da42c40cc93dadc086f85f730d8c76b91aef695e4aff37929fc08cc499a8ddc1

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202405226a92195e4429fa42c588eb4193d18426virlock.exe
Size

189KB
MD5

6a92195e4429fa42c588eb4193d18426
SHA1

1ce3f60ff39f8497f47eadc456146f2bc04dc115
SHA256

da42c40cc93dadc086f85f730d8c76b91aef695e4aff37929fc08cc499a8ddc1
SHA512

f91b84e3e89183dea4ec0f9b44bf7595dd660659dd8a3f67e72ff0cc876497d4edf4bc4f2c52916f8343b732a35e90795662a05bbf122aeca87c82b89ce3ff2b
SSDEEP

3072:lkg2UE2ZPRBrVC+bmdxyd4m52dVFMKjIcxzzql4BkVP6LQ+9Xgm:lJ2UfbBrpbaIJAuKcYBkVP6cwg

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

iucgowcM.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation iucgowcM.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2628 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

niIsMQkM.exeiucgowcM.exe

pid process

1668 niIsMQkM.exe
2700 iucgowcM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	iucgowcM.exe

pid	process
2628	cmd.exe

pid	process
1668	niIsMQkM.exe
2700	iucgowcM.exe

Loads dropped DLL 20 IoCs

Processes:

202405226a92195e4429fa42c588eb4193d18426virlock.exeiucgowcM.exe

pid	process
1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iucgowcM.exeniIsMQkM.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iucgowcM.exe = "C:\\ProgramData\\QqIUsYcs\\iucgowcM.exe"	iucgowcM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\niIsMQkM.exe = "C:\\Users\\Admin\\zigcUYoU\\niIsMQkM.exe"	niIsMQkM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\NugkQwso.exe = "C:\\Users\\Admin\\bAwoMkQU\\NugkQwso.exe"	202405226a92195e4429fa42c588eb4193d18426virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOUEUMMI.exe = "C:\\ProgramData\\GcoIoYYQ\\DOUEUMMI.exe"	202405226a92195e4429fa42c588eb4193d18426virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\niIsMQkM.exe = "C:\\Users\\Admin\\zigcUYoU\\niIsMQkM.exe"	202405226a92195e4429fa42c588eb4193d18426virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iucgowcM.exe = "C:\\ProgramData\\QqIUsYcs\\iucgowcM.exe"	202405226a92195e4429fa42c588eb4193d18426virlock.exe

Drops file in Windows directory 1 IoCs

Processes:

iucgowcM.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico iucgowcM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2876 1572 WerFault.exe NugkQwso.exe
2428 2952 WerFault.exe DOUEUMMI.exe

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	iucgowcM.exe

pid	pid_target	process	target process
2876	1572	WerFault.exe	NugkQwso.exe
2428	2952	WerFault.exe	DOUEUMMI.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1344	reg.exe
1044	reg.exe
2144	reg.exe
1768	reg.exe
1032	reg.exe
1680	reg.exe
2320	reg.exe
2424	reg.exe
2320	reg.exe
2344	reg.exe
1428	reg.exe
2528	reg.exe
2720	reg.exe
2732	reg.exe
1576	reg.exe
2484	reg.exe
2984	reg.exe
764	reg.exe
1152	reg.exe
1872	reg.exe
1572	reg.exe
2800	reg.exe
1268	reg.exe
2872	reg.exe
1652	reg.exe
2872	reg.exe
3000	reg.exe
1252	reg.exe
1516	reg.exe
3052	reg.exe
2804	reg.exe
1720	reg.exe
1528	reg.exe
588	reg.exe
2656	reg.exe
2716	reg.exe
1544	reg.exe
2620	reg.exe
2324	reg.exe
2824	reg.exe
1752	reg.exe
3056	reg.exe
636	reg.exe
2836	reg.exe
2888	reg.exe
2876	reg.exe
592	reg.exe
2308	reg.exe
1608	reg.exe
1880	reg.exe
2524	reg.exe
1756	reg.exe
2752	reg.exe
2908	reg.exe
2076	reg.exe
1140	reg.exe
2804	reg.exe
2600	reg.exe
1300	reg.exe
1428	reg.exe
2704	reg.exe
700	reg.exe
2156	reg.exe
2236	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe

pid	process
1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1640	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1640	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2300	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2300	202405226a92195e4429fa42c588eb4193d18426virlock.exe
992	202405226a92195e4429fa42c588eb4193d18426virlock.exe
992	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2896	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2896	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2248	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2248	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2484	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2484	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1936	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1936	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2024	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2024	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1576	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1576	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2228	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2228	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3020	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3020	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2944	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2944	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1752	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1752	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2156	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2156	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1156	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1156	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1280	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1280	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2708	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2708	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1988	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1988	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2076	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2076	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2628	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2628	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2060	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2060	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1376	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1376	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2152	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2152	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1492	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1492	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2592	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2592	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1828	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1828	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1816	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1816	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2792	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2792	202405226a92195e4429fa42c588eb4193d18426virlock.exe
636	202405226a92195e4429fa42c588eb4193d18426virlock.exe
636	202405226a92195e4429fa42c588eb4193d18426virlock.exe
472	202405226a92195e4429fa42c588eb4193d18426virlock.exe
472	202405226a92195e4429fa42c588eb4193d18426virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iucgowcM.exe

pid process

2700 iucgowcM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iucgowcM.exe

pid	process
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe
2700	iucgowcM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

202405226a92195e4429fa42c588eb4193d18426virlock.execmd.execmd.exe202405226a92195e4429fa42c588eb4193d18426virlock.execmd.execmd.exe

description	pid	process	target process
PID 1760 wrote to memory of 1668	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	niIsMQkM.exe
PID 1760 wrote to memory of 1668	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	niIsMQkM.exe
PID 1760 wrote to memory of 1668	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	niIsMQkM.exe
PID 1760 wrote to memory of 1668	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	niIsMQkM.exe
PID 1760 wrote to memory of 2700	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	iucgowcM.exe
PID 1760 wrote to memory of 2700	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	iucgowcM.exe
PID 1760 wrote to memory of 2700	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	iucgowcM.exe
PID 1760 wrote to memory of 2700	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	iucgowcM.exe
PID 1760 wrote to memory of 2276	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 1760 wrote to memory of 2276	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 1760 wrote to memory of 2276	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 1760 wrote to memory of 2276	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 1760 wrote to memory of 2600	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2600	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2600	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2600	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2720	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2720	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2720	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2720	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2276 wrote to memory of 2104	2276	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 2276 wrote to memory of 2104	2276	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 2276 wrote to memory of 2104	2276	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 2276 wrote to memory of 2104	2276	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 1760 wrote to memory of 2520	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2520	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2520	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2520	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 1760 wrote to memory of 2588	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 1760 wrote to memory of 2588	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 1760 wrote to memory of 2588	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 1760 wrote to memory of 2588	1760	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2588 wrote to memory of 472	2588	cmd.exe	cscript.exe
PID 2588 wrote to memory of 472	2588	cmd.exe	cscript.exe
PID 2588 wrote to memory of 472	2588	cmd.exe	cscript.exe
PID 2588 wrote to memory of 472	2588	cmd.exe	cscript.exe
PID 2104 wrote to memory of 1708	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2104 wrote to memory of 1708	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2104 wrote to memory of 1708	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2104 wrote to memory of 1708	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 1708 wrote to memory of 1640	1708	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 1708 wrote to memory of 1640	1708	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 1708 wrote to memory of 1640	1708	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 1708 wrote to memory of 1640	1708	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 2104 wrote to memory of 1720	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 1720	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 1720	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 1720	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 1836	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 1836	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 1836	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 1836	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 860	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 860	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 860	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 860	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2104 wrote to memory of 2816	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2104 wrote to memory of 2816	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2104 wrote to memory of 2816	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2104 wrote to memory of 2816	2104	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2816 wrote to memory of 2020	2816	cmd.exe	cscript.exe
PID 2816 wrote to memory of 2020	2816	cmd.exe	cscript.exe
PID 2816 wrote to memory of 2020	2816	cmd.exe	cscript.exe
PID 2816 wrote to memory of 2020	2816	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
"C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\zigcUYoU\niIsMQkM.exe
"C:\Users\Admin\zigcUYoU\niIsMQkM.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1668

C:\ProgramData\QqIUsYcs\iucgowcM.exe
"C:\ProgramData\QqIUsYcs\iucgowcM.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
6⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
8⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
10⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
12⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
14⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
16⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
18⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
20⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
22⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
24⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
26⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
28⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
30⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
32⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
34⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
36⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
38⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
40⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
42⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
44⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
46⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
48⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
50⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
52⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
54⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
56⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
58⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
60⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
62⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:472

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
64⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
65⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
66⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
67⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
68⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
69⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
70⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
71⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
72⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
73⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
74⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
75⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
76⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
77⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
78⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
79⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
80⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
81⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
82⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
83⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
84⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
85⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
86⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
87⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
88⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
89⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
90⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
91⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
92⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
93⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
94⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
95⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
96⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
97⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
98⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
99⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
100⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
101⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
102⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
103⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
104⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
105⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
106⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
107⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
108⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
109⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
110⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
111⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
112⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
113⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
114⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
115⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
116⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
117⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
118⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
119⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
120⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
121⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
122⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
123⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
124⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
125⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
126⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
127⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
128⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
129⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
130⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
131⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
132⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
133⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
134⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
135⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
136⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
137⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
138⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
139⤵
PID:800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
140⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
141⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
142⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
143⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
144⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
145⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
146⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
147⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
148⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
149⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
150⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
151⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
152⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
153⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
154⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
155⤵
- Adds Run key to start application
PID:2980

C:\Users\Admin\bAwoMkQU\NugkQwso.exe
"C:\Users\Admin\bAwoMkQU\NugkQwso.exe"
156⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 36
157⤵
- Program crash
PID:2876

C:\ProgramData\GcoIoYYQ\DOUEUMMI.exe
"C:\ProgramData\GcoIoYYQ\DOUEUMMI.exe"
156⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 36
157⤵
- Program crash
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
156⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
157⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
158⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
159⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
160⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
161⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
162⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
163⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
164⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
165⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
166⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
167⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
168⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
169⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
170⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
171⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
172⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
173⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
174⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
175⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
176⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
177⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
178⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
179⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
180⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
181⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
182⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
183⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
184⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
185⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
186⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
187⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
188⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
189⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
190⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
191⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
192⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
193⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
194⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
195⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
196⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
197⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
198⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
199⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
200⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
201⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
202⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
203⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
204⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
205⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
206⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
207⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
208⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
209⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
210⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
211⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
212⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
213⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
214⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
215⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
216⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
217⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
218⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
219⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
220⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
221⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
222⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
223⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
224⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
225⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
226⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
227⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
228⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
229⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
230⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
231⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
232⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
233⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
234⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
235⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\auAEQMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
234⤵
- Deletes itself
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSoIIoEA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
232⤵
PID:3020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
- Modifies registry key
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qAUgQYYo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
230⤵
PID:2240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\weoMoQME.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
228⤵
PID:2552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEAYUogE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
226⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
- Modifies registry key
PID:700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fssIskco.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
224⤵
PID:2920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
- Modifies registry key
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nGcEwoAA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
222⤵
PID:2688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:2576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGMQoMEE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
220⤵
PID:2088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIccEMYM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
218⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEgsYAMM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
216⤵
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOwAgsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
214⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qMwswogY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
212⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
- Modifies registry key
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmoEAEoU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
210⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wickokoc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
208⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies registry key
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WigIcgko.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
206⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
- Modifies registry key
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AskEUQQc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
204⤵
PID:2768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwIckIEg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
202⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies registry key
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
- Modifies registry key
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYUgUYUE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
200⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies registry key
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JoQQAsMw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
198⤵
PID:2316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- Modifies registry key
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIYYEUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
196⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUMoksoo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
194⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
- Modifies registry key
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pcQYkkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
192⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nSQcYQEA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
190⤵
PID:3056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cigscoEE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
188⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
- Modifies registry key
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgMUQMUo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
186⤵
PID:1444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
- Modifies registry key
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkYMQEwM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
184⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
- Modifies registry key
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\awwIIEok.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
182⤵
PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsAooAEY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
180⤵
PID:2792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- Modifies registry key
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYEQUIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
178⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fAkYIYUA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
176⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
- Modifies registry key
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUwsIgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
174⤵
PID:2696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSUUYcMo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
172⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
- Modifies registry key
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmwUgEwE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
170⤵
PID:1112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BIQsQwAk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
168⤵
PID:3052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUYYAEwY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
166⤵
PID:1964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\suIEcoIM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
164⤵
PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
- Modifies registry key
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- Modifies registry key
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\scoogYUk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
162⤵
PID:1076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies registry key
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- Modifies registry key
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OuQUEokE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
160⤵
PID:2640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOQIUEUc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
158⤵
PID:984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGUYIEwk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
156⤵
PID:1312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies registry key
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
- Modifies registry key
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOIEoYoI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
154⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZiYIgkoI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
152⤵
PID:1880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMgAYcYU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
150⤵
PID:1048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yCgEYkYo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
148⤵
PID:1296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWsQoMAw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
146⤵
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies registry key
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eUEwQcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
144⤵
PID:472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIEoooEU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
142⤵
PID:1048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAYIkgQk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
140⤵
PID:1040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\agYEUIkM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
138⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKEsUUYI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
136⤵
PID:1556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\taEYUIIc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
134⤵
PID:1980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUUsscoI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
132⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lscsgkkY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
130⤵
PID:2836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
- Modifies registry key
PID:636

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PkUoocgM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
128⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wokcIUgs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
126⤵
PID:1296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies registry key
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCcMgcsk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
124⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
- Modifies registry key
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\isoIkggs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
122⤵
PID:1284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuMMYgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
120⤵
PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
- Modifies registry key
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sicUIsYc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
118⤵
PID:1060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
- Modifies registry key
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkYQIUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
116⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwEwIQsk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
114⤵
PID:844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYYMIooc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
112⤵
PID:1560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSQcUoEo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
110⤵
PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEYkQgUY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
108⤵
PID:1504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JwAkEEoc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
106⤵
PID:2812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ggIgIkcI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
104⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ggIMUAQs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
102⤵
PID:1340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQQgMEAc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
100⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yOocAkcw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
98⤵
PID:2632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kKcoAogo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
96⤵
PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYIgAIco.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
94⤵
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hmAAIwYw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
92⤵
PID:1032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAsIEckY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
90⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- Modifies registry key
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BaoIAooI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
88⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
- Modifies registry key
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCwcAwYk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
86⤵
PID:2528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lmQckkYw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
84⤵
PID:2364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yAsYkIYA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
82⤵
PID:764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GeYMoAIA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
80⤵
PID:988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaYUsoMk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
78⤵
PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOYkYQss.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
76⤵
PID:1492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKwooUck.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
74⤵
PID:844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AywMUkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
72⤵
PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies registry key
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMUwYQQI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
70⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies registry key
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQYIAMIM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
68⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
- Modifies registry key
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XsgQUMsI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
66⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:1252

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKMEswow.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
64⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FGMkMEEU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
62⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VawEUIAM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
60⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\teAUIMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
58⤵
PID:1928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ciYAccMo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
56⤵
PID:1936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MsoMcIcg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
54⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sqIgwwYc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
52⤵
PID:1988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECEowcYo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
50⤵
PID:1780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqUosYkE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
48⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UoYsooAE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
46⤵
PID:1528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- Modifies registry key
PID:2156

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zGUcoAcc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
44⤵
PID:564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgIYcsEI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
42⤵
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XyQEQgcY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
40⤵
PID:2732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcsIEUUc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
38⤵
PID:268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RiwkkIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
36⤵
PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VgYwIgwI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
34⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYsIoMgU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
32⤵
PID:1376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies registry key
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uMIcscsU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
30⤵
PID:2596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwwIMYQg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
28⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwEEEUgo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
26⤵
PID:896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
- Modifies registry key
PID:1572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQUYAoIk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
24⤵
PID:2988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEgkIYUA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
22⤵
PID:1268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- Modifies registry key
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bSMMwQsY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
20⤵
PID:1108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQUMcQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
18⤵
PID:2660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
- Modifies registry key
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOUoIMAk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
16⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKwgIcEg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
14⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tGkkAAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
12⤵
PID:2924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCMIocso.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
10⤵
PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ceAEMUYw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
8⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkkoYIQc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
6⤵
PID:1040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KgAocAUc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CeAEMAQc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-122589789-631854368756540050609112331-287841471-1432803148-61490708-1614313179"
1⤵
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13731780811565447009-444045948104463881412425144131530554347108997588-109803836"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2020730965-4554895451170448831-15999584722137482717-1080746952-979489069-967225138"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1564363354-18943632201357572984-1147719017-1551083155-402770616-1539361519-497700023"
1⤵
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1710438553-1643498239243734471575451690-145547829712490656211882741019-1395067339"
1⤵
PID:2776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13191890941028226000-357519233-1375944840294428952456201317263019115-1682204829"
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21358013541383825463-1998295044-665777863372343832-191995142620154651862038311642"
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1357094485986295988-1627294437-803800403-200460352-2010561601057198252-966743882"
1⤵
PID:1608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1879513246-1864852817-258718605-1285100503-32824207119291048301763321854-439334892"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10928687181360874691633054253-11901056462029685313966308110265715283896691205"
1⤵
PID:2404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12093901021856408930610026044-7829598682135881585-499004562-721604701818834683"
1⤵
PID:2300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3977069542003279394-1013332661-1438258258-806826307-386749271781806561-592981459"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1998278068166830320112868552-466455154-817375884-1909727595-132709389-719434989"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1163778563-16882556851739672258377593181208752223-7155153611433119334815267278"
1⤵
PID:2572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "60993338810997749652027709132-998358870563110712-1901553652-7584457761273278393"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1834287880-186566513-163014152-1179208747206648767412554801773491033-1774800340"
1⤵
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6905477158143381-2118470321-1660338597-1605428827-1020207853-1770289088-1950361325"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17129215649058256071023357013-218610226-1499465336-50476286312806008102112460936"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20540296032068075362823678885-1017802316-2142829579-734822281-1260276494-56213041"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-143599962110249173022090046527-1346804839-913218731397086381-925863177-1529355590"
1⤵
PID:1052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1928334917121242947510946384831329388215-1592293874-19101352141732966055-1736887316"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6189203-294832947-16887974816186913161418158338-20612353251847961023-991415455"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-550621558-1869270786512115675-1268619222-866705204-14554080241318557156-1170394391"
1⤵
PID:1556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-339139106751498032-1806168091-1326523440-1114915434-11644085681228093558-2108291909"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20474524192065672488-1548410988-545590710-983546237-126144788-9038052101138373467"
1⤵
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-208965576-908392150-1344713329-488491341-1676275857288689589-605966039-1596077982"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "962282446-1776894509-2010495990-19651565731143194575-17651085991375650035-557653049"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6596331626347583631040165161-8693504501106985803109733993012167468242055649950"
1⤵
PID:2376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1592837565-1057124954-15681449311824868481-10882737231164905151-2101252012504648274"
1⤵
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "137057315872251983540001730-1880174370-35535305173649867514171885591392914056"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "42119397753656075-16170370506856577911743172376-463857805-1066139393-1501986933"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "676852665-1567255712-734962583-1547375205-88901629-875328614809516801-823351827"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1782177151-6579113731898433222844161202-1598246254-41572609118471298321131570968"
1⤵
PID:768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "43129728963094901-1296157212-1735217916172944073213740427695029747112045462239"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17871254411326236110-255185696-5279493952018752092-953498256-19366497741387765142"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "58959901719195480651594200913-17680833491096593309-486104569-1935846653-245764240"
1⤵
PID:2076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-672921345-1156112526-17001226931363403089-1777263498-810207976-23185272145232767"
1⤵
PID:2272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5288836241207532740-6124730211103440033-791022102-1596631227-2134571339-1718452203"
1⤵
PID:1796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9075060001317765367-535514343-74679765891198798-8531547715969804471037639908"
1⤵
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16198864754104458792041872100190350161172914864-2124524599-5080177341186738873"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1202952023-12631468006254921388640367-820539967-1595543320399898646823426148"
1⤵
PID:1304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1877777471-359146579-383896789275688484200121411563253010-759294103843805124"
1⤵
PID:1860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "950623407086595801939205483-1158208346-143734802418945170441663436469949932159"
1⤵
PID:1556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-182023907017410665827341595001459701859-16663592611897652696-777074733-1163313048"
1⤵
PID:2284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1177179803-1540459748861223293-161224649-1890015299-1135312923-14775009791521672745"
1⤵
PID:1504

