agEU.exe

Filesize
1.2MB

MD5
90815707f1a21c8cc8346802e0300008

SHA1
0cdc06f47844c05ca1a3da3a24d23f3ccc7aee3e

SHA256
94c4238631592692e590777dec0f2ecff33213ea6b54b1ec51fb2ba065432429

SHA512
c57620b46f7564ce0de9c64e032589cd0618ef086cefafda19ff030878f2c113314b62e83656da109ca33918476b990d1f0271b23dc8f49feb59d63f045705b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\akwccEQg.bat

Filesize
4B

MD5
7e6c352c35111eaeccea1141ca815251

SHA1
640743b1c4181aa31db9d236aad68e50ed802f6a

SHA256
990d66ce4b7b7e1187658269880cc4c5c5231c4895df56b907c296287067a7bb

SHA512
43018c8d8b13f06720bdf694276ff2794ad118369fa4ceb23bf69155460f5bfa54ce92f93e74c38f4e287c47894d41cf1bafa496faf79e390c6c0f446a69498c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amwkssIw.bat

Filesize
4B

MD5
c768e88bb9c02a0b0884db988d23bc72

SHA1
f6fb75316a30d017adc57dec8c802ac9120765c6

SHA256
295e7d649bd416f174d9e693c030c371ee81899cc8f746085be578bf1546d35d

SHA512
c38752e1c3abf5cd4304b6218f7757d3188b9fcfec0c0094243107c419e8ba631e13e3439d992f206be72c1d36a5b4228e690dba507853d039a54fa7d4e6f6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\assQkwgo.bat

Filesize
4B

MD5
54cde02d92cf674efc2e3e8ce8720fa5

SHA1
4f56492c24f667b3129b830c5a27c8e2b24ba669

SHA256
341dca94a0e43d6936a7fc51f692eee39224d6a5abacdc8c204bb98df315565f

SHA512
62704db490861fa1c20e8de5d1ba359f772107e2c00961e2ae6061e8cf07317a11e341ef05308e1a52603c2f4101c0784418015b267eedd2c857a6f25bd71b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\buwcoQQY.bat

Filesize
4B

MD5
5a2365cc93fcdf0d21bd4709f309e830

SHA1
908c7fa71db34c58c08d521ba0ec35e299eeb636

SHA256
beaf77fe0cd7ad86573acf1f86db9bd92132d5666fbf4690cd98e3d3695ad66c

SHA512
f5bc60624f146b3ceaa7d7670e7effb3249cc3a3834dccae4f2091ca9323ad7f016a0b231db5b528fff977f4ed9cac80d8ae9617f7ad17c081844594586e48dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAEk.exe

Filesize
247KB

MD5
6ec930c293fc6f87946c79ce63e29b55

SHA1
db5f6715b50ea0872c9128dca52088f8c5afa5c0

SHA256
04d927d9e86460713e4f5dfd483fd230483fd746ab867a5fc69418e8ecb83613

SHA512
2e2eb63ecbcaeb2ac956d529b450bf1aa754eeeecc36fcf390bacb97f46742f32e98af530d8e78b50bd94dabdc141a079ce01394b5932f6ba83fc99e22a61848

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEIwwEcY.bat

Filesize
4B

MD5
7591617826b02e246208a4fe7d0d595a

SHA1
352e91048e00d81ebc0500919d3383e6e599d1cd

SHA256
a3020e0c5675311bdacf9082184c0e074fce70b65b0237125fdb139936870c87

SHA512
235e0b69424a321fd9d39b135380aa727e67c9753f84df103543ebb6451e8529d5cac46cefa9fc12d8252815439e0d196cad88cedddfc70f84b1ffce73da1ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIkk.exe

Filesize
348KB

MD5
ebb753907dc6ad87bdfa4d422accae66

SHA1
19749aff12446375a4338c634d68a9d7aa8fd786

SHA256
08543f468ca033fd2802342aa89e7985d8136eedc8315274c4427a51bf755422

SHA512
0affda5e4a37a00781816fe4033510f5190d8c7c18b24e6613d47a23fdf06d872507f989e979b00c41ca8503334a376f2330eca27d15f38a27ca4838eac67844

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQcW.exe

Filesize
247KB

MD5
4c92500d0549fea75989283615fb7317

SHA1
0b40caf16f242388452e64c52eb6428dbaa38bbe

SHA256
6f6c4292eddf78d9604e11f43a0c58f60164b9730232a3b22dc264e762b5fec7

SHA512
696128b5602418fb7ac2b683fa15e2c9de4ed69ebb7047bd2d3983af470a0ec9603bd42d2fc07c284fe06c4b66af9bba8ac57cb657dae9f426c9ace7bfe502ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYMQcsEo.bat

Filesize
4B

MD5
3f773c954cfbb6c06b6f1723328e2243

SHA1
f5b8fd8ff93df166d74db216d12dfd7fa0be194e

SHA256
ce047782a5e27a7260e5e5571061c01fe89f55619687c97f3848ef21b82e6a26

SHA512
b09ac8d5f4d722a028f152de8b98be9d263564e5a7dae27b687466c8cc3f5266d62ce0118d4e1b16d28c4b4ee22dd1ef4cf25e5b34a7f3d2c46c8ec713a6cb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYsQ.exe

Filesize
314KB

MD5
ac644aa739e42a380ca10d0a72ecbaae

SHA1
3449090095c48cc31aec9e0e6f74204bdcd00640

SHA256
e73da918f00a295f25735c43fee323473a9b408ca2603932fcc367f7bbd69426

SHA512
c185813bbb2df16710dcd45ca01130c3f783b6b130aaf6cd2689334fc297ce57b821adba5d4f5344b08d7edef0ec78c22db78c6f8ee8af4307761ebc7549fe8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgkC.exe

Filesize
249KB

MD5
ee0a076822c5d9720e9d35b54e264c99

SHA1
a7bf26161dee6f92c4d638bfb81da84cd30dc07d

SHA256
18f4683f9f5c1af9585573d28307f9970e072f6196b00f24b77ddd5477ed1ead

SHA512
a19130c49ba423e3a239d5c0435f624de5ff7b6c5a4a9d963db3d556f3b542348f524e37ef491e64dec3d46eef01d17d8730e6d33d0609bf49300d3d46670e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\dGsYkYgE.bat

Filesize
4B

MD5
1595138343c8c549ade675e28c079de9

SHA1
bbf9c29fbfcfcf2a8453179f927630db4b1b9356

SHA256
8fd6c5e836e6d57f4550ec7f63508a8843859b36d742b0224370bcf52a22a78e

SHA512
21d870965f6fc10bb344d81f78c44dd33b1397da64d5ec825ea4469553809d08bce07be2c4b26c9b64be712e146c27fa53daa83bc843a271a96b93ed4e4e30e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dWssQYIA.bat

Filesize
4B

MD5
e69e3a2cc1fb097780c3ec19bb979880

SHA1
70b703355870da00cd7529624b58cb18c14a2190

SHA256
5fbe8f65099acde599667a8013dba24d5d2be07ab4379defb4062438931b62aa

SHA512
eaa907c2a2ec848d9f13c55cfc1dc7fb698a5ae2ddcc0a7860045e7044ceaa0a1f025dc2b030fe81d12d58f3d9137f9e176539ec68573a1597657dcb98c0c6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEYu.exe

