edfe85d5aaf502eeacb3c35968db2684a53c50acdd54a4e7f545778e772e2895

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
Size

942KB
MD5

40a0f08f8ceb929f709507c4f8e5de6e
SHA1

7385b0b3989f5acd097f274818eabbe9fd2a96ad
SHA256

edfe85d5aaf502eeacb3c35968db2684a53c50acdd54a4e7f545778e772e2895
SHA512

fc4f77d3d58519791f7a5e1fc814fc8c68d0e9a38d8cacbddd076fb1097ab77f5b1f87e122b757289611bc1d67c2c37007ae68ec1c32b5588c090f6111591ab9
SSDEEP

24576:V6roiwLpXxrJIfZar0jZPrFfOSl8QU/W:c6xxuRaAFPrcnQ

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 58 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 58 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (53) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LQYMUoEo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	LQYMUoEo.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2524 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

LQYMUoEo.exelgksswIw.exe

pid process

2792 LQYMUoEo.exe
2608 lgksswIw.exe

pid	process
2524	cmd.exe

Loads dropped DLL 20 IoCs

Processes:

2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exeLQYMUoEo.exe

pid	process
2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lgksswIw.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exeLQYMUoEo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lgksswIw.exe = "C:\\ProgramData\\vekkgQIk\\lgksswIw.exe"	lgksswIw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQYMUoEo.exe = "C:\\Users\\Admin\\WgwYocUA\\LQYMUoEo.exe"	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lgksswIw.exe = "C:\\ProgramData\\vekkgQIk\\lgksswIw.exe"	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQYMUoEo.exe = "C:\\Users\\Admin\\WgwYocUA\\LQYMUoEo.exe"	LQYMUoEo.exe

Drops file in Windows directory 1 IoCs

Processes:

LQYMUoEo.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico LQYMUoEo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	LQYMUoEo.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1604	reg.exe
1048	reg.exe
2116	reg.exe
2832	reg.exe
1888	reg.exe
1272	reg.exe
2464	reg.exe
2504	reg.exe
2412	reg.exe
2252	reg.exe
2008	reg.exe
1572	reg.exe
748	reg.exe
2392	reg.exe
1984	reg.exe
2536	reg.exe
2028	reg.exe
2036	reg.exe
2432	reg.exe
1956	reg.exe
1156	reg.exe
1948	reg.exe
2400	reg.exe
236	reg.exe
2084	reg.exe
828	reg.exe
2472	reg.exe
2804	reg.exe
3004	reg.exe
1528	reg.exe
2140	reg.exe
296	reg.exe
2560	reg.exe
2216	reg.exe
2020	reg.exe
2936	reg.exe
800	reg.exe
2664	reg.exe
984	reg.exe
1896	reg.exe
1984	reg.exe
2444	reg.exe
2632	reg.exe
2624	reg.exe
2676	reg.exe
1600	reg.exe
2308	reg.exe
2780	reg.exe
2208	reg.exe
1700	reg.exe
596	reg.exe
1280	reg.exe
796	reg.exe
1420	reg.exe
2024	reg.exe
2896	reg.exe
2004	reg.exe
2936	reg.exe
2716	reg.exe
1640	reg.exe
1888	reg.exe
1212	reg.exe
2400	reg.exe
2656	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe

pid	process
2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
828	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
828	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2560	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2560	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1784	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1784	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1464	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1464	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2492	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2492	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1212	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1212	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2020	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2020	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
900	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
900	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
736	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
736	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2852	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2852	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2972	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2972	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2492	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2492	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1196	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1196	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
940	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
940	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1564	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1564	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2996	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2996	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2308	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2308	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2816	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2816	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2264	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2264	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2340	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2340	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3036	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3036	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1740	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1740	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2228	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2228	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3020	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
3020	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2888	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2888	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
560	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
560	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2340	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2340	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2344	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
2344	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1696	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
1696	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LQYMUoEo.exe

pid process

2792 LQYMUoEo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

LQYMUoEo.exe

pid	process
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe
2792	LQYMUoEo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.execmd.exe2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2392 wrote to memory of 2792	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	LQYMUoEo.exe
PID 2392 wrote to memory of 2792	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	LQYMUoEo.exe
PID 2392 wrote to memory of 2792	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	LQYMUoEo.exe
PID 2392 wrote to memory of 2792	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	LQYMUoEo.exe
PID 2392 wrote to memory of 2608	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	lgksswIw.exe
PID 2392 wrote to memory of 2608	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	lgksswIw.exe
PID 2392 wrote to memory of 2608	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	lgksswIw.exe
PID 2392 wrote to memory of 2608	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	lgksswIw.exe
PID 2392 wrote to memory of 2592	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2392 wrote to memory of 2592	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2392 wrote to memory of 2592	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2392 wrote to memory of 2592	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2592 wrote to memory of 2728	2592	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 2592 wrote to memory of 2728	2592	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 2592 wrote to memory of 2728	2592	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 2592 wrote to memory of 2728	2592	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 2728 wrote to memory of 2380	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2728 wrote to memory of 2380	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2728 wrote to memory of 2380	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2728 wrote to memory of 2380	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2392 wrote to memory of 2472	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2472	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2472	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2472	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2464	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2464	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2464	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2464	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2460	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2460	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2460	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2460	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2392 wrote to memory of 2516	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2392 wrote to memory of 2516	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2392 wrote to memory of 2516	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2392 wrote to memory of 2516	2392	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2380 wrote to memory of 828	2380	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 2380 wrote to memory of 828	2380	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 2380 wrote to memory of 828	2380	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 2380 wrote to memory of 828	2380	cmd.exe	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
PID 2728 wrote to memory of 2440	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2440	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2440	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2440	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2524	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2524	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2524	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2524	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2680	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2680	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2680	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2680	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	reg.exe
PID 2728 wrote to memory of 2264	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2728 wrote to memory of 2264	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2728 wrote to memory of 2264	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2728 wrote to memory of 2264	2728	2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe	cmd.exe
PID 2516 wrote to memory of 2640	2516	cmd.exe	cscript.exe
PID 2516 wrote to memory of 2640	2516	cmd.exe	cscript.exe
PID 2516 wrote to memory of 2640	2516	cmd.exe	cscript.exe
PID 2516 wrote to memory of 2640	2516	cmd.exe	cscript.exe
PID 2264 wrote to memory of 1624	2264	cmd.exe	cscript.exe
PID 2264 wrote to memory of 1624	2264	cmd.exe	cscript.exe
PID 2264 wrote to memory of 1624	2264	cmd.exe	cscript.exe
PID 2264 wrote to memory of 1624	2264	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\WgwYocUA\LQYMUoEo.exe
"C:\Users\Admin\WgwYocUA\LQYMUoEo.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2792

C:\ProgramData\vekkgQIk\lgksswIw.exe
"C:\ProgramData\vekkgQIk\lgksswIw.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
6⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
8⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
10⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:392

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
12⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
14⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
16⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
18⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
20⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
22⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
24⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
26⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
28⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
30⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
32⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
34⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
36⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
38⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2308

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
40⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
42⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
44⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
46⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
48⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
50⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
52⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
54⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
56⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
58⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
60⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
62⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
64⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
65⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
66⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
67⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
68⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
69⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
70⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
71⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
72⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
73⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
74⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
75⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
76⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
77⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
78⤵
PID:596

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
79⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
80⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
81⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
82⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
83⤵
PID:480

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
84⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
85⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
86⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
87⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
88⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
89⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
90⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
91⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
92⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
93⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
94⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
95⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
96⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
97⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
98⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
99⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
100⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
101⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
102⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
103⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
104⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
105⤵
PID:980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
106⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
107⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
108⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
109⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
110⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
111⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
112⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
113⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
114⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
115⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock"
116⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
- Modifies registry key
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\umgYcsgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
116⤵
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
- Modifies registry key
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AkAkEsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
114⤵
- Deletes itself
PID:2524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
- Modifies registry key
PID:2560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAMgYEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
112⤵
PID:2736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\veckQwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
110⤵
PID:1004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGoIEwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
108⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
- Modifies registry key
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWskgAQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
106⤵
PID:300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
- Modifies registry key
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCMIQcYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
104⤵
PID:2392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByEQAkgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
102⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
- Modifies registry key
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUokAsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
100⤵
PID:1888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:444

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ckgQQsIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
98⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\awEQQkcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
96⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIoUUkko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
94⤵
PID:1196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jWcQMIsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
92⤵
PID:2964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
- Modifies registry key
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\huQMUUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
90⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqocYssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
88⤵
PID:2808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgkYQwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
86⤵
PID:1096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqwAcYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
84⤵
PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
- Modifies registry key
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIsosMAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
82⤵
PID:3004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
- Modifies registry key
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KaQIsMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
80⤵
PID:528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\omskwokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
78⤵
PID:2744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
- Modifies registry key
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ASwEswgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
76⤵
PID:2364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:392

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCMkMEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
74⤵
PID:796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
- Modifies registry key
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PcYkkUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
72⤵
PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
- Modifies registry key
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIkUUkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
70⤵
PID:2452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUMEcAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
68⤵
PID:2752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMgskooc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
66⤵
PID:2172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\asQwQYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
64⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
- Modifies registry key
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgwMkQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
62⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:288

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qMgAQscE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
60⤵
PID:1444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOEgMcwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
58⤵
PID:308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
- Modifies registry key
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DaYskwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
56⤵
PID:1788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rkUMgYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
54⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vAsEYgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
52⤵
PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
- Modifies registry key
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOoIoQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
50⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Eegcksok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
48⤵
PID:1724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKoUowkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
46⤵
PID:3012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WKokggks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
44⤵
PID:832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JogkYsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
42⤵
PID:2524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ncoAEEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
40⤵
PID:488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyYMccwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
38⤵
PID:2728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgoEkswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
36⤵
PID:2064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymUIkMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
34⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
- Modifies registry key
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MiMYQMAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
32⤵
PID:2432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IssUQokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
30⤵
PID:2844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tusMEcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
28⤵
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMMAEMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
26⤵
PID:2900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
- Modifies registry key
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pOAIEEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
24⤵
PID:1664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BSIQksgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
22⤵
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sycwMwUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
20⤵
PID:892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WokMggAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
18⤵
PID:2404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KmEooQsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
16⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OEcgwkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
14⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgUUowYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
12⤵
PID:1900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JSgcYUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
10⤵
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fawkAkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
8⤵
PID:2372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSgIcMEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
6⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMUIoIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkQUMckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-60000012-17643629621025314590-4824706291215877597-20824514261749337018-704168709"
1⤵
PID:308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-689316747615347470-187617608-1614591975815857396-489783973929588308403194238"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1498131035-2037684426-1441463963415277571436354347753242731-958598925-2089954538"
1⤵
PID:2208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-819462754-926072816-83353388453697887112893482-366373867752517733-954751388"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1555677597-1323196409902074987995346122-935820246-337162334118164585-2088630079"
1⤵
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13752285961598389866624998377-13957531941689775756-1583330317155099989-1937216680"
1⤵
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9903105671950464777-19846443771515083037882250960272591940-638025289225928641"
1⤵
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1556396386-1534385366998924371-1333950772-1378229761178429251487654962581084"
1⤵
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
324KB

MD5
88279334f3d0b96fa200139fa1819361

SHA1
f870e53f57043a52535e013c349235ccbedfacf0

SHA256
d0a37ea08658dcef0d62a4c59fc0c6c21895e169e222de1b6716040eda60cfd8

SHA512
57e0a68fd2fcb6588b714b29f6fe2879996a7099ab23401b9fb5291728af1ca4a5133276f5c6d6cee496a6cb568728175c9afbba37608c7e48cd5314d28de7dd

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
248KB

MD5
29535e50b19a40afdb7ce1c2bc6a1eb0

SHA1
1715ebc52b51f2ee36bedb041c1494f8888b4474

SHA256
0ed609d5beec4c718e61ed672c43e86a205bd7ad184b07b0b19764a5a5681f8f

SHA512
da872f1c701c745aaeac5ca3616bf73829910da2587b7b7222300f968faf23fd6a2bd767af291ab318ae9fd8accbe953c96d40c3a4f6a2285dfdf24c3654ff6d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
224KB

MD5
4c336efa49939aaff3be4e57264b8c45

SHA1
b51aad1708c94dbe772f2cc5666524cd2d5f2302

SHA256
765bbd9bcb56d6025058e3a9768291c1d463dc501e4136cd61946b64161e9f1d

SHA512
8105ba76f5c104278ff1712b02ea0933d2ad1359a6c955670ad0df41adbc9b6eaed0c961e3d4cdb8612bf949442615511216bac9568683f47904c0bce530e0db

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
227KB

MD5
682236bda38e10ae3115b1c1cb7705d6

SHA1
8e4bb5c5cb61d671d86fb147fdf77857d0fa081f

SHA256
254c228fbeef02e32f65d1b51b95c0c756a76eab3cb51da880e2fd7d1bd48735

SHA512
c09fa878a141730c71a0f5e39afe45da8de6a9899e95f896227d73933bad8f1605eb3d308b5bf946a047ccd828939dbf38a0ea145261644e38671925f8204b9c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
306KB

MD5
aa2133ef75ebe0859a27d2ddf6101f30

SHA1
29a6ed0e8e8c17193693a7a31d800d9218cfada9

SHA256
6370e36ab20516d1f6c20635092555145b3a0e30c7212b85c400ab6024870d68

SHA512
37eb35677c7e878f95c26ddc64d34e7f27dfaec8b5d134fcd3fedce0b7e26a17dbd3b750d4c45c7e51fcc09193a903ac43abc9c8ebf8025e1e65598f983db258

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
221KB

MD5
15c1e983e35d55bec6ba926b1281be0f

SHA1
060cdd7e623fd981ade3a3de71d4403b5c293f7f

SHA256
0a79e7da933f62cb656a6d4a5eeb9c1ec6d59d93838c6a13f27784a73c6a2ad1

SHA512
162b582482026bacf3d5636de6f9726f0b35e99d83b2641e07c8374d1c6da1fb961273d07fcdbfa2cecfb325545dd558fa5bbb6e0a54690ac373001b10a4cc29

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe
Filesize
246KB

MD5
fb35a62939fd50ec4e53d1d3d24c47ff

SHA1
16d21f39f6d03c99e7a03fd316e9678e9c87bfdb

SHA256
e6d0f9ee0782e4169da09fa71d6420e42ba0a763741aa5411683c36abbefffd1

SHA512
17b0d479db926c84316c791fd0fe4196bd8c3f6e4eeb984a44316e971685367d5ca39a20693e7430570aa3fa8e479a9692233a9150a34110ee82e3d66a178905