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2736843241649861052-1449821776-1759997364-19867514325115199671574183333-2131422226"
1⤵
PID:1780

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-541371477-990845826-1504359638512668374-1177418480-330567091223603886595008617"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2036074373-1874151773-154343351819920534928876521271617314-15265947511824901750"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13193463692023659985391086273-623694910710162396424983828-1067495389-590606818"
1⤵
PID:652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "532996015-2005471906758505676-1466810939-1107649902-318595368-20480237741410588347"
1⤵
PID:808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20980062032115449094-1376468947-1938270647513299148-18261267211561498718502489614"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2009089869-68054126-213992273315933321042085495710-15754966292039726298-564911955"
1⤵
PID:2224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "769467407910391365-795151953-1361101341841929981-1450815158-1754008381-1688400318"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1206393863-15164114622012444253-1372296363-9397745032095356168-8468528421069104721"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1251888757-10571628099088218871393497978-2007809595-228523691-359163124-105241684"
1⤵
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19612691801333266481-1215048200-1312257545-2082502436-1310933686795362046-229671800"
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13164537611895509619-14775784361828693055-128066290-1878933452-962161029-1904813039"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "190120791-20498982631402381747-393918069-618907437-17359612691902382166-1796920000"
1⤵
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-889159536-20805471051904039194-8017859-1319679765918953592-2101674842-516971389"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1751534697-6787603741316257264-1967473938-9076493141907476147-1294411011-2092810021"
1⤵
PID:1052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-779688722-193164040429015953911077928027617159981474753604-1033465507-1846369196"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-250248490649804429137785947912062662091590180918-3890785731242599993-1710335100"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1807550789214533597-11694230191338508443-15475483471829716335-1093641103-473909719"
1⤵
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "583130015-300850179-865984052563641133-1931792658-11930857831950847656-1738760883"
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1284475027-175161868212802339981363771911-6615894641440080886-1347995774-1981818691"
1⤵
PID:1760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1607123138-13517700071928501931-18967964128666320591908454268-703103128-1059479127"
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1850998234816877123907025321-1465079118-180176696485892457618295457541677128831"
1⤵
PID:1280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9646517161219210526-2924651401676363281-14111384781422796335-696781117-1100905497"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20616575921673131812-1427704721370054768-621814522072685793-13604742501513986266"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18717731781338341976340849344371274692161712797843404735432114-1309893038"
1⤵
PID:1812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16607068501549043751196061545-9770190759400383181589239892109473455-1694664082"
1⤵
PID:772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "649443865509620832-344558473141604496539380663-422509908-603452320-1535308663"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1998877322800159613-1067627739-2025991530511064740573916676-1795255530-1885543308"
1⤵
PID:1336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "926136590-7934168811034239186-15750268415876277271579268695-740536803-903387695"
1⤵
PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9526529739395549801122535911189780462051305593418859395161074128742-614260479"
1⤵
PID:2684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "476886728-3484194351589137473-908241112-228866939-2003271682-1395819078-2007944260"
1⤵
PID:1832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1044791703-2072043229-230591849-13782136821649043399-355085262639773985-773408261"
1⤵
PID:1760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-673377955-1974468178-276659393-11434798701537003415-351422590-1790223269-474633572"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-327538032-392842995166893904-79888111-910040180-1399746487-2633639521861405940"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1513999703-514145338-6717867618435952411202245784-18311460292099776847-1338031750"
1⤵
PID:912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1111579907-1737763491-11319976751327990427-13189925331539035733-1823279237-1065194000"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88819493016253852661354389885960992751-1921117060-1875228485-1847808603-1748353829"
1⤵
PID:2072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "136547440518366225207294845110008695722146071071-1690570777-17433703261939859553"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15844645161692701229-770363159-200103102-103176825719084322351132995863-670800306"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1515792403-393529660-1252980262-2119159278-2032979438481683707-9534716351021573436"
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "533168513969324551359835571118129802-2012027232-1553270410-151178982-352743324"
1⤵
PID:984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1642648426-214087087218659774361662274307-34233127220607618231483528176171678994"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9684860641754535332072680619-741802980196526691963822639628202342330906502"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-535148916-443847702-963738591042255285317910320-7711819011411474063-1982492827"
1⤵
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "121972082913575369731441211268-1134687506-13149773901651200171560516758474521229"
1⤵
PID:560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-191894460-268691944-254684653430169334-1764713528-286663053-1167409699-79972772"
1⤵
PID:1040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1354736381100707326018909306781952265935-64115520349531136319361905632089880168"
1⤵
PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14677007637996144251140468218565609197-75113104-392810186-7716023561903025742"
1⤵
PID:472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "953491059107340493415568012991147178474445815176393959291-889019624-1960819473"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-119963415712676678061027276386-17247451751113837817-822401085437757746-722020843"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2512826413185719701590990668149658516717901553646213235196861299651055283544"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1340235400-1219332719173364596915213118665488162706785956002051171548-749917297"
1⤵
PID:1104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "155534146558682360-1505022387-1065188547-1433398514-1953353813-986962620-335937799"
1⤵
PID:2308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8893083071874581635203662689111761895331038991819-4082674081457408153882937335"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-495763204-1888874471981289995-862595516-190567454264186646105389729197777625"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1489992002-1027936056-1241952304-235096695-10709406971045249303-2144066875-1067531028"
1⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1663506582-1962058151-1448840462-16597265221712663937241314810-1500478510-2079690005"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2551480701194641175-2066466301-1478751892-990701282-3794703831430626540-932624487"
1⤵
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1885835215-1025428420-20862962541197268586-361477369-104507127-515774506-513879424"
1⤵
PID:432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1950428795552520825-1615095216129597291310332216911384624779310347421056296849"
1⤵
PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1462971199528191295863389202-197034739-779446587437263344-41808545179284802"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "378922040-1222359757458298189-33352481-698541885-2121786508-185298839-2091534236"
1⤵
PID:2580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1883564315-18287766581426323966-1222891027-979213058-759924214-97588442-386651611"
1⤵
PID:2812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "71624398520515417011818813454-13603329911589861849-1775788080-750433092-1044486485"
1⤵
PID:1296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1112286917127699312511772267761501269770-4383286971494251885-2070991649860288380"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16669454901744958672-6935115601220329816129385647-236288964505409322-1287350406"
1⤵
PID:2424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1608439520-1345270510481006260-1883011251106438194877431183511769314891273236449"
1⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "756280818609283089342959655779477210221481182129255460711104992035280"
1⤵
PID:2300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10815388201666126718-16531270481912314466937132380-1679718859-697425904-1405953034"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1831699436-5906604281943849693183627985710677025119577483852142589488-810961813"
1⤵
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1253471990-384256132-1329976151772490513-1616206514106478147-579758639-516660958"
1⤵
PID:3016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2035957598-160455736713278216222044588266621847812-374200073-9544763501482844766"
1⤵
PID:2992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1285913355-796346447-949331323597738005-1609290890409138026-350373866-1731016530"
1⤵
PID:1808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1538559646-470290214-1320119669-1220493181-918176764-126094425018466949301277987777"
1⤵
PID:1044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2058675103-47530760393152061-1656083707-1355892057-147639094318148613341755340711"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1451373375-235105198-6524238871307915358439455192134645347322430585-502680698"
1⤵
PID:2228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2038195706-1048315029-11934925116957165281391985802-9385929527992090071346245014"
1⤵
PID:2988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "200634182239090137-2002974914-1212795527-582609506-881256779838227706-1324969463"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1326070781-1048377461-4304855481926863762282736331473625234-13684084042004903549"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2123263138-663831370-129602889644700235-904476235-870221505-1283210286-880425771"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-665569262128610724497747717-9837041251664640717333876311-1547914730-706489945"
1⤵
PID:992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-845325549-1858090258-385683728436018883-13893841981803726417-24892996-1456302276"
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9340503561812885840-2325024765469136971239648434-2100322859-1401021127-1270983718"
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
235KB

MD5
74a4314eba1a44fc425ec73de1e9131c

SHA1
adf0d73fe44233a8ab08dcb602c86e8d6f777990

SHA256
df729724f75ef533825d4c44b9a35e9581f36d8455bb4105ce2610a6af205455

SHA512
272d58b1e18f728654da1f80871c8780b07875c7b356ce61a7677f67095e4d14b591eea987886e013104a4b7024fafb47b34bb41560e674958d40a5b67e7ba72

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
241KB

MD5
c9ad915bada3a95a7b354c78ab982947

SHA1
c8ba5fb0641273793a31a665ad15851590dd6de9

SHA256
ff9347902314fe6edfb95f0453cd34e0055c6077beb698bd893dab5509776c2c

SHA512
73df4e90c2e99e2154396a21a6d9792e48e0949ff4e4ee366c52ffdb20ed548d2748690461f37f241419133638a74c6effca10069870923107dc74149e60fb13

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe
Filesize
242KB

MD5
f2bb51b49e48fa2df1ddbb9913603be7

SHA1
19bdfe0a360ab2157c9735692b69a9deadd7a572

SHA256
5061bc2988e80f80dc4f724f3cf06da9237dfa8b913605373ef6400dfb0ef638

SHA512
9e4ca8f8ccd23b7b9c66014d311fffb0e3869dfb95fc133c56a0e259f6eaff79a86dcc65e2bfe788cd739856ea14bb0f8276edf47224382dae21b28de2f7bd5c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe
Filesize
247KB

MD5
2e4aab0e07b3f8beea0c44484b514e2c

SHA1
64d277cc6369392fd5fb48bd2b62537a5598ba7d

SHA256
8e7880c823d02889338d2a8b1460c77ccc3c700424be442982c97a2898b0ae11

SHA512
c855ef69f7bd17810f707cf06455f9e7b3ffa5a5449cc04286cc7834bcbae32aab93c7d4a7247a47cb796b10881612813a4e61b560827154088b5741062e5c46

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe
Filesize
233KB

MD5
9287f8dca5c1090db3c548448bd0076f

SHA1
f9351954e2b9f2580127f80be4ac6a18428cf2fa

SHA256
88a9c52e056946dcc23a6a58b5140a1fcc12e0fd0a68ccd3869b771acadacdd2

SHA512
6055be33c5ef59c8d008afd688ab30a05db41053404a00ceb9f3a96dbfb5c699ad3832855c2b5f2eba51ffd0231640510a81e585e22001d5335ff2eb5f63704a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe
Filesize
249KB

MD5
beaa5bbacab41a136fdedef8c4f0ab99

SHA1
03869351259c31bac741b1e6377fc44ec8b2cd65

SHA256
0f1dedbbbaa1b92a697b5f72b221e77da7116b7c10882d131fdd8f8f1179fe98

SHA512
7a596d73d6add3175b5e58a3eac7a52abb1d5549abcc0764a49fbd8b7dae5591d41170ae8f3b4c27d461c7db6922f637723b315d95aa015464d253796c6b2ecf

Download Submit
C:\ProgramData\QqIUsYcs\iucgowcM.inf
Filesize
4B

MD5
d1555159accee6aa24ed437d555675de

SHA1
2279fb25640cab880f5692488cf5846e30e2d629

SHA256
bcec4fde60b523c936b9f72f15f4ed93b0324b1e7b68af856a7f129e839c78f5

SHA512
9b361fea4111307ff3c45724a6a260e187271e9874fb4d0d87ea961cf0a5b5b5dd25c80d91d91ce333d0b17a58ad403679849cbb136193ec22117d7766f448aa

Download Submit
C:\ProgramData\QqIUsYcs\iucgowcM.inf
Filesize
4B

MD5
634b873937b52e15470a766c34bf8c22

SHA1
2847aae4a4cd41aca667724fa9bf0f2280c4181b

SHA256
622e8639587657cde3373fbfd6ca7b3113773227bbfeb97da48142189ecbdf1d

SHA512
a7794e4c15815e257fb60f35a35c49469dc61af8ce04701981ca87b5263d4ccb46344c1df4c5c9c4e2aa8f2c4ee57a547e8c039626036907506287306d838c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMUU.exe
Filesize
238KB

MD5
5d27265526830dcacb0119f2f71f5c08

SHA1
67ea542575f022be5bbbce511d538b054b8910ec

SHA256
f373f2441af8331014e1d8a2ac85f9e1083263a0457f9ceb1ad18998b90cae21

SHA512
79cbb800a18e153a83dc19355810ca5b47d7c227bdd96c921e301805454b4eef12abc9b2bf3ad53cf6ccd05dd50b0f60f2bab501c66a7a781da418e276809ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQEsYsgE.bat
Filesize
4B

MD5
abbbeec3fa9ca17f3725281a692ba416

SHA1
38a4ebe4142e55645d4c2b993b845416d9521c7e

SHA256
8643c29fb787786f9d28d8da4cd205423dfade00961fe28394baa5bcb4625397

SHA512
3ca73db2be6d9f279d772d22e79353deae56ff1d9bd3370e1f0adc45be3a99f4b057fd3fdf27727a3e6dfa5ba6524f2faab1b5efc6a3ffd4b7a19345c0d2ea45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASIEwkcg.bat
Filesize
4B

MD5
946b5307c9ade6b1f4f1119f8f7cb590

SHA1
e9f0e02e972e19f025000bf21f5f2256059e09fc

SHA256
8b380a56d82eb578908c2e3dc865788a3972aecd4c4f57131db5efd785bee30c

SHA512
d01bd7c887a25da37668b09f6eed4278fb5f061546c47e26c0ebeb73059c3ffa4511d3c7a4da80260b02f7a973eb56bbdb696d0bdf5818619c3e3df041a299ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASIwIooY.bat
Filesize
4B

MD5
f9483b6e71eaf05c263795db8e5519ec

SHA1
3d5c99882b3a9d38350a16613eb64ac4c65de343

SHA256
4e8928b0b9b0fa88716f4e46e750f79afc7a322459f5341ac758064c8e959648

SHA512
8eddde04ebacf98187221000d7e77295ecf854cc9e13bb4ff6111e114d00799169b707ecb2bad3455d294a642500ffd71d019f5659fbf4acafe9eb7ca183909d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUoe.exe
Filesize
229KB

MD5
00543d2e03982d4ed6c611cb79b1718f

SHA1
410484f132b120ff353a4708143c2e3940091470

SHA256
254facb9aaf3f34bfd3bbbca1b0f4897b6301491283588d7f43062d14cfc1cc5

SHA512
0c41d840cfc423c06be76399bb67201fea7b7310471ba60ea27e8cd396b9ee7268674b282188cc51c4a1ee95548538f932e9a26b16da767de161df5f2f264e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYIkIsss.bat
Filesize
4B

MD5
90d2a86dde277e8a655b00b1c856c88a

SHA1
efa64ab737256904d9dd237f2e16a87947cb64a1

SHA256
6977be5478a8abb1f771c955a93d739b42d80e0557c976361e5016f6d11f99b5

SHA512
ace032833edf24cfb6372f89bd28475b0da6fd1eee4d592fed203ea685178f23033cd6dff461b5b5568570bd47f07914afd9be78147a0141aee54747a1d49faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgQMQAoA.bat
Filesize
4B

MD5
f6d37893969b360397946840b78f2c18

SHA1
af64f51a26264c175d7e6208c0472ee3f6ab0f0e

SHA256
5c07ac44e3dcb5335137afabe4cafacf2ee9297562d6e34d25154eb7829359f8

SHA512
32e6584fe41d34f9807b45f55aee19308cd62d8be18bebe7e0b75158302bbfe1d5c19cb54850d8b4fd7de6fb09a65560cb215fb175595f126413c16f694ec979

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOcgkAYc.bat
Filesize
4B

MD5
d268e08a853327ff6e9474941fa1bb00

SHA1
56be777141d77ab293921522ec1f09b3604e194d

SHA256
c18fd5e6c64b2b6eb19aaa9cff1a3128b38e1d201bd0580fcc1da5b8c97428ff

SHA512
6e973056713ed1cda2a504111721b07e3d2ce98061fe1bd96b766f37cd60e90b38e671ad85a0a4d32a24e4c391867bcbefe058775ce01e746e675925b71e369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwIowYEI.bat
Filesize
4B

MD5
0d97c55b9d061c784ea4b32d434c00a3

SHA1
cd239a7021ae34bff342dcf225396d636ef34ca3

SHA256
f2405fc70540fc9f574de55800fa74aa0507608d542ed38cd89a54a339c38bc8

SHA512
f73412a4501afe51eb28a43cc0ca838202bc5720d77ddcb7721efafadc92eee180bc866185e5d1a776b5acc82db5569bfb36631f210f9d8f3bffbec08b5985ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCckcAYs.bat
Filesize
4B

MD5
3cad0eae957c21d7e48bc91d92a55dcf

SHA1
9acd029a8afc31ddbc55395d5fa80033074f0811

SHA256
d2fabffa718812222ae37537c7de78475e5b201e66466b75cec9274f8cc487ba

SHA512
6c8531c1d8ae4f3c9d99f6e7a1ee2feb865e8887e67b9a8009bba2563dd0ad6db272e0d9ead74b73797cf85a309b18c16eec5a6720dca49c525a0de7a0552a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQEwMUQg.bat
Filesize
4B

MD5
7adfb28636b125eb2a845d2c9f34ca4a

SHA1
2fea0d0479536bb67e9fa90641aaf33e2a0cb0fc

SHA256
a33482f47b73444bb806d6ca80c973224c035fabca99b7f3038a2197c6c6a5b5

SHA512
95c2b9602265fc898c42108d6943f83149f5c1778863bb6351223e3e2381c94d2377a4267e9d301857d206a5845cc64fdf60ac14fb3440f42fa9bc406d19789f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUkY.exe
Filesize
242KB

MD5
bbd467a764c6965a8abb32df93f876df

SHA1
6e6822059f9f2462edbaaeaa0a5070039740e206

SHA256
2d0da4187f206161981752372cae2ba32689000c076ad789fbea277a36b692fe

SHA512
4dad1917625d7ca1235fa9519267cc365f4ea1ac2a9e9c49911c4d669be4d52f0565906607d7da8e96b790db965db8a236016b04565bc332556a00d3cf2fb909

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcMUkYMc.bat
Filesize
4B

MD5
af8b79b9c43a3abd5b39df65f8cf06e9

SHA1
79896c941070de7780fd3425a2a5cf1a5e4cde25

SHA256
529c43b560c9a5c1d7a7ff5cabc9848221c1812bb523a35955f7453e64c589fc

SHA512
13b229d544a3f71b0b4757b0b30806668b82b007f06707fc1a305ef50884957d1954883cf6aa9b9c31b8d3510313d4f2b2282365a2974d1fef261850435f860c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeAEMAQc.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CocU.exe
Filesize
230KB

MD5
3eaba536e19ca52bc0294006fe47d54b

SHA1
13ae060083a62bfaba76ebb27366279dc34d1bac

SHA256
a3f62c0d2c3c80900d3ef035877aca8994050669dbbcfc1dc3dd765f3bcc766f

SHA512
1ad15d8eeb65a90d9f4f9f67bb3ccb6937929d59a826f011275ef8f734cd0c5324eff2da0f86e71a137b1efc9b121c042259b2608b8f2e66531a235d42741d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQQYcwUM.bat
Filesize
4B

