a9cea6d2aa276b155ff75470230ea28735d9f36619f85197e9a9eec81788ab85

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
Size

186KB
MD5

4aa9fa508c29d180182fd46b458c3d45
SHA1

11887d2a2379f3fa20b641bcb7beb21eec6f3b68
SHA256

a9cea6d2aa276b155ff75470230ea28735d9f36619f85197e9a9eec81788ab85
SHA512

f320c06d04b4335761ad2b6717c775fc3433657ada320216ffe5d6f31e478598c3c879aae81a0145b3b619373ee729f434bc17f26632e1b5470259f524a90589
SSDEEP

3072:Bo41Fyay14bZhykPagbGUlcP003HloLhJO8cvaFmzj4et8CyPJYbwKgkDm:mj1aTdPabE03FuKaFMyPJYbwVAm

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UwwYgkwc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	UwwYgkwc.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2036 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

xYsMAwQw.exeUwwYgkwc.exe

pid process

2508 xYsMAwQw.exe
2696 UwwYgkwc.exe

pid	process
2036	cmd.exe

pid	process
2508	xYsMAwQw.exe
2696	UwwYgkwc.exe

Loads dropped DLL 20 IoCs

Processes:

2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exeUwwYgkwc.exe

pid	process
2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exeUwwYgkwc.exexYsMAwQw.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UwwYgkwc.exe = "C:\\ProgramData\\ESkkcAQw\\UwwYgkwc.exe"	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UwwYgkwc.exe = "C:\\ProgramData\\ESkkcAQw\\UwwYgkwc.exe"	UwwYgkwc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xYsMAwQw.exe = "C:\\Users\\Admin\\KYYMQssQ\\xYsMAwQw.exe"	xYsMAwQw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiUAkssw.exe = "C:\\Users\\Admin\\SSsAUQIk\\jiUAkssw.exe"	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kkkIogQU.exe = "C:\\ProgramData\\ViAssEMI\\kkkIogQU.exe"	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xYsMAwQw.exe = "C:\\Users\\Admin\\KYYMQssQ\\xYsMAwQw.exe"	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2732 2716 WerFault.exe jiUAkssw.exe
2572 2664 WerFault.exe kkkIogQU.exe

pid	pid_target	process	target process
2732	2716	WerFault.exe	jiUAkssw.exe
2572	2664	WerFault.exe	kkkIogQU.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1924	reg.exe
2504	reg.exe
2040	reg.exe
1624	reg.exe
2380	reg.exe
1580	reg.exe
2768	reg.exe
1696	reg.exe
1608	reg.exe
1228	reg.exe
2264	reg.exe
3052	reg.exe
2380	reg.exe
2824	reg.exe
2836	reg.exe
804	reg.exe
1496	reg.exe
892	reg.exe
2448	reg.exe
2704	reg.exe
1924	reg.exe
2952	reg.exe
1288	reg.exe
1568	reg.exe
2204	reg.exe
2340	reg.exe
2896	reg.exe
2384	reg.exe
1640	reg.exe
292	reg.exe
992	reg.exe
1712	reg.exe
588	reg.exe
2212	reg.exe
1608	reg.exe
2868	reg.exe
1408	reg.exe
1148	reg.exe
2828	reg.exe
1244	reg.exe
1464	reg.exe
1288	reg.exe
2264	reg.exe
2260	reg.exe
1740	reg.exe
112	reg.exe
928	reg.exe
2944	reg.exe
2828	reg.exe
2072	reg.exe
2520	reg.exe
2924	reg.exe
328	reg.exe
2880	reg.exe
1348	reg.exe
1228	reg.exe
688	reg.exe
988	reg.exe
2588	reg.exe
996	reg.exe
2564	reg.exe
2232	reg.exe
996	reg.exe
2084	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe

pid	process
2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2780	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2780	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
988	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
988	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2832	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2832	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1424	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1424	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1696	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1696	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
240	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
240	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1448	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1448	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2352	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2352	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1304	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1304	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
3008	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
3008	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2720	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2720	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2376	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2376	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2900	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2900	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
928	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
928	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
608	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
608	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2428	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2428	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1848	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1848	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1992	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1992	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2084	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2084	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2784	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2784	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1216	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1216	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
760	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
760	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2668	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2668	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
240	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
240	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1464	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1464	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2712	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2712	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1068	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1068	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2612	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2612	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1492	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1492	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2888	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2888	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UwwYgkwc.exe

pid process

2696 UwwYgkwc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

UwwYgkwc.exe

pid	process
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe
2696	UwwYgkwc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.execmd.execmd.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.execmd.execmd.exe

description	pid	process	target process
PID 2732 wrote to memory of 2508	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	xYsMAwQw.exe
PID 2732 wrote to memory of 2508	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	xYsMAwQw.exe
PID 2732 wrote to memory of 2508	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	xYsMAwQw.exe
PID 2732 wrote to memory of 2508	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	xYsMAwQw.exe
PID 2732 wrote to memory of 2696	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	UwwYgkwc.exe
PID 2732 wrote to memory of 2696	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	UwwYgkwc.exe
PID 2732 wrote to memory of 2696	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	UwwYgkwc.exe
PID 2732 wrote to memory of 2696	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	UwwYgkwc.exe
PID 2732 wrote to memory of 2436	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2732 wrote to memory of 2436	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2732 wrote to memory of 2436	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2732 wrote to memory of 2436	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2436 wrote to memory of 2768	2436	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 2436 wrote to memory of 2768	2436	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 2436 wrote to memory of 2768	2436	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 2436 wrote to memory of 2768	2436	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 2732 wrote to memory of 2744	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2744	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2744	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2744	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2600	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2600	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2600	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2600	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2564	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2564	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2564	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2564	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2732 wrote to memory of 2412	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2732 wrote to memory of 2412	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2732 wrote to memory of 2412	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2732 wrote to memory of 2412	2732	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2412 wrote to memory of 2608	2412	cmd.exe	cscript.exe
PID 2412 wrote to memory of 2608	2412	cmd.exe	cscript.exe
PID 2412 wrote to memory of 2608	2412	cmd.exe	cscript.exe
PID 2412 wrote to memory of 2608	2412	cmd.exe	cscript.exe
PID 2768 wrote to memory of 2756	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2768 wrote to memory of 2756	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2768 wrote to memory of 2756	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2768 wrote to memory of 2756	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2756 wrote to memory of 2780	2756	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 2756 wrote to memory of 2780	2756	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 2756 wrote to memory of 2780	2756	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 2756 wrote to memory of 2780	2756	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 2768 wrote to memory of 240	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 240	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 240	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 240	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 2288	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 2288	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 2288	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 2288	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 2336	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 2336	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 2336	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 2336	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 2768 wrote to memory of 1744	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2768 wrote to memory of 1744	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2768 wrote to memory of 1744	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2768 wrote to memory of 1744	2768	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 1744 wrote to memory of 2200	1744	cmd.exe	cscript.exe
PID 1744 wrote to memory of 2200	1744	cmd.exe	cscript.exe
PID 1744 wrote to memory of 2200	1744	cmd.exe	cscript.exe
PID 1744 wrote to memory of 2200	1744	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\KYYMQssQ\xYsMAwQw.exe
"C:\Users\Admin\KYYMQssQ\xYsMAwQw.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2508

C:\ProgramData\ESkkcAQw\UwwYgkwc.exe
"C:\ProgramData\ESkkcAQw\UwwYgkwc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
6⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:988

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
8⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
10⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
12⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
13⤵
- Adds Run key to start application
PID:2216

C:\Users\Admin\SSsAUQIk\jiUAkssw.exe
"C:\Users\Admin\SSsAUQIk\jiUAkssw.exe"
14⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 36
15⤵
- Program crash
PID:2732

C:\ProgramData\ViAssEMI\kkkIogQU.exe
"C:\ProgramData\ViAssEMI\kkkIogQU.exe"
14⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 36
15⤵
- Program crash
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
14⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
16⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
18⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
20⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
22⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
24⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
26⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
28⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
30⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
32⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:928

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
34⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
36⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
38⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
40⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
42⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
44⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
46⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
48⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
50⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
52⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
54⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
56⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
58⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
60⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
62⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
64⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
65⤵
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
66⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
67⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
68⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
69⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
70⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
71⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
72⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
73⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
74⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
75⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
76⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
77⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
78⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
79⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
80⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
81⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
82⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
83⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
84⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
85⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
86⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
87⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
88⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
89⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
90⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
91⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
92⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
93⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
94⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
95⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
96⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
97⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
98⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
99⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
100⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
101⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
102⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
103⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
104⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
105⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
106⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
107⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
108⤵
PID:240

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
109⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
110⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
111⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
112⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
113⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
114⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
115⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
116⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
117⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
118⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
119⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
120⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
121⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
122⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
123⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
124⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
125⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
126⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
127⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
128⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
129⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
130⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
131⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
132⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
133⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
134⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
135⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
136⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
137⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
138⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
139⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
140⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
141⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
142⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
143⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
144⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
145⤵
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
146⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
147⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
148⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
149⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
150⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
151⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
152⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
153⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
154⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
155⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
156⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
157⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
158⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
159⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
160⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
161⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
162⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
163⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
164⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
165⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
166⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
167⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
168⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
169⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
170⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
171⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
172⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
173⤵
PID:344

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
174⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
175⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
176⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
177⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
178⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
179⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
180⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
181⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
182⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
183⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
184⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
185⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
186⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
187⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
188⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
189⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
190⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
191⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
192⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
193⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
194⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
195⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
196⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
197⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
198⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
199⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
200⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
201⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
202⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
203⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
204⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
205⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
206⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
207⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
208⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
209⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
210⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
211⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
212⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
213⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
214⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
215⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
216⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
217⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
218⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
219⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
220⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
221⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
222⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
223⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
224⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
225⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
226⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
227⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
228⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
229⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
230⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
231⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
232⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
233⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
234⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
235⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- Modifies registry key
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIsoowgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
234⤵
- Deletes itself
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmUAMQMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
232⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oOksYQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
230⤵
PID:1436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pKIcAkEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
228⤵
PID:1700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgccAMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
226⤵
PID:1568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
- Modifies registry key
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WmAMQEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
224⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LssAcAwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
222⤵
PID:2336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dKEYYsUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
220⤵
PID:1480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
- Modifies registry key
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:2212

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qKAcUgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
218⤵
PID:2740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ecIEYAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
216⤵
PID:608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
- Modifies registry key
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:1360

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoUIUIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
214⤵
PID:952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
- Modifies registry key
PID:1464

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIMocoAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
212⤵
PID:1416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qEMQMAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
210⤵
PID:2408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
- Modifies registry key
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:280

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SIUwcMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
208⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgscMgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
206⤵
PID:2788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcMQEUMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
204⤵
PID:2596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
- Modifies registry key
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQsYAEYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
202⤵
PID:996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eaAYIMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
200⤵
PID:992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEUQYgYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
198⤵
PID:2616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcoQUUkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
196⤵
PID:1896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOgksUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
194⤵
PID:2576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCYgUcUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
192⤵
PID:2900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQwIwsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
190⤵
PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGMUoQsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
188⤵
PID:2340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
- Modifies registry key
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
- Modifies registry key
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKMAwYAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
186⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zGsUMwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
184⤵
PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies registry key
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:1252

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cgsAgcYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
182⤵
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
- Modifies registry key
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- Modifies registry key
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IaQEUoQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
180⤵
PID:2592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- Modifies registry key
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rkMkokAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
178⤵
PID:1956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmUwwAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
176⤵
PID:548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
- Modifies registry key
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEQwYUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
174⤵
PID:2580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIwsksQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
172⤵
PID:1960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAAYoUIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
170⤵
PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECoUYYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
168⤵
PID:776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zisQIAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
166⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWoAwYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
164⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
- Modifies registry key
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYocAQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
162⤵
PID:2648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
- Modifies registry key
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcogcEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
160⤵
PID:2660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
- Modifies registry key
PID:2212

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEcYsAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
158⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- Modifies registry key
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- Modifies registry key
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkwYkAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
156⤵
PID:1868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CyMEMMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
154⤵
PID:2056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies registry key
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWcIsAQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
152⤵
PID:2348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkYowswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
150⤵
PID:2504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- Modifies registry key
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mkYcEUQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
148⤵
PID:1216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGUwocAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
146⤵
PID:1248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgsQgEAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
144⤵
PID:2580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqkQUsQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
142⤵
PID:2360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEIEkQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
140⤵
PID:2008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WeEcAkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
138⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEYEogIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
136⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PoMcMssk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
134⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
- Modifies registry key
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
- Modifies registry key
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYscwsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
132⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UgkoUQoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
130⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NAUMsMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
128⤵
PID:892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSwEEYco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
126⤵
PID:1020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AkAswsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
124⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZuIAAogs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
122⤵
PID:1892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGgkUYck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
120⤵
PID:1972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCAIAssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
118⤵
PID:1896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqQMsgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
116⤵
PID:880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aSoAkEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
114⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UeYsoMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
112⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIoUUEMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
110⤵
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
- Modifies registry key
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uCUsYMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
108⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- Modifies registry key
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vuwYIQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
106⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies registry key
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSkEYIUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
104⤵
PID:2408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GyUwQIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
102⤵
PID:1476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuAoggUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
100⤵
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aSUcUgUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
98⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OgUMQMUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
96⤵
PID:688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOkcksEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
94⤵
PID:1252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IkQcowIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
92⤵
PID:1724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lKkUwIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
90⤵
PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\woEYowAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
88⤵
PID:992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYwAAgYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
86⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaAkYgUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
84⤵
PID:2488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGwAAIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
82⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWkQUUUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
80⤵
PID:2704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkEoMcAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
78⤵
PID:892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- Modifies registry key
PID:988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\juokcMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
76⤵
PID:2360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IgosUkoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
74⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- Modifies registry key
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yoAkIMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
72⤵
PID:1224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMskwUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
70⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WskAIQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
68⤵
PID:2684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:1240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jussossQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
66⤵
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
- Modifies registry key
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cigUsEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
64⤵
PID:2764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
- Modifies registry key
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKwEEgkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
62⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sSoAQYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
60⤵
PID:588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TagYYsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
58⤵
PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKQwQccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
56⤵
PID:1200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAIEQsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
54⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oScUwwIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
52⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
- Modifies registry key
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sOQsUsEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
50⤵
PID:488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkUUIYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
48⤵
PID:2648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UuEUkgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
46⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RIcsssQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
44⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\roMQUEIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
42⤵
PID:2284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcgQgIsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
40⤵
PID:2952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pIMgwYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
38⤵
PID:2792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tGAgkMIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
36⤵
PID:2608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JeYgQgUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
34⤵
PID:2796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HOYsAQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
32⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGYUsMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
30⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEEMosEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
28⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmwAEIkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
26⤵
PID:2792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwsUAQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
24⤵
PID:1868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQEcAoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
22⤵
PID:1440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcsUQwkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
20⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAAsEIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
18⤵
PID:2836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uMMogAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
16⤵
PID:1624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkQIAIEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
14⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fogoscsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
12⤵
PID:2408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QyscwcEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
10⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hWYEMsUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
8⤵
PID:1072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uUQcYUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
6⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAsMgkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKQQAIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16793744651815352640-1411229139-1022905401137561574212059870155352988242022135825"
1⤵
PID:2412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10244712541618602948817815485815590579-1178842383360984605-1439508866-326305308"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1799308367-3195896441131141168176050828520397461621746625755-819927865666586206"
1⤵
PID:1312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1148272386633592372904735484-11279151451323547328-2222956-1378478527-936507643"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-366229918-190244316318019196252058089765494927170187024401614789055331452077146"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1133989722-662217701925381023-1190898946-117501447-1446410952-1778989337531668975"
1⤵
PID:1532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1756277796-282365159-1684160245-572554881-575334749-2759202573034014211473090505"
1⤵
PID:992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1039901375-1119473568-1600913261-2749316671969555004-103265790540095024-228768148"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-375002050-1555573460-1197362319-1493592331-1466609693-203509834719343206221092130910"
1⤵
PID:992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18654811562001475328-8292764932063032382-607119934-374347831-917012149831658421"
1⤵
PID:892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "893258965-2047382915881241371511148284-19736599661703501117169225328-1985774555"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "185557653066922022811361307591415425498-2179222321163213350529121446-2143953410"
1⤵
PID:1408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2092398906-1758575395-356319135797340782248502202-2054479617653463800-2025379753"
1⤵
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18605870071068574043-5784985041986704479637933281-667932555-1263111369-618013107"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1964133866-805778595-1983138657-580569409-16507882153703237220105062342096698848"
1⤵
PID:2412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "38429571642728729-380761311-10865160809876997305284832771039942343894135934"
1⤵
PID:880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19954934821120444776209501791341199428-117845030012880235462893972031805111261"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2606561441751144433-44814393387803926175683015-799129265-992856000-1664604480"
1⤵
PID:2496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5130506520507252801662363651133421862-3020285112090255924272284672085338067"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1061406540-18620337411310902743-1737814992-446711705207955907420981003532140872594"
1⤵
PID:2940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-136371825997727119610171726821573887627214756555-12615171631558922897821222995"
1⤵
PID:1228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "903698032-534970497156878345-1701465987-2065552391-856758590-162326746-1294926088"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1272021047-1712498435221441901890753110183676576119243765121335886727541859619"
1⤵
PID:2576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7251954341895010412-71524736121333232051611955302-1887499695-924809746-1302566978"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1110765531-1127721802-327113217-761161883-381798933-19192319101885402894-1995130885"
1⤵
PID:108