Filesize
236KB

MD5
32fba92ad11e04ec11e33193481de14f

SHA1
9810e801e6f031b8b57db58a0d0937df87d4a96a

SHA256
779a204eb653b6b146c3503e37f824a9c57d31ac23ea937a2f138d14f8ae5da5

SHA512
1c11a43c73789dabe5be75ff1346fea9c9a8c8ed8c61b5362eecec09e7ff1ed9c50acc34a06e2f2cec44d5823320cf9cab73ee3fa1476ba85ce510a31688bd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMAe.exe

Filesize
401KB

MD5
43ed326bec43322bdeabbbcd2d9508ec

SHA1
f406e8457efb5a76c0f4ec490918de0177d051f2

SHA256
f3b4f00e6d31534ec6282fff5c97bb8356471e2160763aecedacc879ae5c4f61

SHA512
3a40be694387cba5e6e34f1e49b574b4b7df868d8a34f671de0d54a0bb321a9529061644f067f2a9b182b023ed5e397daf1c7260099c154e9ecaf80258a03fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQUO.exe

Filesize
241KB

MD5
bad2237f177b1663c79a55546b905fa2

SHA1
4c38aeacd4ab3075494bba6e2b0689fd72f3d41d

SHA256
8884a950eccfee8182dd5842d69c23ebd6ac526136fb6506eaf352b9b1b42c5a

SHA512
10b4a1203248374bac320d23de87fa670a05181f448bc731f83da575b330666fd6c8608eb2da971fa7c339f7da9440f1924800362e0812c299abb8215369ee09

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUsy.exe

Filesize
235KB

MD5
d29e75be56cdac09ab38e06b5314055c

SHA1
42a0c019d31d58e809506b801df98c9f0a5e5131

SHA256
bc8063f04433be86b53f2a2cdecdd2f7883094ece6cd3021e638511b9efa9792

SHA512
eda8ea3ef61fecd0f84ccb7f40bfa6dfe9d95a1ad8b430119c2e0df5d71741a00dbbb09a5ddbb8574f5198490d024acf191f083e1a770386bc074382b2badd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYcK.exe

Filesize
238KB

MD5
8acd3aadf67519f0ca59bb2185c76447

SHA1
c81b5d49a6a7dc272d33c9e0e32d22e32a018926

SHA256
06e877e1a3e08c3e9775536e67cc0040f56485dda1cba3059159c30d7176477f

SHA512
1fb61a9e1284091e14eba2d1792c952d2f508856a94c7f16ef3ad17f6585c3de3015738558a8509c724af97b28c839f614d08cb786ff5ecf294e7365c5ba7612

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecMS.exe

Filesize
251KB

MD5
b322d6d21b34f6d7b52b172bd302e9c6

SHA1
d53fec0e63258411c42fb698ffb368d93f8f1d28

SHA256
f56a67879af3736bba5020136a82a44dbbf826d0c5b24b44541e225dce6e3e10

SHA512
3f0a7a4e883ae77ba66decbbbab02cd724f0d5fecb6edb2314d5410db92900871359dc9c95617c96767abbcec72d5b1134c5e09a91777e2c6080b405f95a8c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\escE.exe

Filesize
475KB

MD5
cf9aebf906b01eabfb064f75c510d550

SHA1
edf18b2f0289063662c09631896e5a3b0934e69f

SHA256
88b502bf90937357145c2ccf3f7424e3c0ed406f46d80df054604427ce4a9cd7

SHA512
7f7bd8715e983e4515a59ac32d8ea26a9a6b81c00983f7743bcbbb1d4d4de97ce23ea9aef39243ad49b4544e6f115d381d5e30f767dc666f1e4c43b122a75503

Download Submit
C:\Users\Admin\AppData\Local\Temp\escM.exe

Filesize
245KB

MD5
d2e81e2e184dacea637aece5a8027497

SHA1
2f21e3a34f8fd21ef539a83d4be1e5a14cdb7e6f

SHA256
6cfb3a3b0c16dbd2e2916a46ca57394ac7d350c4f41e0532d9a1190f2a08c9b6

SHA512
f04def25f09b3d0b1604b3704c1b90f8e380a8ebdaec424cde41036407bd1a3b85e8ad99bc87b08de23ff7579f3441c1a389669ac722e1f7a4c4851804f464d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMIw.exe

Filesize
322KB

MD5
4e102c6ece8850edf7e69ecb8abb79c9

SHA1
694ff5674e05b5e983f7fea37ad885bd6b886eee

SHA256
04665f507bd6bfbfca218d12bcb5a7d7528feb7c6741687fef70463796f500a8

SHA512
50329d9d54d393c75f3c5428cc5c8d82b1f405610b44eb577cb104b939edc58ee61f42788e7045e9749b63230c4a4591b5fbd44bff6020ea3971260a6966fcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUcS.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggAQ.exe

Filesize
229KB

MD5
3f0e4a484ce17611c127edc83b83e6b8

SHA1
4ed88f710c574e6891463bd7ad097999f9e9c384

SHA256
3131193adb9632f13541034db611da2b891d8d7716dc71e2a45fbef85d67ed96

SHA512
78aa69fee37719c7535dafa7dcc124b8ae2989343206fb1509b10b25939bed4f7a810ac5e4a03d78bcd0e260b5a7cdbee1fc1253672de37cdf98316368216353

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggIcgooE.bat

Filesize
4B

MD5
5b8c69d1fd3d6c7c1b82c4ed838fdda3

SHA1
dad17fab26a67cdadcb60acb403c5b3b38b64377

SHA256
a3b3f191bf0b7ca9aca260d1bb9b0b0b0f6cec8690068cbf88ddb03d670caf7c

SHA512
187fd2592eed13c6b139ca9c1f440c91d4d254ab6d24947ea31957967dd310107ce320e28c1c0db5fb3cd6ffce92b46cef7fca60c1b378930f389dac5c607e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwwO.exe

Filesize
238KB

MD5
bb5d545e5ebdfa1916743e6ffd8fd032

SHA1
3d57a9cf0541a814641b709c4fe756c5b05be0f6

SHA256
c491715684308db3868267014e8d66f0923e569fced3d583efc2534baff0041f

SHA512
13767910ede6bef5448c0bfec446ae00f1df35e507731259e6c1a646021042e2f265a78b0677841a462bbd5f14f93209c768db6a00a78dc3200b509b6a6c5371

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyMowoYo.bat

Filesize
4B

MD5
0e0a3c0fec99a0be658ac46d96a89b0d

SHA1
71013775097e377c503000b3cb1dc5dffaff8ade

SHA256
42bce9b06b450ce5afd048925fafeb94c67c4de10f49edbc8efff8dbbbe19f2f

SHA512
df6417cb42a6714c679c636b13fd75c993e81cfb135c098c2dffcefc16698aba25758440f49f1dd9c4e28f5008e418ebc1157ee74a2684a7c2ef59d6e3ca859f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMooQAEw.bat