MD5
711d76ab190b31aed66e8df66c2cc401

SHA1
df7e5176fc2392755ef99278c2ab9553cb0f3cce

SHA256
687198d8480aeeb6d936e6b7319b5514ac57f53c220b370c4212e196ad010b8b

SHA512
f5e5af66f3a2d925e4189cdb1978b55d4ea1170357b751962e3b5b8f7792e0471db64c867328b006bbd8fbf5433f740897cb4cbb7adc0b5be7fc7fceb3a823d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqcMQMsA.bat
Filesize
4B

MD5
4de7939f164d326032947dc04b2e130d

SHA1
c5cc469c177c061501ba9779eb7aad9366da63b2

SHA256
2314280aecf24a62a7ed2a6a1e6c503f5dabce7e0ced7ddb9c0aecf07faed0e2

SHA512
74609686e18853597d0a52378cebecb66b58b71d4533fab975fae236bec1aab2261ab737fcc35aad5109fc285dc809983c0a3384d45225da8ea3b8495687f249

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAsA.exe
Filesize
247KB

MD5
bdb5016f8e3c1b92688c805dc25624fb

SHA1
88d060030fa98c6316dd6726331657e41bb198f4

SHA256
1b674c39605c1426ad24b5e2e682063a3ebda4bce7e9ed6621dbdcbd2d5b8c80

SHA512
9b24f5d49b080a926b9419bdc6e57c35d9819ec6d7eab5da111c1fdb9aaf00dd85288dbb64c0fde611647f5dbebc5de0ca3c873656346c044a2e6437862e4b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQcYAQgg.bat
Filesize
4B

MD5
d29b19267c4db4638e411d754d5a7a06

SHA1
d9d74a765050733013a75b5c17fd0816361e2c6c

SHA256
bbc12db86dfb7307de49bedab63271242d68264bed785472490b7be6f3e55f58

SHA512
5c603365b776ac58045688d417e3d09d76111f59dea2241cae915889af64c08e793331a140c4acc61bcc37827ae205f0ccb38f6e106d6f27fff21059b657a600

Download Submit
C:\Users\Admin\AppData\Local\Temp\EckQ.exe
Filesize
248KB

MD5
07012bd2aac3c28edc558b2266264f59

SHA1
c0e7b9626689be5b9ce4e8e474a4eeb1b0f28abd

SHA256
2fb26cea7c72a7c3ecf4593fdf4ee989acd7ce398a1a3efb030733358d00c5b5

SHA512
9e88ab59ff5575dbd7d4fb075018fc71564260d16396b5651e5557207034df9566c210fe9177061cc267cfb371b85bdc6afaf666ccdf8bc1ebb81d949c1054f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgoW.exe
Filesize
1.0MB

MD5
8a21bbd20c444dbff347fc01200b4b75

SHA1
c685c68c3dba618362399284eec51e0343ff5244

SHA256
52cf7d2a0f3735e1c3c48de345d5e00c48de104b1876d7c4de4eccb653257867

SHA512
31745cf67a6f2997a2ce46d700828f8117d2fec1c6bcd308d8c9df2c960ba709a8aa44b0be6059a453c5db00b28319835234a1ade924f07375d8266cdae96551

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIYccwMw.bat
Filesize
4B

MD5
2f489ef5c48e920ad606978877724632

SHA1
c2c659228ff05a520729c81d64073c6a522c9bee

SHA256
3316ec8f3a4d5b2d9dcbfc632651fbf649c8978beda8b88c241e893747228415

SHA512
aeb629715d5d71292b5c281f805ddfc5e4bdcecc10585ae707581c6bda340a45b8d1c72f2bd124ec25b6e5760c4344650033c046a59e2fb0e65f6a7efd718d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAcm.exe
Filesize
235KB

MD5
daa9149d1b17518b423462732fc35778

SHA1
8ab0a4c1c9ac3df932fe7b0f780f674eac0a4355

SHA256
3e157ad54019f0b39a77f31790c25deca8e3566508a7e937df491842bf92e917

SHA512
0d8d6eae04a75bc8582b87f1646bef71ee116d2c0812485cbe791f9b01886136a2802ba047efd0a7c2e9ad0cd4d35c2623d2767943e2f2fc187ca5029fd36313

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIoU.exe
Filesize
208KB

MD5
0a80b9ab8faea600b8e8e5e0a93b95cc

SHA1
2fd43a92c741be0b96790983bc10811762975a44

SHA256
fbbc3721d3c0a0265ec3e485e41e2d605c81cc6ce760d45ecb1c438e84c22fd8

SHA512
b0ec3f031caa70572360ddaa3438c8dd3f961eeb0d7eaac92d31bfc9f9d2ca00f2be56fdbd83d3222d87ea45b4c15787ff3bebcc2a8c21c9a96e791e79b739cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQAE.exe
Filesize
230KB

MD5
4d2ac1d7111a7366d91df771d7737f34

SHA1
76e9252eac09062c52b503da36f0a88f45b82435

SHA256
57539db359f3fdbf81aee7fd6ef9523f29760eca4e409a48fbea23b3faf8f2d3

SHA512
94b508cffb232870e5fb73db4bec416985b4338b7f8a58ec34874fddf55c6c59fea7f3ac50f118dee5e8f1ab23478d8bb9d83af3f9cfe842b1e9471a0d0e38ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcAm.exe
Filesize
241KB

MD5
990e1dc835b19473e843e948e41a02d8

SHA1
f8de6249f07c95e5411df7e19ca4f6f5364099dc

SHA256
95d7622bef13fadfbe3836b90284f5d5415cc0abe4985a118c5c11717fbcea3c

SHA512
ac99b59a5d6446d19bfa17918aab1234c888eeb450ddbbf18efd607686a43f88d04b69d79f3976eaa0ff4f400d5d907a11f63632d01348f0af7508745b55c907

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAYssYUY.bat
Filesize
4B

MD5
68bb70d347759850712c620244026543

SHA1
99826e6af1bd30f1b21606438c138ebfcbbad64f

SHA256
5a99641f85484d923a89fc5173172df5bbb5750b7fb9ef9e5ac99236cdd85ddf

SHA512
f5eaa0010edd6e801a74b6455325389fa57a451ac324b1a0816bd577af78d6d39a201858018d4f6252e0f99e463872fe384b86e04753e2621350318fd6f17dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkkIMoYY.bat
Filesize
4B

MD5
57bb338e7e1219b8997356505910d8d1

SHA1
4f1b08a058b4d85d760191bab28505331c9d208b

SHA256
db8ac455082d4b5688e7f0ed1ce3cff32f4672378ab049e6c392d682347f68e2

SHA512
3b91e9b61baa8740e5ef8b8d3c97dc18a41a0c056adcbb221584245c81a7148da35e574a7224ed8bbc745f9c4c1bf4c4e046856c19d426f69df1cb9b4afd0aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoMYUswk.bat
Filesize
4B

MD5
4eac67b1cface1054efd2212a6bacbbf

SHA1
6bc894d12f0f84470a44b56f9737eb08ee01f32e

SHA256
0ae22172ede03059206b96e0f98d3abc96f04ff4a6a3e9c2d44392bed01554b2

SHA512
b470c93808e59884b5fbab9992ac990eccad2ecc3922667bf71178595b9337808d9b833d751e3acf7f4ad91a37687096fb0715acff3e59eb196242e6cab78d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\HuoMcgck.bat
Filesize
4B

MD5
d6c931e0e433e5ff7792cc773d36d791

SHA1
72f9459e08b7a4e929ea998fca3c1059e7d9995a

SHA256
2aa092d026b5f30964d4a7841c6eb434b6c89f47c09f1d8107737fc6bf7afce2

SHA512
0c062895dc6c237ceaa063e4bf02a4cf3146ae8a7d499ccb7de366b90c97e45de8a3ca3982a8bbea87b0013e83ac60e0c3d87b1314ab75b49f09e5d0b8ee962f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HysIIIwY.bat
Filesize
4B

MD5
64adb234952829505ebe223bb736acef

SHA1
32b60f2afab77f744368a9d2fe749590a1e82bf8

SHA256
0b95647c03ca76c01dfab03fb8987733de146d2ad2fae77e6339a20265012ac5

SHA512
8c0e3e066d62227b45461901e670d638c772b8d7f416bb48b00268ad1eb186cbaac0a20a49c7b63d602a93c65033d5d62080a184338cf73ac9b35f9efbf3d755

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEAQ.exe
Filesize
952KB

MD5
036794cd227a4656fd66eb5218552082

SHA1
9383fd2d82a25acf62b14446bddfa02536a51179

SHA256
c028e09da2b346c6f252c7d71e6252eb272b2175f02a3c564298316d319ed51d

SHA512
20bf1dd433a8edaed6e87a2bba43d0232f6d4af35faac151b1319da68cc4ac6c88d2d3996f5282a1cbb5964adb2f6ee2936bd4fc0528a9c3d2bff03ebb24e627

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkcU.exe
Filesize
237KB

MD5
13ec59ab274a54a612eafe1935545704

SHA1
fb587d73cb637371669200203971074b573f3432

SHA256
f4efa08d471cd873e8f88ddddc1b93b8341e518117cd4308c10a0ef68df68c9f

SHA512
79271e4ad5e34eb4456a589027110022be3ebc7f28bb35f35e942f21fff829ad1a86053e62ee4f3f06b6cac132632eab7de6bc9e7aa08ac2347341b74ac3f15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoEo.exe
Filesize
232KB

MD5
179081fbe6bf0117f3ffec5c8f6e5959

SHA1
d2f1a84b023ec87a7bb6ac8ed2abd07a82d99e62

SHA256
17be69c6c53719b29cf2e491a0d1c23b464b0eb017809951c5f1f8b00f556277

SHA512
07a39a82fcefad6a6a8dc7def190c478b9ea4d60227d4e9aed47f4c93f8ffa3c2adcbe663d50c1eea8b10577274eafbaa654723963b19827bccfbc0a681c4e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwEo.exe
Filesize
647KB

MD5
c82cff84a7d268c91a55d36c2517dc59

SHA1
46fcd474173810f7a2bba677c68afebe34389f31

SHA256
3b9bef8567c9f152258418674ff0120cf69a0f2c5fd67af2a0b7ed77bab57f4e

SHA512
7f1235d1c7f9861f3a158b62000dba67e3d8d775b7cc1a6a506d38853fa888e0e61a297917dde4bf806a0e8d06e4ecabee0549719b26a26038708821f3986bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwsg.exe
Filesize
632KB

MD5
aac7d996055a537ffa8042ac11440a14

SHA1
5df58badffb9497842fcdca7dd214a4a718c3226

SHA256
2dbaa282c7ff24f6864792debc7178c434a25553281daf21c96ab93689baa45f

SHA512
c0a1f11a2004769416ccd1dd8a308efcbad74c9fad9dd77130f7fde9382b67c1b1eba28f1726f39392aec7a10c5469c483352fea8f9fc2dbd88525987bc7b674

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcgUAkIY.bat
Filesize
4B

MD5
53b42cdd6d6e50210339aeef686e7794

SHA1
fae9494570b3b52875dddccea3bc37af31f28a5f

SHA256
dcdf1240addac31bb181895bdf377eeca203c817ba6d9cd61a3ae3b8712858aa

SHA512
cf682440bbe5ff1ab441ada86cb9f2d871ca4b6276ed2f163f2bbcbd2735455e5e53c2c17e3c99741ec9bfa90d349b689a876aeca22c1b7822ae8bcf637c911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqAIkUkY.bat
Filesize
4B

MD5
52c559f2775c1d3387788210374741ce

SHA1
302481666da602238acaba5a43e394e7825fec21

SHA256
43bc64456851ca8f51ae40a447de1b6f2b5dcafe71a56a71461f74466b2290f4

SHA512
53b181c19188743d9e4fa91e67542a863c60e08b159152ec1b69ddb7561a6e4c754cd618034197b960bba93ca26790ed58a759a4f5fd1b1a56fecf20ed3536be

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqwkAAsw.bat
Filesize
4B

MD5
57b33ae5ec87614f0b1efdd2dcd85717

SHA1
54c16b84b9d082630398573ae2b4687a470c9124

SHA256
3785b1b8293c42ed2e3b6e25ad52a4ed0e4bef3f118eb31d91ba28c1498b8f31

SHA512
9954ffaf3163363f2c81e41e057f8d78f359df391d2a7096662a2a32c51de41bac0a4e7b0b6052201e7a6e60da08dc032007f9e641f7d00b2cb9856610d1c8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIYYokAg.bat
Filesize
4B

MD5
ebba98e7d0b4e569e26558f054e58066

SHA1
264952b19d5708ea2e0d998f008b76fc4ea9e5d4

SHA256
bbb555078d6218b7eafd28032ec9d92ec1ac9ed4f8554a81993a0fdaac7ba2f1

SHA512
4716b12c5539b737c21c3e182d61cc1b77a239094790c59b6d5e7b84c611ca6e056025fd90d33f48d6c7bba3ef5caa87beebcaa0fd914d869cfe25d064c2a894

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMgs.exe
Filesize
677KB

MD5
b5783430f92b7895cb81fb56ac58384a

SHA1
f8bcab2f86a4e5b04cfc1b62f4de095fb2e63cea

SHA256
84d847de84fcef032871ffabc77e2b5a98f1ed98177a1b5cd342b7bd47f72b4a

SHA512
69021057dde440380c6a517cb5de80fe2f51ed89b060d84c8e4e4906f35c94bf16a362411d52a22792a4b2d14e0ad53d41f231bad1c831da072dc70e773cb3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcEw.exe
Filesize
247KB

MD5
6836e781a16d57cf873d637ee15cc527

SHA1
9110af1f8eee49e990d9fc361a5aa80fc677b437

SHA256
5611c8eae6de1b4cc04b36583d7af52833fce13fc6128e54852a1b1c5de10606

SHA512
da5678ae359451fa9b31b1638cefb1795059944853ffca6174775ea10bc635cfa106db476cd456df6400a8a1425551192c01ecbd97eaa265ce018ae921d786e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcQc.exe
Filesize
713KB

MD5
5b54155368adfa15b0789db08f0e932b

SHA1
1d0013ef16bb0d14325335d0d91baf524f050e39

SHA256
5ec63e9f57a0e02347213ff8dd4cef065dafaabb71dfec8bfca9d3c736c29986

SHA512
8d4db72fe645960f917e99faabe9fdd7353b5cdfa7119bad84b43a21953a8db7596a96a8328d1453c0080924c68e64ca7558d165117c97e6e822a92573d2ae1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcQw.exe
Filesize
230KB

MD5
908f6e819daaa1a92634f47448b9a58b

SHA1
8136bb15e136cdc1bf59f5e32da372222beeee9f

SHA256
fba8c6c135fbb5efa183d97effefcbcee9bffd55fd42bd3187cdf04755a895ef

SHA512
f008435bff9f4cccb0b53b755c1ca82e6920afe0060ff9993b03801b208f677d372828e7286ada769e65184fe2ad497f7a007900444fb123a827f6889f9a0d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgUE.exe
Filesize
323KB

MD5
6afe75bb9b19abb3c205443c5ff58150

SHA1
725b12e1074a1e456cd788c7886a49278d3de0b9

SHA256
e122756cb2ae0cb878aa95ac78c47d6f0a1447f31c42e95251ab341e9afdfe12

SHA512
958b8afe0d9351b0c711eebe40a26efaf706415e40fbd34810cc6a601a0393fdd0233054b9680ec4664fe84c31f921db8b83bf4760987e0e69c91e31276e06d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgoI.exe
Filesize
8.2MB

MD5
8c3290e690172b5b95d8c781da9bc04d

SHA1
bfa0be24c3e2f477526df0a5561db6aa8a08d7e4

SHA256
761c77f214b2375033978eb33d3faecb358919c5c0f875d54b62eb142ed5a155

SHA512
c43e79412e06620b599b6831d59606eb29754f8dc10b71869cb76e9a793d749a52845b4f3c73a31fef8fc37af2ec57a3085798a5bb5866154a4dd4abb94a9853

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkgi.exe
Filesize
906KB

MD5
89f5e078c60b70c204bdff00ae79a9c5

SHA1
37ee7e0a2864c665d718cdcb4d6988cdbc6cbecf

SHA256
fa06e8138188652737fd753482a4a5c98abfc0e7d532f5bef3a080fe78917657

SHA512
611d60f76178a1799e103305dc23850bc097086e1ac5015189eb18e19d364594fb31ef675ce94bfbd39104049fa0d4ed19de6cc0733638887670cc5ee73dbbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwYW.exe
Filesize
323KB

MD5
285a53f7dad4c2f96418818aa999faa6

SHA1
8958d08d0806fe3656e7cb4f0ca736405838b9f7

SHA256
8eddb301994c50c1949fb29f4a378f25d0e039cdbd06c32253b0b2d1f621b41c

SHA512
24522e5bbc1f0f73e40b57ea14dccc2a37656fda9d4d08889187fd33e5240ed431d61e132988a89757b97aca0bc6ce5e3a4e22ff9f8b2f32b90ae430aa680ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMkAgMIs.bat
Filesize
4B

MD5
ba08c3310387c2b68285f9cac0994f77

SHA1
55eb798e797527299a023f0d28aeb52b72173fbe

SHA256
86eb8f75e8dd46e823158c4b8a2cefd24a2d94c907c07625c33070ab4b63ec4d

SHA512
10c168b299111a64546773d52511b412dfbdbee7b01e954b298e0711e796bd9d7d16ad08d29d26e094197f31c40178b7fb55840b44f6bfadc8beb350e0bb45fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMoEUMIo.bat
Filesize
4B

MD5
8b5301ace0ee1cea3cacaf606ed29ebe

SHA1
b5d569cf6d8fd1c16048c8f240c51014a2dba1e3

SHA256
87694cedbb9fffc76d3b3d15906a32da1d0334bdc8b78ebd676085ed2191b73b

SHA512
22d1be20814a53a3e3b8b910285a217505a2050f5e12c3737dda2e401047d2c07f846d0de5e8ae26c86ef558368365e9846d3c7f10abd43bc3b94a0adaf1fb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCEUYAkw.bat
Filesize
4B

MD5
a03c2ee611cbfa6f57d214c95b02d2f3

SHA1
02087a1b1198904ce8484222008cd0c648bf3c52

SHA256
2d4bd57bc176c6a32a3ea56fdacac314f01bd6b6e5448066d0dcb7facc1d33ac

SHA512
97c580b5b11c5856bfde6d7d5f0c19f13fc3a36d17fa15421f01333232e677b3274254b11a55cb6bbf6d05ff50eddbb2449f330c9038f91245390ec069b0ca67

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEUEcows.bat
Filesize
4B

MD5
6ec0201ab19514517c028e4543f4911a

SHA1
c7ab098635edcf11435195ff924ae08e521efdf9

SHA256
9c06f7b374bfd371802a712b439cc2f0f671800a0b5c8576caa2696f883c1e61

SHA512
59822ff8aec22aa04ac519177f22fe3079b48fdf11cd6f041a4cdbe9e3b39826702813871c65fa327b1c7a20261d704a6b0b61cc3bfb4c69d3afc4580dc84500

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEgS.exe
Filesize
711KB

MD5
c3d312ee880d24d2e5d5f4f98f4ebba7

SHA1
fedab40b5ab9cb972e34ee43adac9b358f8583ec

SHA256
d7db71da20e18c31487dec0b88bb77703d118254b2b6b8bd57df063c1bbb16f0

SHA512
7a0d415f7244ff3612c3146ef74b0bcc9df302dbc2fd73498d4a0d144a519092e266f9b71e459d4d606845f9d03f6370cac0cdfaab9ee03ab34394558e218927