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1035843444-156914051-332485131-302590595-553491733-899755166-425804658149917667"
1⤵
PID:1696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16118735901386571790175524399-1092236733168766144-2023196013-800315191-1332193942"
1⤵
PID:2940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "324785066236562799-1376632434-1171557360-120845473414952008166956796391877566552"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "662258882673406944-12010798310808471781998746696-17857722812075261799-1681721743"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2118305212-10713826906682527421807244670-1724457088-99220462016463512521696553133"
1⤵
PID:2496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18987071232576879712079130731-242751328-1212957757-19109422711792144033-894723710"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1223938641-1884915404-13381557201825260539-1151747989-1069689856836099720-669754726"
1⤵
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-448635777-1931154780174557318371295426721637-1784494701-12050618751313736759"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1626679573-16449908951250306253-837229028467346591377113581-6681405521932117014"
1⤵
PID:2072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1358226472-1042545009423257919-416472811284922401888204114-521109489-1660359837"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-42785225603231965-1338741432137793947-312471467-559176766630637433-756963778"
1⤵
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1243519822-392227078-1243529796-1370908154-598632936155553554287244507-416453525"
1⤵
PID:1860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1937814706-173415028109754092620999760581029859326926440995-17002658971820267989"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2145277972243799398-1049779253-764688217-1326110105-8558760144932241771487814316"
1⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10485973119194758207783515171559886920-1709248760-257610404337505671-1138453638"
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1598573470-16875033191318000975-2005654718257292552-2026427914324980492-1406160813"
1⤵
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1601280953476436094-1895002321165046161-1144826175121443039841696909-1571062465"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1000672585788842601-1137589455-145890037772623296442298375-370461388-1041001108"
1⤵
PID:688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4488436841460921662-116717889817186445-117842246504250068-463040661-607333492"
1⤵
PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12133287231166791308-1467372265154240759711063124-1174259615-1088293418934854632"
1⤵
PID:988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-723845443-542735837-2834578524989215781686443893-934323250-13459809571578664190"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-480369320-16699669811565569736886452554-1080821878-918207162024235111-1586547520"
1⤵
PID:1212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2005333564-1825615665-81259751712736480641629145586-11940298471466616904-94139258"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-940918636-1611578428-2573601112076817384-95248868-381840816628853918-33263643"
1⤵
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1871962167425306034-18510535433943438532110805053-14724925701499237788-1060788175"
1⤵
PID:2556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1432351755952673260850735633-1018406854-1568534736694895562-588398698-1148419204"
1⤵
PID:1940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-43755592518220921991848498052-1499610330-1100702535-10688150749173633-379900580"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-562477799671562146-378034597-1136348663-2909009531462577121-550083151-93927892"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5151311091772126078-9836360881264232415343913681603319392-7130815211977878583"
1⤵
PID:1448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-367984111-79445824236442571-807818029514689426-100446692614568456-267946389"
1⤵
PID:2380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2066234095-703269207-1180509705-1074741543-9769650831300082817-10371132688379365"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3525166071446044838115539814-748824067506678343545735165-1195193004-1144069331"
1⤵
PID:1460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "598069958324616895762478931962797827228539409-1953483203-429762131-1892774588"
1⤵
PID:1200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "476858973673011392-1222272075-877062693-13025258103614656221296372800-1674105877"
1⤵
PID:2376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-542553226-1687947218582830655606468747765486222-1538627737-148920411686046956"
1⤵
PID:2580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-286555744-190359142716060265452088729607-904428331-604931450141106244-1738654557"
1⤵
PID:488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-992070212-912990169-2042445032116236398-7997984471859924815-39310920-1393116825"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1793228853-690018224-76337778813173111682068232679-442625275671469327-578707342"
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1949383250-7023330999650217641755751704-1522088946-269392764-840414613502194898"
1⤵
PID:2028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4622571791784300387-11234436371847850556-2101041602-1212386856-16569970252121220492"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1511119037-17169371534611247-1103859345-17623987961579757662-454231190-1003341437"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "623681937-1303188634-1545281091-545977374982843610-1283463841491254780-2106622876"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2113857585-797736765708510167-10518263741082921809-1151572333-2141484694-2045188594"
1⤵
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-30785386914132506261833293052-10390127631628705886334279829974565172-1544346770"
1⤵
PID:1756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16168021581110405526-1497843653-861135120144540198814707174-1823345600-1920886434"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1999363690-20020558471803090181339554417-273249297-585596292-966297550-963998801"
1⤵
PID:384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1488143614-2008496646-1702869089-1067823910-14193436841069958639-193659899-245433974"
1⤵
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14550660-1910030600341245541-6582432291345423395-153469787676994094-2135526010"
1⤵
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "181651583144308295516818443362090556895-13918289585212136135758577281394030255"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1625455421-1561600061-9019207439853803831100976127-44219247817599497781082887157"
1⤵
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2810104-1186277830-939366003-131138842519518018904517300991125616380406934070"
1⤵
PID:1348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1874866978-2140206934-15396847381826472245-19468584131446348437-174714775783371971"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8282044451019617149180395794415543454675169698431816159272-261362651443277340"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2017325067-2007667860-125131650-1684479116-2043788509-1893356689-19657947311347805975"
1⤵
PID:2832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9643428491036559698-1855744028514808922420701675-16946135421241113858-1105635142"
1⤵
PID:240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1427617887754466234520089299-1691276883271975949410388078461015831805725408"
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-294716317-212879650142442210383470780118970758-702446231-1505669706-266930486"
1⤵
PID:2204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1127573778-18002446431885945401-668973201-1505768047-1596289450-18610905821530707815"
1⤵
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ESkkcAQw\UwwYgkwc.exe
Filesize
196KB

MD5
815433b13d65bb9141eec3c2227e141d

SHA1
65e77e1180a8306043db16dabd5a60618f0f26e7

SHA256
1901a02b3688a85276b4a3793bc0393f0a260e6b91c03098c582cab78ca6af3c

SHA512
d7841c8589e880df8c9626e9c5bcb621eeb715d962fd1ac18a42d422ef588edb2c2dd4bed12f140b1044e018b46751db27b7aa65a2be54eba92028627bf50473

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
214KB

MD5
4ea40fc5e49e284280b14f4b525519bf

SHA1
dbf243421e3771c56f6be705012fc49ebead1e18

SHA256
2af9159835445082d4f4c82b1cd82795847b846226cd2e68e53d64da48c94558

SHA512
ea229f3e4c2e5acc5060d4b10d8b6c0f9188a29fc25530c358fb2d831b51e684dd487dd3c06f95d7bb052e524d748c2e0fe91988c10d2b71f8ad7c0f7415919c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe
Filesize
248KB

MD5
e1161cda7529e8c474f6ed4ee1689b1b

SHA1
596618d1a7aefa56bc4ee578df149739f60cda21

SHA256
181594711ec5bb828edd0d85af7aa5f42e96786657dff2eea4706c6971b4aadb

SHA512
c0996c72c65e602a108c7ba8e95dad51acd761b6e54a0d266cc0293a7b6096320b4d9da953af2b198d3f6c9f3333b542836de549ea5eea0448d6711f260a4c79

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
Filesize
230KB

MD5
7b5d26ebfbbc505349b315811f7659c0

SHA1
29fc5fc4a600bc3c267428e2425168b6cc482df4

SHA256
f5a0d38b17fc008830f6ce904959d6d83a1dd33f41dd50e6562f60ab56354e7a

SHA512
acc1072e73c85ee6f3ad097facc740b7917cd7399802df2bba2e3c3642ace7e3d6f842fd327d5c56e743477e31e55bbc24dce77ababd90bae3f28a230ca701a7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
232KB

MD5
25617a1b026394198aa793e87b8237ed

SHA1
52bc36d3a5e8a6809b798164f5b0ddc3d9371334

SHA256
1da2528b559e5693bc2c4681f8ee5524b4987f2bfa9d72a2d7f7351e84073eab

SHA512
09edacd1102063e4c734a5ead58b26d0ba17414a3ace693a89de341cc52ca01375e14c94fe80e66b574cbbd8f0756495edd855e2edd190e540ead621941816bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe
Filesize
205KB

MD5
7fdfdda85abee5799b801be5cc8df991

SHA1
bef7afec0c7074bdf1015fbb8834e3e002362b92

SHA256
d35715b78c0b2c54ca0bde801d4905b8da3d1f24dce44a15c58afd72f39028c9

SHA512
4b535915c9a77ba5433e8b6fcc9b5c0a585035e9f3b66b3a9c1fbee8ce0ea44e4e2d5e58e73238f7e0b6cbfb5b37ddf4ca28ca43c797b451b586a07eb515bdcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe
Filesize
219KB

MD5
07cd08c2afa53fe2f8d79ec06fa52adb

SHA1
1fb5cef3dc5b3a024c7a3be3f18673a06d392854

SHA256
6e970267bcfac41689f8d77c7e06712edf6eb0b32dcb2f297d8d549c7dc85248

SHA512
034721dd66a4637bb9e380f9463928773ec8626b39eabc6ba23b2a11a613c64471834ac042a0b0fb116eb58a1c928067feefbe1b53dd075e01320bcf96731d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe
Filesize
183KB

MD5
038e2853798ff3ecfe10d8ec7e40e535

SHA1
df946f75c2bc1c6f0ed178f5edd2a4bb99b4119f

SHA256
2c6c6edb4d216dec8e0f0045565ad23d640c072effb68909359a70665abbddbc

SHA512
0a684bd3cd5dbe13927d3419eb5855b691511f227b94a11dd31cd6fbb4bc50c983e5b6444559a8d6fa288deb3f5315988f664f576084ad2a67655bb1f41f76d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe
Filesize
212KB

MD5
319ea352bb844dc456f6b9f2fc75c635

SHA1
640bf6dc85650d7d5c63168a927cf0ca234b5ac8

SHA256
cde21fef88e4983a725cd3b5e48eca2064a9d9f9735717f3a0d5caa041cfc87e

SHA512
51f18f3c71b905fc8f2f6ef1d8fcdb1ddd3f072195174971f2e13916a23b6411c7575b8f46c87316f5ca748cda098d11b4bf31e55cca62b1d38cc8bcd9879efe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe
Filesize
198KB

MD5
ba9ca3bfc2343035347eaa67282f91b3

SHA1
e92e0d0fda6fa4d91217667fb731219a2fd9da4e

SHA256
acc9a6b7ab25ee8107653115da417c7295b5b87e9c37a8af17e18356689031ba

SHA512
f7f264552211090c5412aa70c8744ae285a73f07ab80ff3fd2ef1becad1fff49ac584846dfecd94dc80609b6274100d36e6e374987d90577174a1abde1a68c1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe
Filesize
204KB

MD5
5f1845f750c59b604adf6e99ddba3782

SHA1
61d13764f6b42a40cfc9ce600f372cd940971a8a

SHA256
2a67668ad27a6287b94ecadf35e94fa370194a589a6e701eceb65e5e867b64a8

SHA512
5bcade2c4727a709dd8f51f498c0204ad2120c0f8156c4b727fd86916e13c2356244fe867de5b45a51d6d01499afe5f0870c68c3c15b2500fc594414e8453d1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
Filesize
189KB

MD5
e5dcece1b6cd8e4ddff9813d7a05f411

SHA1
bc285b6627caf73402724136e3d153b9f6252685

SHA256
60095b2d17f20d30fb2278b88a5d30e2e1e0ccc3b65f50d9542eb52a93d589a1

SHA512
1e57d18e27b3c86dda411b31d5c4b3942f0db95bf2598fedae96002af3ac08a32878c67e37430a5423ee035180c8794acae59c93150ad8e08ef6b94927381346

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe
Filesize
202KB

MD5
3665d8e1b0df8be5d0732cda89865b8e

SHA1
ddaa074d714875848627a3edfa8f6642df1ab8a0

SHA256
188aded9b117230c88b959342a89c1ad81d90075df402a746d4f19643366f9e4

SHA512
93c7caf3f24df1be9088c58fc19033c768d71d1657b50530144ca68b0ede3ffea488c6a6e5e9e79442f94be4088e92a4c55417598e5f516033a2241dc0d08249

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe
Filesize
214KB

MD5
5c6cdf362691f9dd342dbd09dfbf82e1

SHA1
4e749eedc8befe789d1ce1e6357e9877a5cc18ea

SHA256
601a9943008f76444bc61786ebcd76b433fe0ce484a90e1382109728ac84cbad

SHA512
5675f125de8c66905f79a5b79271814045f98fe45ad301b49cdfc487b78f7d05c194477b7e3f9ae449c0beefa5d1c0f9ee56d5c1a7a594602541c1a947430918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
Filesize
190KB

MD5
ba83de7bdb964ca86a8e144b8ab36168

SHA1
63ceb5733693c89f08a3729b1bcf2d2e07c380ca

SHA256
1df66170583199d38565942494a389843d03c68db693eaad7cfc05ab05ea12f5

SHA512
bfd3c3b0aa324166ec53947c8e94bdaf6129b1a17c94d8d6d39dfe0c8077eb8c49daa5345725443c2cc510192018397e66514935ca6896efe509deca2ef4fc20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
Filesize
187KB

MD5
74ce6e6991d601f4a59c9684b8d3091c

SHA1
6fe0a4a85c286fa090281427d9209e5df7c0fa9f

SHA256
fa1778ae32ba46917c6ae18a71fc38965cbbac9a6956b003ae77b5c2250fd25b

SHA512
bb550ed3229b8c20380454eff30a5a1052f010603e29883515f09f0cf9a20b1df7aa524d4eb4580e070432d18af7569eca46a4cc133d3bbab018d829aec9f916

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe
Filesize
184KB

MD5
ab251b9327d5608727ddd12626e18dac

SHA1
842ccb3d285a09d2ffbc1f621954cfe35c60a16c

SHA256
0cea8fc7821499b5dcf85c31aec6a4254f2d107d46a90ecb68ec40044740ab31

SHA512
4a7ac671805e295817cd36b682236e5a827ce145802e9108a8b0b7c4b0f322caaca4c49d4fdd1b92908a26b1fbf5f2c1d904bf4fcb798d8fc38b252cc388599e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe
Filesize
188KB

MD5
8c29ed44ebc834cbe393dee59ea4893e

SHA1
16464db4c89a48499809383f02ead827bd921043

SHA256
2d925c94ad4fee4a5c3dccb1ca6ab50427b87f565fe29600d7deba4c63df2362

SHA512
695603297cfcc3233926d487e134adac39807a34a7dc6204adac9c6e5c1bead0278edaad74a6022e75f293247267ed8f15e5a77e06002d1d1257b661d4ed915b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAsm.exe
Filesize
1.1MB

MD5
85e53c83940e57cb3a120bc6ba2b9547

SHA1
0758faf723dcb25a3c4fd8f1e7d1bcf5ad754764

SHA256
8facdeff3092df610addb92844041bc348b591a2be99b0739da01dd9c80c10ea

SHA512
e946409effb39645fd3b1c9d9ed4d5f09134477eff92e00f93133b63dcd13f98b155f824e07724c01ca64c5b59bf5ef7f353edeec62aee61707cc704f2d5cca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoMS.exe
Filesize
212KB

MD5
5c960704c030c5b16f5c59b6e9138d10

SHA1
994bccaab8216802569cf960584c56f66d4dc90d

SHA256
e3cf60355a754854687240964d726ac40db9b79a753b82a9580f836cd915f255

SHA512
7526e709e7566a71dc5654a28987e4d4c5e0873dcfbc34fa7274fafe19cf34b13176be4a53b32a65cb3bd80edde41f5666424c52fcddc2beb5f5352ea585649e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AssMAEkg.bat
Filesize
4B

MD5
b996d7aff21347094010180c1909e5d2

SHA1
c50fb75ca717b686fa6c07e36777d61192b81c09

SHA256
73ccbe2cbcf629be2389be187ed954b88582abf1c9ffb598b2c7fa9a1f4f775a

SHA512
dfc1291c1aa401a0a0f46ce9aeedbe7cadc2fa1ff83cb4806273e96e421da51ac22e1eac0d28061829482c685643fca24c518fe6ffd66685c41cb51749b2ed86

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEEe.exe
Filesize
945KB

MD5
4e5b16d1032c06f3e88328375a12f71e

SHA1
8af6427a54f5a1c5d2f45293279eda3b3281ce58

SHA256
9a873f12fdbd10f8df154589b64a40ae7fbe071200277afc86bddfb584637e9c

SHA512
611012cf194140b3d3691f8ed17a1e342d61bbe9ad6a24c5a6f33f16e66673eefbdb3eb3ebc95851a9aa0a903301f034f5fcadb3bc01fe38d6a0ecb6d79b2160

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMgsEwUc.bat
Filesize
4B

MD5
6896403f30d99871d20f26257ed50fe0

SHA1
87e2c33a0ac09a4bcfb6aea31a30b4798c8984c2

SHA256
52a3b1d5a3c86e24eabf5c8efdb885ffc1c096860c4b099e3ec8aec99fb9d4dd

SHA512
f84753a080610743251f168cc6a565272b1cab7a3e2c55ab44c0b0b5cf6a3f60cb53c1932a69b56c3d414aa7781367790b4cdb534f3b45c738debde51fdb9456

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwYs.exe
Filesize
228KB

MD5
e09c750810fe0a75abf58532e15d4af3

SHA1
5917c344c0c2b4f1ac1f7b681d04766267e17ce0

SHA256
106a91f2a32ab2dbaf6e320f1143c7e99db7028de7612c19c6394860e34de14f

SHA512
686c1a491920acbf01c4ecf868136426407cbb7c77cdea71754bc4f8fb9027289f528339e6854c771dccc1f333822714138dcc8b76d2759af898081769d5ecd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQAK.exe
Filesize
230KB

MD5
86b895c7b659fdac91d312f7dd203a6c

SHA1
537bd2e3c07e6d4cc7d656f3ab8a3cab9d66877f

SHA256
c194d7064ad9f6015f0496b4ba2c43479592b2121b0d505be62b70d8ba14a80c

SHA512
5d2db253f3042087329c8511d570b6666d564fc9bb907a8ec805ac046f5072beed327a6dba0d76a1db4f29b93dca345a7e40c844c2f72deb2da3de7f651d0e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUwu.exe
Filesize
1.2MB

MD5
704f02b2503213dd10438ab4f64aabac

SHA1
255918aad8ab479ded10377291a5dd0e98b8723d

SHA256
f7fef5e0f5cd3bcaf01f4d0e94f3a3e6d15f5ff1d7661eaff5de8b930a0e9820

SHA512
dc7a43c27b1dfb9f0bdb64381ef75b4cd24daef956fad7e2f8e42b8bbbe3c558d23d69e7433370b41e77fda81d439549f626c8da6923b36fb390bf355f5f10bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgUW.exe
Filesize
189KB

MD5
a6238659809a21b2ba995794a181333c

SHA1
b0e5d16ff0a62fab1e236a5b68042bf06b12077d

SHA256
5e370fb5be0dadd8d72f7cb10ede25d71df293772f1ab846d3885765f7a835ae

SHA512
9fd1399255af7647d89b2754021ef98789816144ee62f0998f2a94c523d897ca685da88e530d7ec3d7bd1516931b964a0da682076ee2224bd40d089636289a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CiQIQcAk.bat
Filesize
4B

MD5
63e823ff8917c0203ae96021e8b739bd

SHA1
8d938288d8eff21e0c77f7fdcbb58b5fbdc045cd

SHA256
4544ee5993243b3b924b121828f2335f078431fee57185aeaabbea026806f245

SHA512
7fc474f2c2587eb9246f8733993867f702f3c42656c53cd905e32275c3b83ac66c7dd2bd54880d3aa2e617e1502b04c6838b1e3b8e0cf212690d8c35fab7e653

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cowa.exe
Filesize
240KB

MD5
4e71841a51458009b8b0eeae8738daff

SHA1
43a89cfe29fa5bba9900aeb3fbc6d05e8e0e30ad

SHA256
80a304dc68625088820ca70593c73a030f1c8a6232588536e7ae857138350d58

SHA512
175a9e3ce4976c553c7607afc77411ac3760642beb6e55b6d3246212eab6230f24afb9b964f75341e6534e2a47c0cddebffbe9ee4c5477ab39d7020da1603e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAYgwEwc.bat
Filesize
4B