Filesize
4B

MD5
da69b35526aef3da3d7958ba2644d699

SHA1
cf18920b284d13f8bda7026a91eefa7ba0a8cdb8

SHA256
18b9b48f36183b9a3cbd4ba7a689fd67bb671e71819f8570ba0d5ca868ec21b0

SHA512
0122602f25c067dd96cab30c710544f229e8ff7bf0284a15edfd137a6e8fb70143d60c40f3c77dadb641389fd8b1af6b1bdc55cff98f6c6daf36b60c388737fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoIoogQ.bat

Filesize
4B

MD5
075d8bf99db892c873b1c060d1d2bf4b

SHA1
2e9e0d4fc6d79d171147e41aae6cad2120f4be4d

SHA256
b2134297364bd0de800fa942041a0ceb26c096c2932687b08a075cff65e666ef

SHA512
19bd75cf5c01a10b57ca134e052f3c24b45a0237760e326e8f20399c84f3a8f52f5254528da11c37fe76b78ebc4359ab65a18aed6a76fae140dbc127d08c53b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIkQ.exe

Filesize
236KB

MD5
9d2ea5426aff35c01dcf71801fa68218

SHA1
942f23c05204463cd8b48130546c333c7d883a32

SHA256
c2a633334d645e8628ed844c9096242a47e0f3875ea413ca5c6393a32b7a2f5a

SHA512
7ed65389f399b26f6092efa35edb312feeafb474c57c633943531f7ed3039f06b257911402511bf4e16c506e9fbb08ebb93460c2e952d4390a50c972e8489951

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYcwwMII.bat

Filesize
4B

MD5
ea235e5e3880ed27954f75308bd6c953

SHA1
0fa40a0fdcf242271f05585390f590bf7e896708

SHA256
fd08c060e58bed920843f9c8aebf4cabe45f5c0eff053f4137fb8ce0360d5e21

SHA512
6b9811c853e76f0c260cab2e6afabdd146db49d979dd8075c2f4bae8f95a257c5a879289bff1cf0eb7d763e856294ba49fac1a8b4f97fe273705bfc6d1405099

Download Submit
C:\Users\Admin\AppData\Local\Temp\icEA.exe

Filesize
242KB

MD5
399943447129b77f9ac026111dc08946

SHA1
0ad6fb95e6bc78ab134c09dbc8b9eae901fb9ba2

SHA256
182fe73a7b71c2147d253fba9944b54c4889a1ca14580cd0243f379368560a2e

SHA512
7ce8710fb48412acc3c1aeef81ac5dd8e4a4f4164f5d78ac59d83991ab4eba86be6d9439160c5ca07a0b62c56bc92b867a4fcf546e289b502a8df684fdfc6669

Download Submit
C:\Users\Admin\AppData\Local\Temp\iggc.exe

Filesize
714KB

MD5
9f70a0dfd2afd0da9563b4407d209106

SHA1
17993db61c4e3614c24f82c530d175f81e71db36

SHA256
990eaf87a250fbc4bc3630df744c2bb433760c2cf67663c6fd2d191207c5328e

SHA512
c5e7e30a730db8741d6b248b1078a5fffdbd3637b7b4a96246171876234608f9d937291250f6a0edf418c26e46b557c446ada0bcea072e021a888c91de1a2256

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwQO.exe

Filesize
235KB

MD5
f181bb089ff661fc702976f74991680a

SHA1
c85d84dbe94e51b6bb5b10de4f40e05c08053b7e

SHA256
d9347dfaaf35956d4ba17cddb1880153baa4a8b75315ae10791e8206d5d74e5d

SHA512
9a7e08a59bdc687185b65ab21da0004ce0cd9515980f1ceceb92cf5bb1fad486be9ad4ce51e0b7277772c234591eb74525f2f92316d950e31918b591d024adca

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwcU.exe

Filesize
229KB

MD5
906f915e33e20049e045ebb52b549f83

SHA1
eee4f99948743acdbeb8bcbed059dee846914704

SHA256
ccbd84e90cc80472e81c71912bbbe81c2ec269cbbe2da35cf59ae8c55b5261af

SHA512
e2d531748e80dd09ba3f6be40e46fbbacc49f7c2db7db3d81e75734b216a6e209d82dbaea08e0e2a23f731819e0d197f83aad5fb777ad55f89a91594d18a44e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAMS.exe

Filesize
236KB

MD5
e3b23f1fb58ff9ab39f5779343ce2ce5

SHA1
7d4b177e4ccadae6f80f4226ccb3c70c3bce291d

SHA256
cdbcd798357b0bf9fd78d89773fdb58d75192a0b558e095f51c1670ca2632a75

SHA512
d35a8a8a1f7eeb7b052a54bfc6ca3a01df0e57c616881423731c64ccb97adf042d7330d267d0022cbc3723ab029505add42106a1c69675be0c3d01d1fdef4e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAQQwgwM.bat

Filesize
4B

MD5
c619ad496b73232e94527853cef0a3a6

SHA1
eb0f1cf64350a87e9454ced551faccf2359ffc9f

SHA256
09f6383de98cd1db4a544f4272320a7e71b1dfbcd73bad02934157d8281b24b1

SHA512
80b92dee0d26eaada35754a05357c08773726a214eb6a394ca5eae0be0e182ba74e91d91d50145bff00d1bb3abd0e88de713fb7d1aefd146cec87e26fe6361f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQka.exe

Filesize
231KB

MD5
9ecb0d2b7d92c633935ccf7e69a32ef7

SHA1
626c306401437d2e8ab7f39f5b56aaf58e6e24db

SHA256
9e35b989d43fadb6e73b7765f8f5bb5b6af4822912264907d42106f1ddd27ac5

SHA512
3f004e8188abe468d1796ec19e983368fbe7b9669d3f1e93ea48d6a78424f9056f839e5d03af7cbf506c126fb32866909c00e31d2eb16e98f75ca699eab21fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\keoYscwg.bat

Filesize
4B

MD5
673451a920844fa4438e0d36db6a6cf4

SHA1
94bcd0ce89978cf8da00410ec385190c751ff19e

SHA256
be54af92bb0d21708e0b46d089050bfa97c9b42e52bf115f1c535f4a5dbe5544

SHA512
23d6461294a4747c897f0a4f344767d44eac0fb8e69911d0c6999dc558499e73b2b8ef34cde3e3da59a32a80687930b2db156d0ca00e7c09ccde691c63bb932d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgQi.exe

Filesize
232KB

MD5
d52be0a0154bce3fdd2a60abb3f49e81

SHA1
a70fd5021804808c477fc6e2092c6ff64379bc73

SHA256
83e35108693eefd7161da6f89c8fe8e8b307ec0c47c1f40f213050be60563c6a

SHA512
305fd968a655d7e296cb40118dcc4b745e1f9c73ad2b158e42020a9dd3ff7aad9dc5290463150ac486bd3c7f93d098864bae3b9164cc5b79f9b2c0cca0d41f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkgA.exe

Filesize
234KB

MD5
9ca564f2cd4c5924d20e96a5703c853e

SHA1
27b8d0e8f10b2337c40f8dbea05a8d4a05aaad3b

SHA256
4109dfc82df5a3b5b56ab03cc7db3e320503d62098a4c2eb865bb5c3bcf3da70

SHA512
e097fe84b060dde8b953ffd43e676c19ed16205fb5092794a265b8b60366c20e0c0a48f1ccaeded7b733276e6d848e65bdfae179a4ed54ce47555beaa6b735e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwkI.exe