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe
Filesize
251KB

MD5
d04535d21854e62357d540345c830396

SHA1
a1d2b8757dab9dac5c8863966ad3ff34974806d0

SHA256
f9fe84264c10f9b048bf5cb158dfc85d27886898318185930872d5fdd92002ff

SHA512
8fdb17c6987b305a921446d04c18878e38c783f2d16d3f015f3fca40dfa60ceb0eba1c202ce26bf8ec7fdcb50893c63742ed6af656ef98157489ebeb890ae266

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe
Filesize
236KB

MD5
86fdc021669f8104f05e28d48dcd8b22

SHA1
6a13895e274449b777aadce06063f63c17765b09

SHA256
919f339bbd09e6107b23cbf44aad67c1a69a217296971fba9ddcf6f24ff11453

SHA512
12507654d4015074c68cd56b7fccf464c6e35b0db7f6589c3e19b197595df492c0f4b491cca9dd8e4ed45ca6ca93ede7037e677ec0b0a83df543bde738f06696

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe
Filesize
247KB

MD5
a4a89292cae1c69858db1ef8f6f96c8f

SHA1
0de837e53e2827413b63cf3df708a7158c892b67

SHA256
5c05cd6f96feb222b5d6d85ba53bc595fec78bbed8e36e536274eff23425fa7d

SHA512
7424e22f0c705e6964b84de151f93640a87df45b9ea1b4c391251c1beb4cf9b45e989e595f0741c3963975797413d6976ef1ff772e7d37e084513bdf28154f15

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe
Filesize
241KB

MD5
9db2a729451d79368820c15dbe681f66

SHA1
c86952368b7df75a73e7688435e5c78b8dd28bf3

SHA256
e8d7ffd48bfd8823bf67ed393c196ce5ff6b51a475d92cca5e3b5c2838ed82be

SHA512
858bb1c036648bd8067ac320213097042976c951d4f4fb27b90c066412aeae702f461ece4a623743b555b55323e1165f0e7ff298d5b6043f73de5638089251ec

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe
Filesize
231KB

MD5
b313304ca864136cabea8079256be42b

SHA1
26cf87c50d94378e887e30289c8b280043ec8663

SHA256
e731fc12d8b53c4f4a31d6f7aa7e34223700ec3dbe054b546790faa1d2aa3d39

SHA512
33ace414800a3ce3c0a867fb8c007a9c46363a6f4b0e262d4fd6034900eb715fd77b9e227e14f6e77453882aeff87f1c34553d7cd963ca16e0e92b009be1ff7c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe
Filesize
247KB

MD5
f1e75b7543e2dbded5816785e00ef4c9

SHA1
0b16cffb08d87a43ef6370bb510aa8d8c29737c2

SHA256
6dc92427253c1dc6d86b0a04f392a249abed229453751b1e1f94f30c894ab9ea

SHA512
57cecafb84e91f7c5e55826f099d3ff04d3f3bf72d5fcfa6b4f79102c0d1b95ca2b02c7b1b7a1e8812eda0f436d928a8b75091bc65022091cf5e8eb7387bfbd0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe
Filesize
227KB

MD5
721662d83f1c2e3f70b3a652dbfe96ef

SHA1
cec96d4d2d374ab64247b6ff4002fa22247e298b

SHA256
5da67172dee7d6035b2d6fba394f0d8a41cbc74440144b04bfde484a9d6cf276

SHA512
d5eb80c166ed275c769fe0055f1346183186e57903936418906affba028e4ef8d7a3e051f8a785b89b9988fcbd64ed1e9000b170273ea2fb7319bb17affab8a0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe
Filesize
230KB

MD5
e25625b58b4b47fdc659e88fa4b02250

SHA1
6f5f6e3f76a5719394a3e3ac841bd213c5975ca4

SHA256
f35dba731472037a2470bcb05de0ca4a68bb9a0a50df839f8457fec6d265bfb8

SHA512
fdbe2f59ed21643f0862b0dc88d78f7ed1f6710e9dbc394877a3d103618608af8b513d2e9ebf28539a8c050e28501c7d56f8699849e07b12c15a94a87db70d4a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe
Filesize
236KB

MD5
cf5efc676d6c155c78ec0c9b473f9112

SHA1
f51f9795efbef3dcfe23b46c468f56eb45721ca4

SHA256
7029e62dbc4ff6cb5dd12e79d8588be392bc979b0cd3108f644c6d5fdf4c14b8

SHA512
25488d147e9bc1ba745f9c526ae49815a1f667cb5b29ea5225f31f80057743dd0a939e7b9392b8294c03ffe629fb941a635b4cda73adcacc4640a8ae3f3a5a6b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe
Filesize
249KB

MD5
a71af9440b9881f30894d11eb367f5a7

SHA1
16abe9bdcb0539e7389b0fe846dbe8da4b466499

SHA256
24ff1fec2284126cf1ba7f90a58e5b3fc91d4d5f84b9c30ef2f9670c12cf9192

SHA512
e46068bec9807129ada0bbf690468db45b37550a5bb3ac3644b7a4e27e484211259d14bd343a0c3e72371de385aff33bfdeb36facb4c70db8a0d1e3c6d09fa88

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe
Filesize
251KB

MD5
b5ba1d959c70368d88c35bec3ffbc0db

SHA1
fe1d9eb14f1a49b5817b02bdd7ae61a7404ba6bd

SHA256
bbe07e7ae3069257d9c1fba8e8b09f7a5afa98bcae3e3fb312f79e7c6c19b55d

SHA512
44edf6b21bc056d934c2a5f2a82bc7441639b0d1df1499a526162466d8822f74211bc8ad5d8b15e6c83cc6c2508be90677f4a00236eedc23a6d7589e20412b4b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe
Filesize
228KB

MD5
30b632f7b654f0d84493aa07e429cd32

SHA1
83bdc4ab45cbd3d00ba83d4273dc332f9b5e1ff0

SHA256
51db1ba7501ad496598b0a4d20233446bc12ef40ccd938618118dd6c30e489e9

SHA512
556b723a177c3e0b83d3e27a31441fb7bb19ec88a5de476323d62adc12a1c6dafbae2e009628dc90363e3d3170d272d67439412b94f881320452fea751536ed3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe
Filesize
235KB

MD5
4f5b94f5cff20542eeecb502ed4790d8

SHA1
d01ab2cccde82eab3978761c2933431ea07cbe7d

SHA256
c836d0bf82429882d33065ff91aef3acb560ec9758e6ed241c66e947f0620597

SHA512
eb53b0aa3d28ff2385629690f37c700b596ab43b5b58fe6a7a59a0d878e2578b84eecfbdbba0dd87c1c818bd36187aef6c52ed5302574f1570d61d744ef754dd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe
Filesize
239KB

MD5
1c5919d66f4141915b3b1d80e17da7e5

SHA1
adbf26cd5eac05eafdaf8f60f591ff5c4458b27a

SHA256
7cb6910b2c2dd6b9df40b834270ff212f10f3e918b49924e710e0925c266e74e

SHA512
3ac19d48e7232b97c6df729553176761336164070da78e393d0a1b3e03fbc8c2964123763e0cd824dfbae094e4f37b6e899e05b7025ebf06b6c5cf577f27a809

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe
Filesize
252KB

MD5
89640d4d2295f96ea5769474fbb25901

SHA1
8d0c48f5ce0f4e141f18fc3e41a0c1bde51a24d9

SHA256
78fd5b8498e5d0c8f267d52cd9659e581b1c812d434fc91d568974e81e0cf7d8

SHA512
887719b63a5ea956d5dce94a59d1864375e12956dc372ca84354db8180db4ef6df550d769605542935ed54e9ae548a8e241cd116c0316b4d42069a0bc8a647b3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe
Filesize
235KB

MD5
83ae25807c1ecc1ae28e7b05d42bd785

SHA1
bbd934e5e99d28dcc79d274f193367ac284eae2a

SHA256
fbc7c9ca15f1a3b68683babfb5d9f5734a940b04716811f3f868790366d12b1f

SHA512
bca9e6325bbe9e923a08d3b94d413a04c257a9f182f149065a04fefd2ed4685e39c4e8bdf263f34897666555bdc80fbbec6bba678053743a725faf0214da3079

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
Filesize
235KB

MD5
fdc1c0559cf61c8097739c8348fd9060

SHA1
3a0f1d3455e05116ffd2f91f3b593a939e2f3916

SHA256
da9f3bea3ffdf02946b41544425c517dec4828f4c2ff5b37256d1535455af35a

SHA512
58ec1792f7cefb2d0a4ec239fe62baf490b8f481915778856dd7079557e888fba3d9c1b52ecf471bc010d6d6b53932c5369b4c942a957c070385605fde2f57da

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe
Filesize
245KB

MD5
e8000e3b9416a66ab29ff4ed744d0537

SHA1
2d82b65f822bd7e0235bf9f354313afd1801c528

SHA256
9d91ad760be089ec93445b8eb3c444d692ee775b462b1b6d2fa27c5ca261cd56

SHA512
34f4dbfba7d13c226d27f8ef337082f1e00de6947507ca3b5c59317e2f373f54d9f08e868c830fdd8218572d5c0afb192da469c034d09ea4f60472cf277f2305

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe
Filesize
232KB

MD5
c7f42c52c1f56069dead7328b51acaa0

SHA1
888856e22dd4ecaffcadd7ab2e92d40da21918ff

SHA256
8b6d6f4675b49e9e1de8f5ac77ba34f09c4a7bfc352bc35ecae691327327bb90

SHA512
a1f3d596796f3630c554ea3c7c30e57f6225f17287b5fc67c61e724a4244095453f496f4e4c93588d204bb6b9a777b3b949fc9b33e51a55d869e03d5f2474587

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe
Filesize
249KB

MD5
d3805c5eea5a5c33fd02f76210e044ba

SHA1
f4a47605ca1f0e0f4bd57b3cd945b4ea80827077

SHA256
e2a3522e1f268b57921f132830a5eaec2b5a14864db9fcbed547da2d0168ba12

SHA512
83ee3dc51e6b422a9eea52e8d7b7497ae1f4eb0fb5e0699ab1f56bc2cb06793759ed0e1572569853f786400dc1d0e2a20ab1cc06764b2583d2f7529fcb9eccec

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
Filesize
238KB

MD5
61b423d3560e7987cd853967045e13f5

SHA1
2d09097dbefc10046287a7ee8c93f4569127f745

SHA256
49f65fbcf15fd6f88fc7e16e2f57cc3d3969d013e4b0f53467f45048c625de3e

SHA512
e4f304dcaca1deabe44612fc9f8e6083043552264b03ac731d20affa710aebaa5d026bce1c14934a66d1f41bfde4c8fbf35710e2c27b70521b64e3e1c6ae7608

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe
Filesize
235KB

MD5
ad29b545a4291682c50f946693670013

SHA1
1a1509933c763d1104f143585d56f54fc8ba698d

SHA256
9c5f203594209835b36b6d1502b4c2f3e541d1bcb1d430f2d964ff2594515c75

SHA512
0aa6f614afe87f244796b0726db0abc94d28d94bf31dcaf2f0cfbbaab44291abe2e57f608aaa41a11cb1fde1276f76f5837038e2e1e0d2e50202442df496c21d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe
Filesize
234KB

MD5
4605b0eda4b66055c81bb5b1666a3eca

SHA1
6ba447d97b370ac0036c00147d77808a4d815505

SHA256
aef4a6420081167fdb54cb749283f7fa24127b33c53109228314c1d138c69fc3

SHA512
dba4d4eafdede49c6f05866bb6e90a1d46dfa4ef8aaf06e827fde1c2d61818ddccc2f3b040adbfdfd5c0654227ee2af5f312f7fcd22772fc70beed3607733b4a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe
Filesize
236KB

MD5
411ce7cd47ea57cbba1ad1bdd50dd94e

SHA1
c51cd50346894a755efd0cfc40b8fc93601c62fc

SHA256
4761c79e08fac1c456a38857d04d68a85c628686264a7de857c945726e167890

SHA512
8bd589edef9f68152dcfce7209a63c5ec9d4396bbadb918509224a30aa6dde316ba20f636089b07c8be3ae9a3e742f6975541b9c97a7e222b9d6959ddf7c7727

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
Filesize
238KB

MD5
cdfc02a326ec196a718fc58073e97edd

SHA1
f7d6d3cf7e403451e7a891a40fa80219355950f9

SHA256
b357cc1a4e5f43eaf5333b6f35c98abb3569f54e5be977a727cf063b36d3b584

SHA512
3675b7a9aaf3bae5ac294ced8d56073778c512ab60e79dc13f66131f096cf0ce9eb479acfdd82c66ee664b87bc34b4a9c81cca53065c1884aa75b0c644d1e2c3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe
Filesize
247KB

MD5
28617f93c655e1237e5975803299bac7

SHA1
37296980469e5dea04c1fd70ea0eefcf9aeef5d1

SHA256
f0354d8ad42ebd5f1fcdc72c150e4ddf172e0c91e189ee605b3495779bb8e35f

SHA512
f2a1df59dd074a1eb4b1671fa76b698afe2a36e159499bb94fe03201fe87e1b7f64aebfc6586947efb7aaa046ad7fb49164d36d78c3cef2a6b1ea7d51dcdcd13

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe
Filesize
232KB

MD5
f8046fa47c757d77e5b294c8315b0e0c

SHA1
2204c600296244705cc97101fad5e5e6652b3c20

SHA256
b7313e5edaf22a23677b26fc6209991ee3d9adb3698393b3fb9fb2da77f56076

SHA512
16e229a37876ab3a0a12564700eaa8d0ebd0799d50dcb5589a5b05f476e9cab0d36f8ed89b9dfeea217f1e0c652814024877ed3c5db466c1a65fea6d469456db

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe
Filesize
235KB

MD5
38eed5a0f89e95d8a51e90cda69ea364

SHA1
527f8b8460dc716cdf42c2b3ef5e3f8cf7104367

SHA256
21053bf6a88c8023d4d0b4afbd628a2a59c91a1e7d4dcbb2c3cdfc168657d126

SHA512
170672a21211b52ecd5e8be56f79eadac1198765bb443fd3c1bbe25c8ee1d6730b95945f7812fc580c6471db656e0c1c5a73c809e3adf54656f246e5cce83473

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
Filesize
235KB

MD5
8baacf003ffcae2927c6749cc5e63dac

SHA1
e7a869a62e20a927285d024b8ad7e3081055a9c5

SHA256
7c88bc65b0c05f42969639d3689be974c699567b2b1b679506150c06c40626a9

SHA512
8a8ed8fe79e119df05420715c6d0249906a8d23afde80bad724ffc2c14251db469f1c3c2e6cfd2e26ca7ffee5b54d00dbc9ad6303d2e5016a742d646d3b45766