MD5
e056d42269ae8d6ee16550c2534884df

SHA1
5f53d9e240dd5cddcea25a51a8b388ec8ed87d69

SHA256
d7daafaf21071a6374ef9bc200659d29fcd43caa39df9df913ee030d333019a1

SHA512
9a6bad4e0a0f8088388bb31a6fbfa508c8deeadce843a22a9ebe9ee83716216569f04d1deed2b412a8feed07baeaf10dc39797c33f41236f1e48a9181837c798

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEky.exe
Filesize
777KB

MD5
ea0c408296d7a0bccf1b9266ca396e4d

SHA1
f0aa6725aa2d37b51baeb2712fd7b5ae11b1de34

SHA256
71d96828eaea2909f4fff467a6690b65510d379bb9541fb7414f50d747ff3b5a

SHA512
f29092735ea466343e337b624c1e0c054276b73ade3981403631812a9c9d01849f1fb98d2b3f7b69ccdc088c07eb5a38cee74f3a06fe6a39f9734e0a98d2adb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DesMwMoA.bat
Filesize
4B

MD5
85b3ea09322334fe30a992034e8fcd84

SHA1
03eb578e9b5a8f6987e7e94692bd695087579b8d

SHA256
f0253996377b6d9b447f6362ee674b95eb305f9cd9405809d71650d4f81c4e76

SHA512
3501efb0b1e38db38c135821ed27dc33919a1fe800a8642666674962b91f5f64efaded1a8e7ca886449004398104c395035551173079d63964e86beca66a5525

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmcMcccA.bat
Filesize
4B

MD5
f664bc122ab7f9b1480f52ffd4ee20b7

SHA1
fda96b01e0ce04778d12718d8071e6d63fccb1f2

SHA256
330a3b08c4dcbcc5f1f11fce27d3394c37c3eea3b17ea7b16322a79079104173

SHA512
6d1a06bffe01f785c838067f4eaae9a24431cb28e6103325574e84be0138253adf19da9178524982b742017010c66e6799c1f5113e19936ad36688435957f4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMwQwMMc.bat
Filesize
4B

MD5
7df6dc34b9037ced8de76b753aff71cf

SHA1
0cef8494c7a904ca644224eb855df44b5a4d5878

SHA256
adb0453b991d8c414db14cb008acc0550d26814aafa12f65de158514ac8169a0

SHA512
c6a1956e40ffcbf1632a748705a943cec1a05341d25553244a65ce3dcd4f21f933a194bbe49dc4852b97d45720bc26c8ec859a3de9c92522445d119faba0d5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWIYIsAE.bat
Filesize
4B

MD5
93fb9958fd5d784ad6df56b6503b8263

SHA1
18c4607d1eb4ad91e157b924e341e284451828e1

SHA256
0e6c98831f07ba3c45a731fd691b1e0e715dbc1aa49da33dccdaf15f01239c70

SHA512
a8d11c292057a64c54b9faea4fc09d81d7a8216bf59c768859469d78b7437c627d9426ae43067cbc896e59dae57c4c7cd18d124291e9148cc9ad3750b9a31a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYEAcMMU.bat
Filesize
4B

MD5
0452ebb784950a124fa24a5a7a153717

SHA1
812b9125a223fe9748bfff174a56f8fe8672984f

SHA256
a67641e876546d450e6aa1ac85f7067202af6a00c0cf66c5679e21310f1d832a

SHA512
bc0a9103b9a724ac35158ed412896d7b962ee6c745cddd724d8cf2204f8576f081acd0b1ee8d78776d6be0fd0aacb82d8e7fc6aa4e2531b6fe498526cc11059c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYQi.exe
Filesize
193KB

MD5
eb687ca0cb602ed6043ec0b2fe80a085

SHA1
86aa451cd17f321f0abb927131bb686f96db53ab

SHA256
806e32559459d0ccacc6210c4897bf3b893758e49a3b1cfbe880f14f8d054f22

SHA512
9d15742a8a246fcd958c417aefbaff0db4070175b19299515fa0bd25de5a8362f99f2e41f2fa8a82e66bd1ee6de6712eb280fd478c5866b64e83dddb432dec79

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkUkMwMs.bat
Filesize
4B

MD5
4bac168c45e136f90037c81d59e1ac21

SHA1
c50248d2fd45b28fb5038c866b5614dc4e16e07a

SHA256
fc761f1aa1e25081039c6ac0933a6212bf987ad47c482efa0af20ae8cdd28d0b

SHA512
d28506b662a37926519989e16e2c816993fd35890b07d5a669727e0cb1a1ecfabaa4af50f4e10a88eb9f51aa605ea735edfe3db118b552a4ae00ee59a334eefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EocK.exe
Filesize
235KB

MD5
397d35dcc4aa00192f986069190042b8

SHA1
d460f4dfa0b36d98655ab247ef1e03198cd169b9

SHA256
8daa335e6fa8f72d8bd53f852c2fa8c32a0952bfc771259f51b4a9916ce68b93

SHA512
4e13b42bd9a9fa6eecf5b3758678d59fbf300f4acb2ed7043b174569a59c82cc93d0df52ab00bccf024d779ea45badc8bf88485864d24b20fe865a50d311bb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqkoEEwA.bat
Filesize
4B

MD5
165255a30615bfa1a69f2c3314de08d1

SHA1
6a38188c42daf1ff003302468a09b6f1564a5cc7

SHA256
1a87f39daf6cde0e597e6adf75be4e026f9ba132763bb66734881c04360bc424

SHA512
2f76a14546979c32120ba43233774cbd5120c763a43e3b8692b60a22148cde94c904a85016b93d4d1cfd9e11ba7db1f9ba85731d5a3acff656905fdfc9304c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwccsEok.bat
Filesize
4B

MD5
ffa9dfef3e792aca181c982fd256acc2

SHA1
a250c0bb6ea8e43de851bd4db70f682f8ed0177e

SHA256
7dee4200042e09da1b630f16e82e34605374ce01e76c28a1989d0b802dfe7c2f

SHA512
265c080ad6740fff0888585a985e34ddf3961b3ef5d155dd672a2a1500025457d88824ccbbc2526bc73c3691fb301c5df242b52662b372a957d70e53b7fe6a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\EykcUQII.bat
Filesize
4B

MD5
595a7e9f94ebb661eb679e6d548c73e8

SHA1
18beac7865eb56d5e0e52882ef21f2b8a6e040b6

SHA256
c7f0426f042453fa9a5590fb87408388582b8eb43b7ef86e44c98f3ac7c81bcd

SHA512
262529172b68e4837abb22b32d7fc99a3c677bf1db304752ef640a0820dd3516f8c0034777722e7ad104074b7e86e9b1febb2408b2cb7e9057d2d14d2b77b950

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMYO.exe
Filesize
732KB

MD5
eccbf550bbf1989e117015340c0a8806

SHA1
9cb8a6d343f52aed5da208c995727f617f2ea0ed

SHA256
7d5cb0d61730e661d0ef910165a551dc893fc9be09cf5bfb19fa9b94b56fe712

SHA512
a11b7a2fd7476b7070fe07a26e8beea085f1fb5064148cef5e988ef443132e47fc5a0fe9790bba563e8d4beb570abe4d12e9a3659ea654cd72997547fe539651

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcEAQIsw.bat
Filesize
4B

MD5
c6e63c04ba297ed5cccf22aabcaa753b

SHA1
9df7dced8e39fbc1c1c51a06c53a3fc433a1113d

SHA256
fa4de77b11773cb9007843011544d3647faa2d12f27471235f0ecb7bd959c505

SHA512
3be640c5e6748d3a16f26dc2b2027c5a436ce423c39a462766c0d9a863a29375322921b8c681fc42491b156a7733e47d3ce96891dc340533b012dc8a84445057

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsAAEQgY.bat
Filesize
4B

MD5
1cd4fc9b2431c3787f0aaf1376a7516d

SHA1
bd6f20476d5e0ed0ee737f09be41ae613c96168a

SHA256
6ecf3951ad257890fa1e3275a4703d6b5fb09dbd2ac47c016d904ea53f8c4426

SHA512
743a223602396fed3eaa2808bfbaaf061145d0f57b037e70f80cd4f644e31892bd4929a595a98343253aca0f3fd96e143da679cb63a9ac1c9d7069244d736d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMgm.exe
Filesize
249KB

MD5
a06c5b51aaa23232d1183e8b696c3128

SHA1
3e9f5c2ee5cc2ed1a2e8392424657c5c5f866f5a

SHA256
95adf8395bbaa16e0cd98f9b9313fde836b56e4ac42d7bbffe2a17812721d2df

SHA512
7f8f2612b00c4a9c059fa45afdf9a2779e86dcd69f21fbf144cbf1d1b07b315e9f7d7524ff1341b866c3f348f01f3972ab7211975ec010486bae438c8555a11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQQu.exe
Filesize
1.1MB

MD5
5457f98dc9b915ca8d6e4938dacd4c60

SHA1
0c3a6d98970a5c6786d591fb88e781a2e861fc46

SHA256
9ef47fd7caa6fc1a88b08dc44787ee700552eae88efc725024fb086b3d9e06de

SHA512
5a6f2748be187478471c859a8c430d112307b9652737a2f9e5b4d7bcd93dc4982f3da561e09a32f488a1ed21a7525bd9fcb106ba6fb0d60e8d77d4c3812dfc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\GggO.exe
Filesize
243KB

MD5
153d82991e45f860e07903d8a6c768de

SHA1
2f146934c7b430cc4fbb35583578cc547a4fecd1

SHA256
1c8d87b4baaf8f1b4bd319ffda1af5092b08ff8d237bd9541d8dfd2d03e6f148

SHA512
da9c1566c9ff8a520e15b1fb010f5d0348f71dfa15e2d504ba2a85a829d06647e897e4b61c2514fa45c78892d2e8dbb355673173cde11aca3f11f2c6f809ff39

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwMYEgoE.bat
Filesize
4B

MD5
070b4b333918b86ea56079411f77db0c

SHA1
4146a16425a0e54635c312aacb07b3ded6de1985

SHA256
f0e5cb079a8d722a8538e7c5a084ef520926148c75a7e5f00bd1f787c594afbc

SHA512
73794bba7d63ff39814366a1fba0f4cf046282ea467934366921aeb97d4dfc8d976c1bd972a2fb57571e734d0c0f9d108ee455a33b226eec578af9427fa30a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwwc.exe
Filesize
185KB

MD5
f31286b06cd59b979c7ae0a6bf324bd7

SHA1
4443e7ac9e7346e16f5907e2c9d9e0d9649538c4

SHA256
fd1db114a13efc3fa862d0bde9af0b5c4dc103fe687a015d08a86dd27a01a759

SHA512
346cb6101518e866c8130aeffd7834db15c149a9829a0fcd2b8fcba7d4042714693b162fd8a3e997a52cef8fa1c838b6103941c1a88dda6f96f5e51f8aa240d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKcokgUI.bat
Filesize
4B

MD5
f2c53d01c4c5369781691bed637940aa

SHA1
70b6d2e506c4e391e983f3b26a196a7b0411a84c

SHA256
47422cb4bf202cee32ac01274c1e7a6b8332e774269949dfd85c72aba3dbafce

SHA512
560f107ffaaf13190e3cee9c5fcb2544dc590c2ba97b3c8af783b8baca4c45d02d758eafd5aff15b85cc239557737b01a84ec43e8cf405c046c31b7b75ea7be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMMwgMkE.bat
Filesize
4B

MD5
819477cd2d4abd8347ea8e60f6abfcaf

SHA1
3896fbd514fbd4a057acc22aed1844649e0fe364

SHA256
ab25a66b4bc4c2aa82f63ca5a1788a013ec434c8a57afb995f1351b1f796ecd8

SHA512
2e6d5388c723d67acb1c632d4e26f354cafe51273b477eb2033e10107788506510b80a8fdce5b55885211273a7a0360d4d8cbb7b0fb207120d50143b68ca0f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMgq.exe
Filesize
793KB

MD5
8f0d30e8ef21ba5f9bf938c6bbb50f40

SHA1
d2c760e46811afa0ae2f6dc901a1f049e7229f43

SHA256
6ce0cf1f6e922f151521e3c1991ac7b6d260b4d6d768871b3026305c5550688b

SHA512
0374bbbeee206d506017cf2aa2fd254d8772ff639e51e03eb209c732f60a2db251c1601734418d0269837abe7db7785a5af8d8beab08d5e632c2e5be2fc8aba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcQK.exe
Filesize
1.0MB

MD5
2d74ff368182ac0965d0c1129ee5273e

SHA1
0bf88f0649ecc1f89adea4c92582058a83976cc1

SHA256
9756dccc6427d2032caeb3332b06e10136f0c0d570abd3f6bd6736e0cf74a8e8

SHA512
a3256af941c352e1d07b0525b400ccbdef27c9901caae7dcd2a762b5978a7e1a753fa8ddaa32f0d845ddb9f3b8312b171a80984f8daa0644b9a1365d6d519e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmUsYQAs.bat
Filesize
4B

MD5
d1d2756fff3fa6f2a505e082e3ed0f7b

SHA1
ed9f6f76e3b3cae7a9d74243f4fe2663e781c030

SHA256
f40ace95a5d5842569a2e7feddc686489ae24400dfad0519d853b759552f5911

SHA512
7da686f1e9314205ddfe47b2f760c8b10e4f4885b8c1e22ddca95b9cedabf2d2978029869b68639cdaac62779eccc5b5a44b24f11385891a0219928a615a2686

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwoS.exe
Filesize
229KB

MD5
add0452cd3c73cfe03666767ee806bca

SHA1
071b76459140cc5bc04de69dfe2e3f8e197cc793

SHA256
2658ce70ef1598a3a5b8a73d643c9b757d28e42905e50571b0ec879322c46d05

SHA512
0d0b19c2225468d7a1a2cd21f5d29dafb084254b562a5d940419823f5f762a0ba278e09beeaccf385547b08d43c7025d8397e254679a2c1abf07000ef0f90be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyUgAEkY.bat
Filesize
4B

MD5
9b2b260031c100f9c65360ce334b18be

SHA1
723b66df9a607a75bd9fb9046e130af0438b0f8b

SHA256
c27eb481bbd8f4b20de0c7b1e80d1a0b47af1c5c0ef9a93dafab25dc0219a7c8

SHA512
ccedc4c4e73b254ebd7daa9b7c44f2d1a91cf91d5acf79f837e5fb0bc126becf4003ff4e559c6d8a838b1c22d0568415430c10928984a6061b67270643cee8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIAU.exe
Filesize
632KB

MD5
acc88c763f06ea514068d87a70b67618

SHA1
1afbb11807338e9a74f5f054a5bc6ea79b527c8f

SHA256
a44f9280aa6820868e6873fc780f692f575fcd56938d2941a86c2996159d5c00

SHA512
00d70e7f35267d8bc038f47e79052346a4e858fa411585910e7105850144af2d538242b91e1e8799de76cf72c165df1955b96a15deb8e7ede766eb37d05b9a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKkowIsk.bat
Filesize
4B

MD5
5fe418b9bcf3d281efdcc3d460031aa4

SHA1
fbd7d956661062f1e0108040a54a05df5f4dd6ca

SHA256
65d6d26625dc907b13acf524570cd3bc9dd1c033e680c2f632bee483e3549e66

SHA512
3bf0ee8371872fa3ec184ae5b7901b118d868fd96ff4c44743ec1a7489fb8e81d048d8f63262be915446c6501c1fc725becec5f17f9c2150b49637b6d746330c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMQM.exe
Filesize
199KB

MD5
98fa127dfe75927bca2de03a96f8e6a9

SHA1
cea15e0499b7d5cf3cb8f03a189efa0347597c6a

SHA256
142912de35f7b875112f68965857bc6939028d3ab8ef255500f9001f415d7f12

SHA512
83951bfe51acf040409a22371b8c99c2943f2c1ffd7147cb3abdcc625dfd357152c3add4d426cd8e7a63cbd7f72ff4804e1cd3b8bfdd32a7fce14026dab3f720

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUsG.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IyQoYcwI.bat
Filesize
4B

MD5
8d014a4acfb3db76315529f8250177e0

SHA1
69e20c1f6dfeff5299bbe2029c91605f7f6a29e9

SHA256
50ddc6f40c094f3c6d85c24a15861791f7b50fdb4b61738f4a5ad3bcf21415d8

SHA512
ea59f320daf4cfbd7bb8a4851bc90a05f58770c30605de9553aded4813c21f6a10b5dd5ad2fa06e3895f379fe1f11c373c39b1d35e0812e0ca08928714c08e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEAAsooA.bat
Filesize
4B

MD5
6526e89a41d1d28520cd139ab7072fa9

SHA1
dfb24823a1f5b33085d51d42b38aff0fc8a5b082

SHA256
0b26265d04aa222d6163d4e8d23471be2c3999f01ad0183c5c506ab5f03c4715

SHA512
1d8e27355bb3acb85f8fc5935730a8f2c7ba9cefc80947113fb72dc2a85049f8287090c009dc43093a89b643dd8176506d5849542665974f6f5cdb8bbcd5db4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIMosIAE.bat
Filesize
4B

MD5
f383e59a6a76517ba2628b8461b94c3a

SHA1
918f8896a6f5c174dbebb7b3368ebdd7bb0e1411

SHA256
0544bf1fc3ef73738a66649d55bacb67d1e2deeda807eddf13ea3d085c733f08

SHA512
7b28ea42955a2eff2a4c14f37a27ba6f2aedd8085e8397dfb5547712c5d2f3071e12d58a9e1874a09177935ee1588bbf0e4d98832dc460a61a1f3931baa02b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUIU.exe
Filesize
237KB

MD5
0ac81074980086a89f9cd5bb022eea4d

SHA1
90cf7c37674472d364ee70a8a2d604f9ba31062a

SHA256
ec5aaafd207ffbc8ad52d1d7e815cfc6661a9b4644c021fc8465044b49ff34aa

SHA512
ec99c1a2bd7a7791ab2330a5ef0a562fc986ccec0483ad34599c60d1ad36724908dbb59c4234991b465e127be3fb18d7ea3acf51f6735cec409816780e1e1d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeEQEAok.bat
Filesize
4B

MD5
3b88d018d6e28242c0b94b89f6664fb5

SHA1
9819755a53dd6abf5ad78de79a881ff7bd7dd274

SHA256
13e9d7499f12887d1cf237051563904c9dbd8003f0b2cc52ac25ecb6a73ccb98

SHA512
de723dd16a6a2a7e97317b8adc58edc8379e92a8a32ae6787ad58de72dded69b86e493d849a01a46a0490c531748402703c0c7302f56fa9f1a332699035a4a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JigEQAkE.bat
Filesize
4B

MD5
f70f4d0531a1a0ad329eb64f645942a8

SHA1
ed18f2c2e59afb3f884f44f2dddf7de6332cf478

SHA256
51de2886e9fb9db26d53bc687dcdbcbb75d396915cd4c2694714d1c3d6dff35b

SHA512
7b079f561595abd1439390a420072ec7d685feffa5971b1592b43c5b4ef922cce86194bbf790809365b10542d4ffd6bac30b322d047fe7d94f31bf36c83c69ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\JosG.exe
Filesize
647KB