Filesize
241KB

MD5
4ded683f30236e671f2865d729938d6e

SHA1
285f9bdf2f597db85c61a2a3aee7fc5a42f618f0

SHA256
10cd1cb332b15eed038a5ba6ddec1ea3737ac6948797aaa92a1ceb4b0060910b

SHA512
05183708d5ab621d361298d250c71be48499043c5a28f4d246ce50dd61d88aef0d86e5f4b82f2ed94631a44a4e88b7dce98e8c489fbe73a362510f0fe2b7cb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEIUIcMw.bat

Filesize
4B

MD5
6389505a0085fa36dc4b9f0ff7980031

SHA1
f9425b8a181294789cb5d85442df266c49450297

SHA256
28441e284e73b46e908c3452bf1f2c6dac4e0844463519fbca98e5da09158c7d

SHA512
dca844409adf717e694ae529ddf13224ecae5da430646a8d40bac837181e43d4c666d9a16dee2ae31336fe34d1d67070991e74725929a7a0b221b098a0db7109

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgEgIooU.bat

Filesize
4B

MD5
a0b62c5b80942fc1180dfc5f1e707190

SHA1
890d399227e9de8c341810277fd842824969e7fc

SHA256
b26b6d5b1e463366147d5150209133bf5f8e38303cc145b0ee2c2dee71dff807

SHA512
eb1dc6d9981f49bef8aa1e1599dba6ac0cd5b60d1a1a5cd298be0c9dabf11e01cf6aa1a97c5133014b19ad9cdae9d5f384a1e306998ff21d141368838c69dc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\luEocsEc.bat

Filesize
4B

MD5
b87cfaf1d6ea5a92f261d59efcf25f52

SHA1
07cf36ceebf19ad472a7df22e681a20afdec6257

SHA256
f64608edc77b9e5a80c2d30e8fcbb447296183c724d5092163707b3913ef0674

SHA512
d6ad38be42e7b0365379f5b79bd51fc52d88c85ab19c5497219508103667937754f7aed2b59ae37586bc71a518f69611d4e5973d68d43375fc79b693737147ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQES.exe

Filesize
589KB

MD5
61f85ecb66c6e369ba91cd23b6454b46

SHA1
9cccf943325f2c564e028a8b3374d0351fb98296

SHA256
c242b6867b65c0c9ba6afe43861293be473fefd896a805b9b6a9f87f745779c7

SHA512
ec5387e459e35b8a5271280b42dbff2319af204f4e4616dbbb2ed000574c0f7f0f5fb6336a086843ac47767c6f26892f885784633eeeb8041277006e30ac6ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYwm.exe

Filesize
234KB

MD5
a581aa11899bfbac34924c5d691e63c2

SHA1
b1c455f37256fc4187b889ef610426b07084727a

SHA256
92360f082321af731cb8c0e44341d17172300c36f3ec76e46a7cca5a7685a097

SHA512
c3f04546f6bc739c6f8d046200676099171bdbef25fad9125c9bebd57c6aaed90f351d54b76544bdac5fe312ae9516dc3312c53e6bd7f7c06b1825c7d3b06f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\mocI.exe

Filesize
238KB

MD5
83a434bda0f8a827dc5e821822dc3363

SHA1
227a75b9cc2d02f0a0dfe33f6aaa05ebdab998c2

SHA256
0719b185dd6f20b9cce6467be022c21847ec039353b1faaf2ad5b3a1f31b27c4

SHA512
6debd1e3a29263656cc25f423570b34b934d7ff1e48e29e274478e53965bcbafbbf5ab58e8944072c0098b25e4680c2138cb295a2eb34f74b7d188be6993c6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAMEcQco.bat

Filesize
4B

MD5
320892918fed05a410505c8055ff1cfd

SHA1
c825b8f499f4f6a6c83ebdaf2eca566fefdd7265

SHA256
a7c1dcba10732a1f343db33f8133f533a6bb5c52fd5ea97376e8bc7c4a2ea715

SHA512
f8d984fe0063bdb41459c91b443d3f12ee0345b92113c9a4901c20c67d3dd4dd893aedf598e069f58ad09b3da56ec39a21623c69b2dc566c2f99a4be3908489b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncwMQoYA.bat

Filesize
4B

MD5
b5354ebc9f925581d56c8bf59049df8d

SHA1
46f9eb3304bdb6b2962541ae7a521d7281281a58

SHA256
30889627644234ecd93d65b58252766334afa3307b99702a7be0ae9a4c0fa9fd

SHA512
ad528f202c334988926910399e1be13c7742d2cd2e23b2f1b701f5b0f8f94060a455082a747180f42c9436e42608c18f3cc45a300621ceb90a44bb541b8f298e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngoUsEEY.bat

Filesize
4B

MD5
6d8609b6dc7aca03c066ab2d15ca9b18

SHA1
7f86a61883f7615681be07b394c8c8d01992e071

SHA256
6b8cb72787225bdbcd22dc753cfeb874d3cd1ce7fe8278d411f0627979780ca4

SHA512
91addc392858d5501bc6794de23947c5566752dba05b29a2fb1dc55929abf18b698625093e2b0926f2a8280c311891b87ed9ff975b4ac887b1697325f780495f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIki.exe

Filesize
233KB

MD5
217129f38bdc5e81d6efe91a0b4df28e

SHA1
f9e11eb910e2ff2084433b25e19ab944747344c3

SHA256
04395372b7feff870287399fc4a727f7ab1d9b1c3c184e8357fc5606b4f20cb9

SHA512
2748d0d3ab102f803173069ad671d991bebdeb560799008d36f9de50872dc4f9fad19adf4ed08002275fcd60d580b7e77d00efa250fa8346c7df2292a2dad87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oOoQAMUA.bat

Filesize
4B

MD5
ddde877d9e069fa34ea1e1e2367b60f6

SHA1
bbb1b2bc4cff9e20902a47823055beee6e0efb48

SHA256
a664e8d8d96583470cdb696958ad8222efafc4f381da125af686c05fa1ea0f25

SHA512
fba90f9b87f7aaba1466c4487045d5be8bd20c01ff3a358ba984411014bef4205af662d5ed02dc3121cfc2ed7ac8896878ddbcb2817977ee62b95226cc5bc723

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYcm.exe

Filesize
227KB

MD5
b3d4d2faa519d39d2bb0dc926634e62c

SHA1
85a91a0bc0278b7052f3790c0a4493a340b05604

SHA256
e937d275bbe91520036f9db455513b758607490fd8df43f524710b8c01313c61

SHA512
9cb9a598736a52836cac94fd16aeda1303fafa85a06f66ba7d4a3a2982a7128396fc8430263a81c1b32b81a0e64478d9984b69eb10f98745ee8e9dddf601f83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\okMkMgww.bat

Filesize
4B

MD5
1778d1a4295b986c6e66c652c78ff082

SHA1
79b41c7fce522c85a66da87d4732f2166b92c08b

SHA256
055e7051e798d88ec2c9f20047a436f2b3089c3dc9170a120a42083a645a0fa6

SHA512
82a46a9c5ca8f6d7c31ac6d37a2ba45cd15bf62aacbbb8ed5b263dfc36b9406ebac7b5601b0d767ed641a620f04d625bfca7f8f7498ead302dc168077d31fc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\okQi.exe