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe
Filesize
236KB

MD5
2b852a2f62c4070ef8b09fc10a7d2c2f

SHA1
071b64f62fa900340434af084e45a51454dcbec5

SHA256
878a2701f47a057cd2c1a4cf66ba97d2f8ea1e06683799e82a9127d852a329b4

SHA512
bea34e66189c15fc69e108c4782c0ec508a7109598ee096eec34d72eab5c9140be4d0f786d220ff389b7a8abe673f1443dcffeb1d45d08ee8022116ece0b524e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe
Filesize
228KB

MD5
cb1307b2f74455161dd0eaa02b789e86

SHA1
6f5d1143fb6c364a103dafc9a01919e7849cd818

SHA256
a901759c7b7a29f59ee8fec2790731cf05b9554acf03a7b39529ae20f69cfede

SHA512
e1c3d6f95307e326c79e4e65d5c54005d707efaf5c2b7be515539eb708ead939fdb5a819481b02b090da36bcd71cc5ff547bafd436eb77b90bb132d7a5593e12

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe
Filesize
238KB

MD5
4b9b41c32d1cc3b740682e9e6535fa58

SHA1
092690b92f3e4626d9131dd23864a1411127b34a

SHA256
9818fab2c8c5c2ed13e1e6eed732b8d284255d251472adb7bb986cf013520833

SHA512
8577a74732f6e4790715390ed877505caf05f020a04869c4746c10b826ffb67e24e80e4c6d8b8d9e40d01fb382db84fe557c853b2d923333a6ecfee04ed47d3a

Download Submit
C:\ProgramData\vekkgQIk\lgksswIw.exe
Filesize
192KB

MD5
a59822f295ff94b25b24d8a205e653c7

SHA1
4a0a530d05bc6713b63bb4dbd75511b956c5cc2f

SHA256
41e5d74f92893c8c381ede1b22e667e52bdfeb8321542401ec615f12b333fbdb

SHA512
633155d42246f4f6187bc9ce300689f621350578ddc66e1974d3d0ddb38beaeed011b542606cd6566f87e4ad47e801e6e2b6356a44454bbcf35d75b7d1bc2a38

Download Submit
C:\ProgramData\vekkgQIk\lgksswIw.inf
Filesize
4B

MD5
ca4c55e0ac78019e5d49881c94cee9bf

SHA1
845674e3252db9bb552ee3693810d5418b7dfdc9

SHA256
c2c8feadd1373d287440b90e821befd681688c3198cc834dbf114e096740802c

SHA512
6147638d49f6c235b718d4bc483cc82bc354db6d1d9907440267676f7aa8e7bad2002a2c66c019fa3036413d57bb4d3e1d08bfa5ec5d7914fa263a06cd45fe23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe
Filesize
213KB

MD5
b563c58f976345a992ea5df2b5b94262

SHA1
ebc29077a5431fb58b5f79dfa08c9db706bac500

SHA256
0e062876122beb0704f5606539ea181ca02b0d8721de67507ba4fd46e65ad76f

SHA512
11cd4b30091a01768a70bb87f3fdede5606923100db84ee6eb73563867bb675e257ebc0f06db2c762fcb72a9710a425e69034e5161551ce6a5014bbae44ed0da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
Filesize
200KB

MD5
3613e41ea5d73eb572cf52ece181e928

SHA1
e3f8b1c35fd61f58e014b2db10ea7d334141e4fd

SHA256
b7b296492f3349a78df78be63ced2fd0acb0925adc22ef84be726498c9fe8c23

SHA512
e766ea4c5c173b6ae655dfebd750b1f0e50cd407561f52508e8a56a591ad6049b9c3d5ae602b8933dbaddcfdc7573177edd28a1119766697846d36216c8ed4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-22_40a0f08f8ceb929f709507c4f8e5de6e_virlock
Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOQMcIow.bat
Filesize
4B

MD5
8380fa0b5aed74e2299d6909952c00cf

SHA1
51d14f481b194b8850111f95b40eed616857a4eb

SHA256
9abf205b5bcc45c1bafb9ed58b2648a9da2a5cb63ab2ab8466ef5357204593b1

SHA512
cb6e675057bde0e92a182e19983c34f80fa2ca84ec8fbaab78f473ae1a69ab33d0bcfb170f96dc71b749e71c5ab3a9068b1a564ccbdc391565b33591ce627f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAo.exe
Filesize
239KB

MD5
0e0afcb0dd23561f841be84107b8d1ad

SHA1
b3a0c275f576711b4fca5b892270716502c6bb2c

SHA256
1bed841cd939efe10d37471dc91da5c3a536b1d03ab9baebf5cf758dc8890b35

SHA512
da1470448d416f34dc416dba4ecd3aedf167625a8be372706d2e59944ee30f7472b19c9c87304e8e31f93598b55b267678afd2190e0bbdb403c27893aee79ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwkIMsgk.bat
Filesize
4B

MD5
2b50b7b248a0625e3568e668d77ad104

SHA1
e2d82e627988f3633f776da1362beaab1c60af08

SHA256
fe3ab1ed66745b8cf075ee4d482a933d87f43b654e746c9de4baa1af2d714e38

SHA512
dc657c03da0d89eeae96097895cde87f2c08d96808e46000448f3461081262458cfe0788ca154d5ca0de08d02de683a6b6a0c78bdf536ce202371448dee99466

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUEoIcYE.bat
Filesize
4B

MD5
b35b9c7f6df764a34817e62fbbbb4bb3

SHA1
86223c857689167c66feb9b1e95f8ad2a9df39e7

SHA256
295315614a8720df297e9b2cc5ff5b71c6a90bac40376f451558f8e972cd500a

SHA512
098b16a01668ca1571810b0e2780048007bfe22aa14283484f4b20e2ad6c3a59ae4f243f2b572333e63ebe4ac3cce7ccb75ece4ab200aead860dbe3e7a76a777

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGgYgkkM.bat
Filesize
4B

MD5
2a6eeb8fb79b4e5fe36166122f9de003

SHA1
db6f12e4405d2db7400bcd55dee0978f2f86836b

SHA256
076616e8a48d07cc1fcc900100ad59a586a7ed5304f8be21258a6dbf2680c26f

SHA512
7745c0c349807be2bcfee48408485f3d5d64fbb8b9c9cf52e280a317355f263a29d6c9a82c55b9db6f936e179b78b8ecc3a0386858f2fd088dc32d61c719b51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMoYEQwY.bat
Filesize
4B

MD5
9c90769a8c34a597ef051072f6247180

SHA1
9c7f30c874b50b6c954467746da5c50ae7779905

SHA256
4e86524de00d5bda180a31587ca69438ef457bbb46caf14b1bc83dc58985d6c4

SHA512
4f2e22d595e94db9892e8dd8959ee68f704dc8f16c273489997d488ec373a398233e479226a2099581af9236bcb8b76e0349e55b1a2c0b6188eec227453d5d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgQEsoMs.bat
Filesize
4B

MD5
82d3f4911aef01f68574f5d3ac3a5f85

SHA1
c30a3197c2086288e85a07a86af2ecb264cde50b

SHA256
9e09cad31d473b1eb18f679453ec7650ecb1f8196fdd3e1e57061e13c8ef1249

SHA512
2ceed87d60a5338e8077ec471a80c69a01dfac1793aa0b2afe221f57734656adeeebe4c7df6671e67cafed19d874f53ef8881332210bd21dfb20c20c5ccff0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgUYQwEM.bat
Filesize
4B

MD5
d9ef3cd087622b3a97666bb903d0071a

SHA1
ea6011e247989349c2c9952a76b48ab496467ccc

SHA256
46f03ec8eb67d6394edfb903b13c24a22e9527a5e608fac658e849e58779a96c

SHA512
7fac93001cc9f0892278daffd6e84d99503a8311ad5ee8d85cf28d45c6f9cedd8e7e52a018539512c642c08cf1e9703fa54c0321e7d86ced9943c7f5f09e5ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkQUMckg.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkQcAsIs.bat
Filesize
4B

MD5
4423db1fbaf12ae71cead48823d5b4e0

SHA1
3d7426e452693ad421486bb463a73f37298176a6

SHA256
dd5950157c5c18636e2e6ab19875b5b5087fabc6999f57cc39adf351e2cfd304

SHA512
05c5b4f56252fab4f5409e024e82a87d6cf4165056bdbb1c74bc231082145147652317e8d18fef4103e05846a4f5882483e4e5d8664de68bc9270788b68380b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkoQckMI.bat
Filesize
4B

MD5
e72bbff2d8e66e2e76a286dab0e7a6ec

SHA1
b66ed0dd528cfe362a64c6d4eee19a791bf81957

SHA256
c89b239e94552b3f82d7efb6e37b624e52f11fd72edaa09af77970eeea2368a6

SHA512
3cd93b432f50d81523e29a89b0674ef8209348dd3661d91d6f729e43b20208a56acf8dc3932d4a141fe2cb7b489ef3f6020f6011ef02fa7d6c920e5b5f6199d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoUwcsww.bat
Filesize
4B

MD5
c87bc08b176bccedc6146fb699c91680

SHA1
f389c1a9224727246cab350b632eadeacc5b1d75

SHA256
b144858793ebaf611f5504f62cc1353622bfe6f30d7f726b7148ae168bfb8084

SHA512
5e72d14c7d9c4555eef4dd7061f74200f46538d97628f956913453dae0a89452abeb8a10f395969238c38cd37634a7d4fa786b7894963aaab5c59058aa46f37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwIoAsUE.bat
Filesize
4B

MD5
1e99540eed6e98d58e3b3c65fdf98aab

SHA1
39a72a19547c31fc40a65a56e0d5fa55186b6ebe

SHA256
8f4879891e433f68d2213af7ee5856171b914403a7ffd7028f475b021dd25496

SHA512
9c2dff04356f8ada8db8911fb21f93322cce1cdad45125c8ec73090db5d9d4ede70a85f06bf8096fd8fd4bb418a96e454a49bf63a363f0f8fc1e8aa7118f368b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwm.exe
Filesize
1.0MB

MD5
3b2943a8e7ff097b749feaf53c1e22be

SHA1
c19184a9dcf0c2c71ef8c9bbc250c21b5995a0b5

SHA256
0a3f329e21349012c84541d5aa66ef2e4eb5740fabcad66a105409d900cf110a

SHA512
3193f6608991fba36cacfa59c94086cfb81d9fbf304f578bf03c356a19d1204532257ee243cb2cbbf3b72af029c741f21c7cfeec2f58c74f4499807d263de3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUYi.exe
Filesize
779KB

MD5
39be193366a10f456833c61676848474

SHA1
84bd34f76207a1390018cb638c056c9b06dd4dcf

SHA256
c5810aecc19cdeaf4b49cc517e0675fcbb42eed25452ec3c4df0447c4df79c9c

SHA512
36cf9e346a034ffcaea313d9a00b6c936c552c655d811e0b2aba4d2ff3b95013fdfe622d12b779f95aa48f081c8f88cbec42c2da0810df685e873721835caad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekkg.exe
Filesize
4.8MB

MD5
fc14fce75ff6ef0b909644622f392717

SHA1
c371dbb4aae93b77b39999ba7a7cfb75ba216bec

SHA256
903969c0e546c4cd6c9f0dfa00d4b10c554c51b023311e7e0a44cd12435a940c

SHA512
36f24a58de9522fcf59e32e91e06773869cd9d57d9a817d9d1728de490650b5194623d614943203ac8346ff7603a39da12a850b855e1bab5669785cbfacc4281

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwME.exe
Filesize
236KB

MD5
2f9658a9f18aaf36bd5f098d1d145d50

SHA1
090229794b0c6a25fdc5b7d86a104e5cf061581d

SHA256
27e4a99cf17eede3e6a39dda1f27bc7264edc2c02b410c6d1bcf80312be13f66

SHA512
0e60a3bcdfcb248682de54ca5b3f1b7ac27f5c68f74287b6945b8ec8c8c6c0ef816565d7f70df4937cf93207a65ac522af248febfe5caff89e444f0f4cfbc1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGIUoQwA.bat
Filesize
4B

MD5
c461141a9878eaaa2b0bae7d6721d9f6

SHA1
5d5c67ed10b4e6fe44e24f62ba2ba2b20c836684

SHA256
40cc214dda2cacc45c2ca0e5369830de6d0c9606c7fcfdc6f59361d5b5a89314

SHA512
cc8646011b342634d2736c0a83b8f161d95b9adc53138f17ec672893aacbb1a9fa1734a7d02fd5e0f44df80428c968b39cf0974d3769644a944762a23d60257b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAUo.exe
Filesize
648KB

MD5
fddb639167cc119f21612708d74f83de

SHA1
ae40af38a2c6c42ee7428f10b6ce0dc8f217dd4b

SHA256
1e8606d79fbfd388d6eac29ca1668a8f8eaf6c418c63078d9499b359c2ed7ed1

SHA512
6c20e6e832d0b6146e34255bad3c49c5b741628c9588907121460a162eec149928f696f7c77e179c705a57b86f3b66f02a4dc8d8d0f3cb4bd89e9df8bf360c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAcM.exe
Filesize
201KB

MD5
6e79410fb36c3cd80d68200e2d948ab1

SHA1
b5efa889be9b05ca6c5b930a15d3dedbe6ed033b

SHA256
a0a1700826a9ea287c0715f3684d0e658566cc0c9b05e97a05ddae8cee0658c7

SHA512
036536718c6f8246d73da52003f0c1e68b0e7f76c4c9f6bf6c19f861c9aef13f895071fa1f34ac2da45bd679a67143e60843be2659496fb4b9e7412c06d680b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMsG.exe
Filesize
183KB

MD5
ca709ed77f775e3d96580228fc149fe8

SHA1
de87b0bb23aafeee0f9bfc9ec279d0492e0c8fa5

SHA256
30d587475b8845b1043d16a59bde4bc4faf5188c7982efeab7c28865ed5ff508

SHA512
8812433bae91181c32d6301aa83a324fa419f19b3d91bbb0761bc41feff9a1c12b52768ad44120662edb927c13a7c044486921e7a25a9937a37759e86fbd4d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUou.exe
Filesize
227KB

MD5
db3664600e9722944d0528ae458ad9c7

SHA1
3e30723fa9976cc997f3c6c1c48624d748697b96

SHA256
002f3616996838f4b0a3a1c353c3c7c9844870ddb2f91cc55c7224b833616043

SHA512
8f9266d5b7cf1543c83b89cfecf59e4a5c7444cf5db2c6e7d45e9ae49dc3935cab84a59956c456e2b91f0614e233b490588354b3fa92f77b233887c7ef46fb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcMK.exe
Filesize
226KB