MD5
0ec62cb477ef0d89f9a01210ab65e8ea

SHA1
82c50e33febf3df3644f31818d139af1e19e9f49

SHA256
6d53b2fcd8916fd1861b33568ecfbf81c181630ffc98ef5a384f15d569c5be29

SHA512
f4100e963314aeb33f87269fb89fc755660384aa618d98e4468480c0a7ffa0812129d55b093eb6f763cf1854755bfda9ee8845d361f371574beeda584457e03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JskwgwUY.bat
Filesize
4B

MD5
a9adae661f47adb1a8a606a2f15de3bd

SHA1
bee0fd605832700eac15d34bd6fb450b44bd00c1

SHA256
5f03e1940c71eea78799db007054a6edf5b60312428c29658d6107228753f82b

SHA512
a3a4a8432e583122fd72c768a9e69b4040346ade5109fa4ec5af8d85d5675ee5d9d15441762ac966688359543c04bf5803627e4d67a78d1e45155bdbebd3b521

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgQm.exe
Filesize
237KB

MD5
c1bbd693dccf9c6df97df714feca2629

SHA1
1f4c2255db2af725a67b4d3d75bf8998b9afcfaf

SHA256
c0a2012206913be6a627d60dc8a46a36042cdc0b70e65851716863ae61936f88

SHA512
204d2d2c861698cf1aa7e4ff21eed59605cf34eefb4caa181e25a9953af3d8580b277fa06f8da722ae6c34f9c416ed78b359f5a0b05ba358723aab14997e8912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgcy.ico
Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgsgAIEs.bat
Filesize
4B

MD5
6fedab14692e914a1102414b0ba15019

SHA1
19a1e23770308e66f44e2e4a568e4b76d2d5e294

SHA256
ce474dc99c0853a35c8b413dde4093fc6b5524833005ed9db88ca7942893dc60

SHA512
c8fb5226316263855557b0466727357c9b211ab406c568a52bc950e02d5be9ea43e1b3ec37d103107b5700b26cdaee9489f39d40b4b2a6e359f97ec72cbfeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkkO.exe
Filesize
239KB

MD5
1d7b08c5b1bbe130dc2ba492fa1d2869

SHA1
77105e7f0c46922b700b4188c1551b3d899ce905

SHA256
f4af9215f31a977cf7f045129a91dfb47f7b80d10cc5adb67283e411faf61e8d

SHA512
895d2dcc9bd9280ac53bf20e39ceb9ebe530443d8a00248621d8e11a19d14103fa9e11b1b0dc7d1d7d4a08f46f71cfb1bdb22403a1ca0b22e3bffdc74e92cd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgIm.exe
Filesize
311KB

MD5
57ad70a55c345756096a6269d97d0241

SHA1
8c5f94879cb8dc8467cd3234036d1d40f05d7c17

SHA256
20823a3e482c3971265948b9015da1b7b0bbe266509379c922182cd55a102552

SHA512
6b30dfae470f55ddcf4f4bed34b036c3a3b40ae4736b1bd1c1c296ada77e9ffa50389280cdfe6f9c42fc5010126b5bb7068a60b9a6c05808db3300fe3556d38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lgog.exe
Filesize
1023KB

MD5
f5644147ccfda50ff854065f9ae1d370

SHA1
d299c9f86fe393689d5e619d963153cf07c1cf48

SHA256
41dd6f5ded94d5de2c374a41339aac90adbf83dbd82fd4e5d5f37404542b3669

SHA512
d830f9f19ee02a0327afb7abf9d7f5c27c22fa5cd2b1e73ea479f32dac4c2da59addbf2cd3704a5a593f7fa2f2d090d94705eda50b3ba66341e7517079389f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Losm.exe
Filesize
623KB

MD5
a6bcca4fcbaaf7cbee58879b58397eda

SHA1
2b792a4ed14636a042fddecbc2ec6af06fa25d78

SHA256
6ed1a0d861030c7755688dcd8ba2a70c66459c9faf72dff70662e8af4e4385a6

SHA512
a8315002a95ad91e50a1fedac176117003022c075058cd88d783963e8ad4a00deb3a9934e8391776ef89e6697d108c877e6756a0ce4f878344f1a9c4f911b651

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMsg.exe
Filesize
8.2MB

MD5
d49440c22fc1b44f495ac9548dc1aaaa

SHA1
b7187de5f5857cc947b37eb29ea20406718f0eae

SHA256
8e4c821c3e68ac632441ab82f200c89d53ebad733b5c7e72d401faa2a138a392

SHA512
9ccfa7b4ec522130764136a565a23d13d43926c10769d3880028066fd845fe067a6663848be491ef941f6c2effddd606ab38e813781356ef1363f7ca249731d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQkgMkws.bat
Filesize
4B

MD5
2147d5043e94443128ce1931e800a780

SHA1
a597c6e76e25c9591248a583b82173dfb2c213d5

SHA256
e09ea0e7fb8162b1de06e41aad97942969fa68877585dff6b5b8488507ffdac5

SHA512
ceb57ce1b2aa1728585833c77b9195e81f33de1762920545e7c769c65e6515c478f1971667cb2e9ee2912f3972e5957f416dba0de5f274b5726d4f824110ffa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYwIwoos.bat
Filesize
4B

MD5
2507a204f203d6d1e31fccbc0a92cb2d

SHA1
53a90871c1c9d2e50ecf8cfefaf794b08804ead4

SHA256
102f3f585aa8b4c247a0fb0b852372d7b7949b62591d4fc4c7f7b76021da529b

SHA512
b5b50fe20ff3fc1be62eb5aa808ddeb35466b66fbc75a5e251d2e4d7a83246d059cf974d997a60e9ae7d16df41b13fa50bdec532d4a87afca3aaecff3b19e116

Download Submit
C:\Users\Admin\AppData\Local\Temp\MiQkIwgU.bat
Filesize
4B

MD5
8c113ec009a66521722c40dfaa68f492

SHA1
0ea1a18b594472195333b7dbaf9095248650aed3

SHA256
a6168c4b9c447e202dbcdf6abd033b2bd27f4083f11f9cd6e7a77bfaee3a4c49

SHA512
9ae1ff9d564270b2b8247e6646eb44009998a642b2e7d45e81290078263295306097dcf1df7e586511d1f4b01b4e184401ea63ca4a5ee2c7f7d7fd4c37c7f406

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmQEkUQg.bat
Filesize
4B

MD5
7e388a4d3d5f987be46d016110e3f022

SHA1
bc97c946cf31238f0ea9d9b589d2b8c4e89d33b1

SHA256
afb90327e2c2dc3c1761e4df050230896440725d3b8b9e85f2500e85004993fe

SHA512
d5389f9cd7b6a03ee9af854382fd3b97cc5b2ba30f4d3aa28a8f09b0dbcde4b4a31a1690836087193ab572d0bccc426e1efb0ec4058ec78fae57beae5e4e3142

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsUsAYsk.bat
Filesize
4B

MD5
4f87486217b064c8d88214def8170496

SHA1
d2a468600571b623490537ded4a8a5ebd34d45e5

SHA256
d380d97a32e831725f5f88115c8ffdfe066cf97b331f1374d6fbe653b3709711

SHA512
abe1748c9784a1efabd15580c431095a7967c7846208a227b5c86e4c26ffd5bd1b29a5b693b3a03b632fc5b3d62ce50e6f6926d68ddeb9b5ec90007e04f55e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwIS.exe
Filesize
228KB

MD5
8cb161f449e0964684493ac19eff1fa8

SHA1
13ed58062af95060c58b3192efd13b76a9ac8604

SHA256
905a5cd017ac1fbe830f4330af8d0eec2022769f24c4c83209e6cd6fa1c081e3

SHA512
f3d1a778de435b99951defb1c0284016b0109bc8f6541ed239f5271926c2c5687f0d0ac2f97770e70e9de3f9db55d327e6e2ba816d3c9872ebf120f6aa9365c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NCMsAsMY.bat
Filesize
4B

MD5
322734e50aa8b7be851177a0a9d38fe9

SHA1
af08f7c1efc540a831f25f4ff8f89c1f63461157

SHA256
517cc09b12f41fe43baa6df10b51877e42cb12a12e079b1b10dfe6c851f7e510

SHA512
593a52848198bd636fd3fe661b9090c6f15fe5cbc1312d5ce6c192caf596f3bfdd3d64ae407b438ffafce2158cd067555f269feaad03595335bf2568c4d281b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQoy.exe
Filesize
238KB

MD5
abbac4cd0007d952c87dae47d74266f6

SHA1
29819e4242addfaa14acc2f60b6a4e0560f4ed60

SHA256
29cd571c8afd22ec5434be5bd51444cdfe9da53f0fa170e392888586468a544a

SHA512
2353874c6a430806b6f93b3ee3e844e0342871cd9a7aa6506c8473055c9a4275bab3791b638f9168184e16acf97330ca7f6bea84a2362abfc873ae52776aa33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgYMsUMo.bat
Filesize
4B

MD5
db23a60f4df459f0a9911073a9648b85

SHA1
e325d4282810e866d42b5dd821779751108a3700

SHA256
93d42d7b02b3b1e110ba6ee70d95305881ebd5baa45c8a0c7747b0b10d9b6e05

SHA512
bf4fc66519606cc14dfd43706bfe70750c1b66a0f3f1f48aa22fe57638d9cf61a8c36ff1d83e0eb41316c9d062e34b69915433e0822cb9428c19e7b215ab5240

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkoEoQEQ.bat
Filesize
4B

MD5
0c642a3fa119884fb71ee347900da2c4

SHA1
6ca40751a4057d105b1f3cb93780f2589cdd2e34

SHA256
c0d4308667a46e8fcf1f6bf3261255904978d07ba3834523612c53af33d18abc

SHA512
b2b9eb94708c6f026c4828b16db77f7ad6234bff0bb6cfe6fc2a5151d0a16db35cd28ae488844cdcd8676096be0eaede89c1bac4d361127c527736313f010e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\NmIIscgQ.bat
Filesize
4B

MD5
6a40b23517a11ab5862f4446a29fb065

SHA1
7840a653cee6533a9c7d37954082bae2556f456d

SHA256
b721b759879ff9f04e4cf4ef3052aa8598e449df65edc4caeb6f83a29133d460

SHA512
5fca2d3b02c8bd9839851b924aa5aa959eb88abe6b5d50ac9411a2b23161eac61af9a42f7b95efcb51af5abf69b5feca0ddf46f2cbcf30c971f93e06f568e443

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEYw.exe
Filesize
251KB

MD5
5800903f9712f2e2e3a14d8cd49ea918

SHA1
38adec2393ec354b8d7e0284064495027d5e96a1

SHA256
36e438b23bd5f07d64f088b0e048aa2a0dfe4d0f8d6c46a611dc4f5482ce686c

SHA512
331a7839939d734f473353dac6b9b4182dac885803ed974d921003e3c4ee554e4216f6de60fab4f9fd60606e1b36151b36565a1d275d3514bfd4ce7e04ff7d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUIk.exe
Filesize
221KB

MD5
052b89befdbeb6c798c4677085b3e730

SHA1
45f3daa288451b15aeaef8d61c57dec4aa2ec384

SHA256
9c5b3aed8ed811262735f3a9cf5cd17912e03055be44dc82d83e2c44c933b04a

SHA512
5cdbd9175b9ee60cd21ddec5d10563024605d26cfe7e97ea0e581964f233af0c82f5c88f76ca52323afd97c76ac8ba802196af9d5d9328dd08277f760a6a9a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkQEgQsk.bat
Filesize
4B

MD5
b94efa296f7b44222dca0d338889322e

SHA1
693885cd746878cc9634f2a30d058ea826527e93

SHA256
4d9d9933bc0be1bf8b2a38d2e7cb0ca09c48dc93d272a7615bc794d8d92416b4

SHA512
a03ee759f5c241e038f676d2f1772ab212cf378f4e3e5e90a346a67a202a4cc374713da88ee44543add6ca156adc8e3bd1b1ef5408483e2140f2ce49cd99997f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oock.exe
Filesize
232KB

MD5
7e7a15518b9993378f5b2d2f9d35ea33

SHA1
a606ed039af14a11fef99ac44741d9ef268ad92f

SHA256
40f23a31f90f9274ed0f580da4c8a27198dc86ccee9c5b8798c14fe2a05aa226

SHA512
30724be72753fb4e0e52800b839243cc31abf90a049f8cd3ba048868e0ebc9de56c10b664eeab53d811340690c38df49a75ff7e890c2d42f7c7cd3eba4dc6211

Download Submit
C:\Users\Admin\AppData\Local\Temp\PKQQAIYc.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcUY.exe
Filesize
819KB

MD5
23c5506e0dbc62b01a532ff31e601cb6

SHA1
d35b80693ae095426d5ed533c72229e5c0a8e0a6

SHA256
e03feb84be80e65569c7d74d849ba07d30111d18aff98a83a9c85f8ed2ac89ef

SHA512
1bd9ee0a2fc4f3446d27a8d77d11aec40e77e478415a647c9c14d2606c8126043078326e6e5b43b1c97b82014e1ad85297e3f60f3baf9e310c42af8bd4d09bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcwO.exe
Filesize
188KB

MD5
c6f9f903e1b0cc1f6fa20fb7b9d5f273

SHA1
ce7e1f7770cd6adce60a874fff96f5e7cb56a012

SHA256
ae834ac3c41230803a0874208c8f4764d819dd2bdf0b8839ccd53403913f40bc

SHA512
62e160b89241f4b75cbbf3744880472c70ee2528aa81b203c82cf30ac7827dbde6dc585e978f334ec75c1d7bdca926cc4819e0fe3d3f5a6a66c4b28a6b1f01e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIQa.exe
Filesize
518KB

MD5
f662f0e31644c73cc7a6c936303aa6ea

SHA1
2ca2d1fcb0f6bd7418dbba694c8d112ea16b894c

SHA256
09e04c07982a689bc1230e7f71d014abf0224d8161bcd64fe82e14e446487841

SHA512
a3c01de4ef16ce73c5770d0d95fba0127f71699dbac42a34c8b52e3c57aec0cdd274aee3e9fe039d889afe98036b1c65a12e4300a6cdfde43a3f1e12122565cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSsksAwo.bat
Filesize
4B

MD5
cb5cc6e7d0da514cc2b69150aa663340

SHA1
b38e69f6468cd4d6bed997cea8e8a889d51b2337

SHA256
aea8fadafaf28547d11672c7b1847992db49a7e185f7f247c52e4d10aec1d330

SHA512
da600ec43caeb89ca557253b484b59f369732226051032357168d97aa5b6c749d11b82580c719252718b7042b7a2659e2c899d323e6dead4ea0c363864ad8454

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYUEEkYg.bat
Filesize
4B

MD5
556b69595e7cbf081cc73197d8a4dff8

SHA1
20d6879f0ce8a7e06fc2410e61e91803ea3fe172

SHA256
f55104ef861fddbdc2b6794204bfe204339fde5903918d2f3c8835398dfc2504

SHA512
0cdd2ccc50cf0c282351ccb48be2c9fef998253956941f548d41aeab04060d98e1dc078de8233fbc0d0a77fa245322914321cf8f1bb6a09c4bc5ac56908d4f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkwa.exe
Filesize
1.2MB

MD5
a67a489f1d0dd5a6fb5358cf6c2b52fd

SHA1
160b803419c00e1d8dcbfb0fb3ccdeeb454c9d8b

SHA256
49a426158b3863c62373f1b682409d4280ef476aa0d4e6f9dd031c98ca0ecf34

SHA512
6cf935ed44201d3764da022e357714c189e2fccbd4d010b52a6db131b09b9352ab0f92f0b898b027bee2105869f93cbac6ba34de703ee6e262275da2ad3ee501

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoAK.ico
Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGUokcEs.bat
Filesize
4B

MD5
e62aa0543c00c277951d33ab78d84fa8

SHA1
58f67b86a89e4ebed3ac07c7abae84fe9d2e5641

SHA256
7ba9f9a4fa7c63ea95f70714f4b8a0e83594dd58fbf48cc97becf69f592af29e

SHA512
832f5d8b4710a711a1f82e27568f47e4186ee063e65d9cbb7a272860bc73a7d8bba6ff0600347eb111f002552794407182cc7073c0ee3e7132b9f626ccb70bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIcE.exe
Filesize
542KB

MD5
de142b3c49cb8e7f530e08750269e4a2

SHA1
99f9985c714ac5683c38e3e61bfb2c1bb3ed82a7

SHA256
d99c9a1973ff7c6ae2cadec3b598fe82014e52f759e7b1a153a814090a65b9b6

SHA512
e01370d29902311c76398c7f511029999ae4adc6bafdef79b0d1a0fdb7e01885cd92cad52abea64a69e7643b575f1838113a8e1ae8b70696472b82bb8cbcc2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSAMcgsU.bat
Filesize
4B

MD5
4a353f21265e39816fe576d08b56df72

SHA1
40900647fdefbbfd6b82d60a92eb1630beb45695

SHA256
6d6cb6de399236d329d7148bcd06984bc27373accdc7b396614bea37aeabf966

SHA512
cd18d56cd04b33bfab28f8e09040e088b1b71abe4d953b203d3ce4cfd30dc0ed3fdaaf16488043347d8aa267854e5939b6c549c64c109d0a007059437779f2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUUw.exe
Filesize
4.8MB

MD5
2fde7a883557a00df707ce4aaac064d1

SHA1
9ec86833e315e49fd616f30744bb03ffa5853aff

SHA256
347911bf2372de6efd3cb8cf2520e0dbf6a4bc200c5baea8041fca17cb780321

SHA512
d8a81d1aab82ba6cb9a6f9c9fb6a896ad6b055d63ccd63f5be6a8edf84a487c2c588c345908340d8e453db980f6dc027102b64fe7663b76a8879e0ffec04b75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReMIoIME.bat
Filesize
4B

MD5
ba75c9ec3a2a34c9ab74814addc2ba19

SHA1
199a5165a9759cd62bc4683dcaf3da94ab938356

SHA256
b777f054815366de99fbe793dc62aca3858ffb7ee650d89ba6b96e2c3085c494

SHA512
92f456c7521e37ab985ac8b19e8508335f57a387e8e5fddca9cc1e1c39e802635878529f6de0a02d58dbac3c05ac4c0e148a4b861af4ed5ce59f7da905e50d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwwcoYwo.bat
Filesize
4B

MD5
da3f7d67f16f4f445972eac40a0186a5

SHA1
1987c58e78415918eef242c1840ab229bc2a8eed

SHA256
e325f5baa56b1ded11bf9a389870892c03660181a2b7affe6f60d56b6f488f5b

SHA512
77a77d790ac8322e74b4947e79a0a59b1a8fffde4ee57b96263a4f0f564e1fa045b8fcb592cf2c31634fc7b4e58a12636c8b4fe73b0a78c1b23ca443c36d6bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SssO.exe
Filesize
230KB