Filesize
822KB

MD5
17f4aa08c27066001f599d069fe6af5d

SHA1
ce082f95ee368166f9c4210a26a425c20ad364c2

SHA256
79bb6e4cd7a5b0e8b4e7947871d46318a4063e4fba3bd772a3d4af27b5a61d1b

SHA512
59000df7c580cd361c11bc0265f465d26aba7ef116f0983498bad8b87eb5aa955a821b0e0e12f1bfc818fe1f90d1dcbfd38f7cb31ef527ce5ab2172d8a777682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooMA.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouMoMogk.bat

Filesize
4B

MD5
e0b670ad5d6a44ac73d35270060d7337

SHA1
61834ba221e82acd6e40271a53c3db5df8584a03

SHA256
75511980cb4a0aabfd04328d495d5dbb189fdf83984abb126a9611d22e1cfa8d

SHA512
5249ac011b7f666ef5aabf50cdcef22fc4d463589e51ce8d75ccee3ac2e19265752111a81783cd7a3251cd2ae24eaa82240efbe499ba718a3a679ab54a7b2670

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQwckEUM.bat

Filesize
4B

MD5
090dee22a411078001cb0fa38e91a9bf

SHA1
44dbcd837212722191219a8c44295ae472d64e5f

SHA256
f8fb1040c7ac220f27b0a66942a0176386040c81282e3f37db11fd3cdcfb9cf6

SHA512
9553a0839f69225cb2b63bc55ef8a89f9bcaba2b8cc6b5513aa38cc15203740e0aad10e6ddd96f3f8c9aba4a37f539e840ea1b03a2f96ad6dc40d6251aaa0d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\pWYcoUgg.bat

Filesize
4B

MD5
7074fdf1c9de7350b374b761a0dde9ab

SHA1
1ab7cab21cf516224432f1271f0113a9ecdda9df

SHA256
fb7a8f629539910cb95d06347a162785113238d5021af821cbf471c157588fd4

SHA512
f8c2e6f6f32e1a1b440358cd758eb9156527b9e8e480e4a3734a5a4e7bc41e3da4e5a0891e3954472a5ef12d6a038a7b070edb18ea16677aa1ba135312215773

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAoswYcM.bat

Filesize
4B

MD5
96e230e78b17a7f67d1396e1f4e407a6

SHA1
5db114da40ec6f9a688661a1bb7971af9c19bbac

SHA256
b464e55f68e543637a29ab52b3d4ae155d7b51636d8eecb2dfab9dd7bfcbf5b3

SHA512
b24bf061e8ee2d5820277a9f0f0c024933300cf814c355f8195696e043017b435ab8cd106593b015ef4b4a303fb6bac88244d3be13b736cdbd4c2425300c1e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYK.exe

Filesize
962KB

MD5
4041f49aabbd716fda520510b74b58a4

SHA1
e0d6a875d265d06de3cb077cdefcea1beb4e08b8

SHA256
b359ac8fb10d155d922876ded098355e4c2d6db1334d36c3544298b3bd00e6c1

SHA512
2694f2a4dfcc0554e92067b8c986adb9f031f71e690b1ab5c2be6ce55c310634a4b6220e3c698d11c863ce146bd5b43b3eeea45ccdc62847bd0efeceb4a2782d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOckoUEI.bat

Filesize
4B

MD5
060843858bb7272ed747ee4a39a1d13a

SHA1
3ac632ccec2fc29aa2e2b65060b4993e711dd296

SHA256
b137a0c56c7370dc98def26cf2d6db629e998db18880622e3694ff7bfa8a2b15

SHA512
d4d7244c8a22210556cce0ec35d45fe430e400e0cdfa7f67e91fccbc4b4991ba0d3ff939ae9d6f63599a13a30386d24468c8b10625e4063850271082016e81a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qWkUwUoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYAW.exe

Filesize
605KB

MD5
fe286661e5033a20c474f2413ca1150d

SHA1
ef68316b42d25759fd8f665854277125508e321b

SHA256
0788f54084605f72747681fde32a5d516050ab9834235c796e6c3d26456515a8

SHA512
237dc580a94f08242ed6e747a554b6c9e8638c8f8391431bad1d818d1e04ff2f326536a031ec33f26a99646cec505262e56d6fa55cf588814a2dd041fc68af77

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcMc.exe

Filesize
321KB

MD5
8399ae80a07180e94a788184e2dc9987

SHA1
8427d087b274e93c81d0ec95bf1af0048793e210

SHA256
ce3f561cf30117f0c7d3cf1f8807ae7223936318c43c0e0c2f9524169f16f3ab

SHA512
b8b24f01db31b0137d3b01c62d7693de807afaf01930f3614d1230d0c61ac2cb996e75f9ea7d23d5157fc97a3d8da5e32de68928129a8a334e1952d3287559bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgIo.exe

Filesize
233KB

MD5
255843263647480dace98bab4738654e

SHA1
c0cf35d5bbbebba044ed040a940e0248698791e4

SHA256
5e4b0fa21d6be7be37a6fbdefada45c8c5e0124b1e79dad3122c119f04fae877

SHA512
abd907aca85fd5b36561cd3c6ee4f3dc389a6b6fb8c9f648ca09d87267fdb91f890725bceb7836fc58e4152cebd5a62fb032a172b4992ce8bae6a2c9880b09ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqsEIskw.bat

Filesize
4B

MD5
55a4b0fbeb5c0bbd7f10550672c5e37b

SHA1
b12144d78baf70a8f7887c54dddd1eb54c8a55d7

SHA256
c19c91b28d4b195652db41af57d0eefb14e646ccd3340ce4e0eca007fc464c20

SHA512
27d4256c93a265049f176cfe2c9fe2d5b47bddf6ca6b4cfaa059071603b8a0a10e8360bcd998c960156da5c675920ce8d04f36ea1bfc6cb6ca74dd8f970e3d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\qusoIEIs.bat

Filesize
4B

MD5
1ff4fa9754bfc007b71a89962e6a8c52

SHA1
4450d31528314fa4ce8388a678c44229ea0895e0

SHA256
35f8df56dbfec81feacc596149657e0d8cad332090e866b9eb90453d4b106efe

SHA512
df01ac99698ba7693b404d40ab98679e866bbe88f205a93ab3d60d59144baadd91bd0e2aab68a5bead4a0f7ad58572635e64cda57c581680365dc769d1c828f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwUE.exe

Filesize
237KB

MD5
6ae6025fae0f6b76cf9853eda303ea7f

SHA1
5f44ad384a98ac630bf492b318a35f70a4bc9cdc

SHA256
bdff4d67743093c359517b4da4ce5f5b761beaf4c4143ce0a0b7eac932d463f9

SHA512
2ab956af43edd326dfc59bff3efeead5dd56a6e4b6d200cc02e7a7f271aef1267f2acf38a6379d6eb3c61ee412c308f82a87fb6860f5c010dd7150b025d4fde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkUoEMgE.bat