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMg.exe
Filesize
231KB

MD5
3b808c663ac9caa0315c4b48df49a99c

SHA1
102ddd6d08f46558fc0ddeb138cdd9c3f2d96fd5

SHA256
714a9cc531794ace50b994632bf79c3dad744102a1559574ca3200c17fee4b96

SHA512
e4bf4741dbf1b9818ef7ea7fb0f7f52a2c59a33478c68d5a4a572f38e3e38af6ba1636de513c2fa5eb7ab5a25d2881a6175fcf56c4bd130d0d871b472b4d01c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgYswowk.bat
Filesize
4B

MD5
86e80818cca131432c41db79e010e397

SHA1
e206c53e9cdcf8b62352ddca2ef1e6dba951613d

SHA256
72900d608682b6bd2f13d250312c7a9988cbdf85c2b2a71fdab8b3bb09dd0d32

SHA512
16f2e6d18478cb84be6e3b149f9595b38de5f46a303a69245daeefd191b5adbd244d381fa5393b414d6b8203ccfb60da3728da93313d9b57d5c4209b5b46ad0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyIsQgIg.bat
Filesize
4B

MD5
604b12b84017d566d107c2da01a52d13

SHA1
e4bdede92f42e7fdbf7400c2d79f296209f7c18b

SHA256
dbade6b414a6c3844e7872611b718a6c7e6163ead2cc374cedaca303dd8b36ee

SHA512
b6ab00477fe4b72bb23d223479c270b26a46744889fd56155e44b82103b9c54847a84845e8d0c1ce0aa7e09b979a9d9f45cd08c0c2a65eaf12f0ef272720a47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMsIokQo.bat
Filesize
4B

MD5
196df0552212a654ee0d6771f8a40f20

SHA1
add68fb4101a5a22c68238a4a63d0d97cd59aba7

SHA256
e1940c144e9f7cafefb40476021a46c2683fa759a9a661a836d28c049006cf23

SHA512
16e434905dcab4bb605fd7ddd02f39c5ea871b67e77797470149aa9e14601ca6538023aeca34bd443eb0a83501d676e0ffb188040ba83837d018b133a2a5d25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOUskQsQ.bat
Filesize
4B

MD5
377d3c43dc58ef907c8f022568166bdd

SHA1
f29ae25eae0f6ca634dc1f4e1f1e880e8b075fd7

SHA256
182c35ff38893f443600c12313d118d8146ac203abfa67d0b5ec2cedcffee457

SHA512
b4e2465dcd66f2b58503006fa6bcfdbf289cd6e28d2ce14805c70370864154fbe79b265b61f327281ca776fdfc2c90e8a5b2c6bf9cba8d3d13779dba37cfeadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeQosEkU.bat
Filesize
4B

MD5
17487852cbabe46001083668d243f3e3

SHA1
e12fb71afe55db4335c1bcae42e40e1510a72624

SHA256
61aa42d3c3adeedf9561fe7c04b227408a0db64527a9a0e188366e0c382a8e7c

SHA512
bfd45969418edb3849719edadb4ed960afd7b6d52e59c85951da06c34120bca8ae1bfadc6329a8c0b59672f49b4b965ec4c378cffab20f937b4279dfd570a9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEwE.exe
Filesize
232KB

MD5
c059872bbdb075236add23518a4e8cb4

SHA1
18234d4a2c9eefb9f8f69ff1b7cb39094f399136

SHA256
56a50c0c1be3f10af5e1baad3aeed04def7bf20ef0f3e4e92e46239ce3e771ec

SHA512
02a405330e71b26a6fd7eb8f849302fe629cb77618491103a372a7d8f3782700f7a5fa96bb4e284851f344c5014f0245263731a15e49b9726074016d7699f3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIscsEYY.bat
Filesize
4B

MD5
f46fc9d1ac0743c01dd39a0a3dbe3365

SHA1
b55aa8a03fca25c1d2eb1bd4ed0bb87b3e874dce

SHA256
c2b501cc807631339b2cd719ddf6c2a2344346db3010b6cb3fbd6d3cb0e82a80

SHA512
fe88830cfd7c80ecbd3974b762e2ae0d5d47551a8d658bc27cca38151b5dd17a2a00a6ef4f650db3e419d8a19cf8eed05d1123492c578986b40d627ab9b17d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUUQUgsk.bat
Filesize
4B

MD5
53a2a7d3eb09433c83c89fd9135ff371

SHA1
d980ca7eecd28ac5fc84cd789e56b440371aadf2

SHA256
b3c358bf39da2fd30f4a945201c3678ec48db0378cb13f2198995a78330ff81e

SHA512
2c7606a3b51214f94ba85a0e67902f70da5d562f7581330717ea5f8e5186a518dfa17a3d60943c021e716112377b40711a7ed41c9049008006fc5185d8cb26ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgAm.exe
Filesize
4.8MB

MD5
f7d05d36210ef0c8bb877ed3ff776afc

SHA1
4bb10391aec28c70328d3668ed7afbe4d9132c77

SHA256
9d640105aa807ab48540a298a50179dab0e960a244dba2dd06b17194dfc00011

SHA512
41ea367d5a0e7f43e8f7f06731837f1538be38f4630cbd63a10ee0e737d5ca762414a131919c9b55bd6216c333dcedc7a433aaedd105f341e61ab2f3c8770123

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgoK.exe
Filesize
234KB

MD5
a16f273500068a4869fafd4c96a85bbb

SHA1
761d75d3402b77b2f8e17bc9bfd6ae444d17f782

SHA256
013ac2665291a796838b668595dcbfc9c95d3dd978affac3cf21eef032901258

SHA512
b0908b2546bda74e3e9903f152f2b2fab9e03f25693dc5f4a395fff9bee787bdffabd2c5ce5214f6f01b3b01a2ba6668e2e332b6f12e4cfd8c67880aa604b3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oowq.exe
Filesize
814KB

MD5
43a1e0998b1be5930e77ea33a725ae83

SHA1
e79de4f2887af4fce687451bd7652964c58b2d9c

SHA256
f903e8e84491c48dfd6635f846861d1ba2fe1d2d5fa844a52db0d633a46936dc

SHA512
99af9f3ea5ee5f76d0ea5eebb21c2b987ef51d352e61129c0a5cc151e387381c04656acc178086da8cd83aa4f04847030324c89848868bf3b8e10f6363282cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwswcQAo.bat
Filesize
4B

MD5
cceacf005c9fd236664fbb4f060d922a

SHA1
155e8649bbac3ec6f307a21f0b074c9926d6d8d8

SHA256
0df24fcb198eba746a9ff2d373994c9e476d1062327dbbc8674830185f553a78

SHA512
834c43d00920c961d02915e1842de37b3aad41bc25936d311e94051e9b808c4b0ff89dc5e8d09fabf41563b496c250a9d417d703350587edd8b633f31c73e8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYoUUsEM.bat
Filesize
4B

MD5
596763aa5dd9e9fe262759a0544faba4

SHA1
db8d4b4ebe1b5d4d272736d36d142264816d3a2b

SHA256
aa7d2df4919645b36274f13efdb02ee080ce38d5c64ed07966a6c88e53252256

SHA512
e057fad131f91ac79bf750163a8b5a65e9062e8f8d9f6562bb51e98823fcd7ca75a3750b62481faa247e675cdf9900789927eaefd1695897b7179f87fb882c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkEwYQgU.bat
Filesize
4B

MD5
156491130f1da65d8d312c8259674421

SHA1
3fb2f37074f3828a85f3fa7d8588bf78c596003b

SHA256
edcb6857b2e8483759e222ee50b551fa99492a97c65243cdf8c2b42079ddc59d

SHA512
b7b8790880ac1f1a372ae6bb4f9c2f4c2fc818764f35de4444696778626477c77cbde6abb5e6b46582356aaca8f2b60199b05b023db9dbd951c86717e0fc90da

Download Submit
C:\Users\Admin\AppData\Local\Temp\PskgMUkE.bat
Filesize
4B

MD5
21d0860a65cb601ed17dd9cb7273c20e

SHA1
678d9ceeb3dc99941b98f9c65939fc6f5b8ebd87

SHA256
37bfe2863b2e937121a1c46c3b8cd502ac079c98578a20d6200da2dec87db9ba

SHA512
6cbd300bcdcf4c878411b7bcbd50a97df2a58b6396293172c8784a2c8a9616bc772158986006ebe270718aa4e2ab3eed942866514102bb44e33a96858ee79def

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEEo.exe
Filesize
232KB

MD5
0f6dd27af6a3d6a1fd5da283bece997e

SHA1
f70db113c396b0ac45fc16de28c4e72ceadc108a

SHA256
d2b63cca32cf5bc835222743e25f582959e2938affab1cef76a922516c3c4071

SHA512
685367be7c11d37c3e3eb33db4812ef2d32f2971d29d0d89c4228af6e3739de371ac0aa8c4a74b35fc4ac5c9f7ed2ce5cf1f6ef48054ede74ce29673d8b9ef57

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIAg.exe
Filesize
900KB

MD5
11fdc1e8a416bf87e31a07dd8deaf220

SHA1
31e6ec2252fa6faab56ee672227a8ea4322afedb

SHA256
d0733c7c6b8791f749f9c92b7f4e25a87e7c0b8c6770a0ec0ae4291eb13fe452

SHA512
cfeac14ecebd89daf18e13d860f49a6ab7d0a7bff9c3ef73fc71da7e39e94a8c0596f2ec713c5cf4f04a46c0916ffaf28fc7bf8f1507f950e9873e7c7d441933

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIsG.exe
Filesize
243KB

MD5
12f2f133cfbb584c7948f4518a9baeaa

SHA1
795ff0d5664a45741dd84534c8d56bd5899d6044

SHA256
bd0246470c5abe8549701ff62d95ba3fb2f54dccbc4ebbd6cd47a9542ea216c4

SHA512
fc2a4c56c5401a7c65c29e899aa7c2422ff8fb8168a8f4f66205d76499eebe7709bb9f36b9bb93dc4e25a8e18e2dc248fa98fc34173f4793556c3a85240f0a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgoO.exe
Filesize
234KB

MD5
92bdff68703a3c6184acf3de10f0afa6

SHA1
2d5eefac37bafd65f3d95b0944c22d5ad7144b91

SHA256
173d571065f97858cd0db317fd7abfdf68ffc97572f28e76fd2d08793e5677da

SHA512
43b63b6325f3d44e33cdab3574eb9ea605e52fd0c5244337b21c697fc0c6a5c8bb5c9dd7762e73e5299b6d6fe85d2f00e7292def31018b9dcb2e2d9de135f4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIso.exe
Filesize
231KB

MD5
8831d8d757da8370b6791828f458477b

SHA1
33ecdd68601fa276cd42fde63c8d0babe9b2c438

SHA256
701d829a6ece5812dd505635848f23f45d4dd04bc8876e0c703244b6996ad974

SHA512
91b0a0fdf580bcb78945272c8cf87a3cc22ad543de4fa596a217f006cec94938c6927c84bde3754fea659f2979adaea37e5458a7f5719fb9a6eb91895037cc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMoQ.exe
Filesize
235KB

MD5
0d358a741d30c001b82d24453dc4176e

SHA1
2a015a302111db707712fc53d71a358a437efd32

SHA256
9db88d870f0385786150140ac731be4c72dba1ad1f38f9fee21fe86c2bdc3665

SHA512
60e6ed41dd89989b63fc0e4b1a48454d523c7b962d1baf53cb9aa364ff04d6f1963be2c1a474dc5c5b85d2bda50bf39784636b873298ed104518a21a47b7fe02

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQky.exe
Filesize
4.1MB

MD5
08f48de4c54ba313c91d3c1608505964

SHA1
1a61ddc30b44f75c19a1fc1fdc024eb734443a64

SHA256
d0c3d34fc308e0b9a2c019fdb4fc787b4f8df9124151d37e018d952839886b01

SHA512
29b6feb967916c2f81c9c12b221cc342bd933f9441f1e9221960a828fd622fd105f713458092bc0ea337bd27851730f8c2ba1623df63cafafca11a127ca962cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skce.exe
Filesize
252KB

MD5
be54075579367f81ffaa8d8f346ebd71

SHA1
10bf562c69affd03b1678d00cdbade0416fdf32c

SHA256
4606a7d6f2a7962680e5311023c27d651c124b025ae9c4c5e24f00ea9752e583

SHA512
404fa96f6c7fbf29aad8769a4eeee32c20baf786ef73b1af45362b7eee3769f4e0391c036b09fe30ef183c17d43305299f80d3b7486225e0463ce3400ed38595

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMgoEsIA.bat
Filesize
4B

MD5
8fd46b494b942facab4a3a18b7826a7f

SHA1
9d2708e6f57e58c932373404b047551401460353

SHA256
4dd54a019b3db72443582782a4c1346dd9f07b9b3588eb3d227c61eb2fd302ee

SHA512
a0371b901ff1a6fb4718f5e8d5c95dd7b85fd8a64debb0bb1b5b902890aacd356dd28eada00d05684766eddedff92e15ef5017547d84653bd0891218d0012471

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcAwcwYM.bat
Filesize
4B

MD5
aa196a997905afae72362d693619fd1a

SHA1
d932a4a807121448dce8fa5f059c70c3c8dcd3f2

SHA256
432d1f3123635873191de0e6aeb3597957a709d330ca21b570df1eb8e99a448d

SHA512
f0b3023e720863cad6fb62cf686e9e2f37ae2ff4765c077b6f8eaff256e49f1ba96caca4e372506395929d0364bbb876172678f0d308e5daf894b1f31637093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwEsoYcI.bat
Filesize
4B

MD5
b0c2df5f1139d4f6ca0623b6b59647b2

SHA1
763eb74a77043adbe5f69dfc98c0da8cf1b939c0

SHA256
83f24e01a079a06465d22e68670ecb94518b1c5f6c032b9e97c1a3d5b55f8f5e

SHA512
4774b964e75e2772fbf730af560b6a6367f7c8b1e74423d7da9838c96fd2675c89f1cd8bb26aa05bc8866efe169c46d8b00c29f97d9e7d3106c7457266ec4a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIYYwcEw.bat
Filesize
4B

MD5
947c2769f98fe1aea5dc52867eb57b25

SHA1
86b192edfea45387a0665595b2cb59755f863d9f

SHA256
4786d606c32fc3fb546eb6d1556ef0c15830e030b08bbf16f88646de31d4f0eb

SHA512
f29e29ce805931425920cdd9b90bde7dc1cad49424e6c1a1355e1cf808c468687d1ba28b9c782d7eb70265bd787d620ebb9199c4e3cdb94e186dea2b5b92a8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQwW.exe
Filesize
229KB

MD5
408464b47c207e8533bf91a8b3bf9ae5

SHA1
e6190c6da9570b26d72ce1830659306022535899

SHA256
3555f4cfd8c66c0f7256b41f256e01cb8805336589d7c3e490e7a4da2fba85e1

SHA512
a0c43b9445315274edf801e3ef423374684d50a95374051be8aa42f598b65dc682eebd556b7f19ad52be032cadcab1fdd60ae4cacc380ddd60dd7b3c35dc3d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VOIooUoE.bat
Filesize
4B

MD5
71fdc36dc479658ab2dd590d374437de

SHA1
258e873c3916f444ad532877f1a8ce3f5a7b7d5f

SHA256
1d26342c7bf08ed2a7dc4b41a6773e677b99f6e1a011a611f6c61e6b700d3a7a

SHA512
1eb3ac7018d3eba7df0a9a134dc6103b388d1a13d8db9aceaab01e1ca8c7d72a7bd1273925f2d4128159c2d727dc0ae893071167ec302f7dbd6806fef6a26d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWAwIwso.bat
Filesize
4B

MD5
d4370d9be5c626e6ca90699a31ffe1fc

SHA1
e5fab01900112b17a271f83f779fc60e05aec74a

SHA256
036175c86d4189c88b92c80c3c91d158a9f86db572c1ef745a1c2930d76e91b1

SHA512
03c410aea3bc9641b9ca652ccd8bafd4d2576ea50412e96b41ac5db554c37fe70627da8b8e4e25bb049197d5d59071d6eeeea285ad4ca38abf56b70e965a7afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIUC.exe
Filesize
226KB

MD5
0ffd644a8c754fb9aa4207732c36be16

SHA1
3d1702fbe6a5b6f5958ebda6577d1fe041e2f792

SHA256
93682308cfa0566cf20e28090b79bea0f854d51a0d20337bd4dfd7d354795021

SHA512
1611278ede629f3a2e6646d203c73af2684a64d07a42acbf20de914b7bc32a22f76b0e1aa96f2c5ad57cb2e63f43f334cfbbbba386bbb552e8133eee3efa75af

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMckAYoQ.bat
Filesize
4B

MD5
e7d9cee3673c4fc1fa4ba1761a7a0d3e

SHA1
affbe87ea7a65ed1463171a99eb65fd4fad5fb27

SHA256
06e11ee830e8e1fad115ae626c8c725adc3fa91ab0197af38948bdf7c8122283

SHA512
16cbaf79d174191c634b5d0cfb1d20fb1ddac9910b572a16f26c25818ebc92dc27beede455923e2a38e522ec04e61d3a6f0f950f3468a5c80905ef508f255c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcos.exe
Filesize
239KB

MD5
83ed84fce77571492a61437bf774ab77

SHA1
e7854ce01f3e1a2dbf30eedfd05663775e883779

SHA256
f479ab6f510ebe97e7dd0b08316e43264ddf8c74560cdad0418a2c3afb29c46f

SHA512
4ca55cf7b34f586ad8f21b64eb36737813b1914d5a79c575c9df0a7a4e991eb7d8ef2ddabe3c33f73eee20e9f16082dfc85cd2566229bc3dddd1bbf4f2f1d85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WocA.exe
Filesize
228KB

MD5
5b00e75287743cf46f106a0cfa978816

SHA1
450a9afa8e00bd8dfc66c872c35a2450c4e57cd9

SHA256
d72689657fd4697b45ccb7cc59aa73d79a61d8d38f84a2a29cc59279d1ed7d4b

SHA512
26a0879d104f3b02ff4434edd081d127c5de672cf2c1c8a78d8be4a5b8f921d926de9ec5bec235745bd97bfd329d12fc09ccd541af42344e06ccf7ed4546e5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wosm.exe
Filesize
247KB

MD5
9036f564a5af40d2580776236dd34d42

SHA1
39a7d4473725ceee9c26a286d305bec6a9ae40ab

SHA256
673c4ce9f59b32af0f0bdb94eaa2cb11c213842e596ef64db5edc19d0dbbf954

SHA512
00da09883d1610d22ca69d03bb835410161631a80b21b2ae5059644775000d8aadbdeaf94405161d42b9b2808d822876e9562522d5cd367ec924654e7fe11152

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsUQwIww.bat
Filesize
4B

MD5
a0bf12a7e13612878400995d85d21d65

SHA1
9a1b511ecdeebad418da3073aeceee583e1673b0

SHA256
e1078bd0b49c1a6bcb7b79e59cb8b50ca053acc50990c39fe8fdfdc90fb7a214

SHA512
7fb8d008df88affa40d8c229e52579276d715328e3a6c015fce3ed0b0d5fc7985c1ecc0dbe7168d29127fd9cd2428ab7e1c683224980ffd82a3f332d7b8ad605

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkIQEIEE.bat
Filesize
4B

MD5
22eae5ca5a6e89ca2193197d44582114

SHA1
328c41ec4d8dd1c379aac80a945938a1c01f4e48

SHA256
560dd8a06cb8354a70c55c8b5f899fa59d4a33355dd33c791d36d48dbb1bdac8

SHA512
b544433c70d84daa1f985df9d3aa526c5c0c327231a660672d1dfad3230063ca1562ddc0869e106956e4654b67014bcbd973e060aca99e05b73c34fb5a0c74ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyIoccAM.bat
Filesize
4B

MD5
e92a2f2d3ca6c7fd2d844119b88613e6

SHA1
a45486742741dc5030c43d43317c7b3180c2ced8

SHA256
418ecf2a2fbab84817a7b393ad21090d1a91823306da750aab17b80c92a4401b

SHA512
afb0c29350359e52db5e51bd6dbcded2b8bbb987bb860116f770a1bd205cfa9015eef8ee7a80d18f8869fac8be95de7e12d657392a6aa6aebda5feb3706d1794