MD5
c9ac47600a61059c3cd01c5612fc8931

SHA1
1250641e83d4afa1ab6d9414936d40c1e4ce93bd

SHA256
3af9639afb636e414810fefb1a96caab6e8ae2a4a54c3a5d03cbc8ef96f525c5

SHA512
005678460767f7b07ef70c803b269808f5be9f8e5528961d29827167c86a9b629db95be97767e5634602aeff503007e55fc66a450634431ce468cd2c4f0f9a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYwG.exe
Filesize
236KB

MD5
8b6b30fc7c828a97f46e761b14852038

SHA1
a90db8c9d40649e16cd041dbb0160a774c780946

SHA256
8d03dd3b1f57571b47a06c479c026f7fb7ebbef1fa1c494a57ca3afe10fe89ef

SHA512
dff134529e1188706361bad30da292aef5fb5effdc03ab9be5bd6e98d29c1297e48f77bc1c2feac315ea68aee2ef74808df9006ceebddbceea83164d3f22c6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgMw.exe
Filesize
253KB

MD5
9ec716226f7dc2b5031a7ad26add061b

SHA1
2a50477c9a72a4feb76f85af2f79e5a0ae839271

SHA256
5aa2bb57a8f3abc4966938d52e3cd524afe115c8f8ebef90bd26c7053ee52e52

SHA512
36f00d638c7ce634be7471d4f5acf20655d61176b93b799cadd8e6edd4d9304fe06c0b5d93137dad143854926e959851e0d8edb968f87ee606b4f9ff109c5c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgUm.exe
Filesize
232KB

MD5
08a1fd647c99f002f4c9864bc7658ca5

SHA1
3238e5d6b854b6e16a124855e2fd82519cc06bbe

SHA256
01f01bb36836bfbc708400817d485ac19e279e81eb457751c2bf1032dde16d4a

SHA512
b7678c9edafef063a1166d052c0908405676436748febf6fc0b89fce590a809ae67b0d853890113009f0c504bce7887dadff16fc193f97fde95d998120d76912

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiMMwcUs.bat
Filesize
4B

MD5
b087fc34de2493a76a11ab286e1ba596

SHA1
e480385eafd287a3bfe7b0e8759699c9b33080e9

SHA256
3cd96079834e60d32d56871b122c185aa9206bfdeb9730945db55f530bf4769e

SHA512
c9dd8cd925c25457644dd7d7c7f151f7919a6af7204a651ea4086a9371f1a2a02b38c6ddfb008b41f5d3cca19a94b17ff3591727db449c8dd2aad44483da1ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAMU.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEQMYcAg.bat
Filesize
4B

MD5
5d7977a7281db60a2b13a79b2c5ee899

SHA1
a25866302b6ad71640f5a9debedb62037b6a4e81

SHA256
49a743d59d26d2d9097d8d053e612fc582dbceebdb4c4e4b51ba0184a6efa56c

SHA512
7e3fba604c2a1953a23c5625b7d78f52c0353db3dc6ad917d45e8bf9b7f60b468a7db922fee5b7491d718f86410260059376be8de9377b468f983534b7d0e968

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQkS.exe
Filesize
231KB

MD5
2d28b9d3faaa06f4d3b91e96a96ae2f4

SHA1
721437c18de6dee87b769328e44981d8b0aecefd

SHA256
6cb9893270b1b26fa8849bebd60d15a00eeb56d27bfef9cea4dd474e46693c85

SHA512
31efe496146730555b9babd8e836ef359e27485c3c4d959bb1912dbaa57f9ef7fd0488c46ff29eda745f006688c537acc4abc8266cb18bf4d6054afdf2b3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UiEckEIw.bat
Filesize
4B

MD5
0d2fdd55102e9df1d524779319649ef4

SHA1
696e5ab9cd136d6ceaac35826830b7afb342a846

SHA256
432a524796212281e049022c65e4c46e1d61c1b061405a0d681bcfaf822f8571

SHA512
3d1795233207ad817d08d9778f7674caf6981ee52ccecadc9db9b701a5923157a5c811dfe62f12a9c5c22c08d510e5b3275064bc40ff0a75b43240d3eb1e04f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAEu.exe
Filesize
233KB

MD5
9e4f1c5dc8f50a359d37305b4903e242

SHA1
6fc1da8553117a3a669124f7a9e7503f6f696ef1

SHA256
deca522451a7db67aefbb9d6569f5d462a65354c72c039df5ddcabe3fe9eac21

SHA512
b6970f00e22bbb63b74fd3b99f57009f2d3e0e9ab90a3dacc98a01925289fa525fa540b0c514adbba778d9c413489911a83130598f0147358df3f4833ae2310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAIwskoE.bat
Filesize
4B

MD5
3ca7f21a77939e856268b22dafb88c73

SHA1
3a31cd7a230db7095865fb384827352e523b0ffd

SHA256
1293adef2b6fb6dcffe291473f45f873f662d25967405a986914fc42e7dc6062

SHA512
a1f5d98155ce15e833ae4ae7b67b37ff5b92bf5654e630e9d4ba0e3c3d0fd6eea04c04f6146dfd549a18ad0b5083542c2fe234cc15a031f22ce721f461477fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMQIEYsA.bat
Filesize
4B

MD5
043b817b6a76e97c6fa413322691f32d

SHA1
6bc14083891bebcf58817d5170103768e415f20b

SHA256
0892b39d2a2a61157dc88b97ea9b41d59e2e467c86932b51652ba289e024671f

SHA512
5dee08a681dd73ff1b2ac1dce73bf6f2257a10d011d4ca6336de7a9417ee58b3692adb18ec02431bf8e875ce2c7742b33ef16f061c2fa008dd6304f29418d87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQQc.exe
Filesize
244KB

MD5
59197b980e2e63be1c13d393ee65e0d3

SHA1
3a2569cdca126c142246262625b6392360b5a8d6

SHA256
0de2158bde2bced62f7c7501af487ab19205b2ec9b3c2cfc535960038fc65e1b

SHA512
d92050049147e4ca6469ba405bf749ba97df8d1b9226aca9198162ba9940bdcb0fa4e6be645b8d363f7485162fbf7bc77bfcd880a7f86c87c9a44015500be933

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeYEsYAo.bat
Filesize
4B

MD5
516e22d6c06741f4c11bb20168e51771

SHA1
39587ab03228f831be3df9b969d78ac3d1e644b7

SHA256
4610f7c8a34b2617ce1140e32dfcfd00a7cf2ac9850b82f4a9eef329e58530e8

SHA512
aed2eab5f366588570560da6c811cc8a65b9ef50679a408fcb42432acd5b6c5993062905d94b4da473ea10e05628ddc5ce888e2a771545cdaaf6847ea39cb07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgUQ.exe
Filesize
226KB

MD5
fb8a52dde4c413824a4e49c1cbfa4104

SHA1
ccac5f028b7e10fec965c6f73eff47f3c5b43e25

SHA256
c18b2092e9f5c3a2148a1ddf0a5d793904de1824f626beacaf5a4bb27fa9509b

SHA512
c2a66923e9eb3025eaf3b39e1a2758fcba84a91b2d7dfc4b490327b48878e732f709a30d0d582fefa12e9fd9bdc5c0f157636b147bcae73633457ea62d2424b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkEkokco.bat
Filesize
4B

MD5
e3cd3858467fbc6006f6940015a6999f

SHA1
6b80c4ba43731dbae5334f4cd0629db496a5bb6e

SHA256
64ba96997b2fa4262d16830671f5e1e781adbbbe1bdab3673f0938cbf2297051

SHA512
d3ad63a4d99436fce41d4c71dbe52e1ddfa6a8c46301151e5280d23cc9116cf7d9ee10c9afff24b0eb793a83abbdeecd54ef4470933e8057a3eaf47c23cbb8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkIW.exe
Filesize
242KB

MD5
cd45185ac42a9b3748c5c40839be207b

SHA1
0a4cba45398bbc20cf9376071527e78e42bbc8cc

SHA256
21e237ebd7e03f5febface66952a7a08f59a638300d626636b49c5a7b0566c4a

SHA512
e0471dcdc06300dc5ba8939f13840742c2a5169aee138f41dc423bf485e1cfea7ef5604e2005637ec3a6143c36df9f9ac4bd1450307a32a182c8ae44553a9ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VyQcoMsA.bat
Filesize
4B

MD5
35042491ccdbd8a311f1b3dd03c9aa19

SHA1
c8bedfc500647d174842ee3c635e0f33db7e607a

SHA256
5a6d505ff0c34d7cef70ccfb1cab32d69e510579d029aa7b41f6a9f0280c87b2

SHA512
95135670e02f6b87882a421600fc0d6be1d21154c595b4ed9f05a6da07127844973fd28bfdd6c9805dcd04006b0d56d3a3640865def94965cf1381423390ed75

Download Submit
C:\Users\Admin\AppData\Local\Temp\WKMwEEYQ.bat
Filesize
4B

MD5
819a38a9b8707e45259850f16eb83cf4

SHA1
dfe8494d1c8db5a5ecc25bc425bf68364a3763a6

SHA256
b4b38918a4c890ab9579211b4115d9d433ebc62213ffe1df24752542e0681626

SHA512
ebb1a86b1b962af90f518d5a94bc7568cff19c776efe14342d2b5ffb7829c62c56a2223f5de5906d865dae7eb7ec1af746e8fdaccfb000f554a558e1ddb07cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQIi.exe
Filesize
198KB

MD5
921e13ea8749aececcefed1830da8fd5

SHA1
ddd2e44e228bd460b41c5fa696e3017ea9150731

SHA256
ae8ebc42539e9c4b8d208cd51dd455507e1098ae8d60181e16109905e302f26c

SHA512
4a45bad4af6881ce52012ed6588805d2e7f1987d680a4ddd0ddbb6d1ef3839d5591f1a79759304b9850381f93a02242af5f59efd14e372c2de7c9c473469d655

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wgsm.exe
Filesize
714KB

MD5
85282648fefab705764835a80a13bc36

SHA1
960cac77afc47c7ce322379848605cd7fe31af10

SHA256
643faa3f274da4ba9e10623d4377fba97eb07c3cdfe6d1471e0d06203f699093

SHA512
b05752bf595106db1adfa2c4e024fbff5319cdeae3dc2a881f40f7409dd782665f25da5184fa4107e062ad336172901f86e44be0e717c116e493f3f3c2631e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoQe.exe
Filesize
242KB

MD5
55f2e4bd9013d8892a615ce358a3fe5f

SHA1
66f689c31ac85481982488570eb6c6e10ef6f10f

SHA256
d3fe78fcfe3a82794dd9754941f3a0deced6e8c9842f685c72f4f523c2f2fe5d

SHA512
c3cd02a468f326b29d26ffe7f285e92e4868f2c041a82a18d45762538a8311abf784fb2849305948be6342bfd460c29a8aadea4d4df5197356c6dbf138019c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEAW.exe
Filesize
235KB

MD5
27f8ccbcf650673549e164423a24143d

SHA1
e85a974e54aa5afd257e720f6559ec2b2a868b47

SHA256
2798dbeea33880bd6d2d2ce22f8658b5c591d688cf2a87403959f7bc5f7b757e

SHA512
01a3959dc692bcb1c9d0a19e94ae3fda3b15ea5ca88926dd67f65cba70050bdee4d63f25b4077dab84aaccccffff92a64409883b672ca8088318b66934f68d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSsQcQso.bat
Filesize
4B

MD5
bf0bb31225a418d81fe73c870b8c7618

SHA1
ded85d7ea789d9af2472899e1e60ea90ea359d25

SHA256
e1e23c3bf587b1ffd3198aa6e9531c99f4d88d56541d53ab1116a36d8c92347f

SHA512
400edc0bc12f973e0c5cd562365b43d2a1d6c0bd63360aeebdf96160d5665ce5936de9dcf625a197f0353a44f7c069862a14cb2beb4e5caffb43bb0b70eb49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XmoUsAgk.bat
Filesize
4B

MD5
cb9491dfdec676310c9d42db64e9b887

SHA1
c2fe1a062c5ed189cf658966f2e195906bfb6eb4

SHA256
e2f019a50ab99f9e340aef59a655eab30ee3c5d75b3d4472ae098ea3807c4f0a

SHA512
a3a166759e84df46e35b408afa84aa816ff3750ad8b867edc88fd0cd7f2791f814f5c382ed7256f730964094677e897db6fa93024fe2a7916e68795bbdd33525

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuYwUMEA.bat
Filesize
4B

MD5
379abe8c6dd764faed02e106ea5d1e9e

SHA1
f04d78e2f0bc38cff1d4de80717a3e593a266db7

SHA256
ea7b17b40190176298f06ab18a9ec3d415d6c7f47353d850b179445bc635ee22

SHA512
d79a8d989f2add29493f98314ad7cd1e68cbcc58389617ce1bb8680a6ea684f9d5b19eaa4312e5dc8ff28c5da58929ef29dafa058db286f59d01f5dbb00eb03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwMggwEw.bat
Filesize
4B

MD5
67db161059b07e6f00abed108bc2d513

SHA1
516288e820293d33ecf09f96fd16bda84fdf1497

SHA256
a1047673979f98f1eaecbe321ce730b61c001013db639bcd9fb6a51cf4e2f399

SHA512
700496efe0191616025e572bcaff82351dd80bd8a48d112a553832cffcd469166619557231a201a37bfc89fdd434040e5f19f59fa27e67d69d4e711839c35f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCIckMQE.bat
Filesize
4B

MD5
80097e7128fd87c7d4fc23a37819bec4

SHA1
923b68a8620d580eb3e1282b20d2d54529895a27

SHA256
05816533398e86e2f9220b76c9fdb5f86ebfa6c743ddfcdda53e2150a83182bf

SHA512
f4246ddd0e135a434c29f99944a26ce67f40054349b57fc16467acb5c5afdbd111366cc5d8beb9394169645fdc2fc96ebbc521a7823a1a6a3cab54fd029d6afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUUA.exe
Filesize
234KB

MD5
89f724a51a8d09f502508ff2d15dacb1

SHA1
8c2b94276f87401e41ce4eaaa9fa2badabd0d60d

SHA256
93d3f576a2ad7576bfa2e309203dfe0a54144982981fefe818e7f3cb6b9bdc9d

SHA512
5d48aa951b851cc073f2ee15d5348ee3731f3421b08c9719c2a7523fa65c176c85748201d4c87f95d6c336c6a50b2130ff7f8c65d7e2c0a03c26ce75dec67c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsUwwkck.bat
Filesize
4B

MD5
d791ba3a905a7eff195ba730c593c68d

SHA1
f0ed3bb4b7dcdbe2ba00820e665f028da8fa023e

SHA256
99fdc04c8f8c1313c641ac7180d1ce411842225a9ad662892dafa0a8bfdddb7d

SHA512
a2f230676402093be4845d1a9000c725f7a14a6681e8ae123144fcfb81ead9111d02700b5e3a98a4227766002393f5dea3f03d38352cddf6776bf8c8613e7eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAQsoUYQ.bat
Filesize
4B

MD5
20c8234f77defdd7774b120aac294223

SHA1
c9bc22aff88e41c62f597859f20a376c31411005

SHA256
757adc2529903047b8264ddd722aff389e1bbc05c8a7cdb64b3bc637348433bb

SHA512
c175848b5871f9dc2fbb29541330c36f824b9bfb962fdb4dd1c3b5ee0b44f58d9bc3746739a8cb7984ccf4a81a034f63a330314da3366b9bdafbb9a7aa912d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAwO.exe
Filesize
235KB

MD5
41755742e49858f39e0104a1b81a914b

SHA1
4599b80fd5517903d77255c2bdebd12ad80c3d94

SHA256
a51b47dffa2c72bc793e53e4c33c8edec0ce1f5e90002da3f0e77eb89c1ab12f

SHA512
b9b11421e818402501da677d759adb862421a47a03d41aacfeae3a00b09349fbb59a4d5aa16094fcb6a40326af8ab14a33b6840e4ab76938bc4ed3ca153f49c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMMA.exe
Filesize
236KB

MD5
f089cfe05b04390f91726352fa35741b

SHA1
e4ae635fd9551c6e9b7fbd74043bec1cbef8494e

SHA256
586ad1d2ea667b75280a5d5bcdb2cc7cbbe2b7812fc8c5b786469acc950b29b5

SHA512
351ae13c9537bcd69fe29b150cd30b0742ed3e6c39175e382351fa6196eef321878e11cddf5d06100a1f6e5aba894771bd059407b1118304618b07be1bdf09a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMcO.exe
Filesize
246KB

MD5
f6a2ab62c728abd052a50b8823bbc639

SHA1
616c67b328a6c9efaf2bcde933e42fb66ce73f4b

SHA256
77c02625b6ad45bc8417dd4687e087ba2886154c79231ac5d694248f8b16b12d

SHA512
bd1e34b638e36b6d41f80ae27debf83e57af9eceedf4cbb0fc4a20e4e5c3d5511fe7f8bc819d41b3cacc78bb2b6d49241fe25c713acccb0b80f6b6a4a1df766c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgwU.exe
Filesize
244KB

MD5
ee3e0a901212958a94e4d0bef4b5bb72

SHA1
3c2d09012f79474b8f94cebc69259e65df3874a6

SHA256
b7ce630d6a62238053f1bc8905560597156286844f296f07ec459f14d56c7035

SHA512
967e101cda373fdef784457c237e117659c224c715a2f46dfca9116397f0b7b2813916ac027bc0bd806cf0b5abb214f39691f8e348de5fbdb484059570fd3c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZoAgcsYo.bat
Filesize
4B

MD5
c972e7a1ebbddaa43bf8cf7df0ccc5de

SHA1
a3d38a1ab670966e35f3302aaae9ce2cef3a3908

SHA256
c39bcd97020a5458c61219beacb706c19fddc98327266b4fd7b02687b3852aa7

SHA512
88133d55090db9b349e3b0a73cd8ae2f9b619b384d5ea62a6179ae234405374d7f1e543c2100817d6634705eadca067beddfa0a1c65b363d152e4c7d4fc3ca31

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEgc.exe
Filesize
240KB

MD5
b1a2dfc69db8c1c0b6d97cb7df982ebe

SHA1
396e95c6b195644d349c05eae48afe41cb477518

SHA256
9df2ff9b65247eb90f3bfc7344155e7c77ec6c018696712d6a1d29369ff2e429

SHA512
12a5e8ac030cc63d650ac31e0ab061f23e5482099d229a40952e3eb20d90931c00bff8fbe918e2d118ef611cd90b24c3de1b75ee23a30e9475b816dc299d8918

Download Submit
C:\Users\Admin\AppData\Local\Temp\asUQAsYM.bat
Filesize
4B

MD5
04fe5885076749371708ffb93f9a68ea

SHA1
08467734333b7fecd117f2b4e84081bcbfc3a6a8

SHA256
422240171963e706126c25c78823c114ba4b61cf2709a044e5a8b23ddd230f26

SHA512
1d32e13864a7a1e353ffb3b7a39f05750049f0a9cbac2d244432216753bc888f3157c7ad58c3e425a81b995d3628397cca078a17f21aee36226510ab0eae484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\asYW.exe
Filesize
784KB