MD5
75b00928911edc9dabda54a34e969fa0

SHA1
9571bfb681729ae8d934e90de0de7f74b8eda10f

SHA256
b5d8f6850f8bfd125a2824430da8419e24ab914c6c181ee4af1c114231545bc8

SHA512
6a04ac4c96db05ac7d9324f0415499bf92eee350c4b2e8ced77132c69a66620c3b7be34bad9e150d4dc5e81cbcd20b08d38ece6e084b99a70230d9db6bef575a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcoC.exe
Filesize
237KB

MD5
7447d7bdbe3ca6db1fc06423803cc296

SHA1
e04fedf11e6e9e9689a15964bb2189f67786b1d5

SHA256
844d03352b9b4aea68368da6dc12d559f8c6c1c3305aecf44e0b3ccbfd987287

SHA512
158f580c4a5a2610e5a1c4f51f6b5972ff0677d7b5d67c109f2fb0ab850b3a33b43a178b77962e0dbf1ace93689780bf39a22933d89f4944751979f00178a981

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gksw.exe
Filesize
959KB

MD5
a418a3e6dd9c63e8dddd44f5b081d0ae

SHA1
e9db846d40ba7de56769be134658dc719504ba25

SHA256
be942c39813e97566d7f4b3fbfb263f914e758496e25bbc382c7f19894c0a666

SHA512
03430289215d1a0b9fd7a5d6cb5267a7bd9aef89cc4e8f24dbb84302feda6e9bf139d1d115ca223e29974bc5d8ef23364eed424be8c94fd1d2f7081462799484

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwMU.exe
Filesize
1015KB

MD5
8137d6bbfb649e20dd14d3d5a3c5e297

SHA1
0fc3a63fa94c01f830ac46fb5ceed07a16162e8c

SHA256
08088d96ea51acf2e6efbfbf577743899099bfd650dc86264d4debda2477df91

SHA512
b13b98fc710a32f6cab902464653efe91d87a7e64e6f59010a4bc5a8e20b50b8cd53e15b30520c829d72cc87c3e7daa27dcf5b59c76fd4c0cb5c997e680ca84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwcoUggI.bat
Filesize
4B

MD5
e1e4e286d95faea2e82b33a2aaa5ffa1

SHA1
5635f34de1b7bc23c9faf26b70ffc351ddf6ad48

SHA256
e9c6d85a3f3e213fc3f1abdc393b66cc9b897b0f3c52f81de7fe8be23ab64700

SHA512
47a0de3705af70c821cbb980bb3e4ef69f4ed8918d2d06bb4576c277b0eb345d16b5e2f1d8067a92f45f0c1badcaf2c38ab92e69580f90bc4a6ee92004ff8f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSMowYIk.bat
Filesize
4B

MD5
72d81a7f493f7f6f81d928be37750aa0

SHA1
e50c732bdf01fe737cbf6f155ae0c3f3fb384df6

SHA256
0bd77c215cd053fd653320aca779e5e3f7479aca387e9fd56dc6e73417161e53

SHA512
0d89bc75336a92e7250177aa372597851c3ac28b97e36653ecf1827bf4b86cf5bb2cfe70f371e9dc4eaabf6d0dd46dab3c897b15a2e7954405165427dfa2530c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMoC.exe
Filesize
242KB

MD5
5edf4151fc433ee3ef809049f84be597

SHA1
c502af7088d0d1b09f24c0cfdf41b2dcc9c934bb

SHA256
f85d68118cde5adb69f59d60fd77f084eb9cb512f888a80de9e63bfff37cbf1f

SHA512
2f66a3cce88ce9532a0b48908340b48d0f1d2b83a5787ff02e27281ca4aa98ee9d693d4e329e63724dd03e6316ae0bd3e40b7409ca768fa59dd0b682763fc1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEAcEcY.bat
Filesize
4B

MD5
b585506642873496a8b0071ad2fb8d92

SHA1
3227357893e05fc6e52ca9c9446df4acea69eb77

SHA256
3b914742fc25c41aa9d5ed14b26071424d21c2e6698f72a01b8b16234b3cec91

SHA512
a8d06b7fb1a30ba65e69a9cbf38770ec942dc6d3d242b849c2e3ec7dde982fac6c8eef637e224e710fc4c6b3fea49b4763a9e429b244f3f102409f7cca2700fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkcU.exe
Filesize
248KB

MD5
a1fe2a33b509e1dc18746e0e861b0c63

SHA1
747e3c384ddcc1db3f0a38cc1d58f6771e39ed3d

SHA256
6cec83fac29b113304ad6e88641b829bc0580a2b56272c1519105fe3c6409a4d

SHA512
5f7978d77f84572f86e44c0382f32e1ffd7c4754e05b2eddec5c26030cf283c8e837dbca03ed40bcb43fa6078a85ebcc7a4ad3aff2c6064d7d5515d7fe4aa9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsoS.exe
Filesize
198KB

MD5
b0a4b1fcb175797f8d43c7e678773dd2

SHA1
b08a87f73dfa8e87b17c3a7efd149238d3577956

SHA256
b1c1a36ee83b80b81c69b9d3d34be7b169dc3746388f1e86ad3002495bba0b44

SHA512
bb67945ea476e509183f01a305b8048f64fb249fc4290ac00f5871312abce9160f5e62edabdadf97a56cc7354701ae16f109122a4ce5021c1204b34c5a901f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwQo.exe
Filesize
188KB

MD5
577228ca4ab90ed2b03c0215333e2bec

SHA1
46893e1fcb23cee8d05dd75a2d3ae25002def162

SHA256
fb65810257d1b7c571466dd6f7c32851b594f0fdda391ab50719bd2e8e86d0f9

SHA512
98e3d6f8a5d327c7ab1530ff701e513f51046a9dca3e66c4873a90f20c59f0446c49063ff9bed42bacfc55d4081a6a5ef1356f2ab74e3b7f92e0933c732cd6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIwA.exe
Filesize
244KB

MD5
88f7821e5beef2bc4591402f70e43f68

SHA1
5944cb7675f8e839241ae582db7dadca1f828fde

SHA256
8f090642da14f3ddeb35d535fc26551a1953e3b6974620a766a46f387ba28a3a

SHA512
873c1019f610e2dc3419c1df9add679e9cda55e190fe457c4e8227c1c9f5ca4f9b5cccf0c7862105d30424fe244424b9bf5e38c0108bf86eeeed2ecdc7ac2b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeYwIsQI.bat
Filesize
4B

MD5
67f97a3400bd475a36f15e30b4e7fc10

SHA1
7e4359c8b61a22550065f10d54727eae81663992

SHA256
d8dbdc395ba2b87104472617a2ce04ab8b0a3ba208f28f00f3dbc0adb89e0667

SHA512
d856bcc6e91b5a920bb3297711c60e9d604c8f3c847f7f4a0d69e6cc187d997f5131276b594c00da5ad6de1679fcba56a35af532c071adcd0bd8c29b6d56719c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkgU.exe
Filesize
962KB

MD5
15217ffd82e3dbe3ae2ae1871dfde8b9

SHA1
6e56494897c7d53f2f7c3349208488699400ff93

SHA256
8c0991a8d72f9e0f80b6d79627a1af31e183f31947ca5e103414e0355dcbaeea

SHA512
7eccce11b8f0bbc10c7815676f412ff96cca8b3b67432ac9fa17e1b0744e9b4f1986f4691f03743eca20c9040ee2abc949958e918b1b4198c6d3ee0417e4a80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KooC.exe
Filesize
193KB

MD5
d054f798963314c68b0e298c762b73f8

SHA1
8cd0f012f3140759540064d200c682f5a158bfb5

SHA256
344c0cb0aa6db472c55bb4ec88e2d2a9a50405695936030fd830503466955bea

SHA512
219c5da5e275c40c51657b23422255447b16ced298ed13612620b4e41c7b8e897882fa688cfcd8c1e131b9f197346b0297a9b8d38c8ead9798c5359d4484d968

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsQgAwwY.bat
Filesize
4B

MD5
a38e62b84a1ebbc541a82eaf26795717

SHA1
75f2a95681b63be6dbce9eb62ca7e5f989b65362

SHA256
44ef5525d44af145d36af28ee7e2925b3607e868f3c7aa8dda464205ae12685c

SHA512
54aef2d8f7dac1cc2da103dee347ffabdb9d34b53403cbd5ca91876628601eea51b8a6ba4dcccf587a7ac752ee26afd2acaf0d5b4fbc53fc12201d46b4ca3525

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwQYsMgc.bat
Filesize
4B

MD5
a621b80d3bcae3ddb8b5f9b6904965fe

SHA1
85ba2c6af7ae416b26aae3ba6be227a530fb95e1

SHA256
207a01fa0c90150367774015225d1dd34d2ef1965799788d9da940ee7ef0937c

SHA512
a6f3acdd7440f62f50054bec6b676f6502aa1bb4e446de70b0b5222f312a551c0d48d162441eddab80e9e2bc7d8de37d2a40b5ee4a17d232ea6509d5cbe87a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEQg.exe
Filesize
545KB

MD5
ed733e2dd5515edb857d021bbe63e13a

SHA1
0dde377f2fda7f4593a36ea6cfcaf08011d9a315

SHA256
3efffbd0df84e1de9c7017dcb4dabc0d5e6b0dd1d0e5bed0cdf5713c5368ad48

SHA512
8f4edd6b22676238385b15c7ab1a0a03feff12015ccbf1fe387651e8dbcd40383e148baa9868b3a83d0f1b044ee68b1cd33198611778c3da7de428ee13a904f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQku.exe
Filesize
199KB

MD5
9a84a9aecaf1078d636f598cc248536e

SHA1
af9f562b3191a130591d73bcc63e91c369aaf671

SHA256
0307595f1a9d7d865aca8b7a6e84390bc85e7aa0c3a4622a9df8e91d4e6345ee

SHA512
e5c512cbdd2dc1b8633a8787c01c8bc8a8e296858c5bcfc656be3d6730cf29f42687a195e93847de26326529934dacd48fc8720355ea9911c235584017950cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUIW.exe
Filesize
213KB

MD5
17736f7dc814d392a77667c63ed2eb34

SHA1
2f2d021d21ab8908eeb212cc3511a9858b13861e

SHA256
baf7bdeaa6bcf4d028e151ae3577b5d6dd95c1ef2c8e0edd9bc11e179c3013f6

SHA512
d8c02841c5896889eca2153bc94ada401c793c5b38110d8d3655688428071d3cea1e6b741ddb65ea9a8f1c2e3648003cc3667c1fb1ff72f9e10cbf1409576a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkUQUQgc.bat
Filesize
4B

MD5
c87b9d17652a60f11a69e4d7420d3d7a

SHA1
209eedb453cdb3c7d47edd3d82b1d8301268ca57

SHA256
e2507826ab185f1cb02c66e5ce27e3a3bdf24b011928a7f386405b4d243555c2

SHA512
e92e49b980cc1ef89382e13a054df165b0ae81892b773247b2e5507abd152d985a084cb3e10bdff11f204028b3b8ef2157846e658e9ba6a31032bceb47d54638

Download Submit
C:\Users\Admin\AppData\Local\Temp\NmgggUsI.bat
Filesize
4B

MD5
adde9e625320dff5d7a56feaec1d603f

SHA1
fbfc3faa17b84eee7c31e2f69a5e33810d0e1e67

SHA256
b730383a6727726d3606368c03899d034c0bb52e4fd76ce71b8018911c62f6d9

SHA512
b3af419fea467dfcc5b7575ef271ae0f9395a0006f2232573e5d8ab3dc2b2f1e79f4100f64ba040fae1f1110c0b144bec527a3c6ae312c320a4d438b2c988657

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owok.exe
Filesize
198KB

MD5
d78e2d1c3e0f2b4abcbb546e7e4f05e4

SHA1
bb23e6563ca7d183be0b5bc398b262b2676dd38a

SHA256
be74f21597b9d62b21d002a0677ca2469447d85b06e872d16ff210f6cec7eca1

SHA512
2755637a30897bc70994dfc54cc9c4f570f807bfb5097e16b070f352760c235e76679bb8a818d40868e625f15a1d4908bae7589b07739f52323d0489c6edf2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PecoEUwU.bat
Filesize
4B

MD5
b1cbe20b40dd688ec11b992be41294b5

SHA1
ed20c52827ea8cd0e4f71a06ec1a005a5376351d

SHA256
5dca8154726670ada00d71a2800a8fd6118ed830001de7770d77a13d124225f1

SHA512
153972b17e43c1be687142c7674051a4798fb5908c6c21f3e61154b310d09e270368e423b1b57c914458d8d13aa3cacdf31ac20cc3a6502e9d2e77b13e90171a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQoooYMY.bat
Filesize
4B

MD5
9edeff2d9cf3f99222b9850a6da29885

SHA1
3f12bdbd3d20d33d1d8b9c055f9a70c629b4f10d

SHA256
1b4096f1dcd6e5fe27196d6a0d1a92b8bd891c534b6c0878b36d1c7a3ba3c5d2

SHA512
9978e1eedce026e7d477698c5689c9ca86b50b74efc68aee1c767e76ff3d502206760c2bd2c88544e0d63d0bc296783c225d03b08820ac03323f19b480880b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qooe.exe
Filesize
236KB

MD5
6b9362519766f889e49dd079fd670ad7

SHA1
4e0d876ab3fab1f6b52f133c0a129e1a1504f5de

SHA256
81b4f85fe6dcb4f1dde55780bf6530962db994b8279d61a9e33fada5e70ac1bb

SHA512
b383d2f690e5221731581dd88c65bea08e97d1406c612dac53e71fe71b794f83b822b9726156c9d8b8b19ebc042931b44afe34ca21cd8e3afe222431839e6131

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsIQ.exe
Filesize
245KB

MD5
18ceda236fe5f419c8bdd1fd2a247edb

SHA1
9c73d9649f40e954d3561d25a27761934f469d1c

SHA256
dd5844893508c4c700a3327cdc8f8a759ac457708167d434afbb789bc41303a8

SHA512
3cb13ee614e1991ec287aefa10d1296336b32a53fd61337842e624a9eabca8e08729353cde851c50b43b88cf6987136fa861c0c3d2393efd8783da605973654d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qswo.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwEkAsIY.bat
Filesize
4B

MD5
6d53450c11755b432b0178ff22521b42

SHA1
e45743ad240704a4305456b25dfa5a2dab64e606

SHA256
6bac3ae498ef267ee6bc6fa79f870acd980ac80d8ec4992cacd951fbc34f1a9b

SHA512
b38bb2342699443b9900c2b172f85988925ab4fb238ce67f51896d398254cf31a8113790c2ddcbc38973fec9e20fa953c29adbe327f89e3f78cb8dcbbc749647