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCkUEEoc.bat
Filesize
4B

MD5
ba4e5ef4d1ca25b4a3becc409298a0d8

SHA1
99cc624a3aaa553e720f492403838e1684c6585c

SHA256
7bf020b233c55b9db4b017dbc7e81ea0a9af3efa2843a82f7a7d47b83722e888

SHA512
53cd792b06debca0fc6d014241809b60d69dcc907872c93affe4d86b40a48bd01b87053a3aee3c8c1a8329c7633518deacb32075bcb0711958ed25e2757ccc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIIK.exe
Filesize
251KB

MD5
9307c2c999051573aa5bc0f65313065c

SHA1
19a7360f3349cdb9f84a1a326aacc753d024dc1d

SHA256
159dd97fe83457ab1f76490fc5c16f8aff0aff4ee42e029dd5fd0ff0cf3cf479

SHA512
a344d28862050adf37764e240fb68a0b443094bc3eb9a84ed03b78bca3ae4b4f02833e6cb4c0b4465777421dd53eeb10f63b18d4aaefe0f3df70d2d2b79c3a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMQO.exe
Filesize
234KB

MD5
067fc2ac9d817908c545ae16c521e1b9

SHA1
c5701f588bd836b5cae46e35e96e3633a8ea5ce5

SHA256
4f7862d320c98d0ff0118d682a2aa68004a573117f76d8053982342111843d15

SHA512
80845e5e932410c248540c499b4b5c68373795ddaad124217b761972fe4996b56a4fb2c411a6799368dd07e6209ec2cd08ee8c820935ecd2f95ed023e2fee582

Download Submit
C:\Users\Admin\AppData\Local\Temp\YskU.exe
Filesize
249KB

MD5
5c0c85d05984b349d7547d0c182f01bf

SHA1
ee6e75ebf6729561f717f093647bf653a7840172

SHA256
629b9840c274b65404d31fab649257f4d9e5d5a7e82a028d90548588696095ec

SHA512
12a9382ece2dce62f851e2fc47ced3ed10bbed0617a5313c56aeb6bda5a10e8c1818c4e82670e69ea56451f2a807a54b599fd14c1a57daf441a22c0540e878c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkAAwkck.bat
Filesize
4B

MD5
65b532ec1f2c11453508ba32691b218f

SHA1
26ae9fbcd80e9399e3123a72db160fa195e63ebc

SHA256
868a92aaecb8b9cf1192014e1864c24869b66b2974ef6d04946cc0579cfbcac5

SHA512
e5591f961016a5e0daf5dc129bf23dc0b0e0585cbe6bed5e3cb6a02d28fccdd32a2f15eb43de4fa2cfd5448670dc33180d7e12594ef5afdbd572a169d6a49585

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwooIQEs.bat
Filesize
4B

MD5
691cb6871ea1277c45398232ac69399d

SHA1
c6302d61927d6ef09d411f67cdb8e74f5db1adaa

SHA256
d1b2bf2fc0d34136235598a47cec2b6084de6e461ce9ac3bff164be1b2d1a11e

SHA512
09fcde1ba5fd03bfbea7a198f34beac21269247d459cea27153c1f16616c4c3680deda9567f8c7f2b2b4045751267fee346f75c7d260ebd4264ca83d3aa4b1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZycAIAgw.bat
Filesize
4B

MD5
be6e088858c26412d46e1101bb379292

SHA1
abc750a5666c3f5ac04d4a37dd708182bde5fbd6

SHA256
cd8946128c82a8267c5b2ad802dfadc15c4f9019ddf0d19991e881d6fd2c1264

SHA512
7e6b98bb1f99d2c6569fdd0c08c65595ace7f92177158af6bdf2a2dc86a7afba2aa7655d28c046f2baaceffaf8c1079ebfd2d6e10faee273a9dca0b0d3c1b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEQo.exe
Filesize
228KB

MD5
5f22769890d26bd80286ecf803fc9ade

SHA1
f28c9cc61742546aa53a63b7c73c8d84d3b4d6fa

SHA256
a6c3ac2a14f79e1c73538b4ad65c65aea8cbfd7bf7a260d1216caafb0491b3cd

SHA512
463f2e99737f72899f55565314ce52905e96147eda73c393fd330a066678c23f0c9150a9ac29e5b77b38c0cbedf697c53b3547baebe1f151fbee88b19d68a1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEYAEcws.bat
Filesize
4B

MD5
ffda92658a05ac6c55233e95147dadbc

SHA1
3e00428be489c00d8d024fc48e391fb86bf864c7

SHA256
ef6d0e0f53cb5c035617fb9a6fa35b1e202c16304b4b34faa9917d407379dd9d

SHA512
efdabafab5b779ea06c12d052f44ebbc7478999031d61d4c800a07b203701a97d6fa94229d906ed8c31979bf0979ad206ebcce52ac0aa0d4cf87ced25834923b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aOAwokEo.bat
Filesize
4B

MD5
0d9b06b65a4918f6a627ab1ae32507d6

SHA1
288010121d930c0f9427004e5a1ac84620fd8832

SHA256
e01218642700af83c46a790c097af3d9a0de87150ded2a9cda7c2cc461443b95

SHA512
69ed6b17eeca3a1e48dda713e20a0646368690df0f208da7654ed9460614446f8dc4d60bb2c1846f2264737c49f471c8fb5bef13f310786665b2619f586a0592

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUEe.exe
Filesize
240KB

MD5
0fa0cf9bb3d8f6be35a207336a9f58b3

SHA1
9ada44304f4e143feed7e4663af6f3ed54de2b69

SHA256
279e2998a7abda27622defe122d499f24be69fb1a1c9a299d323b85e04cb9f1a

SHA512
27cadc65ff15dbeea89df9e1060fa237e4363a454e0279c23a454b47632c4769f3badccb0a7067325d592a12a2acdf5baa90908bb7d3ed12147f2c6893cff148

Download Submit
C:\Users\Admin\AppData\Local\Temp\agMw.exe
Filesize
233KB

MD5
8abbeacb5f5e267226799c0cec084578

SHA1
1f5190c3e20af21ecfb2a035979269d35c345754

SHA256
b6e7133f472d8e4998be0a233f2cb2e517aeb005d2fe3b4c58b875e13d9a16ca

SHA512
53d002630fe35141076157ee5085c65f21aefd823f6e3b0478f45ff3bc18ffaa5875fa863ad29fb49b3e83f3fa0ed63f69378ecb53f63efad7c352cd3efb5778

Download Submit
C:\Users\Admin\AppData\Local\Temp\aogG.exe
Filesize
557KB

MD5
a02ace0fbbc4ce2dc938110579b0750f

SHA1
bbb7b31dc2e56bbf2574d2e81b4c01b9c2909d29

SHA256
46a64813d8f23c094cd70a5ad7ea018e269709999e626ee8cf3b038b138ec5d9

SHA512
fb8e28f6b797ac84fed620fe369ff28504981614a5485804afcec8f6168deff4389c171df30b6843c151c53ce27b1d30c0a4df8acefef54a83bb8ae22cbd442e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqMoYYsI.bat
Filesize
4B

MD5
b727cb7c1318759e750ad4fa798b2a2e

SHA1
8abf2c7520a4be763e3af789442786905e8e0e45

SHA256
bfe5ac4ca640a1007efebfa5cc4f75c1e422db4e7eba3b26c0a1c001ba8440f8

SHA512
71454a36362d9bc221e892c818b4f4293c3738d627e9dc24c933d20cf7ba502600484f07bf78f3fd9a0ab8d91ac3dd854d255c38a212e3b420f4837707da1963

Download Submit
C:\Users\Admin\AppData\Local\Temp\asAI.exe
Filesize
245KB

MD5
c142f44031815b6ae40db41180389741

SHA1
ea1bb3e8b8f342eb5cb7b77425ac698ffa647df2

SHA256
dffac4b65ef2e20957e44d68becfb230e7b1068e01213f13d4ed36e7a801f8a9

SHA512
0c0adc56e31a747e955323421fce194dff67f7794412d1d3e26b1fa7dc9e1aea101fa0ee1c37af614934af69ea8c2f46895794214fe1b72db9601148dcf83e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\auAsoQQQ.bat
Filesize
4B

MD5
63d7e17b2dd41ca5dbdba424765a4ce3

SHA1
e49da80a04b16a8a5f6c6bbca81d97b6303ce97b

SHA256
701b386add1a6cd2988139296b9fad5cb0121031983c7f5414996e54a306a5d7

SHA512
3871910c25c6761e6069a55db7324247e9df49e45733608cbb81d2aeb24bf2f104c4b057f805a9da4ea6096a35b4458d14faff8bc0fbfc426d92518477f2dc10

Download Submit
C:\Users\Admin\AppData\Local\Temp\buEQkgEM.bat
Filesize
4B

MD5
5b0918cac5b70b63b044e8f01e512909

SHA1
d44a19e92567a94a998891f5386d0b309e0e8e02

SHA256
250ab1badcec796118eac4dd48656dba83ce4915cc8fa474c1525c65f9047e8f

SHA512
3e176aa381e6d45e1b50598cab19fd8cec06d842b0a8d88ae2ac3311761444b713bcefd28a186ca3a9a7923c085b093924ac60a11d83ead4f471e483defed8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAIoAYUc.bat
Filesize
4B

MD5
cd0591ac601841e9a8c59fb206a545a8

SHA1
b8eb636a88ab0c5356ebe6add20d19ecedf0bff6

SHA256
3576b7c3a497332cdae2821090b11385fb81d1c74482021764af089a96c12244

SHA512
d6ffaebddbc972b596ac4ceb1493fb7411fff91ef42374edc9ba926ad2150b19af0d3073dc7608c660db3fd663e8cb53a9785bc8c33a1fbb5128759db7e9ba56

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMMK.exe
Filesize
701KB

MD5
db45f76250b1847ab8b44dcbdd0bb59c

SHA1
5d98f75c6135fe1d25aecb9114e3e7f8c596cb62

SHA256
77cf9cf8e08c246b67ae7a08d6622cd7378cbcc43be8d79f150cb8c53c62f0f8

SHA512
97220d13afedd88142faad0a124aa242ac0e2db8b48cd95b6b7d4e5ae73214eed9e27d2dc5ffbfd38a00da621b0844c276cb168ab526e228a4f84a88df80cec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYEA.exe
Filesize
246KB

MD5
47612ba31f4f7bfc70d4fd386c5a01bb

SHA1
910d9d979781cb6b11db35797798034ce1423651

SHA256
98e5dce52ba10e04dd13ebe2e0b76fb2550efa5d005484adeabb884380eef5fa

SHA512
aa5bcc28827f9c07efe76173ed07806dc8b3c9d5a4963a8e38ca3591049c471b3f466fbeca41c3e49e779cfcbfe4086f3359e8f56530c54038b4eadc01c19fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccMw.exe
Filesize
227KB

MD5
5fa9b780d3f0a24bbadb490560adc0aa

SHA1
23b90300959a5bc3bf9370406add5000d4cce80a

SHA256
1b4f32df36f9869071801bcdf06bf33eae9b9d5b0366d967aabaa9720f4d78da

SHA512
80bc74ccfac97b69d083859229031783695c2eaed43a292660337d4695532140765eca7f4918c56b3ca0615c4cac72d5cc99d4b7b2b17dd3e1475915db1dfbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgYY.exe
Filesize
236KB

MD5
9ec82f6941f6b10ad4311147ab8c44f2

SHA1
1188b2acc8450435d43a81be282d442d7b8a02ea

SHA256
63cc7c3afab0a7910561b07b331cd0459c29f9593aa6c40ed3ae4fcb94a63c40

SHA512
496f72531cd037df91050e3da728dca199744c3e1e2ea3bb3a4ddea18685b71b504944e35c9fd36291e288892cbfee60a6446003867c94772a81768ad2ee4bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgooYwYM.bat
Filesize
4B

MD5
37e4ece28bc9f4c985bbfbe22051e32d

SHA1
4a6712cb90fcc65a94cab22e6633d3826fa84a34

SHA256
9c0cce105f93b0d6a7ad1986afe38b1f4b450924be27520253844d56135fcb5a

SHA512
b46deb967c7b8c7842461388ac9348b7119ed9cb4822fe90cf84c864de31ebd3f498085a0b82c3304c8b8b346ff20cd037e58b83182c27e3e8a311296186c95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwsA.exe
Filesize
228KB

MD5
9e90c996b895235ca1ae6170785cb44c

SHA1
dc1976532bf3c4d52f480eb23510f38e71ae6164

SHA256
3cd39b95405baa8ddc07a0ed631ba353bac94d9ef90d2088f3e9fc4ddb807010

SHA512
5041647388eaca3b9c3a125ba4d8d314c015ac66121d192e1393fbdca26641b83ccbc3fd280e901deb3c62d888b935d491c108ea755272608c6bdcc23ae0a489

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyggUgQY.bat
Filesize
4B

MD5
66f328e0ba204a74412d0b8051799365

SHA1
9886d20d6208685803d936c0ec8964c2b48a581b

SHA256
50e88976dbd97f0f872e071187f819fb7163a3bbd095fea5fd7188ef06223c14

SHA512
407aba45120e6ee05e0c17650ac35dd742dc24bda6f986e057ab0e405082507edfcff34bb5f5d4158f87fa49bbd5fad7110db8f52633cabf99da685a1450e1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgkQUsAE.bat
Filesize
4B

MD5
1df72debca831b561813a509eeb5e121

SHA1
de43ffd6c137866e9f1bccfad6adcfe18322a5ab

SHA256
26a90659c1f8e29d63b4dbbccf2937b8daf1f4ca17078a0546c3a716d56a4a50

SHA512
12006765528c4d8b540a39c0eccacbb0394d5108c89668cdf84c243ab827842a033b3f531010dcf4baf3af30e5cd2801d1fa06df56b9676e0dd296eb288a574b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkkMEkkw.bat
Filesize
4B

MD5
77dba77d1d535bdda86594ceabf35c87

SHA1
02875a01a0b7d6017f1bf56e3d27fae6828f4fb2

SHA256
26d526e156f0eef914a2954a23eeae15f4a532de778b7ace22c9a065ef6d3f46

SHA512
f3c2e03101b57e1aab65327b7350270fc4803e7cf90f417d8540f445b79151c3f48aa39205d988e23c2c6c0e1aeed5de833f0d643ed04510a5de84d127a4edb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEEu.exe
Filesize
238KB

MD5
cfe9f17b5a35d8f72d525650e3dedeaa

SHA1
de6c3e5e5f63db2c52d7514641ccc1972686eafe

SHA256
3c7709d998dbbddb837ab36218b2f38bfd91962b050970dd9c9634c72ed7ced7

SHA512
64a3aa700fab10eb993851a34cc46ff5fcc718762c1c7bb0e44dc9968711bd2309d6f3ca30dce9f6d3dd3ed1187da2a43b61ec9ae48d2fd2cb2dbb044b6c5454

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEYY.exe
Filesize
789KB

MD5
d840e3092045933ceff5e2fd3bb62586

SHA1
086683873c406898aa9308f4a8df69c531b17783

SHA256
767e4d0e663cc85c63fe47577e7c716437cd4f1a787a808599af8c66cd6bdccf

SHA512
d4a773d4a61ca075d77a2d744539bb0cc66bd18d084e9aef9848c4b05c1949fe40122a1a609037db39750c1e8a4306026da71fd92565592436d856d95f3c7ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEsw.exe
Filesize
231KB

MD5
662d309b1049b5e6df081f422b55128e

SHA1
f5de832c131d6c66ad1c39fb11812bd11dc2daa3

SHA256
41d67a2b9276123122a94f95aedddbfd57932b1835ac0d343036fd4ddd58da69

SHA512
cf84c767886656814529a7a80a5ea1af769d123bb0007635ca2323f150a079233c0c22198e206c0536ed887e79444d7d93bfd2bfdef7aa9d1835d478c40172d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIEi.exe
Filesize
252KB

MD5
dee6b6feaa67cc4f259f192db8ae0649

SHA1
6f646025d7e72a8fc29de45886ac1c5f566aef15

SHA256
bf68a47b510da6a598db74da9923868016a07d00cce3253af0128f2b90570239

SHA512
5a2878bfa458a87692a36343b06f0be8d0274e51976cf61cd9bc402c37897dc98167020951c878ac2a7670f3af34cc531532682a6a77f5d36e0f19a67e3bab42

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMoy.exe
Filesize
837KB

MD5
789958bbb9b76a69f812ddd28dfe3edc

SHA1
d1ba78e1cc3e605c2a51bbb9830b86a5055be981

SHA256
67035423e772031d6504e38ee1923709dbbf538f3610145b29cda3e8fe133ea6

SHA512
b3b8fa9f0640de205684665dedc26bd6fbda9e1baa7d71b4128fbbdf7392e39fee5475e006c6e7d8c303dea408c84ec54b30661b9de3df8de4ac9c8169a6fe3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUooYEEM.bat
Filesize
4B

MD5
90cdd6ef3da680875defb980336c05c1

SHA1
0ecc31cfa266f3ed80572ce2dc79d22df554f71c

SHA256
6a703a1efad71910ae7a84f580e7a0de2d927284676be61641fc9e0dd2d05f0d

SHA512
4cf8514781814fc42df77238c2369a703b27f5a4979d645ddd465bb682bf3652f709b3ea4d1cc95d44b0978c77fa7a858d9fcb9598c43e35ce4a96c0713a87fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\egQk.exe
Filesize
493KB

MD5
7aabb7e929cf3a2eb4d52ba782a83a9e

SHA1
de0156b46bc12cf250a7585a77323d861674bf59

SHA256
ad10edae3b460188fe9b5879a2d92c7c288fc6dc54d1e6d635aa078e29d9e818

SHA512
99df4cd09887be15b0579bd8fd41a9db43452a7e0543e9d670873e98b9c916cd8dc77542739d66ef5c4cdd5d60a07b2ccbbcd48f8d9b1e144fd35d1ce2cc6d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekEcYAwk.bat
Filesize
4B

MD5
56a59f14c0d417c4c9082db7d692509e

SHA1
627797f86dbdd3cf17a33c9045d99b725bdd5d9a

SHA256
58c710446651631167062ac61688a28690e4145d45f06286bb0223c673eab580

SHA512
1b0f0a2483d301a43182fc824ef2a483b6ff34b4554821b90e5e6ec7645022397dd6624918bcfdcb69ee1969a6165b188df51d80f12ee7de2cdf6c0e32fb71bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\esEC.exe
Filesize
237KB

MD5
3e431f83a7d16855fd15282af58e502c

SHA1
806e00868f7edd34dbf3890355ece3097f5a3f74

SHA256
78367f497ba3b307d321548ff860fb4e978354737f7408e94ffb9d9f3e01f242

SHA512
9f32be89271ac6eb1f6fc91d4159542c50efc69915fa5a2bf1b60749be9b58a176b4c149653157f55aae1176b9c473761346803b9f52623070c206fb48d44490

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewgO.exe
Filesize
238KB

MD5
18a8dc30e61df602c50016bf4e69375d

SHA1
49104366687781fca67a38d27109196b7618fd6b

SHA256
336ecf8d5b95b39ad8bdda2bc394dd50a8004616a48c83acb05f328666260d4c

SHA512
d81f503f787e6578b41d79e4bca7175565090fb5e8f9673eba68fa20d4d0c1f4d1e37d6ed230fc6662b6673209fa5ec75657a1fba1ac6300bf6309feb4c85d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcIgUUso.bat
Filesize
4B