MD5
5f7285d0c075cfb2a8cd4aac013330f8

SHA1
cb5329b07856dab303008b4afa7cbe3a0ad4a5de

SHA256
1f66644ba6ee9a76c782cf85d01f382e9441fc5b9c81d4d8092c42c8c9b6d587

SHA512
d558e6f4825033c018df98863a3a2092ad1d0a52bd28bbb8bb660828615c42ba540d096d5425c35d3e949075fb64194936e214af8179ef46abf828ac70e00f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\aygoEUAg.bat
Filesize
4B

MD5
1700460164b47deb61bcb89b4b1f6476

SHA1
319bbd9a879080f2ae5e2548041a2784cc68cba7

SHA256
fb251d7688720dc3463c9017f8b4685d093dbb6e1e2732d5f9966d36e998ccf8

SHA512
315c67d2684abf3340ae6d5f22b575080fad44b7816924b5ac4d78dca11cd9a0b7f2da483398073be0c6ac5f8415f1435c12313308ac97b0f54813279dd343b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAAE.exe
Filesize
4.1MB

MD5
c767d57c88e21eb6f640a54211d71f56

SHA1
3ec571d5a5d3ef7d5e955907c58bccbcc3fce1cb

SHA256
5a70b6c8edd47f7a1609ffb1ae417e8f72f2a93fd2ea246b5e1994162c2939d2

SHA512
11452cdb9cac99e9d63159837acc5c7026fbfc5cc1888c94d57758819be0babcd9c13637e5017e81dd5b012d980ef5c0e7b0d41078c6a7106fdd4288e0fa9bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEgk.exe
Filesize
236KB

MD5
87078401b7b946ab9771c91d862ea1b6

SHA1
a43e58cb0f8b2e541898823d6e436970fbbc1f6d

SHA256
7046e62eb7833f33b78b74d7553241f95f9fa9c6bc6ec7f25508dc3ead0979d9

SHA512
5b1cbd4fcb08edb35c49d16f0ab7d93702c717237a4391c72a79c7dcdaf0e2ad41a46a2ee0bcc4ab530b81f1ae9e15ba19d1fc44d8a30099bdeed8ec6796ccd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMss.exe
Filesize
198KB

MD5
d74bb6d48517da055911bf4ec97dd82e

SHA1
0e48b146f138b8764db5963daeea7409a1afd551

SHA256
29065e666e960b1656b0252e11899db78d576c56069797f4d14107b30f79a975

SHA512
3d40fcdc6ce8efa762078143f7155b5ed556e72943c0d23d1f2d42080e55e276bc5b929b217033480cc1d9f17c33488d42238759f65866d3526677415993454a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQgs.exe
Filesize
564KB

MD5
cb74669ff059658eb9a623f8852eae55

SHA1
83271d909515dadd4ac5d285e81703980bc7bbf2

SHA256
af6f38533ddb9a813a884e4c01fc00a3f9c33dd28c6db69ce2abfb645933faff

SHA512
8da6432109789c7785870bca091e970a30ea63d0e43745f2a1f00f206800a85e338e7a06bc605484f079d4500daf330bea61cf96fcb01b41ca1cbf93c9461d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQAW.exe
Filesize
240KB

MD5
b5c73e9112129d5647ae93c97dfa3122

SHA1
2c6c4815449d0ebbcadd6165cbeb4afd132585c1

SHA256
8b01c05435df145129a989680d68872b75fc695d488509967e577532b480e4c2

SHA512
e5dd46f559cc6150e77e742ebf4fbf6d771de1c98aaf380cee8d4337e2a3cde2a77c17fb57846e8a2fb75d1082b2f589623a74b266403e7a35225efaf486be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\cigQcAws.bat
Filesize
4B

MD5
923ebae4f4e990d4c99a9c8db0b1f500

SHA1
5e560fc80cec105c8ea8c447d4f1500dcd5c96a8

SHA256
92e4c24dc1cf2c01f2b7372b4f155be3daf62773daf22dd8564d4bf7a54d77a7

SHA512
8f940309c86d12301f5c8e34c5649d14b3919b66672e6575a61f8936e18c10adf57f1cb594b0facadef14d7b0f11117bcf973855c56322ff09a943a767b50150

Download Submit
C:\Users\Admin\AppData\Local\Temp\cskMQQAo.bat
Filesize
4B

MD5
283f786377885e39ae17d95b60ccc470

SHA1
af3e70eddb2806b873e9ad302a9a1d093b83090b

SHA256
7a5bf7746512b805251aecdbeb4a28ecfb33cf8883c04eaaf88880de235f1f34

SHA512
85889109b37c8b660cc6375e98f219e69ec523470e8bc860270bbff7b0ceadf9437ffe54b8dac61a49d846a3af58763f279af21a1d2fbeba7ce8361f5ef129fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwoY.exe
Filesize
230KB

MD5
ed0f38f38013befdfe35356c3b3192eb

SHA1
b8f210571963d0d8a2d6eae331410884012158c9

SHA256
16f999b62d14b82a929d7d1f3925fa113ed498f814e2fbee2d4e133ec37c1962

SHA512
c489c950c814698bad3bc4aee9f22e9ba508622b8f1d5455d0b226ee74a4c356b4ceb25715ca501fb06d8f91087d22bd25a5a57c0048325f6d27034226d1bb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dKIkYEgw.bat
Filesize
4B

MD5
4487b27704c73ed0c2ac634a13b16286

SHA1
dd4fecb7558f8a751b411a9020ecce4cbce6f471

SHA256
b1b7178657172e85ad4bce862a8fce5bb9fe2cb1d65d2baa91d4a2c47a7eb45e

SHA512
4570945862e0e0b840f56a32211f05a4593f0868db7770ca6bae066b6c637b09cb34b0d0882a30ee8b14e4fd0f9895590ff59e05339ebb92136cfb4da07ebccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQoAYQog.bat
Filesize
4B

MD5
46abd66535c1c471e742924ac961142d

SHA1
ff71ea2c6ad3059cb1529a89ae54681922382b22

SHA256
88ac9b52a370e74b4eb63935397d5be4c5954bcb238726f5d2db08851b3746f7

SHA512
2a098b66dcfb8aefa5b9a3bddbd669ee02564464f0c229eed47ce301ed218427e82eb5d4206802e7ddf046339aa93341f751434ef4f2d3293321e401ad095ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\deIEEcUs.bat
Filesize
4B

MD5
9e5719235b72855ae8fff2134b983a94

SHA1
1be38f9c64b84c68364bcf8480b164803aef5282

SHA256
02c70b7656da4916d86ba4f6538dbc592f5d66df5fdd78f51a4687c16cf4eeb5

SHA512
6cc97903203d36b8215a87575d6a680a4adc728474d9f06d5196fad34b434a83aa2be4ed96b46054bec3faa01e0483ec748a1bfad145c3c17d3039fc12bff85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgkK.exe
Filesize
243KB

MD5
58a3b7e85319434f3b86b0ae68d8748b

SHA1
ada303e9c9b26e9e8214889464d0668ea5defdff

SHA256
01907d3c4b79e04c4877babc9dcca298514f67c670acf44810db3d145d24f52b

SHA512
5c77d069535638f5c5d475ddaf53fb80624e3b5aaf9e3f3235a6cdcd830afeb31a85b18987e1a00a3e64e150d56025f7649df4ba0478eec4c3d70e182c1fa9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwIU.exe
Filesize
252KB

MD5
845e5494ecb78d11da013604a976d585

SHA1
36c053996601acc84291672118a4cddcc811a3c7

SHA256
ff60e33597a6a196e880e3197a03e19d804fb6ef0aa00aeace7c31bb3d6ff1d9

SHA512
81b5d99927ed855d91df9f7927b9ac5073a040225f1e294a91d432b1c74db85984d7d7d854c5965647f882b0c1f41f0905b8398034d764d4a72d4ba2cfeb3b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyUMIgkg.bat
Filesize
4B

MD5
74bbc31582726aae6f8e98403dd34807

SHA1
fd3b80809b2691992f1faf015f8c84e17075c132

SHA256
116ec965c0070c236f14188758b27f3e2d83f46585088692d9523cc79ac8686c

SHA512
5ea665b90218b9e4e43f9540646ea38b6c248b7b8c4181c4a78b88bf8e79c6689d9f565f7f77efc2fda2345d3e0ca87712b4e90714a104eb3a4f6904f78c6ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAUK.exe
Filesize
190KB

MD5
fab75ed3e560acc2884fd872f8b5b98d

SHA1
a4f05f8ff145dbc9ba70ceadc92be7b1487b7ad8

SHA256
1ce2e434a7f49423ac87d22b1dabd0c01403f8d3213c495afc6469032fccaf7f

SHA512
b48ab8d1d1480695763237da1aa473de06d5f6db31bcb90662dc53874c5b398ba3329ea96aaff0cd0bd306c567dbf8a87f9972d307752c98694b62655d1d0c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIgy.exe
Filesize
252KB

MD5
55e0107909d62fd3de68f8cdf5ecc961

SHA1
3e01326936ee107f805bf498387195d78f09636c

SHA256
2b1192fc7c450a6775df20a1ce6fb1fa5badd722e88b54e017fc97df197be9c0

SHA512
f5ae5e4c3b32d7d02fedfe47198e2becee029256716f91149bcb51e704381205a0937b6c2fc03f603d8850a289bd1b16b135102bad7eb1b88baf24b89aa59661

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIwy.exe
Filesize
241KB

MD5
c99c03eda8c2a93aac72c65eea473924

SHA1
c3715738f9a2e118eb430c63f9ba2ab4be3d656f

SHA256
c4b0d4a5c620a51fbccc24b46b76012f90ba006b97ad6e7dfd119e323bdfd03c

SHA512
31037a570fd84c716f421e55e12abf104ccce50cf1da5e39ccb0a87a0553791d10af16c2abd0e44443695a820e387169864ed60698a99a787a7e48a56da08709

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMse.exe
Filesize
224KB

MD5
b8be0225122231a62eb77ffaa54556a6

SHA1
9dc7a1b2be28eb46f6bee04d49939356d5202011

SHA256
464c6d03bfa88b8f88372e9fbfec7c1ca3a6753d5364e57996b6c56f7c75db90

SHA512
db018440c6b521405a75e7b5d3d35b7522a06491ea42165c253c7e413144cdc18aa9ec1ab69f80cd4cd81dcb477e9b3aded3fc5b06ba5e9925d4e5fb55ae4d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqUQMMIE.bat
Filesize
4B

MD5
4f8d5e9933f34cf5f8b22c412e163da9

SHA1
41efa5790f559b7c729e0a0c300d156f76af85f4

SHA256
2e8f5ad6b27c784daa93289fab95b2d87ac80e36f30a31240c063778daa314f9

SHA512
63ebdbe7e1291b4eaa3f9f7aae096f8ef5fbf4fa385cc75ff89126f1113ed9e0227f3f3a472587ac22e4085d0016308911093e4622a2c1de365192264ad9cd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\euMokYIA.bat
Filesize
4B

MD5
57032bea30dfa2534962dd19fed456b7

SHA1
e4a3ac483ef1d7ca30f61255ae75a599fa2499ee

SHA256
ffff733c14dbf0def3bb05fab9de3a06c93cfa163267fb01def34bdd103951e6

SHA512
4dfaef5c05a493e115c53f58d8b376ae23beb407c2456cf7ac0de8d9dff996dfff53051bcd8bae532aabe1d64958c925363fff62086ef8a089035ea33254cfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewsg.exe
Filesize
247KB

MD5
72100837cf745838a07473fbde92d98a

SHA1
baaa1c716bcfbc4da8e063060320fc3cf8785216

SHA256
d7ced6d67a77c5dea6094b45314ae1f1f1ebfd3223d09f3a2c38aaa02f47d06c

SHA512
c99de4ac84947af349fc29cf2526a4f30b7cd8eb217fc3be46507572c7fd336b59459777431e2856ecefb837c8a0c1b50a5b7862edb763bec6805bf40c5d587d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEso.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMQC.exe
Filesize
953KB

MD5
a1aab56d1b848ed64fc4edf36194c2f8

SHA1
34f7e7bb9cf3a1a1832f9dacad2e050cae7ffc0d

SHA256
ae46caa934e3c062308dfe06ca5bd3665eb98b0797f12c70a458b8c1a710ec2f

SHA512
6ae16fe5719d7c007bb695bff608201451dce48c105d775060cc852e62321ec49a27dd1bb8dc9ef86e64af023f2b8a9bde0843c3ac0d53f85b87085fa9f3e345

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcUM.exe
Filesize
250KB

MD5
dbbac4efd3bcb4168a9784c02b7eca37

SHA1
e50c46ece1ab4f83e124f23604eeeff2fdf4023d

SHA256
034ce29e4f392f2910223909efcca3082eca9976bcb9a8339f26f8c298a389a4

SHA512
91f66cebc64c17fd1ead2743fd14768665bb355e1b846f5c1882fc9a43aefacd933d39e7b8e6b7a7eee924de0ce0e0742b223885ae62c23f11ab10de3758b3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsMM.exe
Filesize
637KB

MD5
3b02d79853c1bbc2e88464f1b82bc5b9

SHA1
89c2a0c6de5af2cab5d03c6a84ac9ea4fc43edb4

SHA256
0b11dd331e39304ce6c45481679c2d98b3d19d99e7d6aae1cfe31cbef186287d

SHA512
b6521d2b82e50dd92888e77eb00a4afe99eb28c903ad06ba806204ffdd28a7772b8b3e1a951a610e383992c9ae7d86ba36353360cf8f03a6722d68f43300ac2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIoUwQgk.bat
Filesize
4B

MD5
87b657e5118d1fa197ea6315cd96a81c

SHA1
4df22c0520fee8fe44cb1541ecb878efc7553507

SHA256
f1b6db2315c96abd19318450376230e2c88f97b6772f1ea647ecdefc3fd71986

SHA512
399cdfcf6aa244fbaf5d553521cba40c02c433500d8cd2cc01bfb6a15222d3fad9c990abef78277eab91050c1d0c31bc7cb1a7af6850d50ab0866919712b2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggoUkwUI.bat
Filesize
4B

MD5
3ab403fcfb2ea45110aae996158b2aad

SHA1
ef4fb65593c520473acb31cff39ded6d7b36d89f

SHA256
67487a9f9cdf0cc48036fcedb9ea135198acff33b0ffd2ae2d28c38af91151c2

SHA512
22ab506ab69788300b943ee6cd9af0571834b8cbd908627ac742a3e535e4870fd3a83e26552547b61e3bd1779d719152616012e07213320879e1254a6028b244

Download Submit
C:\Users\Admin\AppData\Local\Temp\gocMQQQc.bat
Filesize
4B

MD5
8ec85354819ef4f745f28d77cca2234b

SHA1
19728c2b5388124a4ea2b5d3ed039a0f91471b47

SHA256
51477c3e226e29cac4856b071c9c9e7060cd63323784957e78745cbdb4a341ca

SHA512
4e713f5d9b3aa5d0b8160933a945199a85847495dc0e5a083d06e1bc0cc1a5dc26f824f3d0631253eb0411c2e5a6187879186dc0358fdbfc7d021a98805dde0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQwo.exe
Filesize
227KB

MD5
00a1ceaa2bf18fc2664c990ed682123c

SHA1
4284b5f6a3afecf62c94672a04e05bb1dcf9d5b2

SHA256
e3e57521e17640c17e8cdf27212b5877a4f4cfa1c0341a8cd83d93d467be33aa

SHA512
4f5fd2639a99d97a6c119ad9862530a27d90beceb1d47bc3e369249f2e6490d6a17e161fa23a0846241c20768d43ec20927b989feda701bc0b2732361645819f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hckg.exe
Filesize
230KB

MD5
1a7726b08476a63666a820cf2a7348e2

SHA1
22ea711d961c828b2d3ac31259ddccbe3f7dc172

SHA256
d914f2a84cdc6ecde5e0426acb2eeaeb8ac55c7045437771980c7259bc753d50

SHA512
1c30298a15b1e85982499bd1ec46d3cc6089b3a241d31c08b31a5f151c0238da97e0faa20d04c53b8f5330de503633a36c7ece6f16099fa144622352fcf51c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcso.exe
Filesize
246KB

MD5
dd385ff6c8de9fb9491f9c1ec4399915

SHA1
d5aa7b710aeb1b493a43e5883aa39d517cd9a1dd

SHA256
4630234c526e861bcb96fdd7640041245c59c4ac5f6690b039802304bcc6405f

SHA512
734bfa8aac76ad355328b97fd26c8183b9a886c06d896a58e26d52b28f789e503bdb7773d89ec1ca9061040de2e970b4db05b487a8ce82a2d3df21998fe16387

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgIm.exe
Filesize
241KB

MD5
0507ed2af02268059331c9f7576af605

SHA1
4647bc7f93bf429b3715a0fd3e82412bea17f6bb

SHA256
8cc577573fba2f64e3e0ce147e1308e23a076e6f19fe101ed48473f4a54e674c

SHA512
bdbc2b0eb12f84f6f882c5eb4f1d937eba2ddc75cf206e0c911527e89ab050de130e488c527537dc2ca8196717514f69446a867bd6db301eaf362c9bfb761e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgsa.exe
Filesize
226KB

MD5
3ad6a769c45a2c7ddbef80d1ebd04d4c

SHA1
13b74d5669ce2e95d1d6d671bd90709723b8380b

SHA256
5e55117612d571614ec29f0aa89e50a0232a7fcb6086d3ee0bd45b47409a332e

SHA512
6ab969c50d02e1c96578d299f6ab5ed583ec5133178b88ab4b556a0d25d0cb135f7d2f923f9391096bf23f9b40ca4444782538f2dbc4df87d88d5ebfef8ada26

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkoA.exe
Filesize
255KB

MD5
2e247b3612a814d415fb303f654c9062

SHA1
de239b0fdcc2290ce5dd5f30166b78fa6ac566dd

SHA256
a570fc73923d01a4296b170d09112a5b08432ecd39f8c8d53253a37a52a90acb

SHA512
fa2b3227705db74871c199a294f8a48b10b99ab145cf7337ce8c1deb5103946b7676012e8aa5a9e110a4dc8a748856f456490bf4d9cce2e569aace814d4c9b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hocMIEQE.bat
Filesize
4B

MD5
6946cd5e229fe2cb13bc933856192039

SHA1
e46568fa6253254e707b0b4024e9208b8f38f570

SHA256
ac502d8da979128c0d474536ae7119e8ae63f2b9b012fd5900054545319451b4

SHA512
5237613e974acddad8d44f9727000f65a882020df29e9c9558dfdf2e6d7b9c492f651935a1188b40eefabab51a4c2bfe35cabb2fef2df1442cbe1a07cf96e965

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAAQ.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIkk.exe
Filesize
235KB