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYgsIAEU.bat
Filesize
4B

MD5
5859c4e749b90d9cfca7cd8d318752c8

SHA1
fa78bda833f480775f2911d22f663e5bd7ce4f4d

SHA256
84eb72d6a49041b995306b636e7cb1648d25fbf8dc397e0ac32148054464a8b3

SHA512
58fc672d94f1d24e55eb20d16628ae1cdb9971236e19698402f0ab3f5dc2fad0d5ab2a0f0d38dadd5a3fbeba6626adb41177ec6329dd38dd84a6f19fe20b16dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAMo.exe
Filesize
244KB

MD5
e3c97251baf9f4467ef029340e6cdc6b

SHA1
c0019e6fa50d50b411a2f07c22ff9cb965f466f1

SHA256
84ec3ea3bfe6ea7e18d018090e2967c5dd4c0b9419d33707d53482ae17de4f46

SHA512
58766aeda839240b954ee211ad94a14d9ac0106e22b3e592ee3fedc30ad2389912a072d71d6fae502cbcc9e20cee57d75cedc59c36dfa49685c1e39460565750

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwIG.exe
Filesize
228KB

MD5
f755688e212c2205dc198d83c9854203

SHA1
3aded11d566bc2630224bbb749e37a2e11e0a97a

SHA256
c90f9ab778b9cda8619e18423eb555483148699b2bd29b8045e2149135a14953

SHA512
c47cae105170f7526b04a19c8a52e19981f82f1b34587544157e27ad805eef38bdc93dc8a1a04a81b609e863d3e8ef324814f1afdf76c164654347e0a1a3057c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwsAwoUw.bat
Filesize
4B

MD5
acc905def243db8ed1e4873cafa5c83f

SHA1
b06d69bd39a597de3be3f57c84edf6378887a288

SHA256
71ac1788a2b5b53c232f1497f51cb0c1cf1c244e4814244d9f87579abdeab27e

SHA512
e6bb2981e0dca1a41ccbbc619560960fe01b5b59aba56132f305842f0723ee80d09cf269bdbd39a8c306c8df920608fcc8766369d6223cdeb8424191bd1f1e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMEwMYoQ.bat
Filesize
4B

MD5
b8c675c2680bb1b6d4f54c929c123843

SHA1
89ed2d906ce9871aa4080f762a57f0809e247f34

SHA256
cc85407b73149a905f7da6d69bd20b138dedae4287b955d93cf634a1b7e17142

SHA512
128e910a039474edcd6867865c1f60bff2ea11851f6e9599cfcb4eb92720b2795e4d4eed57ff54e962bbb17a74e9c30663713d6402451b9f3359c314859a5216

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tkoccwok.bat
Filesize
4B

MD5
cdca82fb8bced80be6f8182d24e66917

SHA1
67b6e3359a18337e710667bcdd38b352910f02ac

SHA256
19eb80642961a4b63439cd2f363e0e41271b6baa317855fac6a79f5dfcc16226

SHA512
3124e9fa3992c33933f2d5fb930f63a12ac447eeeaa36ebc60acdb8441d655dd2d05c20a509ed939c81ec83696ac16197b4da322d62b9fddb1fbad90fd79a62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMMG.exe
Filesize
193KB

MD5
77e268ad292d05c3ce5d30ad02770a64

SHA1
65416f76295843fe51c76420b8314bf3f527ad04

SHA256
2032b4ad202e3919d0d71c94ef69138a126f4b66f693eba95723b3c617d1400b

SHA512
d03ccab01b7a9f5989f72cfd67462076eb18241c167b97abda0afda736ad590d4edd7b981fff2d9defbe74803cd19d18d43fe32ad1a3bf93c813b5179d7162b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOQgAgoI.bat
Filesize
4B

MD5
7d7e1a81e2955d65bad66a518e56497f

SHA1
030d05ec2d0741f38890afba4ac64ca27931dfcb

SHA256
07ae72abd3cc49bb556dbf45658f965e72f86aa4e8dfcb0a9a471a6162997d70

SHA512
002655587a25a4efd7a1f8acb2ccbb05d28996538c526c7b1809d05b5d5823200b87d3aa8dfdd7a0a244edeca6019fc6f72882e07ed56bb8d63e8bab65a3d1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UaggAkck.bat
Filesize
4B

MD5
24800546e60ec802d1b5ce434a4f6a5a

SHA1
53ad925a5c4cf22ad806c4629a5a1da49c04e6a1

SHA256
1387a340c1832a527256960ca35db2a612358500417f4ce35a3b2762a106e132

SHA512
25bf94e83cf518324642a5f8352b8b021db3d212a4e56326dbf93ffeba98076164f74c0e4b0c088a1605e99e551d49e9b78f96bd1bb3fd5a6abe570dc34bf17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcQK.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgcM.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwws.exe
Filesize
192KB

MD5
6b9ffb9a7d0995a4b6b8e791006e38dc

SHA1
0bb6d3257c9b5cc88281eed0864b9b4872524f81

SHA256
671ce0d7062d06ac56cb58cae515a5b624c94f0bd16253a3671a82da4c8051b0

SHA512
c087ed9b1242498c54b85b90176299cf2a2d15cc062834b040943b96c4daf3ed1c5c17dd5ae3ebbc4931778684d90a56cf75fc0921de25eb5cee2d58680d3a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqQQooQI.bat
Filesize
4B

MD5
6cab4f1d10ebade3b83ee051932af38a

SHA1
4199cdd6d63559fb826507f06a554f7740e73c31

SHA256
4ab4707e23ace1f11074b67e817197014f8b692a24da1b5f8dde395b64358557

SHA512
b77f604f95ed131d83ab7e6fed31d3ca17d7e2d4b631fc84e450d7164c54973b3b422d66a56b450cc842742502418f1e8dbbe810c3b7c9cbe0eecf374f5740ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIIA.exe
Filesize
234KB

MD5
31998a96ebce108ca6ca620d32cd2859

SHA1
469fc75516a2680c0126e4887d1b00448b195c88

SHA256
951f8a55fbac3e6caacc8a984fb98f9c3005a875aa4c4bad5a9412e10fd6aaa3

SHA512
aaf096bb086f1687522becfe8a05c7c4d02e6076142649d7c9da750db228a7a328232a402502c55ae92dda29a37f6d5e4c898383119ba4caffff94c629217aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOIcggAE.bat
Filesize
4B

MD5
a60794d8311de540a61aea77b7592aec

SHA1
485c6e21ff340933c05b250376e4d0814bf1d384

SHA256
b54422fea0c943a0f1afa8e74c96ed2397b075058deda8335834221d4dcfabcd

SHA512
8f7fdb3e4d46fa4bad7349784cd0240e8f37e25d3bf0e54b4eb1c4b9a4a9ee8c8617f50faff93cfacf3d51c16a2316436bc9dcfa7265e341fc828de71a7238ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEU.exe
Filesize
233KB

MD5
4bce8a21e169866c21b6385535428a58

SHA1
2c2f241f517345ad12b55d7dfde2e667a9ab1bb7

SHA256
3c9f4a75e582f871bb7fd4a56a85db83f1b294d5437955c79534052173d3291b

SHA512
a37aed364e9e4bc284417e9e034e7e12582927bad983b6bf3ca5825e8e461adbdf35cc2054ef3bd1c68e3c8b6c5ce217959566b8ea1b4d4dc3b1caa3e83b199a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgUM.exe
Filesize
243KB

MD5
431b6d805211f48b349682b0282ae604

SHA1
7c69b4711d7314e02649341b6e1b75134f80b376

SHA256
7780bd96966e6e0a38df110dfe2cee376392eb562821daf52d77d40dd87dd366

SHA512
9d8f5b54db7368a00ceed56117c6c014d7f4b713610db0fa8cefb19de8d813a7c021e1eb5d6b77bbf2843fccf09cacc5e3a77a0f495c3b8c4bcee05780b19284

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwEK.exe
Filesize
485KB

MD5
684c1ec75f576f349b9fcca5fbb6c716

SHA1
69c680a7914ab7c26eba013ad7df6d04d74f7a16

SHA256
3c9b73f470a662003c3029ad8a0a59b078713ed053026cc510a405ea807aa426

SHA512
c01d6065759470fe7cbae372f587b44b60b12e1c8fc26cf286a60e59eae3cf5a0fa79913092983f40a69b60d9c4e908ca94c86e9f343177f0dd8b642bde5902b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwcG.exe
Filesize
245KB

MD5
5bf5a54cf87a0184516b53cdcc331c3f

SHA1
eb1faad94fc687eada0e2a06610ac8664dcb370f

SHA256
91aedf01975ff7654fc19a6dc01ac9f29bec0161685d9a925acf0bef1afdcc5a

SHA512
77133a0ec6a6d931d7d95e786ed09b879ef76965835ffdc415512e986ab81f50265ccb38d3ad9a2c5c0a4d40792a452565a34f9ff79f2063c4294d8aaca7057a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZGQcUsAs.bat
Filesize
4B

MD5
eac67c4403e9240c8d6e21b0f69938bd

SHA1
7f656453f7d88ff353dce498ea128c7c4317d5e7

SHA256
4c6c522cd4a9e3075fd5b662247502feae579a3398a859f6dfc92c21f8a4b905

SHA512
d8fbd13bd944988a19724a2fb39dda2ce89551c9ed49baa9d7be88aa50fe0a2b30e587a5f682210d3be50dcbd04156b022374fd5fd3340e1c7e27f68361bbff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQMg.exe
Filesize
641KB

MD5
e8477cff7af9cac2e03d8de20a334170

SHA1
45ba23e4e2d5bf192a083338f0605944b1682dcc

SHA256
16c716b571859dd5ed612846e01dfa8e58fbe0d3d5a247eedd329298de1187f1

SHA512
6c15bf181e60269bbb48bdcd59051d951f170b876b7ed4f403e459abbdf9f94f7c7fc7492b2a2ac30b5dfe17fc9ac3c900090b3c30ff2319fe2282e90a3d15b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\acAy.exe
Filesize
232KB

MD5
af78c794fa0563707359c49a67b18817

SHA1
b6885ae90819b14536b17ae911d68f579708c518

SHA256
2b7eaaa65b6899d442cee21b321625444d889f64756e98bdc066cc1de140b043

SHA512
ba83f3b780b1a06a6cf50d8bac58356c749cf35da014d5d8a092fb1d111a5d90e0714e07c9d284b964471195ebfbf1baadbdc226f0770ec1351dc7a8c4083c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\agIs.exe
Filesize
206KB

MD5
646bc4f9c7d9e8ed7e9ce19354a69630

SHA1
c309aa433a8e044b2473c4a5c4fe0d9286f45005

SHA256
f2248b91518285724b99713f7388cd3ae626830116125779a89fa4d96ffc06a3

SHA512
21f18508fb4633c596a47b47c7e3ad61aa8da3fba66677aba1e2a0054e2c990c2d0d9a1d3a4ac43501da5ccc951e0553ef76cd6f750830e4b343b7a21cb4abce

Download Submit
C:\Users\Admin\AppData\Local\Temp\akEU.exe
Filesize
199KB

MD5
09ed3be6e6a371212d547b57970bc860

SHA1
9344bc3acba605c190e478ab105d68c2461a1901

SHA256
8bec2a417c70b3527207bc57436a091813414a48b824b11e17810f3d905ae4d6

SHA512
8e914798c27311d93da5e98af83f0f02cd25ded9979f0f522f3e793050d61390105d7decfc2b7ca2959824678c81c5e50c70815c97e3d401624be126e3e82696

Download Submit
C:\Users\Admin\AppData\Local\Temp\akwA.exe
Filesize
250KB

MD5
0d1d238353b034c78815027960610798

SHA1
e679d1e4d7be25e00eb5cd20c5c5f1e899e4c4d9

SHA256
0a6abde1ce718f57f651bbde80e74a90a17eb3f365b6c06bf23d148e8afb67a8

SHA512
d960a6afcf7848c904ad49118599b562eb98252845a74c536017719fabe421c90258b247b13f03cb1326580fa9f31b011ec10e4f4433ea1a674602a34c8a5573

Download Submit
C:\Users\Admin\AppData\Local\Temp\awoYkssA.bat
Filesize
4B

MD5
86b6f6d71d111f19b5d4e1361b703538

SHA1
58e1c0cace2913e9c4ed668cf3641a636f7e3e48

SHA256
d09e0debaf03f324f1f2883e0e320baffc876fe181a94f6f35189986f58d8062

SHA512
183c93025e577d81554bcc6b2bd0e5ba467de308ef3e38296f61a2245aa8d518c86f06d18270eb40fbd90166f904ccbd2ddc2ad4e88531adc0b3a145d553337f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEYEkAck.bat
Filesize
4B

MD5
09912909b75ba8dd84a86cfa5a7377c1

SHA1
de0fac9af5fc5e83cddcea9d3ba99ab6e9aaa1a9

SHA256
ebda8ca251a1373fe106b94a3b3377f0b194e4ba25e6a47519e5607f12b2e549

SHA512
5cce9c2f199c55900a0c20be99cca72d3ab2ee64071922a78f70de6c2955b8fb6e0016100e1b15f12111e16aabbfd44b6eaf84b46e7af5471b597a030466102a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIgEgUUI.bat
Filesize
4B

MD5
1248d50fbf3d806e4a1d162a6864d4ef

SHA1
428cad2ebc45aad00f287a615a9a92becfac6809

SHA256
73ecbbdc9015f831c9b1202247ea29d4c1e4d680121adf142254b22e79fcb331

SHA512
c001854a4e5b9ae40815c5d2b861bba0c6b14d262e5b0d7bb2648df12928a7371a82578723075b715e3d301e6989d34d1bee16edba3936c49a0119f75781c8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bssEMgYA.bat
Filesize
4B

MD5
b8b553556b9710d68b7ab04c70efbf48

SHA1
35035f63cc15dd0dfbd7f944bd11371beffeb2c6

SHA256
142ee5fefbeab756c3e53de9bcd8c8242bfe9607916b3553f155f9c910966fa1

SHA512
e848a029abc7db5779afc48de45b9941566d8779a06b6a8adfea7fe005c6f20f56a1cca72434f6baf0059c87f7087e659644929158c397b5b68d33e2f3cc6934

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAAY.exe
Filesize
835KB

MD5
f5faf5ef651c1159bbf630d532e1d60d

SHA1
1ed62009afe11d54bb8496275a1a422a7bd90bbf

SHA256
0da2ff498fd0f634bcf6c819d45beec8c617b8ef9aa071cfd4cd0106879e9dfb

SHA512
8a5b1e35ac237ba023771675ba83eb7f338189733591b520e35bbb1416f8c2d6bfc6192ca55565c4e7d2eecbdeef42254ee912c9170835f770bdf77ff3f1a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIgU.exe
Filesize
242KB