MD5
871b935f452e4438763621350a02b248

SHA1
cc808f36d81ea40ead8e44d0be5c6c4feafafeb6

SHA256
6cb7c4a03ddb7a0ab6aed2a484653fd8eefe3f925a13c38681a6ab497ef8f5ab

SHA512
0f8284e9bdd1b4c3467889856c1be9238e94de3fdfa836ba7b4e79e4b07b93b42575c5fda77b76d7befda8afdbb14be08922f9d2fbcc1a13381241f42d3babd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gCwsAkEY.bat
Filesize
4B

MD5
74087e07e310dd9f4c0f484b2a30cc4f

SHA1
af7cb85164313cd6bf266395d2a2f622e156e514

SHA256
08ef11733d7dba55b7052d50ad6601186c8e240ea5efac199f96717a2645fb77

SHA512
60dcfefc390f18c9659f02e1822701d4b817a9a3fd095a9f16d9ed683fe920c4e2fb53fe5605a88571f36151ad6f0a95bda511005c9a1db8fff8dba4c8684413

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEAUEwow.bat
Filesize
4B

MD5
ab73719ae870a1a9cba5daf7c89f9041

SHA1
371a7b2937bbdf524ed9838d2113344cd0fc9cdb

SHA256
8e62c677064bc936d33e352bfd37b9fc7675328cbd8f23173afaa17ff434774f

SHA512
d82b4ce9d5e2d99311c60c5bce18f1c80c899ebdd5caa6742ed01a79e1eca221bb3ca054ae09731dd8b4a408fded68b21f4b363be4f926e067d59b2ee9c5a7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUAA.exe
Filesize
236KB

MD5
f455624ac3bc9aa3178cc3a2fb7dc176

SHA1
82609797ec2c8a8d1bc652fa3a7eeb065ded8ca6

SHA256
17d3f916362d7cb3b118c7f273cea066f049aacb851faddf8333af8903b29ab4

SHA512
5297db51b9cf51417475ebee7768d7e533f6658fd3fcac9fd0991fda7315d924abe0955c37ba50e6fd4ba5d94ba6bea5db081ffe31eed457f0828160c4c8097b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWMoskMo.bat
Filesize
4B

MD5
f73e1c74b4adb4dafd5ef67f74cd94f4

SHA1
72cf39fdd37c8df54357eb79fae77cec00265a25

SHA256
6b21f83cfd31df135e3e4b521c8ab81bbc56caba2d3bee2eea037b5ac43c331e

SHA512
31ce6a721c09df36c0eb7850a60a9cec422ec4e784b069d9fe6ad0b7722f1a1f518a1e38c322c55133a827e1f2ba3cc2a17b25c6709bd9a97aa62f616ee369cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWYYgowQ.bat
Filesize
4B

MD5
3a91d52b2a8ea5093073375a27710a8c

SHA1
b178dc96c714afcac7c5a3e3b5c9ba394f6bb45a

SHA256
3a6898d67812a69d22044a0c3dd3db43fddef0ba323752e9a0dbaf41016b9bb9

SHA512
187703895f4ec1e37cc38093a0d0964da6b4db12265e6023deb98d3e27d8bc0e222d4e230b1e41d092f8d7d062b2c1325d104a8f042cff649a609002e036e25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcoa.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggAC.exe
Filesize
215KB

MD5
6cd141b13514118ce768d1a96f5d98b9

SHA1
78fb7dc8356029133d0a28b8bd6c984b2a3db2fb

SHA256
34b8c2cc43b1c3f9347bb65c67433e719a8edd78695d073dc78bb14a6826e486

SHA512
886ce6a2057137b9219f0ff98ef0c5d90c3a1dbeb4c8e150f508b90bf58617343a871852a8a125be678e6e3682af3cf7f1f157026b0833b42ffd48824571aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsgIgEIo.bat
Filesize
4B

MD5
ce7f2af08155e734025f00c9d23f6372

SHA1
9dfd530f8a748965766dc2e27704b8b4ff0dc6ba

SHA256
bf039b1e604d5019c8a9ade06e331f7b1f8e7e0705887dd3672a75b41fbe1427

SHA512
81c326ed9b007e899ef7bc5cba34c6b14256bad1cf19795b320d08c9ce3f847f5f4ba47b38f31e955af72b5c9ed5a199f9dc46bcff538c9a35e82ec2ac36e89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMEwYEss.bat
Filesize
4B

MD5
827628bda9a1601012de385e7cd17cfa

SHA1
143724a36c2e05037c71e40809a38a6fc289c3fd

SHA256
d7cf3e669228137e1ddb0b9897bebba6bf142f6260053c932f0b6bc8f890941a

SHA512
e2dc9f0b9484596f5d53b69f5d702f78b99e995b4173654943862d1d918fe8e89c8889caa36a55f9544cc3ab66f143238f1f08fae5bf98890015751ff9761833

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmIowgcc.bat
Filesize
4B

MD5
4eec3e4979ba5299324197d2ce5cf4b6

SHA1
d89b8484af295a5977758cfa82acedd356abb063

SHA256
d89c46976c2d0553c5c2300246af990812b83a7a23b0a353d791e268ab7b2142

SHA512
aa26cb1aa618de3913e2fe33c4dc0e6c5888531bdc9bdf3c72c26b8ed87e6229d1a5680d67043206768d02e4e06984df226b6c5d42129bc46a06fc38d09eb58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEwM.exe
Filesize
220KB

MD5
07fe67932548acc075baba1d3fba38b4

SHA1
c230188ab499784291455c3d7d807f2e9aa3cc35

SHA256
bfab611579a25065ccfbced52521b1eb5e8937afc0c144cbee4c55d5778db63c

SHA512
05c6a8ae1e50bffc38d26e09cbeee78026e18825d56c84c33ad3fe01ce014f010ea56b79803ac2f2f2f8ef7f1585e2b5567c9db02d9fb5ea777b9f563e112ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIoQsMcI.bat
Filesize
4B

MD5
ae53d21fc90a1966b356ee12b8cddfbb

SHA1
9bbc0e63af48c2896348d1fbd082a9339a9614e9

SHA256
8bee9ce2ffd9d60f58d3c2e28eb76f1094b3d9601632a31b79b10c1071eff38c

SHA512
c4910f330ef69551f040e919c1043840f0cb3265c456c5be41ad8258850b917b6bb7b6fe49f99cdf1b7ddfdf05358b1e7b2b30c5e8370aa1b1a1612b79029bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMgs.exe
Filesize
219KB

MD5
f9fa1e1802216203e5b512def15e78cd

SHA1
432b7438c26e3b46c622139ae7a668a4f5785653

SHA256
62b5bd1b6e775d1638493175b769fd6170c7ec91940518fbd355f42a506c61d7

SHA512
38154a87d03356d3df186612661ca5a57c72de98a50bbb039367138fd8f77de1002d80efd654d2f2a3e8cf8e62c92b4813276ac14af8fbe592995f00fd9cfea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\igQE.exe
Filesize
247KB

MD5
0bf63100bcf72f8c669297a51621ff0a

SHA1
91be8459565b96a6a4c8999845a27670c87e3980

SHA256
b06133351a5be56d8ffdea7b9497c7a8efd2da512e3ce63debe9de86574e5f26

SHA512
27ef312df65db2c046758bfc4a3029f069bff4fcd5f49a24aebce1bf5752b2e36a3f2c1561e420ade72afc0ab2a825fed792ac168d10118b957ffb8c6407f30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioQE.exe
Filesize
243KB

MD5
5a457dc43e9cea998734975ba261c4bb

SHA1
7da497d444baeeb6d8e660f308b0bddf1c5be3b4

SHA256
e413949976efbb5d5ae8f408ac61e9e46f50322af54c5ee2878e3131efa41e5d

SHA512
5d414c45f72b6170b5e2d081e8a70995eb7206d3ee0d0a7fc4b1593a09d46149c2bdb4b80a5e8bb77b537b0d22ac321bf6222f9fcce1f029b7acb661c67f8ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAUo.exe
Filesize
817KB

MD5
455b92d360ca110d9b56a891cad4e486

SHA1
6b6ed9eaa16c3ab36a23923029b8f14857f97e4e

SHA256
a04e7f9152fbbde52fc1a060e914aae65551a2335adb5d32e537a0b5ec16b44f

SHA512
ca1a2d27ef6d9a560024e96b33f945a27af92ace8d49620c3ede765d3c8d14d20c0e873a723d66261bb031ce9f62285494c0bf51a6aa21779a0afee341e70119

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAcE.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEAAksUk.bat
Filesize
4B

MD5
feaeef6256705f5aae79c8e9160b0c8a

SHA1
f2685a46b3849d627b888488c7b2bb82e4f71d8c

SHA256
65e096f1a90c6aaaa874c60fdca8323a4654bff29d49f85da1a3f5e2b2fabc36

SHA512
29997d6cee8a1055660ada5e851c2596b7e7a955e7c48dedbb9836c2c07e9d5287cdd3cb743543cc0b4dc15175a8f03b9eb9602283ba4c32e981987b96040e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEAIsEoI.bat
Filesize
4B

MD5
cecfba04249ff389d74eef4e211433cb

SHA1
e08eb2ee7ac3b78883cf420391374eb63f6212b0

SHA256
28528db184c5039a7420cca28926e6fee93df4cbaf6fde388a44185367c1aef5

SHA512
f347b036521652b042276c18f114d46030f886325f9aefbfb18cf46c3833e27bd60aab6fccf23fc5e02c1cf6dd94c84bd0efa7196592312a24836a3f4f5ca925

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQgu.exe
Filesize
227KB

MD5
c98902a070997c072336f81f51751a54

SHA1
63ee54631e1aa877137b03c0645327f42ffac5b6

SHA256
0e7bb62c765414231221fefa90f991f4415e380ed43fa0029bb31c972ced1902

SHA512
b32e91e9daf20cf5098966af9203d1fa6b18739b80e0862c0bcb528884e32656b4606d31f782341fa8e4c87aa1776148b103e1e1470b33b9ed36cb8f242d2f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYQC.exe
Filesize
229KB

MD5
4545f8fbd6ba453b0f609ea92decb318

SHA1
7d4868645e698a034065d2d3ead4de76a0db005b

SHA256
3c06409157fc8ff6ea8b0cc45eb0ca4357a9d33da431ad92532a6124e779d7c0

SHA512
bab94cf3750d5b6b66e0dc2cf8f6d1ffffd593cdd746022296c483b8c6744ee8a8ae3afaec030c6c9dacbf9c89a4102e6d4dd3a4ad7474ef78d501a976ae1686

Download Submit
C:\Users\Admin\AppData\Local\Temp\kccq.exe
Filesize
744KB

MD5
5d3115b99f694a969671e40020bfdf47

SHA1
e9d231b56bfcb03577263ea483892c857ae707df

SHA256
a02e630c213bc38d735a88bbe3f1200b7d357b9427cb7971e6d9e326e42ef9eb

SHA512
3b017db05df5dadade64e272dc189f8d410efd5ceebffc80e9343e12aacaba5401bfe0b39b6869612d89512b7e2679031bf4759d30783fa308040e8df58ba81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgIs.exe
Filesize
239KB

MD5
79dac84e5ebdf8809325b2dc03a8d749

SHA1
7bba105747577ca3beb0a4a47793f77645fc81d2

SHA256
f7c9208cbcd74876b63cbf155bab66912f8824ecd23a3c8366583106cda21374

SHA512
c0b6134a050bdc4b23e81310063ee4df230dded503715d9befa81eea61ed299d7076e7b3d8b0b137c2a60a81c7bf5f2f180280fcc0e674a10863196d869b5445

Download Submit
C:\Users\Admin\AppData\Local\Temp\kukMMAII.bat
Filesize
4B

MD5
ca2970247a3a1f773cca0ca8235129c9

SHA1
ddfba6cbe04bb74d9a90c7d34fdd44f34f2fe6b9

SHA256
b8844df4cd1ba5bcace8ed818297472a8bf006cc19fdad947eceba02d94543a8

SHA512
e98c7ce953f3a89867126f7c02e29bbae4bbff629fb6f7e361d8795a01a020037260368885e9d23dd1566b0bb0e20c72f966a2645a08b368a96b3b1421cfd20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwEq.exe
Filesize
231KB

MD5
9ed20b9e376b865cc7fc361339da01a8

SHA1
dfa2aeec808125b51a960fca995ce56040e059ec

SHA256
f9528d4f82454de1971848a4a1f71fd127907b3f72dd1f9c0b9d163e59f4daaa

SHA512
932cbc7672443d1c561d22029f09fbe6f6ac0fd3224280ebd2d6faec55808ca4fceab78730395cf3e4b66b06f3ce78851eec4e6be547bce570c00e5d90312140

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIgUwQUU.bat
Filesize
4B

MD5
da35d07d73dfddcef42a0b86450d7a6a

SHA1
7ed851cc4d7a62cebd1f99132237cf9b26aa65f4

SHA256
cc78cc82b05f9bd4853a24b285b3de0a5de6be8e570722c7db01661c51fc9a44

SHA512
3aedf765ee388df7f97b0eb510149c94c0b5c969c86e0b65c3a4f3dd084862769b529692bfe393e7219707ee3768f3c8505ce6212ae6bcc1563f43a81f85ce85

Download Submit
C:\Users\Admin\AppData\Local\Temp\losoMkII.bat
Filesize
4B

MD5
77877889be0e49614a15143bf71ac175

SHA1
9af3e442c55b1fb36249fabcf4a35262d3c3c93e

SHA256
f002ed00465e3bbc9db9033c62e1863af2975785c67cacc5abf925b88116814d

SHA512
ed9efffb926be9cbd4dd31632644901c9216b92adf4d7cf6a4e47dfe9b332f650c37526cb301c717fe61ae9a56dd4db57b5506fe9f109aa793c70e09d0d5960c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mGoEosMg.bat
Filesize
4B

MD5
99f7da1d4f026a61d10974ae49d44e5e

SHA1
41fdc17347a34ef5571ec0853421e30bde4e2589

SHA256
f859733aa1faeaffb32a2cdfb691024bd13d0d8be21421fa5b2bc799e4dc8b7e

SHA512
9610fcc140d3117e713abf83d96d104527704410852726807993e53bd86ec9e1d28797ebb8d20ffc1b284336c13951c8d24658fd846de33a76b9661ef6e1476f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIEu.exe
Filesize
306KB

MD5
303ad012d576a9fc1f083230fa031e77

SHA1
7d6e12459e1b541cb288370fb57f21c3f84a747e

SHA256
2c48d443e7c91081026d1b766827e6c49768c27fedd18be7eb307aaabc374e7e

SHA512
a1b3df58c44261dcf97b8c80a70186767897f74166e4411e80d310655b9788f00c050af80fdb2675b14222796bbcaa1523bbc0163d3ec16537ff283adf9183d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIcQ.exe
Filesize
238KB

MD5
8c5f2fea60de31bdbf39a49190af6d71

SHA1
f1fb2c38bfe25adef31e78dc7130b383d8e06e1f

SHA256
6b12c40c0ab1fe55c99fc6f9a1e1b3e657680c9b762da9294e943906b521df54

SHA512
e9d81c2ac432e83b79663d36a3174cc6c39955a2a4060fcb47fd58949cb23472d145ae859c274f7fcec5a263fc79f97393f1b40bfb4c5133d3972ec02d78c7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYUu.exe
Filesize
239KB

MD5
122171bce8196536353f95591d88033c

SHA1
e1fb449ebfb8fb0f02da40cc0483b2d0ffdef925

SHA256
16e36959c7f6fbf04021c3f9a9258dd49bfac92b4f1dc1c25910c777b3fbb530

SHA512
a23a262cea4f8fda5c730976698f8f3672a00209f87327138b456e9f4f17e2315f22025f190818c011f77983dae8a85d1bbcf9d6511447ba77c4ae971662b1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwMIMsEU.bat
Filesize
4B

MD5
973b6c5eb6b78745decc46f48c164957

SHA1
4477978023cd3a9068991a5c1c1652ede00591bd

SHA256
aaa49b6aaf5d7f221aa7cdaa8d0a56ebd1a84a214ae28e9a1b433497c09b9b74

SHA512
050c2624717715e3526912012be252c9a1dc778347306858fef117cf17b827f98358643ae5349c093461f271751975721441f97947e4526bd1a97c71e01c9e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyEMYowU.bat
Filesize
4B

MD5
11c8f0d0ada6e11cb001beb7643343f0

SHA1
89a14062162f7e411a880583c56ebfc65a2e3259

SHA256
36060658931b0f811d894c336edbaa0615be5453ed7121bfb4a5c90574aa3345

SHA512
ef12c50d6c0346642b837ea06fef1149c9bece6450cb3ae680380a95d012a3d1f91f95ef95d634c8954ae0b04d10442e3625e62d6d6adf1881caf6d50bcbc330

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAwE.exe
Filesize
245KB

MD5
189b4943cc9eaac18cc3c956ba654850

SHA1
c951a7ec41ea60a47b17af1d04230d8e0edfc838

SHA256
760fadc520d36f03731339727f673072f97d14e12e9035d0704e8a99c272a1c5

SHA512
ac0bc475ef8d1578c5ea3e739fb12c2fa0128c9edecd7b0970e0e60a771c85cffeb1d13200f51dfed5e425aa379a9bd489cc8ab2853434895b44b7f03ec5b709

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEYw.exe
Filesize
228KB

MD5
23ae495618bc272316cf90eec2d99fef

SHA1
bc202404762f7281a43ffbd3fb029e7d2e09464d

SHA256
381ef37bb9134cc99c92df47f44c20c8983ef2bb800b56f279d19430560138d2

SHA512
e03ec0e507379fbd7f4ae3fee700195bbe2190f0ed2b704a96a35061dbe12bc01c60b96c17590b47a0c996aec9d5a5968ffa25edc4608c96fcdd3571adb4d401

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAIcIEc.bat
Filesize
4B

MD5
ce283921b3906f7f01f3f2aa466c656a

SHA1
58d92fb3891a81afb0db52f6a2da8de0c618c269

SHA256
ee872be6f8c257072b8ef7a909752438be8b33f38928a0055b0b2a8ffa5f87ae

SHA512
90d7b22a307366bd327a426b671fbd2578b229a5fc276ebc23a60124be3f6a529fbe0f0a0da2d86f46a12e9fa19199b447a1c45aace24972b8b7d2fa6f26bb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMkW.exe
Filesize
230KB

MD5
d4fd512bebac8d5ebb030ff1cfad3f81

SHA1
519087b7cb2849ce133a498a8a3d9b3dd39d0ee1

SHA256
f4c9d317f277b22e72b5a48bfd6b80ba7c72fa9d3b3328f1fb8e61d1ffda1c37

SHA512
3525bf44acdc11233e138e9ce4fcc1c4e7af5aad73eec43c5610aec1ce538c6261333f2d92f12daec87d90ca9d63890d5e544134d8e89b4a4badced4c37592aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQYI.exe
Filesize
1.2MB

MD5
3b0c6e01391579211524f8b455b2685d

SHA1
62fd3685ad7cac660663099afa6769b2bbc5832f

SHA256
d47a2aacf42adac406e9e4dfd78b9b3ba9f5feaae460a2bc0e9cdf0705fd0ac0

SHA512
f6fdf55d5b6e9e7a46c3379d50b2babe8b136500a6698f3fcaa3c8cf3169febb2e79c44ed3b63b697e6af283f6dde8d8bdbb904d6da891678c9a89e42dd93301

Download Submit
C:\Users\Admin\AppData\Local\Temp\occq.exe
Filesize
232KB

MD5
666d25f9ae2b2a67d5bdd6b4bc1bb157

SHA1
4d184b7595fff7e8cef61d20fe3c6e6ea3dca801

SHA256
2becec69749a882a1ff3a835dd767c63582a50ea0f094cbec1695037a17418e8

SHA512
6193f7a8a5f9472485e9ffcf9f6b4837a3b327453efcbbe7ae51cdd690bda2e23fbbf74bd39c9b03fffd5abd9f41791de1f766defb5324788077fdcbe845d7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogQocwYg.bat
Filesize
4B