Filesize
4B

MD5
eb745ca5859d441d8e5db560e63cb570

SHA1
540dc4dd1ea1c8d0ffe8446b8920c1e5a4ee57ae

SHA256
d9f857a1b12971dea4650a7609e95f46cbebaaa77ae22743a138fb84f92ad174

SHA512
1461a3cda33aa3b8fbf01eba0089b07d5f7c4f58a9e342a586e5dbdce2ded699bbb095b29d628069578bc0350a90e642db534dfd51d05ffc34c8c9969d947cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUYEMwoo.bat

Filesize
4B

MD5
cadbe9e5894041c94dd565497fc617e8

SHA1
9154607a65ca1ccbb800b1c9ab16780f88cf614a

SHA256
16ca4809165a839eaef181fe7ea09e46371c52191a257ae24cfdb95dead7772d

SHA512
ad47557dc3a1d015488cf2df93c7c8a748f574698d978a415ee739bda8d97805bb20fae64feb58b6d1d9c48aa73b9fb3cbeffe6d01f849fdfc8eadba835a5126

Download Submit
C:\Users\Admin\AppData\Local\Temp\sokoAgkY.bat

Filesize
4B

MD5
ca3a0f1ec1bcd18a8b7095aa47f596e1

SHA1
5d4ceafda53c703538a29f339ee54d9fe382a424

SHA256
9f4e24013a1eda0c55200c6e21930a5026ed2c340ab50d22dbc6c4bd2f501e8c

SHA512
a27659c1488b811e06959d2f92e75eb4710d22b781260d038d2a60cd70172dc6324c60955945f2aa00a028e12a8676d98ee2ce53bc8c22a1c89019272a3abee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\swII.exe

Filesize
241KB

MD5
199e7f4dde9495953f82d016a18be67e

SHA1
82417f806c91d437529897eecab6d080252fe2c0

SHA256
a84c22bf3986bcad6a5c7bd8670239b63c0579a9f584f6f123135202d57f32e3

SHA512
1e0da507fa69e2a24120d6865ecbb6f1c36b406e20dfd559f9f801efb832a9df2d7818b675fb26c7e409b1a0b019e745ec3ba28d4e8e57174b669f5242eee460

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEIO.exe

Filesize
230KB

MD5
67dc646252f44d1084a4abd1760701f7

SHA1
2f4eb3b5ed38db0c661327637e746d3d34f08c20

SHA256
3e5586366e7c57904998cff2ef99b1c2db24a3254f3388089c43fde286785d05

SHA512
913b5bf76ba4531f13c8ad8ff113b931a3951b86b99590148a64229cf8820baa381533ff6e66b209e9c28d2cd39d474c3076585cd6b4d5c4e0cc1916cd3b4026

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIYq.exe

Filesize
245KB

MD5
fa668118c6a24b7795108c884dfb5430

SHA1
3ec9725bc1ae8d52a63ef7cc8e77ff4b53d76de0

SHA256
3b30c8fb5756c1bb8852e7e9740f4225675be9040fff11a8b6f5ac3f0d9da261

SHA512
b3c8be66569b992d217458a4422cb00fb802e22cf340bfb40fd59ed81745851db871b67e8b4a96f43633973e1600c4b4df5ad956ad24bef5661a7fd70d93274d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMAYQkEM.bat

Filesize
4B

MD5
8bd4a9e70077d832b48a6efed14cc25a

SHA1
f140319d514f9c7ed64eaa88c9b7d109c666174a

SHA256
b687809b25168d35eb07100ffa747459caac07d306e44bbd84fddd866f79ca53

SHA512
1f6f24372d80b919e3c60986c9e7444a724a46d193f059a71c8b2f94823d74aa44060f49f85fe72bf662b6fa34b5baccd6bccdb89e8ba3223429ede8cea70d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMQQ.exe

Filesize
251KB

MD5
cbe9a1a3b7ed4fdea41a88ced6c1e6e2

SHA1
f25704e081ba9044b779cecdcfbc1f1329a8a900

SHA256
00e210d06fcebfa435b1c7a53ad5a5a402667144ab5c0caadd16dd0f80316ef7

SHA512
78ca8211cd5a9591277b440b7b076f1364f931aee06c94263d21ac7325babebd57d40ad9c605cab57987ee044c5c8b6f75040c39f331b338246dc63462dc5309

Download Submit
C:\Users\Admin\AppData\Local\Temp\uggW.exe

Filesize
962KB

MD5
d16786c7494104ac6f05cdc084c38051

SHA1
95e26d0c40a793f352d54dcd53f954cbb326a600

SHA256
7daa4e42a2930210eac301c8dde820ad50e5481fc40a52deefe97f11fe1abbe9

SHA512
1c10913843dcbbb31a024aa7e4d20d030dda867698e3a73bea2d93b3cc66ce56d84b6ac0272f661b7096af71d3b3db6071c6f90fedfe447f65c49c9702c36898

Download Submit
C:\Users\Admin\AppData\Local\Temp\usEe.exe

Filesize
466KB

MD5
ddaa31e2142dc85a3fd8088f57c34708

SHA1
e2077ed9c5699ea412c8fccd6239f32c0444425e

SHA256
626bb81cfcde2b594a98dc0e44b1d25acadaee4e45cc711526949f5c14cb23bd

SHA512
26054c3188d57470583954d88ab4a3ce2430f96442c7d4885c905028711dfbe5a2cddb8f9068c818bdc59936a266294daee79690a6d6a88634f8aad4f5e14794

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmggQksM.bat

Filesize
4B

MD5
a57de6cda0205f5b381a536cdcf1a8a0

SHA1
990ece455887e63198888717364039fa422015ee

SHA256
e2d04596b16f728bd73e03629c138111f69e0ee2f4c5c020e6d08c14532ce959

SHA512
d883db95002bd4f023169376bcdd1e665e543ab5b6eeafb9ddb2f5f74782fb49d09e7911b98907266497fa90832d574ed0b8119d72ae75a8c2e931e25c2d8ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGQkEcIw.bat

Filesize
4B

MD5
d84f1a134277dfdcba3135fa21f44f60

SHA1
125c05d72aa40de55bd429473d4ab6d6c9db5b43

SHA256
39074ed6615bf82f0f2fd0134aca6145c806fa3186a0fca4b5df0b0898407c6f

SHA512
9d7473e69d199a2ae59cfe932fd74c6e3e5eea10f8abbe7002ce708bae3e02ed62ed73a9052e0b1ce8cb9c2dc3a7db785c44a484bf2b861bf13d8eb97afe0fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMEoMMQk.bat

Filesize
4B

MD5
de76716ec0caa2a2a65b85532a89367b

SHA1
0123217f7aea0db50834de703e8c9a0ca063938d

SHA256
10c50febc7355e55a2cebb7d947f94dccb3e2828d838baaa6ee58fb2f7aac255

SHA512
43c237e049836c402d253675adb46048f8e2de29b9d4d989b0dbce1490e99a466e6c7a1a0b0ed33320f82e21defc000c5d0c1846ed145d5dfb958197516ab050