MD5
65f7089ca65b3a3021c01c07cf0fba4a

SHA1
eee5ab04050c911bf20ea549b313edbfa76932b2

SHA256
4b4d3559bf8d4e653d4ea796582e874de9f530ed5dcdf55fa7ee2706ce0cbc29

SHA512
7ab867a118ba2e9d2dd0a6289b3bd95b1b05d87b9da3497d6a7db385f9247d3d920525750ac4fd420defd163255f67870a1a08c0a24b5f9ee2b199ac99644176

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMsg.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQgu.exe
Filesize
624KB

MD5
527a1f0ef5b2549d10cdee55ae0f45de

SHA1
d34e16873dc36951118a23f816963b31f9b841e2

SHA256
c3c5ed4383c2fac471ebe889846625ce20a8bdc0832e85fbd8c786d4e92d55a8

SHA512
1d2e53c4e8a68e105ab26eeb2a98efb1228e0d7e2959f6e875702302b7561c57ddac97236735bec145577d99926686201620e22a6ccb7fc307f1c71ac486f661

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUIC.exe
Filesize
313KB

MD5
b830e41608bfaab9febf9a7107f26d92

SHA1
b65dca4c9144514a38a1d4c74d97b5381cb0c681

SHA256
03e4153d01c44b3479c5538be025420bdbaa87a129b04fb91c8b52e998a55d7d

SHA512
14d0cc2ba94699b0d9ca523c0c4b9be50e6a2d4569642b891b3990d8f18d86d999232ee650dbb8661b5fe24cf008f820124cf9d2ae102e6fad0c33baf8bc2020

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUMa.exe
Filesize
243KB

MD5
95cb3bf89f0419bdcef4204f8de800ad

SHA1
e5b36176f623a9d1f013a4da64bff864f53e06e4

SHA256
716cccf59637705ccf6a4f6b6d50eec933c5f79f7298b800220fa601f91e3a12

SHA512
46961095ca9086721b01fbe61e407ffd72edcb0f29c76a56d66dd28c69fcece6f59f718752a4b41bd748f50ae49c3d5974546895b479bc4a4a545f68c4482a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUYm.exe
Filesize
252KB

MD5
339e5e18f2fc561248cf77fcd8f46417

SHA1
988973f0eb52e88c8274ad1159e55ddd03887fe5

SHA256
fe10dd2598298dd09b7dd8a18bf513b528c8247d3f43a42d1e63f220c4555423

SHA512
e04c7608990d715ce36eafedb3ebd9d761159447640871b669a62366e64820e86cb5cca76d93b1b298bb18924bd435a5454ed07e0755e0efd10906c9d82d2910

Download Submit
C:\Users\Admin\AppData\Local\Temp\caMQgAoY.bat
Filesize
4B

MD5
a97c066b1dfaff2ccf67dc2450e9d0bf

SHA1
bfd5cc62e38ee28aca0e6b157f9671c3f7446a8f

SHA256
a02b290d9a2392e60e86def2bcc360f381539e88d15581a5e6017c3ed65bb8f2

SHA512
5b8b43feef585eb99b188f72d1688e56bcff8cb285e7f170378fc53201178df90108437eb9cf8102ef86b498310b53453a316bfbe9d0ecce0333e83f82dc7202

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgAu.exe
Filesize
225KB

MD5
80cd8080bee44dacfef1d7a5b2f0439d

SHA1
59158bda6634c3594f1e9f905dafa0fda92e2269

SHA256
452a280846482d53c750d4c57482cfe61ff40acd48ac337de4d0968339ec6fac

SHA512
294a5eb73cb9bb6e7698a40fcf192e972ef643eceda061016a0d2a43d774ef6f6e1d512cd1ec04490e647a9951db3566197def46dcd181678178cc3e6f45a78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEYAQIIs.bat
Filesize
4B

MD5
27e504067d29f1c6d1748c1e748568ce

SHA1
a5d5b4cd8e51ba969e39654b18feb4da5a0c5cca

SHA256
d4a80d38325ad8d470afe09ba9b744a2101ee7b0a370533d7acef3e77feb7a44

SHA512
0ace661db3fbdbfb9e4751aa39536507529a4b832800706d7cceb2dcbdd40a13068cecbe591f9f10c7974d1feadaf727ee964bf759f82729708ced1e85c077d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIwcYkUU.bat
Filesize
4B

MD5
e4a3b36010eae8e257df6892be1484bf

SHA1
dc861e1851597cbc188425dcb031d3efa07e3813

SHA256
d68ca5e8f3f3e3da33f14d732df2889ab718c4128a5e67c48984455302c67886

SHA512
63df011bc00739f13416ddbe3e1c8e5d73140c129d744bfcef76cafbecd40ebc2ce785793f31d9867dd0197574ca21ae1e7c23b773d8af7ea23c71a0059a19f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIMC.exe
Filesize
241KB

MD5
1d15abb68d8c51f1a677882a246dd1d4

SHA1
3e135ae118665a3e3199f9ea61fca8aeb41c5f08

SHA256
82c2fdd7771ad623f36e1adc00f14d352a0003f23b90ad7f199572a40c8e4965

SHA512
b44de6510c2b5155c5c7b1ac6ed4f8b630fc7d7f0986fde8dc01d0d7452440f3a3d768d0d50486c9da91167c2a683c266d2c8a48fd3782feac3cff8386f86542

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUYS.exe
Filesize
189KB

MD5
a18a850bd64a87994bd56e04a9735e95

SHA1
a1b1a2416effd9de35c7358ee478ca9db5af9162

SHA256
4e8f59767c66178ded4ee470bdd67a6b5221e5c05eb88b4e808524b236431889

SHA512
07c2ee33664fc629f971a1d3590927087a779e7c342839ec7332b190335fed16b1feb09509e54c01bf693519a59206799c5739c4ba81cdc3bf75b19cafbe7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecsM.exe
Filesize
203KB

MD5
19487209766f2fa599355b685c4269aa

SHA1
52f73bdf8faa92fc4b0e1dcad127ae7c8a80696b

SHA256
728aab159855a54cecfd12cab320b2e9611734c558f928fc176b09eba0e1c1fa

SHA512
34cac1e6cbfef3597a99e64d260efdf0322516df29ff322c95a0c9d604a8f887db029b78151c2ae4f7d3197b4f3f44d7cb3d7adb7ebbc67435fbb67b5b44bdb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eokIsEAk.bat
Filesize
4B

MD5
02bbc92cb4effcf7d22ddd53c7841f70

SHA1
9ebb7a0f77842c92638917aaaf75cb6e7d4e74e6

SHA256
22dd3bab0b5618b13f9b43484e855256131e2a929b0b0936f58c510c995693ce

SHA512
19c517a39d8b0f831321d1bf7ff5f6b1ac580f78c2036368c60d3c4c2a085190fbbf3c30aaee946598f466a68586d0ce0cd585fac8c67ab5ce203a221ace2401

Download Submit
C:\Users\Admin\AppData\Local\Temp\ficIkwQk.bat
Filesize
4B

MD5
56347f4a76751ce3a4d57fa181e5cb7c

SHA1
5f1d9612112ea004edde66c767efb92eccb961b5

SHA256
261b878a66239ff9efc83f2994aed7ec767eda1fecbe3d42f54bedc7c7abdc57

SHA512
3302861bef29c0261c19ddc9cf976a3643b2259eca0a5f3457f35cf386a08b0d9ac18ca480d01d1e475f190b53cbcb0dfab1c9dab064e2c1254c216f2777b6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsMgoAIk.bat
Filesize
4B

MD5
99791063dbd932beebc8fcb75b3087e1

SHA1
2f349dab35ae8bdcbff7bf0a2c673a6f3838780e

SHA256
605b0c345a1dcf7ef76c400d0332efe16228215f65470e738cb357fb51a3008a

SHA512
53ebc6fab4eaf899c88f6c1c24742d39f2790d50011bd5c1513bc31f0f2062225a10d6cdd141854e5d0fc2b69ed72dc3099065ba628007640f041fa42e9ca295

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAYw.exe
Filesize
202KB

MD5
0633882ad66114ceb3d468c7494e8227

SHA1
0db022dab9e440a9e8604f0f71b99e13bfa6f1d9

SHA256
712906ab1ea528e953fec9aa0fee2af56f50b24079411cedecb427db5aae6711

SHA512
b0fd9dfd5d20eb84d3c953027799df113037cd4ded577a47c0a593d0b8ebccbd4b2102e937a27f1345a999c7920df63b0e7b44cdbbe21ca7018d92c5aa79d8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAkQ.exe
Filesize
236KB

MD5
04e393e807e89029a983711af3861bc0

SHA1
0bad15d8c3a0814a1cd972f728c6d8867fd72e85

SHA256
85a55ea778381b79d48a3d4c4d4d2b208e80e1d17699cd7d03a33820e4f27c97

SHA512
a648be2da486db42ba2a615e06d46ffbaac993a3c3dcbe668bfdbfad4f0318a58c3f4ed794cd095be54bbcf39a9596fcac41d345b32939980815b224901348b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEgo.exe
Filesize
220KB

MD5
3f5744ead5e5a4ac1b791a50b636f19f

SHA1
de88969ba1a4bfb4365470809cce96db1fe91a48

SHA256
66a35d9bc94eb02c6ec13318f4a66555e2bea88866c12e66b1937e027d339eaf

SHA512
8c5b8105f1e76cf89da8fd30f2eea4b1bab529434866da6fc7f099a296ffee917ed7325f6094a7b80b44d07c8cb17b312ff5a9738800b2210a757cea85afc119

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggEc.exe
Filesize
797KB

MD5
7afcb9e7cce65e3719a7612ed292f193

SHA1
3561a11f37422e1c9a3c46398242399b0c5a0d3d

SHA256
710bb199b6e2c8b6ebdeed3e0dd8b8112f6af1ebef87aa01a241c7cf811fe3d5

SHA512
75d8aaf5382a6034fbc37c46e7eddf951adfa0b505212e7d2a16f208f94bb90ae3bc3f5ff1056f39514eafbf6dc259842b27e497b23f0f12c7ada714646766c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggcu.exe
Filesize
241KB

MD5
cf232c66495fc11552f161d9450de1a7

SHA1
c33dc8a0f9458437a25c631520dd2df372f90bf3

SHA256
ba00d42930fdccbe9f4936cc4629758d796c3159a840c41ec806f31ce1228411

SHA512
0bf26ccabad539a4af459901876e25cb45157794a1a919b0eea7308a633e1c5a7e34ceeeaa3ec09f26509580b5b4f443c990b609b9c976f88f8e660cb8184476

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsEU.exe
Filesize
234KB

MD5
22099d320a20c6632dc0ed874d7454ba

SHA1
f55b31c41265c96b801692dd3825d2c08c28df3c

SHA256
aa0c32c9a417fe1b6de8a73a68bc983c560965292c7ffe9b1af0d2cb1c1e8be9

SHA512
0b46bd67a82a4c93a5c3254f7809889e492e88d76dd5b7ad273a7ff84492e752f83dc0c68f763b1843234d8cc6b3731e19ba09dd4634e43d15e9226572904964

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwMw.exe
Filesize
243KB

MD5
fc096b4c243833325f6f328d5171cb68

SHA1
6734b863938dd16964653e3a6c765ee5407d4e1c

SHA256
ddc9c68c04e6d537467239c94410bd48058650090483bfa5a8f81a0357383d50

SHA512
c266aa4d857016103e1d2a19a898b5efd3c06802c0e6c1fc91fc00ff3743494ba3a280b056e899b0ae62165a3da7ea2f548e5ae35984805000cb9fa4bc1f60f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAoUYQQI.bat
Filesize
4B

MD5
ec97929a7a1a0364c350a8ee0dbabd65

SHA1
229633fb16b85af388191971b8136c9b3aeb2009

SHA256
bdb95468b7a919882c664e5e93d1350a432517214e00afdf77edb9c4fc4e95f5

SHA512
09587604208c78115c1803ea44d3cd1640e2613bbf99417d22bff7fe38f9d8a0624f1ad3f6cc415f9abaa32c8b837249233a514ecde8e68ef4c2c2a7b1843e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIQO.exe
Filesize
557KB

MD5
599a5f387215062fd1a35976ac2761ce

SHA1
741d956e61409b439ae6ac58367412c43eb056e5

SHA256
45a63ee7eefb04e005aed9d826fa409de016b5d7a6a4451c1cdaa1dbfe3a52ca

SHA512
ba058b5f2a1a115c752c4052368eecdc89ed2f8ba1e45dc377c868e52264f8c3d3e841d9e63761e10ad74ea7a877f8ddf70b30c9171d8ed9bbbcef84a05247c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOoEAMIE.bat
Filesize
4B

MD5
dffe9c0d7f97cd804caf28003bbb19f7

SHA1
b9b2c4fe11f912efef104c0443dd395a49544c22

SHA256
10a3b2d10b4a4aae783660803db251fc753c0738f422d9361c277793c3b143c8

SHA512
b6874eb2c660263b7b2b4f644aa6b25893e9a3c0f3fef97709da9ce47b1a210cfb53a2b939d5ffa7072ac210d4dc96075c7e306bcc7fcf47eaef13687b72aa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQYU.exe
Filesize
867KB

MD5
13c4dc0cb996759d66c04ae370549308

SHA1
fab7c5b3d8daafbea9c461fac05c8cf5565bee31

SHA256
b4e634201b06de9aadeee25da4c4cd654e1eed003e24981630ff3f1ccf5b87af

SHA512
ee5ca1a5b2994db339d54283751dafc5b6895c882d7510a9b31dccdcb60026ac868e97ec088ed8cdb16325883fb8406561fffd702bd95b46bb071b3fe5c371c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\icwC.exe
Filesize
250KB

MD5
becc61127a248b7371fd9e143280fc36

SHA1
a87a80d4cc649fc476ef357a94a7440c649d1273

SHA256
e84a2e9ed688b77ccfc1a8b60f7901b7a5e812104bfaedf54da950853285d938

SHA512
2e8f717137049a41c0e4dbc1ab433cc33834eb69d868afa1d36ad64c05e0d5918ab7a0cbd390a9af43bb60814056988e3e03f167bd9f644f0e8128521d8bea75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioYQ.exe
Filesize
312KB

MD5
0a43f48672c814be539ed4a984e8e1df

SHA1
81af8797632d3cf4511b2c8032f282fe31e8d254

SHA256
69c5c5b1c21e76acf69cd01bd0c534a60bf67ad58da61bd0e7579963aed0f5fa

SHA512
7ba12a93fb790f5a99ca4bf024210aa597c64f1dd574f3922b6710a420d3267eb9c17d506c7556d89c3847bbab07bd57f2ed48e8c25e28c897f5c84ddc03bf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\isEe.exe
Filesize
252KB