MD5
bd05e4c6d19f3b31317e56c681025bf0

SHA1
e019e42e7f993fb7e0e9dd10e35e51b2c79b77cf

SHA256
ba4fbc9d3ff3b97e3d3a0e949f4cd5dd49e07ea82b46c3c346626f97f08c42e1

SHA512
7fe153d0a1ddd246a3f115a3ffc047bb220dd430c42135660f5cde095121aa41c9cafd28a08084c12af64e84b248c8375706ff8d80f7757ab2b251f173890230

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYYokoAs.bat
Filesize
4B

MD5
cdeaec0a0870dbef592218690552f6d1

SHA1
bd8807de46a9334a9ad3a99b1bb9fd9154cd4038

SHA256
3b509cf00483507d53e1241ee97739599fbcbffa2657bc39c1605de79a0a7e79

SHA512
0904f1f52a4e9c3bf54bb19ac1446c674bd01f6a162aae8455e282851cdd64ee3e0fa8b778bbc4c20797273a17441e7264cb7fdc30ef7f75fa14157351ecaf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\igIS.exe
Filesize
882KB

MD5
62853e25e893bb1e2b092f3b8572981c

SHA1
e82c6cfda718089eb6d2ddad69024500f8419e09

SHA256
78eb593c252fdab6d01ffba0ac9f13def04f89c438c9534c51a36df368498374

SHA512
519ff5756d0692ba5c56a1d0959aef0eb903083c13608e19b08683988f546514c30c0ba147864ce78ab91cff47bf406406d0826c7a91ceacfaa23d4921fca63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\igog.exe
Filesize
235KB

MD5
8464f3cd531fbc318496eb699d53bc2b

SHA1
5fe0babafd72195a9e50b3d5fc6cb4db051e4fc1

SHA256
5749e24c02f4d821e0fc4940bcafee8783d4a25c5ee4a75694bd2fe141302e6a

SHA512
0a86f23b418d1e2ebfe4485154e5cf3419002a953009e304c78e68ae76f6098072b0d9dbcc86540c9aa6645cf96741fa0b352d86616270471d42aaedce35264c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikQK.exe
Filesize
581KB

MD5
5274777d61035b2c9c1fb541ec07fe73

SHA1
6a4bd6b5f01210ba451126a9b062c17e896cd20d

SHA256
1f354776fe18d815364e5cc2e27e5d9091448b3feffc4f89b64876ca46f894e4

SHA512
1ddf4ecbab429aa5846b3e053edd29081fed76b6c703c46335965389e4022f15a1e5f919b0aebe912568afceb11265218471e85529502ba0a68694361dbfd3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\imMskwEw.bat
Filesize
4B

MD5
92c9ea9ddac310b6eddafd64bf923fa4

SHA1
af64833ad9c1bfcb1cdfa9c7293878d5a9e04d43

SHA256
f10b7326c0ca9c04372ac48f436852b72db3dff5c29c3af610e35322e93e491c

SHA512
4a3712f3b050e003f7fd68163560887f13cd2ac886f50441b7916fba2463c7d0c5043fe178b5accb05465486c7107e216197ee5f8e3326212977f0a226262f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYIY.exe
Filesize
223KB

MD5
5c6318ab2bd10237798c16c180cdb6ee

SHA1
46dd600b53bd3995f21bc7e4b2c33fa89ee54a2e

SHA256
4e60cd00f3eea317c3d17966b76041918f214903f6a2e7c44e1a6e40ae787d9d

SHA512
c4c6fe41e5608bfae2fa51b381df6798cdb78a0b649e3dc5d552be99222a3e71885cf7b0586c158b426c9d9c558041284c5b29ec5f801691f56b672a769b5d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgsy.exe
Filesize
247KB

MD5
533135927bdb5a72380f116d22b8a9a6

SHA1
53b27c5b742861b6ebe04632dbc58ca6f1830d76

SHA256
cb04755419be5c08315cb31fa6a0c606485558f236683c435a7efac0e8d81310

SHA512
9034bea422a5df65dd59427c860251d5b6eabbe38a2fdd72ad071100232dfeea7229a021f201495279627722957eac3d906315d4d92c326e09a68a103546a69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmsQAYcM.bat
Filesize
4B

MD5
483c9b57f9a1367fb7424e268e570664

SHA1
1ad98a640d76e1296e967324d54fc0c6a4a26c1c

SHA256
3d03c9e8dfed59d8e1e1407278b0c53c11d1c7e0e09ec6e78df2c3e05d21cde5

SHA512
ca0d025a4bc60d8c83b954c50443c7178bd57ac451d7b19b53efdf8e395d02b0fbf0a4985015fde3b38cc7578d0c214689fba2a450fe25a799b10958533b804e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAIW.exe
Filesize
236KB

MD5
0960e469b42e51456b31bb09b423d341

SHA1
3b0532ae85a5f4ee6f5d0c2c47c5b79cb6a650d6

SHA256
97863b000e1c4a4b4f2195566ed7102d50055c39bd15df3883fc95c6d671b810

SHA512
1ada4f64fccdf949eb6c1f2251784adc9b30b60777faced1565a592e38643cdb2584275a529c610f752226f5688c6e816d99596498b0515e926284081232273e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYEI.exe
Filesize
242KB

MD5
a148825f5a7a49f53182a35ed2458df3

SHA1
d8ab745df987562e151a98d6350abc7e3798ae04

SHA256
b4f0b9e6a7a80a78148b83ed1d36f58a11e607f9d2d4e8b984501bdfe0304b7c

SHA512
97f87d193025fe9b9ab91d49b114b9f03fb0f466963f244f436ed41aa2392b68899f0e3bb44e87b9dfec358f64d447298f33ba958829c2bfcaf86c2596233acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkUW.exe
Filesize
229KB

MD5
dd2bd6150b018a55d85a2f31343ee326

SHA1
8b5c4bf1c70c640917b1e9f043e6956f1fea5876

SHA256
b700bb33a7caab15039d12186d7f1b343c30efc44985b3fdaf0084b210a5e787

SHA512
373940cc61af7645b46428f16ff0db712fedf756b11120d9357d1c939a7ce174bd5f6b044aff273a9a6d4609ad8ff1c33c3de693f2019d90d7d8698b2c7fe3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\koEcggsE.bat
Filesize
4B

MD5
e04bbe961fd7baac4ad818caaa53b3ee

SHA1
885b250e9a8d5270bf60e34c4882838a3fa9f1f0

SHA256
bf1e8cf718119f56c209d9572af688ac87eb7bb960ace5df1b95cbed078c7977

SHA512
fc143dde4d3b731329175c23530277f6d3223fdfb2bf3262beb89b2540f22a8ee604bc5537b3c797b6a05519756c09ab80262794ccb96e6d595f7c5873edce2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksck.exe
Filesize
319KB

MD5
920b24033fc6770e640cb40b45d25b22

SHA1
a85da50bfb32bb610da77f4a8af47a031cb1ef0b

SHA256
e08009922e7695e0a6fff086f83ab9589997676bd9346ebe4ed51eafb88ec064

SHA512
73ae7eb0032dbbd103d4898a13cf86d3bbb73a164cc8846953ed51ab927f66be74d55599e9a1a229f9b0da81d794267c5d184deabe414f582f1af90e11c296bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwgG.exe
Filesize
228KB

MD5
29720973ede99b26dd26aeb97b0aa796

SHA1
2306a6cce7642c34c16e064e51f1ba084f5f96eb

SHA256
b5b5b83861452f3b890781c39d973d6e1b60bc4097d1a45022e2c8ba91db50b7

SHA512
26d8a8bdecf9f688f89d4532a422d6d3edddf766cf9fb817e4d3006016a0dcac2dd5c7d929db492231206757e8898208e47ced9f9ac8f631817ae38ccfc0bb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMAs.exe
Filesize
1.0MB

MD5
33d4650f56a2b8454fa525451b2f1177

SHA1
92c9b3055d022f60acc565e9124d1c704bf40c7c

SHA256
e03689db80ce3f3b2b64976e5e211353bf4b3137a6a89053ef027db376a0a374

SHA512
6617f336505c0478bcd1bbe18156198ab833bf87172f203a7088f920cd0b5df71c058eb90a1ccc05edfab74fe7081e063bf37690b2e40a8ba99062b5ed6b2bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQMk.exe
Filesize
736KB

MD5
bc3b86cc6f62610e7a35384a070040f5

SHA1
428cc31062aae40c19d30c909ac90d4e991fa4a6

SHA256
535418264668cee9dc3416d120661d5367f0eb1cbd8f6b4868c0e1ee09f1aa54

SHA512
3012779436bd9eeb69206b3971252deb7d8c946ad43eaf14be800584f11651977ef5c0c624037d29eebfe80193f4306cad0f8d2fd466d71123e39cf61ddbdc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkYokoYk.bat
Filesize
4B

MD5
38ba8aefc44d041b71ae9682a9713f8f

SHA1
fd5aa1c759d5e7517a8c1f1c82c1c2167ad022b0

SHA256
f4d1e1d425641230efa0e348d58156a02cba580eaa0e1618100fe21641919576

SHA512
f01b5c2a518fb90fae4b8d73bb5ba3c513098e2534e9132dd5a9d0db5b2cb145ca14d70aae4e547eb7cffcdfdc1b218dae8453116ac60c4810dfb6a135198a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCAAcsMc.bat
Filesize
4B

MD5
79ff886251c6060ceadb2cc3278cd519

SHA1
58d2d998107cd9b11ee4e3d20d9805ec19978fe9

SHA256
2709cde6025aa28520cef438751e3470ec60b350a3b2c558e89913553fdf05de

SHA512
7e6220f59b32b5afaf77984c5c2080d4b8e540f220e5b2d060284eac2eda3e68d527780507be693cc3636a4b655b137f8a86f197e28f85d1be6e804491d64bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mOQYAwkU.bat
Filesize
4B

MD5
a83b05edb6b4c83da1924e57ca2c9018

SHA1
758d3063810961af09cc10089139daa21312b620

SHA256
19b1a063c3e264ed363af704c1d4b3f186654f6089e4f508588a4e3435511f06

SHA512
3b0dafc09cf2c4d91d1fe842e0499dca12df81376f031d039123f9c25c1c0ab4db3bc83a532e8e6068aae176ba02f08e886bbf06cd9dd5adb2f70ef5affef96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQUm.exe
Filesize
239KB

MD5
aa5396f835df6f50c9897be78b9b8c8e

SHA1
3f285cde0e421ca038ee21caa25c5b25f72c6861

SHA256
189b22800d89a889e69a4f6a97ba14853d634b398c84b3053b8206f844484d30

SHA512
45bc821b40314e973ceb3634c9f035a47ab5c617a8ae2456acc41753a885c8bef82e20554b2c5c541166cf92f0376bf4b4432566ac602046505307626ba44f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUAg.exe
Filesize
230KB

MD5
47757a8851e0b690c78968b2bafb22bd

SHA1
970aaf4e8be41f5c06bbeeedd20c48da48db0b72

SHA256
61fc960c4813d3c0bb79e793556d4ba60d618c3aba871359ba205eb73cdc1dee

SHA512
a1be528bb0c0100c01914b8763f14d35e1fe685d854c8214cf90d2b274f614d07360837eb0dc21a57816fa53bb88eda0bb900f9eb25b0f6fd07aa4a55be18c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmEwokYk.bat
Filesize
4B

MD5
33980d7e4fec235bad3efe80bcd5e8ed

SHA1
a8c7990a0c6046170f04f817b2c4a8a167139e18

SHA256
43200299fe90e1b107e93962f5c23d16cc25b2d68be39064f57fb248e7207d8b

SHA512
4d0052f5b3617e653f6a6cb67e0c5293054997fa6ac50bca59f8bc8f2178071bdad70d18f60eba2dca3d84bb2ae0202adc3a1936556a5d06653238f450ac4bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\moAYkswo.bat
Filesize
4B

MD5
b8fc96d9f887eb422def0c5987843c7a

SHA1
b0b08be8b64e2948fa4413c2e27044aec3ae16b5

SHA256
528f85b0ea837e8c5e9d6528e944f6de56d673d25b94501f95fbb1de370cd849

SHA512
55ff477f810e3a11cbd88e6cb14c077ee5fb26e0fd715c60c2df73886fb65d0fe1a828ff686b8538a0db292f36ebe30e3d82ae21b3d009cff21fc25be1e6ab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGMMIIoA.bat
Filesize
4B

MD5
4f5ca58f368b5b446baad71c9939e0e7

SHA1
152d932950606d06463632c7e6d6d56954f5f8a4

SHA256
43cf6c5840b8dbc4862bd33824081dd123dd4f2e08b23de605b8a9f2fdb0ae1f

SHA512
d88ebdf908e398e65a78bf17933c6c4b5d51624dda35832cc9bd2393ea95cebd3b56cbf2f1d96eecb5121bc6f18162776fe606792ff90522f7921b85ff1c8a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIUm.exe
Filesize
231KB

MD5
e3ae4edf44cb4a1dc63185cfe29617b4

SHA1
2b2e3fb888c03b544cd4071ead6502b5c04bbfdf

SHA256
37e7816e1181598670f794d0812646b8c1ba20a92ccb6c900abb6b18e78f0d1d

SHA512
320ccb112b9cb29a5cd6536d7ba474f70e85ab3b32ac3aa741a12a3c850223ee47b479a122c3c0d698af55340715f0101e310741582c9d0a99aabc693badb710

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMcO.exe
Filesize
232KB

MD5
1c634ad0290005db44ae29c0721fd389

SHA1
5850501118d395b6adf3a9f740160573d4d26c83

SHA256
a39d900e16c5f0170a5c1248fac9f281542407054df4f38776d299b176c20211

SHA512
2cc82656ee81732f12380a732bd650a22463ffed38d4ebb34917be4383b917a1ebf15fa2580e945f653985e6a8d9849cb21fc3c0f5c845d561a23a7790a1e8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQMUgkQo.bat
Filesize
4B

MD5
22a3ee36ae167f60482e7431d8d3aca0

SHA1
e07ac5821660ff2d666862075b40338443072425

SHA256
eef2112446cd3b4c9d6f2aaa1a77f70499746017e15373ce1d828b038ca17b5f

SHA512
d91dd855b6fcd309fe08c02ec4af2b679a834d02b40422f0a767213e7c1c64900235fd130dcc2abd0118b251ad9a6acc5b04d1d07d978ca5233d8fff9210b493

Download Submit
C:\Users\Admin\AppData\Local\Temp\nSkwYAsU.bat
Filesize
4B

MD5
0faf26c5dc7428e7201031e5eb90d125

SHA1
cd78dbac895b167681b1410c66268aa0c0efeb12

SHA256
15c72098a89ec597e197249b22c0ba77f76a85e61fdffd72c708d9cad313054f

SHA512
bad1d26e79f6af0fbd4f075bae8a0cd880c5eafd41969d517bc8e0e8b8202e766b06ca7a50cae2aecac0d5c3dd628c419c0840b56a38fc96d66a3d26dd017c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngQU.exe
Filesize
253KB

MD5
d53fd1ffa16c3d4d4037e64b753a042e

SHA1
9bbc86c35fc2cb74f88d0a918fa8d7641f31b143

SHA256
f0ba9d1cc08c576aa39007b28d913601be0cc66fc2aa6b7c060e939e053f2944

SHA512
827099ac171e263901f7afd14fff7c1bccccedcadd99b72a62ea7307b7e80581b3995e9096cf19b015793b3b9fd2e6f696782020d67e8d75b2e22af5bccd17a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\niccoIAs.bat
Filesize
4B

MD5
ff59d225a45e81986b3af253c2f212fc

SHA1
5cb55087f55c036810c6e6e9bd3e0d82ec6bdbdd

SHA256
450eed73787aa626f35543bff045910687062ec2fa0450baa88145774b2f6515

SHA512
febeeeb544db9bab3f8bf51bab15e638baeb994e49268e9f668ab9cee751b4ce0f5c5bc785ef268314a82e38d41878add4d75fa6b91c133f4f18542c21157767

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscy.exe
Filesize
186KB

MD5
798ed32092d085938b5a70e9ec4df2ca

SHA1
a38b1cf641a9762a9fb0ac65ae04ba04ced8db1c

SHA256
a5eeb6e5be6e245fea31b5bb04cb4f352d0b48fe66e57d71fa7d93506efc3949

SHA512
b5f9bff4892a8234f8d127fcba66942881632b3b3e7e0b263e47450e34ca96a8cf53530a4805b908e7204b9b517ab39f73e618c464ac822c87f6f896ff33fb83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nysoQMAI.bat
Filesize
4B

MD5
996925f5fa0ee1f09f26d9ccde4a28d3

SHA1
7a7aff21bdb4307568b339174abde26ff049b616

SHA256
896925e8ef6d91a7e269d26ce4fb7c2b5615e2dcb57a280586bbae00c2f5472d

SHA512
425f5c3c76da30b16490fee824ae09fc2ca349f40109cf3ff7cfafc4a90093625b52efa15247a814ef4dfdf7e9a91a676632b36f322a779ecdb81f11f161a116

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMYE.exe
Filesize
232KB

MD5
ce694126131c6bad111557feae2bddf5

SHA1
cec3f605f30e72b4324f20e56e6b5eb14cdb740c

SHA256
da789f22f1a7b6ad7e523b6ed16286aa73368cab998b67be78eb8dd973cac00b

SHA512
4938421802095dd535f70e83836ffdaa248c6be937a9d59418aefe5c75b984fa65b1b258af42746e626afc0336c3a1283ed3313378ff87e92cfda5353637ea84

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaUYgcEM.bat
Filesize
4B

MD5
eb1db18728934ff52d392e7f32348132

SHA1
8586c4d0fb4dd5f6e0c780e5a9daf14179b3c220

SHA256
4154cd98f01c8d306d7f87b492aab5fa593dffaac92a50a72d1d5d9f678242ac

SHA512
43af00b5ced615e6931111492844fc90ac5f2058e8964fde4ec6334694476f9da1deab28f721b699bbf8046cec6008265926799e9ccffb08eb2cd46f0018f636

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAcq.exe
Filesize
217KB

MD5
73f61cb5df50be8c5c53c980ef90cff3

SHA1
bd766fbe122a542a7a39cb768c830b0ec7e87813

SHA256
1472e4872bd32c4e73a91e20fcdb96efda5a4156221290dd72fa20ea9ff1566c

SHA512
1f61e955fe2182a2fe3801174fb6c78fb45720a5d1b02786971839834973195b1b835f3646f48ce7f078ed7ffc0cbf55e5cedb9aa8b69f1dfae2a2f2f65a70d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwwS.exe
Filesize
253KB

MD5
af44bcd97d986541a495308101596818

SHA1
56505f8a2d8c7a89d9af0706f3bfade6141ef85f

SHA256
3c31d6eb9408cc9a721b80f5c341b6f948e5b3351d289ae81fca919e95c44b1b

SHA512
9d0d8038dcc8bad6048b1132258067d482f76697957882d8c55d00eaf705157b91d0ec5eb3167020023992537be8fc354b4674c84d1ae20f10696810dca7c87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMQcYsYs.bat
Filesize
4B