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMoO.exe

Filesize
241KB

MD5
de5e699784db82cfd3e3146354d40e72

SHA1
31af4bb97b481d6160a61d1900e8cd536721ecb2

SHA256
d3a07b02c004422d8284e66ebe9872093f0afc1244e58b989f5255e7dffe20b9

SHA512
2c02a50dbc51b5ff0dae6a2db0ba1ec99373ab7f606fc3abbaa261c4546200235c6bb81aa4a6508152e834b39972ffd24e1adc220527ca417e7ea0c0f31c7795

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQQU.exe

Filesize
247KB

MD5
da15e3b2c90d9222685a8ac5cb1733c1

SHA1
3126ed69d871d777b44f08c164442cde6fac5de4

SHA256
4de9dd68478f7508a073b629c63eb469f4291125ae07962b6c465b46ed56b3ce

SHA512
f5e47ccc5ccf91f4d660b6e48c4aeffe81a662fffb07d384bf5eace4f2860be9a1c53aa3684be6626d23dfa46def11efa11e124178ac6f46253928555cc98334

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQYe.exe

Filesize
1023KB

MD5
292927158c91aeeeeeb3bf22d6824e78

SHA1
103fae383b0dc1d313499c31f967e0a58e687775

SHA256
8842c4a461dc57e454b06c2c181034fb4578a532b18e4c48462763c23cb798a1

SHA512
9b92f49ead3309ef5fdb4eeab00c1f2fbc38329e37320bfb5369d1e159b7ae24252ee881356735eac7d59541ea8d5631d860d8871fc2f36d1bf9c72e700713ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUkw.exe

Filesize
237KB

MD5
45f3586c17855a34dc6d6215e4b9b59e

SHA1
d42e67f391e9bd317a6e8e75290d5378a9dbf961

SHA256
2c57ded9a06de4fd3bb5071191e068348e3561e284b3e270aadb786770a65bb1

SHA512
20de8e73221224cec1d041e146337f1e6300b844e1d5ab1f7f72ec84c62f5dfbe38053595c61556e894d98c0296e1a41165be95b8c09165349c55c9b2e29890b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkEq.exe

Filesize
203KB

MD5
1b66f63b0876b64a8084a5dbffce51db

SHA1
fe4e77d351b39cadd783bcbe574cf23f73326efb

SHA256
b388a5d6ab1e482bed4de736c899a05a6de2169878acff2fc1d1bb3ba357dff6

SHA512
65bc5bf3985a6055c014dd38aade74c4a8af143a63050a3c711fae77104a20ba24e568f454d9be7379dd14ba9ccc27a5850e5d963918064d0c91a4aea32cbcd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wksW.exe

Filesize
319KB

MD5
08df492b68bd113958a0e4e23d6f4e61

SHA1
d8c91500f8976dc9d6d439abaa0e49432808ff0f

SHA256
8ccf85c9739efc28d43646e15368bfe63fb40ad708f083ce0d68603973e0615f

SHA512
a549d05e0b93e9ee901db9ca6686491e73d0e49948cfe8f962569c6631311a2a53a05913efe6e581a20ce3ffe6f37d1d6dc8da37675b0783c42918f2f610dd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwEA.exe

Filesize
554KB

MD5
86448b87564a448d107bde23f30fb515

SHA1
efb49f9766d6a2d67b82df1729cc48bfa22cbb8c

SHA256
c9ca369757cecaa6ed6532f5ed838a211bbdacf6cfb1b2b9977526eea0709bde

SHA512
acb970a60bd71a6140f43eb737bd975cf61db6281c586fb271979824ac29e0ef26f28696367ad7950f4c9a8e895e38eaf99dc4347cb11a140abf7c9de806565f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcMgMEIw.bat

Filesize
4B

MD5
3ce2bf88dd04f19d0837e9ea0a31832c

SHA1
91df3a1f04282929686579c24da4a7105c2d81de

SHA256
e246601560dea2ff9ac85464d0fd1673792fd42ea4753572109e048967d7f8be

SHA512
727d654f86187abdb00708a30d4e5d19bccaacd96697a60c886d9b2f485f59b04169c70849a735c4c3593770ea4ed0333dab8301d94ee8ecb8c52ffbb754a3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcwMIQUM.bat

Filesize
4B

MD5
279abf4e9d9a0d0ac9497441c53b7cc0

SHA1
2419ed74a0f66ae5e30342e64c4bfbae6ab06ee0

SHA256
2f88875108129985c1760e9c2f30ab7ab6924667686ebf8e69647a26a7d08217

SHA512
eac99a5358281ac5b71afd495ef1654180368a41afea5d187b408fd2637eabfd850479c67dd5c67289f6749e3701981f90deb4f267e0a6224199724db0abd22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuUwQwEU.bat

Filesize
4B

MD5
981795b881b569d02763368825573df9

SHA1
771d736e981fe4e4308253997f882c1e63c2bce6

SHA256
5df691fe6fcc0ed0d762b5058a4486c99d8a46ed02e10e076cc79b3be685d936

SHA512
5aa5fab90520fbcca69662d559b76b9ab9d0b84a063caef15b25bee5cf13a5131a70c81327043543a0b1f006201d03a90dd3ca9efba4303652a3d7f7d5fb1312

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEkS.exe

Filesize
833KB

MD5
a5c99e64b9cc9474cf8cd78a5914abd1

SHA1
0169d315b372fa28f8e6e7e601520263e5c9c5f9

SHA256
15f9361f30e29c58a023e4c0ec5efd11be1f5308d768a3bcd41716902f3d1e14

SHA512
f1c05b96db755e6088ccc49810bff997be4a9cb302cf6cedc480189a7491de5d0b421fc1f87356cf0cc8dc313707f4e04de1cdd5424f8866837f2001fbde16f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yGQMckwA.bat

Filesize
4B

MD5
b2b8c074f6a69a4bcf78bf0f63f2da3f

SHA1
c8716a456b1a4240c85dca41b30412dd2b10603c

SHA256
23b5b90a6323cd9bc81fa89119e870af8cd750bbcac2bde518347bdbe7eea60b

SHA512
4315ed8d56fe5d4cd5a7a0ffdb3a57948b513e3c4a34c347786befb7b53b9d40a462aeab9d1f0deaaf2b21d0fa9ed05ae96fc3750cc7c877a81683772aa09b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUMs.exe

Filesize
644KB

MD5
3e100736d6c0a3254c8e42bf4539c8be

SHA1
b187a94d3cb6096039cc58d1c8be804457c3d0fb

SHA256
4578049acf50b784273b5fef2d57a7c078039760c8cd467937bf83a82856d5f6

SHA512
67b62313e8a9bbcaa7de326035a3c1739d1862f605d6fa7c3f707021b69d9425e9054f7de2a7376c721ea05b5fcb1246cf17894401755c9203a353af9eec85b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYC.exe

Filesize
238KB

MD5
9dd4da9a762bde93d23e24951e66baae

SHA1
51202056f87745d8624ee128c9f0161ec782e7fb

SHA256
39920e41e289fb9e8a736d78ab339bf8fa6487e01760f95131d7aab6ac96030b

SHA512
16a2b4c001c89c80c5395edb703a05ba44be86221765a8d2068eb2699c3fc0d8f55beab87eb65d80e14e2b02077d425ca3f1762aa18312df07609bd2cda20b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYE.exe