MD5
09f93740d6a2ece62f0b1e4fb2e153b1

SHA1
02c875a9a80eec1f53c1b2e5545f86baaee005af

SHA256
9a82e447dc5fe106938a35db8708205fbf800918669cd2bd54b5c38338ed553d

SHA512
61f0dcde662fc8a808226898886753fff820f19504f35bb973870f0baf1a0cbfc73689d324d43be4f8e285ff51fb38d37a88cce4b6e775d2bb6d1c7bb89d87bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\isIe.exe
Filesize
629KB

MD5
dba577a4f7accbd70ad519760bd69106

SHA1
1865e0f8cc68982485029100e0c209927fb31907

SHA256
15bf443101ba26de1d5dd1144bd5fc7d8f9c6ac34d210adfd461ff4f1e427595

SHA512
3296a0301d8094139533e58173e58ac96ab6759d55199f1dae6f4c8fb889b053af09232f93bca7e1fb7d7e4ba2c4800af328106f2798e0f3123f4b7a1ccb7bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAIc.exe
Filesize
1.0MB

MD5
c185876416dcce6f9b84c8df1fceb5dd

SHA1
33d26eb85534f7969841a0950d49843570f0e401

SHA256
7831c468fc20707688a79b885cf1160952d6cb2645d5ff55dbcba4b4bbb5c105

SHA512
926d267c0983dac95051abf0c4a15707b19768a8bf25c21670c01b745e499b44f487d416e4a8bb4f245b3e2eeba2492eae9571d6fd71a1e8ce4304b6b398ba2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYwO.exe
Filesize
244KB

MD5
e87fa5187420fe653ed0f1c59c6d57d5

SHA1
a1cd96e5ebd57cbb0a29ac22adac501505cb1b7e

SHA256
5bb634eee85f652eda265848de26ea4997be8356e44fe1c361455deb1c739834

SHA512
0a3f848fdddd6a6b69b3bff80b09bb0bb13e2c8916a6a584480a61a74dba632b5e1bafa06014158867d8cab115dad7463e06d3c6f7c76e5fec77faed6ac350a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kowg.exe
Filesize
222KB

MD5
0207a0a91fc6cb5b3785073aa4ee89e5

SHA1
94c86a62233a98a3864c379971f40834a516b1ee

SHA256
92650ca92e3f2c14012a7b6cd76595ede0a0e526e309475635520ed1f650db37

SHA512
cda9ee1d1defc388b33b2e784c76eee386374a2f42e1448755ba194263a0924f5739b4fdf97b42b1aff03aa876593d99b45f3894fac100e88f666681bd3b42a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwMS.exe
Filesize
238KB

MD5
645a848b724d4e32515ac6abbe6e9869

SHA1
4d135c82c394444ad6d69a15d02a848159b558af

SHA256
e13a3fc3bac3d1e643753e7a5d7758f42fe8212c7251bbf0e9614afe3bd8e8e1

SHA512
e78ecdec1b6208f8953e416b8aeca2a63a843a4e7e1e26f207818f8288fb28a3fca8474e8068c1bd1f0498f71e9e65a907ef60b172062fbc8b45403d09a09967

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgkscAMs.bat
Filesize
4B

MD5
764e7c5808e0164bc72bda1c86ac94ac

SHA1
afacbe1eb9d32e5c8e166e9c0636f5febeb6094a

SHA256
bacfcf3ae13520b7b8bbd572e530940e7d1892eb5cf9ec76017f618a7cea4a4c

SHA512
c3de2bfdcfdc40cb4beb01ac3f4723c638350163d303ddc9134267f3b7fd454a87f86f13487dd2e2820b8ec1e11ef68698ffc8128884b9b2888a197753d6b9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsq.exe
Filesize
722KB

MD5
0e5c3fb5ec54411eb28ad2e41f48eb4f

SHA1
de9b48eeb2ae08c87e43a8712c94e25edb32a660

SHA256
39f060bb9043b2a3a376ceb88faa35521440eb183ee8a181c851af3d33767d24

SHA512
aa45ee45d1c8c1505832af56c581a2778008525c3214ca484b7498ce70639e9ae954b1d0f76979d5b76b99eeb608d36cd54b4ea6ff7c3c26fb91cbe6ab737802

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMEI.exe
Filesize
240KB

MD5
b6bd958b64614ecd2111b7899c42c98f

SHA1
d130ee23b4abab1209e730103abe64d88f37951b

SHA256
733ae9b5e5f18d6f81ade0891ca54731957f8e20a20ac7f98bfa5afaea35d4fe

SHA512
e36a270a64c7bc73a852e0b3147bdbd467f5b6400c7ae0e3f0c93a51369902268ce23028db6cccdef029dff003702252b274ad29906a96795c91f1c32ebff5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMQK.exe
Filesize
245KB

MD5
9531d00103664133ee8568b846cc36d8

SHA1
7aee299f9275c00fe05b12040c6ccbd3a24e6804

SHA256
1c80544ee5d0c2c55a8340f154dbe680fac36ef6cc3eb6cca788f68380c3e1c2

SHA512
0c7f8c13d15f2733e7862a709e99335607be2aac3eb95c0f519f551f371208044a94f8f2aea61c49fac3131ea46710f3d19792c53bc00583dc12042bc0ffede5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcMA.exe
Filesize
185KB

MD5
88df88ab54a84b83201d19242d66051c

SHA1
b57c635c1c8b38287d7943ed9f597b92cf9ecb54

SHA256
1fc6af4e55239028b2cc7aed622c09367a4132ad5ee1b8716443285836af2197

SHA512
185638e39825c30ecb0bc9e3f2d3788425a90f67c342af4cddb80a624b41466f4e14a094ba1bfe44e9582b80dd26a3d0c9c366da3f2d99009078d3152e03ba2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mggo.exe
Filesize
912KB

MD5
9a328fad8a427b860d3c467fe94771c0

SHA1
19e245acb3d70bd9b582847bdb7fa098886317a4

SHA256
81f7744629648335a86f4cb1960aecbb596f780a52edbeed50d0bf6c2591ebd2

SHA512
9c5d11e542cccd69de02393c408290c0ca1bde2606be9c419924475e1da19b7efa9bb110a7875c9ebec1c214eda71ec8164b7f2dd7a241c5a77470f57934affd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswA.exe
Filesize
195KB

MD5
67b4ea8dea79f386120b4b48dd46d8cc

SHA1
0b83d450ec53e6f85c9bff0ebd26b8708a6a318e

SHA256
79e0f6d154fa1f4e099ca85c895b82130446486f5c2b8d3b6e88ecbb1e0bc2f6

SHA512
05448f23fad26abb5a219edb5833df7aaed724559a46362824bffb717117115fe80808f0150486bb5eb5f3344a32c45f54dc11ff33940bae06675a8a1da9f5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwkK.exe
Filesize
201KB

MD5
67af5715f57879073382b06f5c674bbd

SHA1
71fcef99d48525ca86fc02f331111efa091a8d3f

SHA256
8147d113a93c2e47c6176cff588f3ecb569e527454492f4aba868e2936bfeef7

SHA512
6102897e7844dea98c3f6acff72a03de0612fe862437cb889b34cd2dc4a83b52756ada2f5c799eb1054cceed6c6e08c9da27bc06f7a202ffff50dc420f7aaa43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWUIoIQs.bat
Filesize
4B

MD5
1cb316fa89b680a08129d93c11f35e63

SHA1
3ae803bc47e9b12f022fe78074c3365a862e2d29

SHA256
ca9e668a112e378534c855cdb2060d6d3849a049c440ad1ccea1f1620bb0627e

SHA512
84710834b2e7573848e06a5a70fab9c45a85450bd4b947a0fd71a379e7266b660e16dd94ec433e7d2dfc842f2acbfea7766788829738ef5e4681a131c6b19d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\noUMQoQE.bat
Filesize
4B

MD5
127d81dff312c27f22b527b56cc2dea1

SHA1
f6873a08ba3ccb786585aeff06fbae59fcfcd7f0

SHA256
8ee752732b545370a5b7c14f98eba6d8a667ff00713324132f11ad800627d147

SHA512
63ada68699e0962a28a552eb76b5a46bac908870d6779858d280e72e30399466b930ee9a870a038aa6cb7307f6a9c12cb0a898bd4c36f20b5714f0d481f3ec2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMMg.exe
Filesize
946KB

MD5
0f3c8419c2b2da6d1f08a4e914c5d275

SHA1
447f5a97237a225898108bd2165c7a63354d8877

SHA256
dfbbfe23512e6d385a2e9f6d0f70c086de781c6f97160277bdf757ba0ea768c2

SHA512
9f8b6ddf53b495ba91e432230bf4e6798bc2bf882a909ac04963e41a8feace1c09f57a79c42cb66af5dce587656e7d8b94ec33de36e12f999fe654d629ae231d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMcw.exe
Filesize
1.2MB

MD5
d204e3f1baccf91c521c11a965e5e8b7

SHA1
32c1a487817c7435f135540fe591b3b06fa43432

SHA256
9179ebe440199cdb81c34d0c03521dd44afb69344a0b6b38e8ef1a267b3613b8

SHA512
55d6cf91edfb2d46336e23472be4007207eebd27f2cfb84029dd7fb4822404f61e69353b9305a0be7d3cc29ff4fc57431be3e9d4e8f6069905b9003c0cf78477

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogIU.exe
Filesize
822KB

MD5
53163b15283796be4ed7524853d2fe74

SHA1
0e56aab7db613c32fd471e8511a8e0382e398941

SHA256
970b7f00591c6376146ad63ccff9c5f5e89e3a8b3dfb844fc64ba9597878133d

SHA512
61480c6bfbf0d94b07d8abb11aab8738cf7f7230f9e7cd83f5b619552d590d13e4ad6e938194f826289e4a59db72a51a270b8c9467ed8228e9a7a7abf6a40c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\pSwgUYcU.bat
Filesize
4B

MD5
6f4730e098074b97e46ce022aa351d10

SHA1
a4746b4d2195f67f2849b9cb3a3a076b06f524ef

SHA256
bbf8a413e4ef5318f26baa2b27021b64e413554aa5cd8a78f0886bd415148a2d

SHA512
5d3fafa631b67daac85dd704100aa6622acfea77d0448688680b47df6b32d949c803c4bcf7362a52f1e2eeeafbc4846cf6e3c147c1d6f4d6983d045651c7dfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKQkAMgo.bat
Filesize
4B

MD5
94c36c251221d2bae4aa16db26a676c6

SHA1
f2b24691f739c2ddd228c54c0668db23016a9b66

SHA256
e329974fe96676889e64928d15f45b7fb5453f32ebb6febcfb5db926c3d8a0ff

SHA512
ec11e012412b9fcbe96dd01434d701c3867e8cddf5d759643d5963b07b4001fdd368952e71d798e300b2bbb6f00fea8cbb62f46f755d03cba6142549fe9d698e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMcU.exe
Filesize
230KB

MD5
d3e16417cd20f8e4fd18b1a59dbfa45a

SHA1
213331d5c04403662ad0ef8ccfc8cf735c299b47

SHA256
e1d4f593d3f9209d9f4ce448104e3fc35418af9f0140bd1b60b5bcedd5e18016

SHA512
53b47a98a1059171afad9d287efc70cff0c79124a4e4b61668ec318e99be1e82bb95550d4c7d606847eddf06225477487320d0095aba676620dbb3e74dc9b521

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcQAMMsY.bat
Filesize
4B

MD5
9a8950d16a26008f3fcc24b8f7b3ce5b

SHA1
22a9e9a86fed3ec0e901a79b09546518ccd32b2a

SHA256
3cc8e3dce8538b90fd94b5a99cc36f4e12647becb1a009d8ca85c1e2f23a18bf

SHA512
369285a010594b37c5f3e2ca86c99bbb1400c6b4b949502759abe93b7dfd8a38d095970eb7ac0534748b7f852ed540f700f4f15ecaa88e4d6784c972dcaf2b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgQQcQUk.bat
Filesize
4B

MD5
8407d9f120565cc155eff5bba4ecde7f

SHA1
27f2b3706eaae1cd1e32ef3a7415c4053ba85718

SHA256
e785cccfbc260c1286331f4032c2fb529b620f023ca9f91914eb53a52ba8abbf

SHA512
7afe9a60d614b17b548207740c32c2e23f3cdfa548edc1cd8bfae52c0775d9314efc85e305de561644c2245bb286988657ceb14c3864e164c4d73b814380a021

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAUogEws.bat
Filesize
4B

MD5
c375a44dd796946cf957baf67e0b0870

SHA1
3a8bda61254a13b31b4d4e98402d674878af3d99

SHA256
f5b1c0465e71bf122e05843a436cbfbe0c0aefe42b3258478f2ea943f7a1b5c6

SHA512
e21ea7dd0f36c5b012c39ff3969e9a41647feae17b2d4bd9fa34fb3191efd5350e7db8d2e99a26fcabd999df26ee1385b0e72c185acf358f464033a32bf72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEMc.exe
Filesize
223KB

MD5
c3f88721474b2f0828f0191b5552b762

SHA1
657a904d9990576761a9b6e75ef302e8627dbf30

SHA256
5985512a2039f6bc45bd5bd15840c3f4a00a46148b86e98c79583092d1353363

SHA512
43cd1a2feed74e1dafe2957b4fb50a9e0ba746b1787bd987d4ff5342deaabb3211d6784e596bcccc7f0a51605a75c46a24d1b3ab8fd2daa35bbf51bfbc0c4baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIAq.exe
Filesize
191KB

MD5
bcf13343c22e264e3f98c8ce784dd0ce

SHA1
08b4578a346bcca7f97f19bcc532fc319e9a3157

SHA256
24bbe56415b321454bdc1f5ce8548b80afb17de934f73fbd1f8c7cd9abd32890

SHA512
dd0941d180c5e4705f20b2c1dbce2c342533c294654dfa3def6f8fa5aad2f2e33ece7e4f019dd38bac2fcabf25a0bdc63650ce9879fc782227163160c38729f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\socC.exe
Filesize
211KB

MD5
575b29c1ee6829cb82499aa18e2b4c71

SHA1
0ef7c233f4e478e2ed01d9eecf3fd9eccde9d8e3

SHA256
5f735a161a18669776a98515be5d781532fd3c7276ba8d5263526c68d687037f

SHA512
c722362dce0b3af2957cf4c822c2165e62ddbab23e2fe3835277543df43a3d8316ac6ba2e89f3c199c08efe5ff9a2077bf5b90b5d65006877b8370068da63870

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssEy.exe
Filesize
194KB

MD5
872925d24605456f922ea6bffd4ab5db

SHA1
321b3ceff26b5f82bd42b68e68d4aeb7552256a0

SHA256
39073cdd115d103e535b712fb0c977c2394beedb66c8c8125889bd06d0362c1c

SHA512
88a182bcb39aa957ae9037f38d8ecbde09ab55acbd6826489042408a432261aa749b787dd3412caaa28ac54635f7404e9d1b87e622101789a33e920731d5e307