MD5
d8474e6a6687b620ea9b4a3a7753e5c5

SHA1
4a6111ca131526a7a2054374292ff5c108161ca5

SHA256
433bab28e38f35352b4d20a35912d7ba1823a0ec344c7e5a30982882d3865564

SHA512
8f7be69150af202dab14ad62cff02ea8f96168c02000a70629ab6e8612a075262f9d23fa6cb39f36067a43499e38485bda4eee3d742f67c6edac4c60549ae5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\osIUwgck.bat
Filesize
4B

MD5
2939eb41b9c1e9d35412c5b13ecab30d

SHA1
22397b6a3bc3fba952a2649510a5a4deb5f33c31

SHA256
0dc3212ef7c338384ae5e3ca0aa8057d15e2ad38d314e93f1610d641d8253c43

SHA512
3e4ffa73b8ab9657b2e910e2b048497643c5efaf7f53e465f652074cae8498453dd8c690abfdf8f547e283c13aa765a4189eb72566f1f79d52e72a8f1505e1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkkIYAQo.bat
Filesize
4B

MD5
1fcdb44bcfa2ed5436a4040b17e0fe2a

SHA1
6ad339dc527c1e5fe5eab94e905bf8471a6a3cf4

SHA256
3321c79b1deb332f99060ba66753554414eae0748eb28ea93c2f7ae1c871bf62

SHA512
816d97fdfb3ab2e12710b4ba2193a22bebf13469ff5a228578d23c2fb1169d29dd674cf1a7f11e39822a759ce218c872f21a551782f7eef95abcdee905c56733

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEws.exe
Filesize
762KB

MD5
4e164af7d54dc1c3476c537743711750

SHA1
135360da46cee9a272e4788eeda6a800fec901f7

SHA256
00a763b98fb8ba2d7f59dea1f2cb87a4d8f3f4baa5a3dcdf2502361de9a6e262

SHA512
c998baa21a47137a52f855b2c38ff0502fdcb3b357d8d5d530f618e572ea355e9e97e8351240dbc799d5d157c48093f0c5b0ec02878bac8950c3627ff070daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIsC.exe
Filesize
243KB

MD5
1b043163b58bfa485d90b94ef4f8878f

SHA1
523bdb674c7e3f67d90ec61827acb7c4b08ee433

SHA256
e30af779dc5cef958a1fc81174a8e73572141ab1688ce234c2d4e6e28d8f7a27

SHA512
9dfbab698e29f3bfce546d771d0286955c53e07836853e232df7444d958f3e0738b116e5559d937ed74bfab2b21c8bd9556efa357b73e7067182952612679b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQcYUYco.bat
Filesize
4B

MD5
121d373cc1541f4e1059eeb6158d4e8a

SHA1
9cb87bd44e90034bc45b0f70b363eae1e02b82a1

SHA256
cde4e2a1215c138ae000e17be1d7a3c09b62c18b9e61524b657ed9c5a4fb0c0b

SHA512
25749703e95dacf1c1381394e64d291261ad297cddbfaf29369f1b147e2d76e2e9e9d7f36009fcae82fe460d570bde970da5fa5ea45dce7d14c0b7b8b7dd2a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQsI.exe
Filesize
767KB

MD5
6aff150522ec970e1d4c8678e5889983

SHA1
78544660fe078b740356c4412dfbb3007869a8e4

SHA256
e6ca6977a53bbdf2af47a3bc68d12386b87c683213f7f624e7f28db81b2545d9

SHA512
2591a5ccad68139c35711f8ec05c4863479cb96d805d476c8395bbd02d6729d971d02fd7854da55ba58ea2a46243dec66cfa16fd960c9b6e8e768accd82d0c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeEoUkME.bat
Filesize
4B

MD5
f414a1a5f8a77a9186c9b67114ef851f

SHA1
0224c024aae52cd9ffd8ab2e69f7869b775b9541

SHA256
a09c4e52bd99fbaacb3715cbe1c994a5970c044a319309fadfa0f58633dceeb2

SHA512
f137bbecfa5087602d7f35a65342362a4233ca837ee3aca4957de7a68ab7d1a4de1fb2e20bfd4d83725e80df00eed0318c42e2e487253c6086d3b7731cd929d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoEC.exe
Filesize
227KB

MD5
28742417eef331add0e1c8503a1bb9c5

SHA1
4df81cd1ab0d7614c8605a7b73d8907d57855b48

SHA256
3b823cef08ac23be9b161b4e6f16bc4e9718e38186765fa24a39149be96569a0

SHA512
0b7cde706601d0b5d2025dfa0ada51e4cfc9bfa1cf3482bbd07cc7bac79e64aaf9a2369c3f9e1b5de614d847e84bb63c871ab242d2979c5836aa86c32c825445

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqMkoosE.bat
Filesize
4B

MD5
271d541bb0e7c89a37bf62c9e09ed271

SHA1
f9510b8bbea516d2b668b418841e79efe5addd0a

SHA256
e11a23ab2158b5d1ae2f23cd436fe855b314f37d20108dce2857b291bb49f43a

SHA512
5cf171f26eaf6cdad135b95de571c16a26735bf3bd84e221c90341c6c7f6720100a3ad263b8b36f0cdac2cc575c1069e73dfa468eed2e5a89bd8fbc84233680c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qscI.exe
Filesize
233KB

MD5
9789e7d46f11169e01eb5f6bc7290971

SHA1
6ab4c48f02f13ee54b01454fb1d811755f7f8176

SHA256
4e81d05de8045d563a34e97aaf78f9bc1806f31db0aa4226651d0b0caa5e1f87

SHA512
1c2a987023ca1c3b96987934ad9899c182ad2b5fd5b50ab7d60d7d702dea5786ea64122f15aabe2f05b7685c1c9e3ebc7df83d99f6e7b900cddc7ae4ce4aaa21

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUgIwMkU.bat
Filesize
4B

MD5
ae96457feb1e538b303c0b20ddbabe24

SHA1
9d4e2c9d6a7ca483892f92cec9bc7a6efcf1df88

SHA256
7e43b3c669c75e8e25c26b74135cca9e679f51dcd2112e6d2d5cc63386d6a028

SHA512
4adc156a081616deb5f1c1392483bf0ac4057d6fe174b017ec24ceae0c2d4249882efc902c40e05f2ecc1b7198de98a04155f12d2c82aeae19fc4c1f838cab63

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYcsAsUg.bat
Filesize
4B

MD5
9ac96da938b16bfd0991f118d4e19e4a

SHA1
3a56d5eb9d3c4f822fab809b2356d59df61f3276

SHA256
919f3700506147ce30517af68668f259bef6ce9925fb2764bdfa340f17412e82

SHA512
8e19821726da1a7f91323279e1cdf05a8759232945ff8545e78071d3d66944a913fb705502e10c81f6027c6e07d63e2e2fbd64e55fc60f098488c908f1a566bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsckskgc.bat
Filesize
4B

MD5
22ee27de3ac4190b024c1a7e64040ec4

SHA1
255914193631773c385fa7cfbe7cfe29fb1dc09b

SHA256
17d32fdae9e4cf8d570deca61e26193ec7b1668a582179d8ddc58efc9904b98c

SHA512
b3aba9f7a3e39296ac89c0c4db67200ba82f517f8c4d4adfc0b1ae10c71453454b467d3e7aea8523b7152cf03957ff10c4e5a8f055a7ab0bd070f7087c00d52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUAQ.exe
Filesize
326KB

MD5
be03a22803425c53557b01dc8aefef44

SHA1
c10e522355c26d0867dd1a857742fb6fccf8dfe5

SHA256
d822a68a5143fdc5a7731bf877834458b13d581b73878e831ed2432301188d4c

SHA512
ec9210cf80617ffd8ce79735960b5f5cc1ad41b72938ea9d34229e4970cc6098638db6c361eb6b566660b10e0a4a54d5ef145b2c3cd12143b76ff9b16ce9671a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUkK.exe
Filesize
595KB

MD5
45e99fd73c39b1edcbcb24e2dfe7d704

SHA1
e46c47bd734f8e7349ce1e61316e34baff4463a1

SHA256
9fc80154fdccae597e62ff3750fb8d528f372f34ca0de43faa0ea698a8d9d89b

SHA512
b2c561ace5c1ea4bdccf43b37b0c9083e8745f3784c8f6df1db8ade618cff321e45bd978f3a6d5a023f2db45e22dc625f29f5a7522a01c433fb8152fe44e672d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scAgAMEA.bat
Filesize
4B

MD5
9a72f2d682b746c9d6d7d8f01acc79ea

SHA1
70836c511b620c52f6de167ffa27274f34be6250

SHA256
404be9cf2232ac6b7043a2e44754340a0aefff924f98661e71627080bd8fde03

SHA512
cee4519a4126e60f4e26c3546e4dddf8b377dd4d49b578886ea920c650634f00b88977b2fafbb2d5203899f8c5d27cede8e0e261f57acf7586c1e1a88e6dbc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\scYs.exe
Filesize
874KB

MD5
2d66e9fdd999f9e9871999eb131f813d

SHA1
26e4e7f29b44cf6994a39660184df9e0f1e2b189

SHA256
1b701e8a2ab2933ffaa06e34f16ca024a657f8e44add0d874d5aede0c2841e7f

SHA512
526bc4b699eab58c0cb25bd7fe3c1204e201b9b6715f3067e8d91fd7219ab84a0c8920fd45143bc7fed27486534c3b199914bd7430b3f8b551684c3b9c24d9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\skooIIEE.bat
Filesize
4B

MD5
08facb7e08d3826ebfba2d6d6be2c3f4

SHA1
49c7a72a5dc7c504fcedcb4d04bd02235fa059f7

SHA256
d152b69c2351ca1651e295939703d743da06639f2807f946f589eaf2d308b63a

SHA512
bfe670db7a54ebea2406ea5825ade1addff9389345bae73f3ea2b058c3c89fd868c069bd1cda16c6f09cfa97a8b28e51b9c432d1a64780ab51a226dd5431fa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\socS.exe
Filesize
621KB

MD5
f8931535976d90393b07417f883ce57a

SHA1
ae61f1598b33339abe4091ca64b548518357fbdb

SHA256
d7e29a7d932eaca1fee2aa630f93ef659a8245ed8a87f02d084d41cb2da2a2bf

SHA512
12fd8f6d5578c231a6fe171fe67d7afbb84f0bc008c18afc56b9d18e0c8a27f5b2cd2a92f38dfd20daafb3f187d122ce597f34fe4c43cb1d85e4f385729c2bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGsQsQIY.bat
Filesize
4B

MD5
a30e08593f3dd3008ac664a47a7a577b

SHA1
95b484cdf9677c014457f9643e75cfc42cfcaec5

SHA256
bcc5e1632697b0122a5bedf3fb8566c8bea9de1e7feeeb21a19ca189a12ae020

SHA512
e7928dcfedb85032c5252cb9986e28c6a4d29df8eaa541cae5be4648707a1e68eb83ad7196692df264de473ea14241d14c7e06c87ebe5e3c3d23588b40f047db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMYsgcEM.bat
Filesize
4B

MD5
243ec93b143580db068c423d29af536c

SHA1
f76a67156bcab0701592cb3cce4057a0552552c2

SHA256
984d44dd36a0926cd9fd3227a92cb82a477f537868288dd027db0b6ef3b82d7b

SHA512
4d4fc8850ffe616720c1f44147a7e4d40d4e721c10d243c560e7ff31bd31517cb4d52dac4a169a2aa9628605c42dbdbbf309e7bc02ff62d8af16bd83a39ca985

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcIoQAMI.bat
Filesize
4B

MD5
1e0ace53b72d5b8a6f1912e401bef5cb

SHA1
8181b1d69bba60438dc53364eec3ca5ccd1cf700

SHA256
021ee775356e5a80541ec52633a361b40dc3919f97ec843f383b82ce0bce5534

SHA512
5fadfdb778e205c9cbdd5023c248b2022d6ac8f08a3add40ada071b54c047f948849c0f4ceac4e0c5645c12f9589725cbc1c4515be64a7991d7db5f54ea7e41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEUA.exe
Filesize
245KB

MD5
3481ed658f6e1379e52698aad56bdf62

SHA1
f8fcc7f9c14b65534d4c21d8ea2b1610810c49c3

SHA256
d21719c9d0be4383beb9908287c0b917d1bb620ceba9e706853059fcc3819c0a

SHA512
ab9963da661988edbf8f685d67e7533b3a4faa4306b5fc9dbc0f99d2a886842e098317aba2ac1f401f9fa51e322dcf0606b5244a62a84291e3ae60a693841116

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEoc.exe
Filesize
222KB

MD5
37719502b94bf4bf694b4d73c00c0990

SHA1
e7f90b7a2b53e47b4a1b32ebfd435441b4d0e8ea

SHA256
bab8c8c1bc33de4d401a208b9ce9824dfce08e3319e488de32da99e79da9c281

SHA512
f480260c5f198270757c12547b2714708def7bed5a6f55b3a8b0876929e5f2de82aa9ced86a973e0ac83db583077877fdbb4dcd757615f5882a91ed27a12df1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIco.exe
Filesize
235KB

MD5
78553e4a29c1e41a07b386739f6152eb

SHA1
5f906915524eb4322f9c0fe1bab57dac899458c7

SHA256
926da17addc9487d86954c57583733eab0b3bb296fa4c438dfe1e22927fec8c5

SHA512
e76f9519f0f05ab23dd3cb1116deb0a2d98db740865540ff480399a2eafb91c73d92e1880358ec5bc9c0e8f18a302849029176fef5e11d678aabb882498360f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uKEwQYsk.bat
Filesize
4B

MD5
daf528c76d31c29704797dc63f055b74

SHA1
1731a2ddee57d2e911b921e2760c4634983e928e

SHA256
cbabdbf1f701e84c864642ea43ed4f926a297b04368ba99a392ae8d08b9063a3

SHA512
9c2ea3799746143606c6f8748792d327f86f0a7c9fe2fbf2b26d84921ed8ff1941fc54621ad9a90911e754e37ad980bdfd236ecae0b3f8401225c580d5952725

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQcO.exe
Filesize
236KB

MD5
8e111fb7405abc24ed2f73654e11d583

SHA1
10a336963d77a46f4acbd5357794f6864afd63d6

SHA256
4ae4ded136bfcb98bf4d402522a20e71f0317018d3899c7108ee2636683146fb

SHA512
dc8bc04092c9829c5bda775af71498be682880053e7174c8f343c521120d6d2c85b708a8b0517c83a00f4829b44a8c6a1cf9c0d941c44fe01fd2936447016e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwW.exe
Filesize
247KB

MD5
1bcd947e7bbf9900c5adc453d02922c2

SHA1
140a621309b59243da7579314a27fd02573318c5

SHA256
f5a19bb49687668a12dd8e04569f115d58f819fb43ca1ae8e55493ce22e25ed2

SHA512
cb38fb408cd3604613a8a27981e5c9b4cdd109c0b71cf125c4c887e06fcf2685ddffe71712df01970f21fc5dc33b80aed2b4085bd6c332b50f0ee948eb0b3c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugoMgAcE.bat
Filesize
4B

MD5
b6f8809aaf9a16cd516a1c02be7c020e

SHA1
96c38cd0d9c94b07bfb5e138828dbc6aab526f08

SHA256
2f4376207fb151a38c1b273d4c823d8ce7df3ba7caf164a0cf649ebe7a30be88

SHA512
e4d06635d01dca5133f4ac32127f16d9381a60cc7c8190021cfd883ef52c3a0746563acd32902c6e5107c9b9cfdac9bfb03097b2bc94d8606691173122b1f1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuwAsAUU.bat
Filesize
4B

MD5
e74287967dff17cfcb211679353a658e

SHA1
de73009298dc3ad4f496739b890c2694c2a87c8f

SHA256
eb307ba48c2fee16c6c2d56515841469930ccb20e71494e136229f20469bc30e

SHA512
bce482975713f2f95592ad96bb4e162037b063dcd05d237c376b7eb60a6a91122e23d08b871078a9f0c6f6907a5da25a071bc62dba9466a3ca1c46d7a4c7b916

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwYAQIEE.bat
Filesize
4B

MD5
65d3e217447378633fd9cc7b461e4c2c

SHA1
c7f7a5729e7e0fe0e08d7755122169afb65a95d1

SHA256
df46a11547ab4e5aee8bbccf888fdd404a93ad224cb2c2eecb40295ee6bcee76

SHA512
204509cc19ae16dae9c21fbd654d2aad6ee43c23b0772956f2800ba3e805c30b2bb4f49a6b13c5a8b5db6c57f773908afb70d801a1645be9bb629e017817a739

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwkW.exe
Filesize
248KB

MD5
1b7e5c6876008a466c61e463d31cd07a

SHA1
c33de3324d08aadc228999cc201f695b3ee3ed2b

SHA256
0792ed90081aa67d7dd2b6e2b6b3d7a675935d4df6a0e3f96e7fc9ca246f6e99

SHA512
22496abd12c68e573e959a48397fb385e7d23a26b18bb5d6d09d343c97f7e8e65482a9412fa76454969fb633cbd32082b07e571961a7739e2192b3ade09bafb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEIAkcAA.bat
Filesize
4B

MD5
1d28f628e0628505693ac7c3c3981714

SHA1
f0cc619cdd88c931e6b287cbdcedf85978a2a292

SHA256
3613bb51042dfdc3f4e3953cb868f6c3f4daca1773b0c062e2f3577e66f08de9

SHA512
2e5c46b6e5631e93758e02ef056bb91e737c8409ef481050ede0a278c385d8b7184461538df71ff89526e17aa87e6d23966854dc5a209c83aff47f3d32167426

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUokUYcw.bat
Filesize
4B

MD5
8f69973d0326e9aa3a5953feef63738c

SHA1
6432bdf6d6dfbc6355afe321196dfcbba3cfcefc

SHA256
b528589d9ed047f4b28bace4caeaeb8f586168dbae5137e5176bc80807439945

SHA512
2a736eb43ed1dabe6bef64511e4e83f268327ec2e1ec8d9a6dad6668071715dbe99c8d829f0630795df6b70b2089f3380b4307561590474e58b08ed02cddecae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vagoQAwE.bat
Filesize
4B

MD5
ee75e9a9af0eeffa990eade04b826df4

SHA1
3e890748c68cc3ffaeb7f1458ca6aabc91cd9fef

SHA256
8f3306467424476be8f51e34c8e41aa27265ba73435b3a08ea2d75d9c17ac3cb

SHA512
485e11ca54016d492d3a0c10b282067a5b0c5e995a2731024453aff40a61ab7d89aa759588a038e6e4166ea53a722191c9a16d6eb528cc9451afd98c4535fede

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmIcoAMo.bat
Filesize
4B

MD5
9c57b4ef2c3041f6bdeb80e8143d05da

SHA1
ab2e5aefcffd38f73081fd72901b16f386770012

SHA256
b19535bd3cdedde9e8985ba499fbf8aa8af28506023be93c6ddb6796b05dce4f

SHA512
76dfeccdce0d273d1456b7258a7113a4fc5874f55b26b9d424da3e8a91fff27304caa4d99e85f1fea2a38d132050fbbae9c97c3a76996f21094f877957cfb410

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYcwcUE.bat
Filesize
4B

MD5
0222419fd6b04384c944303a70780908

SHA1
c9c7a547c5f83ce61a68e437912e6b09424be483

SHA256
5f8fb4408304ecb975fa29577dc0636a5454fb5cb62270741a709cd7bb590e92

SHA512
64c87237090c256aca72d55dc274ec1abea08069feff20201c0b432d3cb49df7e4c6fd66ba8371f28e477079decd0dced45a2b5821821f2986a341b358f83228