Filesize
562KB

MD5
c107cef21909fc5fb54da9239120955d

SHA1
d51e09b60699d29aa5ed014ee46f3a5368d74153

SHA256
1f0d01bd7fb86f8e1ed963446821399163bf4d84df7acefd4abf23d363d18472

SHA512
3897d57317480fcc91299f0a5020c10a637c4a8e8d8d82d3f6fceb59d50b86013a7ee95fb413d7c53ac5e3c6dbf5cedc88836f9d60ce83fbac7831477796272f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYcM.exe

Filesize
230KB

MD5
8981ddbed8a02775b5f54949a69983d2

SHA1
1271b3370d22284bf76095a244bddb2ba8601502

SHA256
fbb6e5d3a3f10ebee448698245c176a87da1731f0d846ed6d2aafc585284a2d5

SHA512
de024b5e4b52d19f66ef26cb2c621ad5852538361368cc18b55c7f75071f45c27dd81b797d4f9b2fa758dd5e8b541acb017c69837ec9d36e7c8b717283f3745f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yicgUgsM.bat

Filesize
4B

MD5
2acc2401952ce03decfa9b8521097693

SHA1
86e4848a4b076b83cbd744cddc7a29c874538e0a

SHA256
d91bb3f6184d817a4b51fd7bed7b76e10288ca426dc3bf108cef1458196490b8

SHA512
9accd0820efb960797f3674d0751ba4e575bc2292a4072e3584638c0db52ce6d7e131e04fc540bc987cf543c78d7bba5e1adb372e671f62f39f10d17af8d04f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoEcoQkc.bat

Filesize
4B

MD5
ccfaedc4a7a9ec2c87d82e6f46fbd22f

SHA1
f31c238bac5a2faadcd8e88b2dad2c431922a0bc

SHA256
ccc006fec72974f0c9c7edd24a0e05be7e2d37d29de11dba3d8034b65eac3798

SHA512
0779d5f37188c52fc9d7cb7b98ed35b85af06e4af380c238f03008e11c42a04c2d5bed64bbf39c4b9f0694c048b75e3fbef3684ebc45c4c3856592dd202106f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywgQ.exe

Filesize
241KB

MD5
dc93a323c765faa6f1efe6b462d4abbd

SHA1
4b9875ffd08689debb1bc9c5d519c05025a42894

SHA256
a5725132bce4eef8a47bc3109d70b4dc32c33d342a3f713537e804c29ac44c2f

SHA512
3a0abe34cfe483cc83e6f97cba1b7211e9df8eae7725d43fada1341d80262c3a3d249453bfda855f72520dcbe62ee424f075f23376b28698d7584a1729d9dbf3

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

Filesize
937KB

MD5
9bb200da6e82d38af2e6f8ea53760975

SHA1
8f5dbe1fedf2591c9ba4198cee98252c93fdcd75

SHA256
83f40f8a3482e5c06fd0397efdce43261c3bd3db2da1eebb4d79f496014d9749

SHA512
482bd7a5519a42a8a7b9f52098502346761713811a951b37b10cefaf366f859b9f75189339e9bebb4ccb398e7f139ba3848d736b5b40c445d642948f3d925c20

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

Filesize
808KB

MD5
aec2d027e85b4e247012bfe268d36cee

SHA1
1c8febf5675ac879558c2650f515f516bfe0a930

SHA256
9bc0caf0855e9d153d5dec7e954480f73a329bca1a9f5c244baae748b31eb248

SHA512
4526208e23dcaeef1dd1674bc1b3e8a01ed7f012126c7b186688ca6fc0264df686d35560d83b9aba1e1cd84db2e2b5860396de99184bc77cee9d1fcf549ec219

Download Submit
\ProgramData\zUAMsEEU\ZeksYgMA.exe

Filesize
185KB

MD5
db36be08290d26cf329229baa3580344

SHA1
2ab6c18d98fd40b9c0cdbaa9b9fdc0de7dbb4dff

SHA256
2e7ebbf5514ce9679e885d22f032d7f5ab0dbdd8d6c918e7e76dae65e8032a7b

SHA512
7e5a01eb2e76415dc7b1f407014bf8ed477d535d463f98cffbbff2a677a6b0ea6ce53e0193c216b15fff45591607b782817bf61ea7f65aed504363bc0e0d7227

Download Submit
\Users\Admin\micMEkwQ\leUQUcsk.exe

Filesize
189KB

MD5
1eb40d815df578e75553b0d89a34c03a

SHA1
8eaff666b7e65c975b9790a2cfb543c7f67cdae8

SHA256
dc9b3c5955c8d66f267674f71a9bdb3c7647f46cfae35dd2ee8973f0d7ae8cc2

SHA512
90803365f0adb5cc485ccb9105668629492c6a9c060d56932aadf321c388a9cc30abfebb9df6497d5dc4e64083cc7bdc8da0a29b50920f4551ae5a5d28b2a7c0

Download Submit
memory/632-421-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/632-397-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/796-278-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/796-247-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/876-588-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/876-586-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/888-419-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/888-443-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/908-682-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/940-620-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/940-621-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/1060-208-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1060-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1096-372-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1160-349-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1160-326-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1208-711-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1208-731-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1416-325-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1416-304-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1500-512-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1500-482-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1532-704-0x0000000000280000-0x00000000002B1000-memory.dmp

Filesize
196KB

Download
memory/1532-703-0x0000000000280000-0x00000000002B1000-memory.dmp

Filesize
196KB

Download
memory/1580-683-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1580-713-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1664-552-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1664-587-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1684-13-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1696-469-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1696-445-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1812-550-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1812-532-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1812-395-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1812-373-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1816-255-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1816-231-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1824-230-0x0000000000870000-0x00000000008A1000-memory.dmp

Filesize
196KB

Download
memory/1840-302-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1892-667-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/1892-662-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/1896-111-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1896-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1956-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1956-65-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-182-0x0000000000450000-0x0000000000481000-memory.dmp

Filesize
196KB

Download
memory/1964-174-0x0000000000450000-0x0000000000481000-memory.dmp

Filesize
196KB

Download
memory/1976-40-0x00000000001C0000-0x00000000001F1000-memory.dmp

Filesize
196KB

Download
memory/1976-41-0x00000000001C0000-0x00000000001F1000-memory.dmp

Filesize
196KB

Download
memory/1976-460-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/2072-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2072-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2076-150-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/2084-134-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2084-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2112-551-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2300-184-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2300-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2304-692-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2304-668-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2336-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2336-11-0x0000000000470000-0x00000000004A1000-memory.dmp

Filesize
196KB

Download
memory/2336-21-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/2336-20-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/2336-39-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2344-294-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2344-303-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2364-608-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2412-622-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2412-649-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2456-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2456-88-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2512-444-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download
memory/2512-435-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download
memory/2516-530-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/2608-246-0x0000000000390000-0x00000000003C1000-memory.dmp

Filesize
196KB

Download
memory/2608-245-0x0000000000390000-0x00000000003C1000-memory.dmp

Filesize
196KB

Download
memory/2624-341-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2624-351-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2664-229-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2664-199-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2704-491-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2832-599-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/2864-531-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2864-503-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2872-502-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2876-607-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2876-631-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2884-480-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/2884-481-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/2952-103-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2952-137-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2984-269-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2984-270-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2984-102-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/2996-670-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download