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIMUswMM.bat
Filesize
4B

MD5
110a1826587f1714957577313ebdae1c

SHA1
b43bf0c569ad9378609b4c23e2af13c44c0be184

SHA256
ac041b8fd14d311c578999d5543da1f0c7bd7294863fd1e6e144ce69f964ceae

SHA512
717ee260bb43255b791001c7f9c31a21007577752feb2d5a3e7e5dd40559d72fe66d88191063aad40068226fd97020b02a7f04c9c4e2bdd6308dde5debe94577

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIswsQwg.bat
Filesize
4B

MD5
ef2f09c1349b27f183b5171ff91cf233

SHA1
7fc1beee077350e47f65cb5668ad4c4e00353fdd

SHA256
155995391f4d0a0e28055d48e5ececab7fd296fbb5de7bbd66f2f19106909576

SHA512
457223715cc865930a4adae881982303ca767dcbd1861b6bb9903f9531be45bd4b5c81fecb054d54a4db731c440989a778e5cdf2887f90e0d23b8ca106f67bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYcU.exe
Filesize
245KB

MD5
e4d5b271e269999e4bb39676e411978c

SHA1
97ecae2ff12e6c7d6f8cf346cc35495224f6002a

SHA256
e72d89a58b4f64adeee76fa48a093bb77f5e76f5b32a5da117a6b30ac7fe4abe

SHA512
f6629b787fe837c9a002636287c1a8f18d7b99bfa2544e686373988707157586334e39a52d9bdfce5157ffd64d3f148aa4872e7f8374265dc1c3038b80edc6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucsQ.exe
Filesize
203KB

MD5
dc12f639fd0401083b758b2b2838727a

SHA1
3dbbb70785b30e60ca2c97e9a5bc7693ade982f8

SHA256
13e14a5dfa7e863d5441d7df5d438122e0e0be614e40eef29609ae6e2d1cdca0

SHA512
fc22b65399f38c434275985d4c94d2161ad6f4657172020760d3b20277fdbddcdbaddb645963a840ecd4ef94224e7eea1427d5c1599375282e6fefb58ee99d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugAm.exe
Filesize
646KB

MD5
d8615f407ec306866bf5475bcaf7be6d

SHA1
67ac9821c8672a63334ac89e1c3302d73aa701b8

SHA256
1568963a3283cf8f29fb6d04543834aeff86f1f621fdd5b913e06f771097571a

SHA512
cbd5d7ba29cd99e72acd4aa61c54eb65c7aa7d777412a1a8d02e7530f5b70a1bbd8e8d614f6f6aa39ba5852693d8b8a003de0450872f1e8b284c0a110bfa548f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoIu.exe
Filesize
250KB

MD5
a0a68ef63a99d338f5cce32797161831

SHA1
f8dbce6197afd26e045f7660a08f8c50fdc72c4e

SHA256
2c7f370ce3c75883cf2a2382ed2b05d0c09f31526c47de648d2d1c4b5f2c30e5

SHA512
307a7887a6d8bc8774c2eccb90ae14dee0f7a052c7572325b742c5fa036dbf35646bd5711e0be7049934a1c84cc389779a11aa6abb30665e4d0c0f7b34c1cc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqQEMIUI.bat
Filesize
4B

MD5
b273a50bd237fac482bfcfd65354d96f

SHA1
fa34361c645f89d9d662e3a4070def669c2e08da

SHA256
eac551375aeb12fb3ad2afde28f4d016aad992319ac959f57e748bef9edceb48

SHA512
4c1d5cffcba29edf9c0ab415daea4aef7fa8d0b1372885b1de0d6196862b5de4e5a12cedcfb1b77e862fb59c193cde099c2ab8ff5d66f510724750f0caf50fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEEm.exe
Filesize
228KB

MD5
3735814a9ccfc0e28b86785d5f28ca15

SHA1
1c58928ad6b27717bf3eb7a0eee75a4ccecb6a87

SHA256
ea483f5f56882c1c4e088f29b68ef9863595133943fdb3454b46514f3ca1dd97

SHA512
68cbfd131c5cd7160635adc97be91f6bfe742d559abbc2b589ce09696294399fd345d9200e3f0fa5895fbc679c48f28b2df9eadd7d7e7aa5ff596f603dc7bb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMAo.exe
Filesize
250KB

MD5
eb59bf1d9d9fd08c57a77f4508c17188

SHA1
593fae3d83a77989512958e0fb03f274b9f3a9cd

SHA256
9d82c05e199b7f263bbc91d26a66fd6cd8c97345d0f9d0cea68e175628806201

SHA512
aa9a129f67bcd1a93f67583aa5b790fd653991dfa31b7a4389e64c7930213f5b9680cf8f14b35df74eaf0e12a65c5f7885299e78195242ca1763fb7071d20514

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwEwsEgU.bat
Filesize
4B

MD5
ef0ad856f1346515fdc59df5968de929

SHA1
41cc01b3375e4686d5ca66972acb6146918208fd

SHA256
1a07461a99d2da96d4e7096db76ae1c2dd540d25bb245f1826e07583ce7ea9af

SHA512
42aa6392a86842c39511fe4fa583cd749e66c6ee939073056ceec54430678a069532ae1bab34e38f10f7c78ea74bd0c37a01b4743aa3f7a0f086b1f5cea19e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwse.exe
Filesize
234KB

MD5
86aba759e87673d7db78f6bd9693a897

SHA1
bf68c9c5944eb4156d51939d9e600a3a6f84cce6

SHA256
a3e23f2d6b6c997f2fd95c92434182b4a829fc30aefcd448883af90da1f6b3ad

SHA512
6f09ac0c35e0f59a376259d3e2df682fcfc18c1a8593f98bcf0049a0b773a90706081163083f7a87f730217b48275b09cdd8425f2182f49af669a840cf521288

Download Submit
C:\Users\Admin\AppData\Local\Temp\xikAkUEE.bat
Filesize
4B

MD5
8ead988c3db8752ac6bdddc16fb8049b

SHA1
d29b26cff2070da7a334456b2d8581509163b370

SHA256
865ee6eeb41b4d0150efe62af6225b300dc100a63c82f0b7b9b722035d5e1fba

SHA512
3e58eb38c2b494f2e94068452a58978880f07005722060b31386a24eae1c27282e81274f4e314449ffb835705fcf2932eced1883fa34c47ff3bfb03ff5202857

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYQe.exe
Filesize
745KB

MD5
47f7d24bed1329c71fb0bf8983f4474f

SHA1
85e00ec4727d9b8c329362f7773a4b8a1ad1a656

SHA256
24f3dacf1c82d78b2cbc4617b86393e273253f2901aee43bc164d801e4487f04

SHA512
9f9d1f2be70989dff6c524fcdec0a291e8ce08191af212f50f8f6a4f28db145fd4af3944eeb1867eeb051cc14d1fa67691444428799cdb07d02c4e6f3a9fbbfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoAy.exe
Filesize
249KB

MD5
4a85fe04f4097d895ca02682f1dc11bf

SHA1
db32cfbf2ce7e5324507c48da964b7a385ad11bf

SHA256
6b163fabc48b219deb38eebbc65b47d35ebf94a505830b94fcd6d8a1645fcd33

SHA512
03b5db5157c9a4d0e72fca621bd80b6b52c9b26ed2adc8c99709ff0afe2a0f48bbbe3741db32bdf973d6e22f4653c1a902057f25637c70fabaea42a634632052

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoMw.exe
Filesize
241KB

MD5
2c570def8f79494a4359a62ed9984fb5

SHA1
3372933eda77cef762c59d133bb6690076bb5296

SHA256
2158b52bd41961d577464870914e8a370516b75c845679b6e54a55d2c5809465

SHA512
a90b413d9845149bb4841fb04f7c49d16eed5d01f4571ef518cc67d2d997c65831edee765d175380aa13f7189a89d0056bf6ed2f33e41c6b05567594d958cb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\yykkEwMY.bat
Filesize
4B

MD5
b2d00a7d5394d5399d19ac73f8b140ab

SHA1
693ea1b6587694d0cbf9d437057c73cec985809e

SHA256
c5b30e3a4e22cefc390326b3252f9300a842788ecc759542a9b77f39e2219907

SHA512
3d27d1c6a62673b363fabe2beb20bde3f783f415851b8dbfc9a442138a0a1d472b1034850c2ec93761fdd374c25de9253ba62846ce9b654683b2ec6b00612986

Download Submit
C:\Users\Admin\Downloads\CompareSwitch.wma.exe
Filesize
882KB

MD5
845a76fcf569e56fe1c77967f9c0f503

SHA1
cbdecd150e0f0b2a4a42c8f885e773c2cf1dd68b

SHA256
f6a38db3b6ffe0fc63aa563f263491044203603903695df46b21e6e52b8c8780

SHA512
44cb148088c6d955e30b9de34c1bc937c01a844deaa131b2a1e16e2af4a8c39da5e56b02fc44d3e67d8a97cb78b77524d2a2d16042404c73abdba5e083784c38

Download Submit
C:\Users\Admin\Pictures\CopyPing.bmp.exe
Filesize
1.5MB

MD5
1f9f4720081cf9750367d74b05418bf6

SHA1
216f2584d7cb8995b8e819270e5f5f1f46106f5c

SHA256
149093de23e2299c7e3eab854dd1d7da179e7835aa6be9115eed5bdfa4c2300d

SHA512
7f966fce233e759539067467dd4cec36e426cb44b3d247c5ba64116edb005900875259180fd291fa3f4644e823af23197fbba066faf2bcd2a7924429c4ae4f71

Download Submit
C:\Users\Admin\Pictures\ReceiveSet.png.exe
Filesize
1.4MB

MD5
c87fd6e94c19ea66592d5c71c17d317b

SHA1
0c0e8b59b08dc66bc715d800d92c20e2d1f6bc2c

SHA256
466e7b1fd9376a664bfee658e70c261518b8ebaec9550df0a0b0f62967030e8a

SHA512
c3756bb3f3f56dbd8d664b8c03506deb1d81d82f156c0195f895b9b66b3cfe45fca852fc02a93d2470333ab21b288a3281c9847bec67f81ac0917eed701c04b8

Download Submit
C:\Users\Admin\WgwYocUA\LQYMUoEo.inf
Filesize
4B

MD5
7430180d0b7e34b74f23639cb057aa65

SHA1
81302a77a8c48482890a832e918251b46b116316

SHA256
4fab2efe5dbaecc2333843b16e911c6440c24d772b83e5ba0d806c7fd67dae6e

SHA512
0507cd37af071007a59d59041e77fb1445b126b5f420baf7e283b83b74c3d2dd2f1f9a7e7172975aea5939c40dc6d57dd055e9533a64e015ecfb009b1c5f9ea4

Download Submit
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe
Filesize
4.1MB

MD5
15e8f4c8ec2114980eefb48e35919c56

SHA1
410cb0850eb8aaf563744b1999c54d2ee2a1fdf8

SHA256
69e1fd1ddc7d49569867d97a1e142f310d146d183817e8c662f28a645d771d5a

SHA512
89825b58d349f88aaa6f588019426581c555dd0cafad8329c3b5bee5181ffa1b8491fc7f9a7e2f80911bda418e9e263b0d28dfe89e05261d610591784237f190

Download Submit
\Users\Admin\WgwYocUA\LQYMUoEo.exe
Filesize
196KB

MD5
491587860703c869a5963c0c91109bd4

SHA1
3a0487da53a288ed2bac40857fa55a399c9c8208

SHA256
ad83d50db275a40ce1fc9d72fef5b3d51a1b252ce427529a674250d82caf9ac4

SHA512
6addb5f3034748f619b08b6e5059371a27e8ae1d4d4ac6cf6f230c91215ca1202564f29f1914fee361148d8c40ca2a6091b4a7f30d7330776f94f0145d8396a6

Download Submit
memory/376-401-0x0000000002420000-0x000000000250E000-memory.dmp

Filesize
952KB

Download
memory/392-127-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/392-158-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/548-763-0x0000000000530000-0x000000000061E000-memory.dmp

Filesize
952KB

Download
memory/560-673-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/560-645-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/648-104-0x0000000000440000-0x000000000052E000-memory.dmp

Filesize
952KB

Download
memory/736-262-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/736-294-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/828-64-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/828-90-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/900-271-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/940-411-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/940-376-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1196-362-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1196-385-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1212-226-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1212-195-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1280-545-0x0000000000530000-0x000000000061E000-memory.dmp

Filesize
952KB

Download
memory/1464-182-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1464-159-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1564-402-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1564-432-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1696-704-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1696-734-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1740-577-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1740-546-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1784-113-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1784-135-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1920-567-0x0000000002420000-0x000000000250E000-memory.dmp

Filesize
952KB

Download
memory/2020-217-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2020-249-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2144-622-0x0000000002270000-0x000000000235E000-memory.dmp

Filesize
952KB

Download
memory/2228-568-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2228-724-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2228-753-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2228-598-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2264-488-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2264-516-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2308-476-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2308-455-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2340-508-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2340-675-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2340-535-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2340-694-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2344-685-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2344-713-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2348-783-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2348-809-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2380-63-0x0000000002420000-0x000000000250E000-memory.dmp

Filesize
952KB

Download
memory/2392-0-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2392-52-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2392-5-0x0000000000510000-0x0000000000542000-memory.dmp

Filesize
200KB

Download
memory/2392-28-0x0000000000510000-0x0000000000541000-memory.dmp

Filesize
196KB

Download
memory/2492-361-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2492-173-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2492-204-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2492-330-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2552-353-0x0000000002300000-0x00000000023EE000-memory.dmp

Filesize
952KB

Download
memory/2560-81-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2560-112-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2592-31-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2592-32-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2608-29-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2608-3308-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2648-644-0x0000000002340000-0x000000000242E000-memory.dmp

Filesize
952KB

Download
memory/2688-744-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2688-772-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2724-172-0x0000000000420000-0x000000000050E000-memory.dmp

Filesize
952KB

Download
memory/2728-33-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2728-65-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2792-3301-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2816-468-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2816-497-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2816-791-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2852-291-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2852-317-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2856-664-0x0000000002330000-0x000000000241E000-memory.dmp

Filesize
952KB

Download
memory/2856-674-0x0000000002330000-0x000000000241E000-memory.dmp

Filesize
952KB

Download
memory/2888-654-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2888-623-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2972-339-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2972-309-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2984-587-0x0000000002380000-0x000000000246E000-memory.dmp

Filesize
952KB

Download
memory/2984-588-0x0000000002380000-0x000000000246E000-memory.dmp

Filesize
952KB

Download
memory/2996-423-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2996-454-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3020-589-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3020-632-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3036-555-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3036-526-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download