Download Submit
C:\Users\Admin\AppData\Local\Temp\wCkwAgQk.bat
Filesize
4B

MD5
c29afa522d6e8a791e08839f558b1e04

SHA1
edd1f788e8c2525aebec062567f9ec5bcbc55fd9

SHA256
7f12d1fba6d8b5ab9a912ad9f40921d19f8ed0076e36f36da7d66b0e5150bca3

SHA512
bbe83c016febb8af7927877cba4c65b95ad2247c90e6f3fea5ead4044dc5440fe842141e1686c7f65841e51b4f5e92ebfe39fa316ee70164b86dcd4f318eb4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEMK.exe
Filesize
511KB

MD5
64d4796dcd9d858f3144d1c47a50c84a

SHA1
883c28d4c376278e5c550ad0e91b10c57ff62b1c

SHA256
4b6b142a07050e093fe79b5f7ba14f9dde3ce9eaa0ce939eaef0ea19e4bc2464

SHA512
8989c83a2b94999333d3d036ffb396c67edd52f9c659292407ba4f9f3474181b2454e7b648a3fecf523dd2f81a637ab87379ff4e6c34c141bdcc3294aca1c056

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOEIIcwA.bat
Filesize
4B

MD5
1a6f759ce92904772b447c9631987c7c

SHA1
c3d5e10f80157d97d04cd4d4e4f43386e1ce2223

SHA256
643041b903b613e6816365b323a60cebe4ab280fa85f3fee3e701383e8c85843

SHA512
13e606897b91d135062c2a34ac2b54952302db432df140ab751705103810a159570a29187de574f883c0fc8708ef110b4a7f8ad3634184dede495cfa6c931bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\waQwEIAk.bat
Filesize
4B

MD5
aa7a7d825c26fe8de1661f43c06c68d5

SHA1
27095abb3ec5f868b29952772b824e65d0bc399e

SHA256
52428eb4daa07a926ec5b15761f4a8b5c6202546a95d3c6a0feafc6d2ed33be2

SHA512
fadabcd1b8916c21ef5862ab3da179f859185e2c71cd743ece35b7ef1f4195d24065d01daa3f7ea4a04db3f7f2e74da2c9d7fdc48207c8933ff9fa7969b25f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgoI.exe
Filesize
946KB

MD5
40e8309e63091f8047766d577263e295

SHA1
8fa52d94c3f2b71d0d9d4189f3188299f671e779

SHA256
cd0f3e7bbc4162eb6e19213e22431da6736cccdd30881a9a91196654856dfc2d

SHA512
f59ac9bb79c9df14ba6aa9aa15630819ec56274d566722c7e96730583eff3b8be0e466de4007cbda5f5f1b79ce8f3cc6f868f5843b1a81fa9b91fd0ffa9df351

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkUu.exe
Filesize
231KB

MD5
d4e9e4a33f3a4827dcd267fbbdbcd8ed

SHA1
8832a878f5962b3ca0ee53fb469cec337d3eb6c6

SHA256
5fc113186c24746c81ebbdc40afab42a9ff310a1fa6aaea6a87d2d0d922e377a

SHA512
fac4cca6b7b9e7a4d05b35a5a639480b1faaa77f25e1a1985c15ae6cdd4ef988309754a1d5ecc7fe743812754284d46d7b790f2f0a2854f756f13d97e52103f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\woIe.exe
Filesize
633KB

MD5
0135f56102cd54b6e1016366fd258d5a

SHA1
fa01d6ec867c1f58b816206d84bd760011d1c137

SHA256
e10fce53c103ad4e0dd9bb7dc2edd4033f6018d81cda489d5c39b7b72097cb65

SHA512
652e2de7c3d43b5c0336b96aad2dcf47ae2ccf6d93fde87204169a2e533a40bb7a40b897ecca9ff85e4d9ab367624dc7a57e3c9b7cba6ba2685c628b9423d738

Download Submit
C:\Users\Admin\AppData\Local\Temp\woks.exe
Filesize
228KB

MD5
9f7507588992f58273e01c4613844766

SHA1
dd34b6c40f844077a5487bb3f90fce5a0960ec5a

SHA256
223b2090301284b03839f3b66bb37c4692fb2a177e8f41310ba6e9e5f94a8802

SHA512
6a206670c8d483c8b45489c691984d72689d8d78a789ec33e32f60c67312f0f951044d46c134780151a347111017129e5b2ddb59126454e0b8dd3309ec2f3317

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQM.exe
Filesize
242KB

MD5
34af119bf0c165c76e4a8c34e46dafa3

SHA1
a0c5d425ccf040033d312533a54b50280518ff09

SHA256
0053d3a948922dc5f5fcbda06709362aa8e6a16db8d46cd3e27ab50d70873afd

SHA512
d5c819bedea5d16370a1fe273830465dc7bc2220bcb3314803fd0d8446a2eaea3bf6f60511ba6f34a425ae8496b025bdbe0fbf9d300d8a69e4a1e62f64fcedba

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwcY.exe
Filesize
235KB

MD5
e6ec60781a5bf4bdb086aab7e14c0c5f

SHA1
134d86aff7b3c5c11b1953c5b60f3a61377d0b36

SHA256
91a4ad5c129b760a836bc59b37dd07be647ac2eb6dee0d9c6987e810f8094222

SHA512
9ad09d8e41ef19bc2f31f3d8dec7847fbd38f137cbec4a63f0dcfc45c1b6f5681923a8a94496cdaf4fe58448c0db9b259b992b320d42910635bb7c92f879cf9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUwsgYoQ.bat
Filesize
4B

MD5
4ca201ee24c4b1ccde7e75c575e112b5

SHA1
9d8252e10d6586e4c68be0be5d784792b49a5f4e

SHA256
398c94d8ab515cb8806032df1791315792292af7aaab7389deded488baa7ea33

SHA512
7dc29a78c930b9fed6de02c6af0352cd008b9a606a35af1b5e485c4aaa950b07c97845cec00bb96e8316a6e8af645602a3c27d882d18635c7fcae8d16808f255

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWEIEMQc.bat
Filesize
4B

MD5
556174c7ed9b91444e03fd5825e78c96

SHA1
a35220607866877af8d63a2dbaed7662285bb893

SHA256
4d1f04e6957c059ce8fc8adef7a003ea71bc650c57b3a9e171146ba9cd5e23f1

SHA512
4909f6ad93f35faa9fe1de55807dd2eaf233b96b0f97c6efbf64d8153050762c171d14f9b1d178c56f91fcd8e282b6d265b9ec2e6e4d17a08b94de30da421cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcgAQkQI.bat
Filesize
4B

MD5
d8a5edec3027dc19e2055093cb406035

SHA1
78cd2f081e06879e1e55dd28e5e213e940572f14

SHA256
34b34e5a5460971f0e282308f3f4413e9dc0cc68fdea8e3239d0df44277763fb

SHA512
317e8d3d64e9fd0701d4727a0087bd29ad7905e66aee6b2b66c1885ca54424c7180e2aebb5fe73787c1de6538a6117c64b929fd7d4f94871468831dd8f18d1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkgkgYIE.bat
Filesize
4B

MD5
5e57fcde74b953cebe4ccd288922cb7d

SHA1
307ab49683e71d34c9a1573d48ecc000e2fc500e

SHA256
1c04a0bdaca54aa99fb766d62b1a44a52b0656c0090f61055b4f665469d0dfa8

SHA512
5d73476aa426d75a2abd3bb9972489bf85663cecfd69e62d85b14c481791ad19d9058b08dd9af11183b067aae5063fac96e756e0fcf3dbef8e2db0d8f770bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIMU.exe
Filesize
230KB

MD5
2e63f823db9cc2a36c3dc4f6f9f66dfa

SHA1
166771ae6081e851bc73a861e3a992b00775d959

SHA256
165809c2fc9c65f5337a3bd06d0d0db7e3b9cada7d4c4529b9ebc3e2485c6597

SHA512
25d8f2e0c26aac59314f7bc6a353cfec9bc306fee5b9bcdea673550b800a0717908ea9ae55b1e246a3877b46ede953517c2cd46933ca6620807f6002f8c1f2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMwM.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYsosIw.bat
Filesize
4B

MD5
66f23fd00cefafde18ea2ef50018691f

SHA1
608acc54c489d76ba7b02e0e6f08a78f7fb0b473

SHA256
c20e68a2767d7bf0b9de37c068f16b96feefee57030b33006fb85da5db637a79

SHA512
bf31c879a38f3af04fa0e9430b0fe3c57a07b1f23bf3dceaee45b7a456b74ff4727237b684f4ac213a22c5938c8207490883087be641545589f43270f7acb1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUcI.exe
Filesize
659KB

MD5
0425693f3a0e8a91920eeba562c96cac

SHA1
a899880934866718acc67b4aae3cd84f61f84cf3

SHA256
fec77ed6a0c2f83609dc7c7d064424f89a793aaf3a582c7d98e81a2ae5a516e9

SHA512
3dc8a2522b6ddff3d298d4de17393944ab81e52f01342b8a8698fcee30244e150361ba0590236f6ee15985f9e862cf5502cc0dc52b93bf17bc8fd5dc24e13187

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYIq.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYQG.exe
Filesize
483KB

MD5
a317b1347d48d7a998c704edcf44f0cf

SHA1
c0f23099283329d4fbd4d6ad3fcdc46bddd7b3c5

SHA256
8bc60d1742d32301cfa44f5a8c92a05e231029601ef505b777cd3acdb61bd060

SHA512
870eb9a205ad2705d70a99a4116f8540358619b611df52ba2403383d318d51e8883305f4a42f0d6ca97093bbb04c1fd7bafa7ca06b3e85da6b4bf105c03d5c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYQU.exe
Filesize
644KB

MD5
9aa76741d0e8598933f757d100777ecd

SHA1
711c27205a6cbbcd33e687ad26d161a2f29d45e4

SHA256
c5cf90f87e2ff3332b57fcf964b12c574436ea759222f8676acf093800057357

SHA512
886e6af355b5066323ac4a2db3aa72db179c04bbf7ace9199e313c66690bdec6b73a62327758dc6d630cff614d6eb94f43145a4a64c7c5845593b7922a488341

Download Submit
C:\Users\Admin\AppData\Local\Temp\yioEIkIM.bat
Filesize
4B

MD5
3ac94147f36d1db924e8fe029ed30508

SHA1
9e91b28ed48d4fcf3c4b92c6f49bbd5c46ed7fb4

SHA256
4100873e11254f4624938c66078db739002da8665f0999df7eb37dbcf2034ce8

SHA512
15c436f4e50e8e9bec46f565e25b0dcf45c8f1ec1f52b77e6aca658218c06c7a737ce166d264ea5d9c24824fdd25054797de504fb6049a975d07fa3f86b93c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykkc.exe
Filesize
243KB

MD5
899af1b3555592cbe9b1a188bd4d3a21

SHA1
986e31d10e02ad26ccfe271e8d1adfc57aa77726

SHA256
9dcde8eeaa6a1bf41d2f26f256e20449cc27af11a9917f086133b54b6bf93fa4

SHA512
3ca314b5c016fdd62b038cb67a8c0e3581f74c26b23c32a132bc5a8de5d8947e8bdd9762234f3808b5cfedc03c02e88c0039aa2d6845c29cceef44741a7ec759

Download Submit
C:\Users\Admin\AppData\Local\Temp\yowkoUMo.bat
Filesize
4B

MD5
88721d2df1b4140c5ca2a9ad3651bd19

SHA1
a39f69cc5b196ec1efa1746a3a5cc78eb02abaf0

SHA256
a01fd3faa90c8ef8a9cec3dcea826ecedf2a344741795428a356cfab1187a2cf

SHA512
1cf357307c4b5231eafaceed9389c43f3763146d384873a94e1baa833ed986a45fdfcc3bf5866759be5f8edd8e481c61607eeda3bc8cae5afe133f73f8580007

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgAggkow.bat
Filesize
4B

MD5
f03ef494bc4ba7918c116a9fee149361

SHA1
fe7708ca9c873dc7fdf6eede9c432c47b6f15336

SHA256
9bd06eea4b69e687382c3598ba058278cb54d0f3aebb943fe60ecca271fca40a

SHA512
a8780eee9b9ed156c16700a112252636eb9dd54587dfbf6628170a0772077cb08dff7a46edde221375d5b204e536dab3caac661f79233e93c2f182a35f1ace7c

Download Submit
C:\Users\Admin\Downloads\SuspendRestore.pdf.exe
Filesize
459KB

MD5
abd21f76a04c52e9f167522dca98220a

SHA1
807872daf945692c19f910d8c7e4581a059dbbfc

SHA256
2105d4810390a0384c0adc827f01aa359e66719c5036d62dbeca9d5c6a69e533

SHA512
5eaacf9118ae6aebc2eab995d8c30247bc1f7f77a455a780b06a932e9bb424876943fefd9b53df6fe227d95978ab42a044ccb2ea69bf6979ff2849fa1f8fedc4

Download Submit
C:\Users\Admin\zigcUYoU\niIsMQkM.exe
Filesize
201KB

MD5
b495201dc87bb14bbc80b68c164e3db1

SHA1
cd18b9b68b7a4824f798f7b4283795b6f7fcace2

SHA256
b5f0f35f90b3fdbc7e18b3f1401941e6cb3c8076d2a0d207b2b9df951d37332f

SHA512
679074a09366dd40494358f79ae492e190584bacec3f0cf44606ba70861bcee086470affe5b61402fe95b710920cbe310a9f2495c42b5fcc3ffbc8b8fcee4d01

Download Submit
C:\Users\Admin\zigcUYoU\niIsMQkM.inf
Filesize
4B

MD5
902e46958d502e91058e60909a356812

SHA1
f6869adfa4126bd123fc8b95889c25ca9b06adc8

SHA256
f7df5843489fc18c6b389456ec4fa6605a2d81afcdbb1903fb3f8b80b512f8b8

SHA512
3f83ba03c888bbda7575f3a95bc4dccc7610e942ffd44d3a55c7d12b62692f3fb88c0f367f5b8919c1b08672401024e0d4f15d4f736df19eb7a375b1a7aa6613

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe
Filesize
1.0MB

MD5
84469b786e52fc9af07ff899d54c99b5

SHA1
9490c93060bdb4fc19811168ef51601dc85fa52f

SHA256
9e8a8d54760f4b5e3f58824ac6c041748cc0e40ad0de831b79570bde7a5e1ee5

SHA512
af07f26d4565227e1a8266bf53e3f5a7aa18365dc7cd7c04c6c95695e75d0cf717d58ca023c867be7a073ceadd02b3c1c4d0b935fd9256d9a583e9c62736f175

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe
Filesize
941KB

MD5
c98d0aaef5d14cb359437ba0f62b6593

SHA1
18f37ae9ef118d6a172e97d40b77d4d0cba05f27

SHA256
f63863b7fd8199ec46c6831fa187d766e221a7ae056e36f2065364b9ef84ff8a

SHA512
296b1332a3458c546e233a698d93d419353b8c323f9742461db11d52967541f8f089314319302c17a22e4a3ff88d3c42691a1f2b9f99f59e15e4dabf704d591c

Download Submit
\ProgramData\QqIUsYcs\iucgowcM.exe
Filesize
191KB

MD5
226e4d0e798661fb3ef3c9c4730a304a

SHA1
2796f13f4cf207b18160bcfe5c0b6b7f254d8c72

SHA256
4c91ffe972b79cb007ff06f46e145cc96705b0adbd70617455a4c2208ff563f6

SHA512
a250aa26b6016caf83e281020e070a9a437896369aee79bb9cef17701ae31ef17e68459923513cf3321b8e9c71088e3f70c0908ddce270b8de22eeed13f4a99d

Download Submit
memory/560-308-0x00000000001A0000-0x00000000001D2000-memory.dmp

Filesize
200KB

Download
memory/564-231-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-229-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/920-286-0x0000000000300000-0x0000000000332000-memory.dmp

Filesize
200KB

Download
memory/920-285-0x0000000000300000-0x0000000000332000-memory.dmp

Filesize
200KB

Download
memory/992-118-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/992-141-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1140-405-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/1156-431-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1156-408-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1280-452-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1280-423-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1284-668-0x0000000001F50000-0x0000000001F82000-memory.dmp

Filesize
200KB

Download
memory/1304-156-0x0000000000380000-0x00000000003B2000-memory.dmp

Filesize
200KB

Download
memory/1304-157-0x0000000000380000-0x00000000003B2000-memory.dmp

Filesize
200KB

Download
memory/1376-596-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1376-556-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1492-635-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1492-607-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1576-284-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1576-253-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1620-376-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/1620-377-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/1640-90-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1640-68-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-500-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/1652-499-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/1668-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-67-0x0000000001F60000-0x0000000001F92000-memory.dmp

Filesize
200KB

Download
memory/1708-66-0x0000000001F60000-0x0000000001F92000-memory.dmp

Filesize
200KB

Download
memory/1752-379-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1760-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1760-17-0x00000000004A0000-0x00000000004D1000-memory.dmp

Filesize
196KB

Download
memory/1760-12-0x00000000004A0000-0x00000000004D4000-memory.dmp

Filesize
208KB

Download
memory/1760-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1760-13-0x00000000004A0000-0x00000000004D4000-memory.dmp

Filesize
208KB

Download
memory/1816-670-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1820-650-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/1828-678-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1936-238-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1936-215-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1936-520-0x00000000001E0000-0x0000000000212000-memory.dmp

Filesize
200KB

Download
memory/1964-468-0x00000000003B0000-0x00000000003E2000-memory.dmp

Filesize
200KB

Download
memory/1988-498-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2024-261-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2060-541-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2060-577-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2076-501-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2076-519-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2084-133-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/2104-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2104-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2152-616-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2156-380-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2156-403-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2164-554-0x0000000001F20000-0x0000000001F52000-memory.dmp

Filesize
200KB

Download
memory/2188-587-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2228-307-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2228-287-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2244-422-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/2244-421-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/2248-188-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2248-158-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2272-114-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/2272-116-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/2276-33-0x00000000001B0000-0x00000000001E2000-memory.dmp

Filesize
200KB

Download
memory/2276-34-0x00000000001B0000-0x00000000001E2000-memory.dmp

Filesize
200KB

Download
memory/2300-93-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2300-117-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2428-180-0x00000000001B0000-0x00000000001E2000-memory.dmp

Filesize
200KB

Download
memory/2428-189-0x00000000001B0000-0x00000000001E2000-memory.dmp

Filesize
200KB

Download
memory/2484-213-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2484-190-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2496-606-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/2592-638-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2592-658-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2628-521-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2628-539-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-91-0x0000000000110000-0x0000000000142000-memory.dmp

Filesize
200KB

Download
memory/2636-92-0x0000000000110000-0x0000000000142000-memory.dmp

Filesize
200KB

Download
memory/2700-31-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2708-478-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2708-454-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2764-453-0x0000000000280000-0x00000000002B2000-memory.dmp

Filesize
200KB

Download
memory/2824-214-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2872-540-0x0000000000510000-0x0000000000542000-memory.dmp

Filesize
200KB

Download
memory/2896-142-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2896-166-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2944-356-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2944-333-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2980-1122-0x0000000077890000-0x000000007798A000-memory.dmp

Filesize
1000KB

Download
memory/2980-2077-0x0000000077890000-0x000000007798A000-memory.dmp

Filesize
1000KB

Download
memory/2980-2076-0x0000000077770000-0x000000007788F000-memory.dmp

Filesize
1.1MB

Download
memory/2980-1121-0x0000000077770000-0x000000007788F000-memory.dmp

Filesize
1.1MB

Download
memory/2980-3912-0x0000000077770000-0x000000007788F000-memory.dmp

Filesize
1.1MB

Download
memory/2980-3913-0x0000000077890000-0x000000007798A000-memory.dmp

Filesize
1000KB

Download
memory/3020-332-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3044-637-0x0000000001F20000-0x0000000001F52000-memory.dmp

Filesize
200KB

Download
memory/3044-636-0x0000000001F20000-0x0000000001F52000-memory.dmp

Filesize
200KB

Download
memory/3052-330-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/3052-331-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/3064-252-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download