MD5
512befabe8c2dea1e4eff83239cb0fa7

SHA1
7f395ab1943f13a6195354571fc86613604bb674

SHA256
fdf88b7c8ef0e29a005cde54bbe4feea55829955bc3f89b579af40bdaad4e052

SHA512
7e4bf6543e54339b3e0b754b43c58cddd7b1ef8b4975811d4037763d028459c5a3c9bf82a5d6853be2dd2bd90cbc6896a8e4006f26626c18b5a78ab91e9e46c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiQcUIQA.bat
Filesize
4B

MD5
2344a4fcca28920a4bd61f281601be7c

SHA1
70709e6e4bf98916ec539306abfd5a7f5fc7c780

SHA256
822a1d8ab65d62e547b640899d78b7cc322341ba14f7192282b81bec5be4b514

SHA512
0ce82aba82fbdc1b76560ee8075f48aa9c805b993d7ced0f8cbde5b314bcaf2bad75299b064667e24fb617b033b4040ff231980b9f19b223c6623138d2155b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqcUIksI.bat
Filesize
4B

MD5
1fd2fdd43c11014a63ebd25a4080d103

SHA1
e514cea0a94e3cb5708b2b0eb479105c83d80796

SHA256
0ba27c598e7750c36179b584959e0aea2a68dd2d5b66dfe155f0facfbd4806c0

SHA512
ee971b04a8720db60bf08e06219b46d64b424cc938fa2118670d492d59cd697366b1451c73b5bf3bb79f14b56e3c3c3648a958e4a934648d67ed4b572ba42e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqgsMMww.bat
Filesize
4B

MD5
1544494efa953f85020af5d2187f6861

SHA1
82826af53021109619dbe9f33b4b6a2ebdf3f719

SHA256
19b36f13777a40949b34925f0168ef06272a2339ec31103768209d4767ff48bd

SHA512
89608ce8f4d11ad034e165c29d4f44e453331982bf9c7e46fad0fbfa28d82aa3b0ff8dfffacedd010af1c5934ebc9d5779381f4039ed97726f09cd9ff637dc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwEkcYsQ.bat
Filesize
4B

MD5
a0d3b571427a162178ad5ca80d9baebc

SHA1
c148c4c85f83c480a78c3ffb826aa01f4895e23f

SHA256
aa535016ed3fbe90db48bd70aef1520620117b959387d39c77a520657cb72260

SHA512
9e3d7ba72c6bcff63358e5328bc176f40a0ea82f7ecc57a861d42493979c7993daa8651597a720617d53270c2832dfbc8dfdbe216549a1cc6e766febe6658da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rGIUwcYk.bat
Filesize
4B

MD5
4d1f3e76ec6dde429a048421a171122e

SHA1
ec866db77f51f7faa8b60c2d64d109314403dcf4

SHA256
e70f3389554ce92334548e4efd01c1ab5e49356c0a6116029c5878a09c02720f

SHA512
3e98fbab966c437dddfc5933b8ed94a94a23e4ec521a1a34679be58e7750988b2a07fa173dfb923c49f5da6509b124168a9cdba26f18d7f37e42d680467bfeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcEc.exe
Filesize
953KB

MD5
67f6a0498d6c27ab8822fe2d16a288c6

SHA1
b61ee7aa92258a27667288bf714b044e4f3cde9e

SHA256
1f7e7556483a151c452d3f356a67db0815973847742f6da2ea5e113e48e71584

SHA512
e4529076d0421e3341cb13932da30012bf6ea573e18c7acdd7573024de7a57de461b0e255f32c775a341758b36ce365a4f52c150a7833e731909ad40f5ddc109

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcgAcUsw.bat
Filesize
4B

MD5
f142fd00d8db7e0f10f7e26e69d5f7fd

SHA1
5311b4ca557ec3530ae01ff4a4d865e70d7b6a23

SHA256
d20b1015bcb899ea227c112325ccfa5af759f7244a707c37c825c836cec9b15c

SHA512
ae0f4b869f17324d1431fe090727abf050b4285cef492b356f846b548a0a1da0f2e9777ac146a609bcb1b1c2ee0065a5df4542978569e87340f685867e91ffaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\rowYsUsk.bat
Filesize
4B

MD5
37b5fc2a1c9ae3104ef46230f01febbe

SHA1
5f4a0db8012729ef5c1d52737f187e1a93cac857

SHA256
d171975e62d2c87aee143f0b8eb299d55f5f5677557f7323ec3a84e3a31af04a

SHA512
e0a72610d1c6c1359546039b5a4fedc74919613e975f828e80fcf29bf2fb4bcb315cf7e52d0aeef41c3d734e82fae1fc913ab22cd30ffce1209b702b79b1da2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwwQoQos.bat
Filesize
4B

MD5
b12ee37a23f8e503e7f745fd8aae5f44

SHA1
cacfca87b2acb151ed9dea5e56249d28975e68bf

SHA256
b64c71db18a3fe73c3a78708cd2805941984f7e551aacf023304eb11203aa850

SHA512
d77486659fe716e4c2ac86a6946cbb13e7688340290670d2f7008cc55b9298314ef4ee4c8be742b4180238284bff0f190e91dc3bdf63df87186303f478e330b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAIa.exe
Filesize
227KB

MD5
f7717f9785a8a51ab9a9a1e606c00062

SHA1
14e712819daea7831dcb5bf37c3dfde1e8c1ffff

SHA256
0538b1ed80049f698051c2424f252a3ac8778f26d64dc44d48996fc94e988c57

SHA512
7209157f1d59d16758c2085aeaf7c43d20bf78c3f9eb33cebab1ce26457356685cd61dd5953fb8ceb131216c6fadbf0f9339966f8110cbf1013c2fcae6902ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIwu.exe
Filesize
239KB

MD5
e6734b2fe36ad8a5349ce05e152d45c2

SHA1
bc45841918d8a47d1d3e39e416537ceeb7e0a77e

SHA256
945d9d05bcd63aea4e8e39ff1f0ac97834f09a77d8fb29989255c649362cca4c

SHA512
3332844464218569c395fca560d2530e47beb92be5a1313071b3b149f07617565a043980141d5c6b071caa84e5ce9ef82a914d444190760531b63cab81afea1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQUYsMoc.bat
Filesize
4B

MD5
f25c88ff80b7c8c6bbc76ad1204e62c4

SHA1
ac375db7b43cd6c8d6750c6650c5a786377c8f24

SHA256
bb3d095548b4af759b52f97a819f0296a14104938702d46ed258e13cd745c10c

SHA512
9e0e9154e58e89e483312ce9a53a269ba15abe1a9a868dce08033b32c2f349c262e76105722b745fb444e7165f1005494fee6a8dbbb6f73157b308e8ce9f3414

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWoIQAAg.bat
Filesize
4B

MD5
c114516251ebbfa5d9045b850f325aaa

SHA1
f857c6ed533cad2d3817318288bd68d2d7f7c429

SHA256
f69bb459cd150dbed64b207889b975d224a6e3924ab70417aa0427aac4fcb11e

SHA512
14ed307d20e67a1b45df234683389df64dd99f3836022d78b600506c4c4996ea8acfda63552c7a6bd123f02051b498008356582ee963c84c368cd45658ccc070

Download Submit
C:\Users\Admin\AppData\Local\Temp\seAQUMIw.bat
Filesize
4B

MD5
2d34e3951c12ffb1718205ca39683220

SHA1
3a9e24af8b0abafe3d169b8220eddbe853478f2d

SHA256
392ed365b87943bf4e003ba1e2491724aabe1685a62682ee0a3b37873d03f7f6

SHA512
ca97198778ff97dd43bb626ab711685bcbb3e08cc24c19df49b6fc8c5c58eb09ae4336f58e1d6ee0db5d64d07b1b61dd90385b82a235ff1bb6bb261da901ee2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\seQMEQkQ.bat
Filesize
4B

MD5
e27ec28543ad8248bf42d069b615d85b

SHA1
c66c9cd9c6a34140a6b08c30b8ba0aa6dc0230df

SHA256
527c9ff3ca0e8acec24e4588a8314fc653cc75f664feb335787c71d5a4182b04

SHA512
aae79ef1ed8cfc1a55f0ed8f83c8897799835175340cc01e841577e78aa540fe483f5e62f987cc441b7241033b86aea17cf9f760921b85d408a559d7744719f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\smYgEMIE.bat
Filesize
4B

MD5
62d0fc056bdab39a496f97b79dc91d3f

SHA1
2939e038206a61198847e0a633db5f633fa8c8cb

SHA256
d4488505f6ec62cb891266f12bb6934acd61adb551bbfe4bdf9e35d8990987d9

SHA512
5a2af7aa00c07bb1bb23b1b13d543fce110ed9b8ff9e26d91ad19e1baf3cb4fd68424752cfdac1a7d15862ef7005047be7a2f0cd9bcb94c0b2cf0fa05172cdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAgA.exe
Filesize
244KB

MD5
d056618da8814fea91519edbfabfa272

SHA1
922528356883db3dc19c5f6804e3db4cd995754e

SHA256
144076eb974191460de038c926f72938869ddd964a3346924c916a8fde78fd4e

SHA512
4bd37045edeb1b2ade278fe730914bb2bf4fd89849b583f9f1c4a29202a184ebafec16fa4baede034cbde487c9ef122a99e88a1865a0e019cc2cc1514d6f784d

Download Submit
C:\Users\Admin\AppData\Local\Temp\towO.exe
Filesize
231KB

MD5
576ec18c445fbc559b5a3415a7cce2d4

SHA1
ede229c2420307577b3f0034ce08a01db2642c28

SHA256
9b3e63c5ae8e3bba1942405178b78b0207b0e757a7b5c1e0c6724584afd67d55

SHA512
90024d98635e5ee4573b3c65096eae12f5e48dd5023a01e0e0a52a3644a2a895971316ae0ececbf4eb28d4d1e27ef8a627ba96fdd9c8bc32cdfed131afc675d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYME.exe
Filesize
238KB

MD5
8bb21254c54c9a47b888fba381773935

SHA1
691e30c541f8850b1545a315f39d6f6cf957f2d5

SHA256
e61bdb508d685408d38a39ace7b3704f9e150afc42cf23ac64c69f9c0ead67bf

SHA512
d128f353d1ecb1e15dc332a5d91128a9bd1f4c915321583508ca1dceed946a6fa244ed4ea9e0616bd36f3ceb99c1a8024018f5c1b683bddefda28c6f35a3bfd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAAE.exe
Filesize
232KB

MD5
1b40bdd76e614847896de17ff6c7ccd0

SHA1
ebd1e0d646a4ceafc0fe7d4a69829a52e230e199

SHA256
6f1b29e7ac5cdf76c58ce7bf628143fb11b3281c446b124258e07dbfba7f30a9

SHA512
4480e7691908c38198716511d3da707df54f28df499e2a93bacdced9bb1f8281ae548c838d5169ee98fc3cf555660841e15c45354b7afb464a01cbed151eea26

Download Submit
C:\Users\Admin\AppData\Local\Temp\vKwEwkwE.bat
Filesize
4B

MD5
8825885fb9756ea341da7f86a3e78e1b

SHA1
d607c84bf303bddf97d234e072495b4221dfe7de

SHA256
2c8b817212ec1a27d3f5b1c3193126a9cb01dd9d85877b7a6e95d08211271af8

SHA512
cb796c6f504fc636edaacf3a69db67823ad07d6e42606d9ea447766d50e4c5f03eeb972792f6f2897025f42acb1394777649e5e47b017f4f05cc982f754c96ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaEMgYcU.bat
Filesize
4B

MD5
e8c5420f6caa6cade54e2be4faaeda93

SHA1
6504b1258fa46afc3bad4cc690aab297dec4809a

SHA256
6e810280a81097f240684786775e6c140daa08cb149746746976f2e96a345b21

SHA512
95d3b490b5dbcf98edb14305c2d793b9b5fbc2d94b85933755781a99ffac2ffa8cda46b340cc219eb7f3cf849a40501678e7fa5c3bb533dbaaa648e443312b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgIG.exe
Filesize
813KB

MD5
4da5e1e7ee8cc2c1634101f64f513c1a

SHA1
09cc512e8b5e8fd051919906c23e821f188427a5

SHA256
16de1c659b016ccfb9c6c5539142d75a7393e60f788cc2893cc51b157540e7b7

SHA512
1a3f97288fa0d300493e1352f14455b16568365590b3ec4026a690fd3417f76716811390678dde31270977972cb303c28df2245b785bf803e58b8fa704398094

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgYS.exe
Filesize
247KB

MD5
55a61e79351b7035320e7b1ec8b7d498

SHA1
9064af3f396dfa6c0f0a6f573b73ccae0a865844

SHA256
025d57369f744643dc4dcf77c78a65ff5ef67271cd78891f8797334a4caff3a1

SHA512
804d9d734f4fad14ce0eccc64dd678ee1b328f5259c6d68ec5107330a0cd60ccd51023201534dcc8829070bd47e7f0d98ac4505ab4487427c1c0bb22da6c9eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwoc.exe
Filesize
228KB

MD5
237d47a0cc646ebf99e66a38e3022478

SHA1
0b7ce353d0cfbc342e2c54c88218eafd12277291

SHA256
cb605f31934decc82340a429ff652fdb07efe1e8a6433144e2d88414f9d8c4db

SHA512
7ddcb056b9cd05e7e997ac3ad48ee2b809ad2e174f32817b1bbc1edc8f08c9c1f4117258376d11f996d91215868c6cc612475927d4acbec636afcae902a59eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIcq.exe
Filesize
249KB

MD5
b0bc8eade5a494a8e78b05157ffe5028

SHA1
91facf4abd98703c71e9a504d9d6d0cee484d7fa

SHA256
3777c52bd3450d9799908a196bdd44a3f87af31c3dd457250282f4e32a6ca858

SHA512
c9530cac17a7ef09cbf84d83b252fbf8aff2a3f589e2fce03d92a8c9db95d6d99f18c16c29dc7b249eac3707af790dcbf19dd28854fe0a380191e2824c8e2f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOYoUwwU.bat
Filesize
4B

MD5
430420045412fb796ade424aa1ff0c1b

SHA1
30dd13da1abb134bea969a3adad19b2bff124758

SHA256
c2206f2bdbd437230da05c91fa3648dd71dbb27f026013a15d1765c7ebc9a917

SHA512
33efd79c307857335e3392879ca622374726b92b39c5328d17f9698c64a651ada06d4f69b4797589e79059488bdb850e126ff81931b99ae390d374904a0c7775

Download Submit
C:\Users\Admin\AppData\Local\Temp\wScIAgMU.bat
Filesize
4B

MD5
dd3562b75c105422c417c4c46a1aa3f7

SHA1
a40cc116d5e1f032754bd11ebc4222a077abdca7

SHA256
b35371b3d8ad3f43588e6609ef0cf19bd15e8a4fb093411f60217d2166017aa7

SHA512
bdb265e0f7026881cba4a56402ba630426be2ab369c7f81cae8549ccf68faf0afa4e963e71f01d7a46b22b2b637f9a578a7d28c9e36e51e4df7b65228cea92e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUIQ.exe
Filesize
952KB

MD5
b467a7e1612ffdb025faf068ccf06fc2

SHA1
28cd827314ea60209749baf2ab0907f39b1be545

SHA256
6500b07c385736208797ccdf05c16d6fc625bfee852aac289899c0eb3fbcdd38

SHA512
89f5fa51f0b2b6ac8c309255f3b65617cab8b73aa6dbe3d84c1d7eed9977265c3502da5ab5d2c2074ea40cf78c48226d0d15147b03afb8f82dc5265e8094d05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkka.exe
Filesize
321KB

MD5
bbe003db8101ea3ce24ea2b712be3daa

SHA1
ed1e7ecdb9b2a87b0bd24e00c81ac764b51d20ea

SHA256
282542e041417f490eb571b0c47bf013ef1f5fc756212452212bcd7668ce018f

SHA512
28240e49041bdfb7f91946ffd834d1d7776ae0cb0cdf0a5721e49dcd16c47fa94998df6e3b6822c9b83dc24809a9ee334bdc6468618c10f7028ebe5e9e5101e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEUIkIYc.bat
Filesize
4B

MD5
f99ae8550089f65511018bd984e41cc6

SHA1
dde3f1ba52df9798e9f6a5ba16b31697b4a64daf

SHA256
5cb34c61f8dbaea8c00e7ac273eb36b03fd445a54b0b3f6fb0d17cc17acbb52d

SHA512
602895d62550895b0a4ca49c5612df3ac8963038fd8ee80f904b9882b934adb1de4f7a5301c9a4380867067152ab352d30f61c9433065df6cc2341d61e9fa0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUUE.exe
Filesize
640KB

MD5
967b0f0295a3893e040e04da19c6b43b

SHA1
cf057591c12f6e0335d070733b9483be7cb508c7

SHA256
79b9c589200f5a7f44ea0d6592cb1f46503a72b74907b9d970888a326826c339

SHA512
b1cee9b9e841ac34255da60573089514463e7bc47e05656e945da5ccd9cde01ddf582ea03bdf98ff27d1b22cce4d387e5bc6413ef3483a84daaa11a91e084a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkMC.exe
Filesize
239KB

MD5
8b5f5ae2527b4d68c9bcfa581af3e33f

SHA1
6e1278069b695daf914edc59a89e2264bc0d0034

SHA256
23f9ad8a08ac49fcf0477384b7d9571cf4384fbf7589527e881c0ecf242392cd

SHA512
a4d454694db65c6190ef512a81ad3b3be5588d7e68277dbbe48f568ae2767ec79bdbad970054f6ffa1b04b9fae3b98b6db8f994b0dac4e8ef583084ecb4b8a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoMg.exe
Filesize
308KB

MD5
33061ec72a178e94193f10fe9f6c2691

SHA1
370f424b6c0e1d273f0263072b95d04e2a924976

SHA256
56fe87b52def7dc2c6c19d9e7ec240d4b97e5e2183a07ba9ff0fa3636787465e

SHA512
c31c8f43a6b147a19c0b0c07071c1624c19e0b85f6e8c6e14c67e1e2fed9e3745c33858ff8de351a2a9959cea34b60b395e9db5e99ceca24e1750fc269962bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAoE.exe
Filesize
229KB

MD5
2a88bed4fb2c537a4887d9fbd6a2737d

SHA1
0ea8b58c6eac8ace64ed7c678d768c8c3c4412d9

SHA256
4be210b15f06643d2d48683f70e754be44259198260846bd4a5795cf90bf42ed

SHA512
15df890592d40565b36d4e1fdb9e9ef279443dff6899ff4c861ac866d90b254eefe36a962b6771b9f8ace02e353dee9a956832d08bec6493d65ad4522af9f22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAwY.exe
Filesize
205KB

MD5
fe69d55c1ccd6742541aab3597d3e248

SHA1
899899688bf53b517a02eab98e473b82d5566fac

SHA256
7ee30fe1d2ed4d2ba59fa15fa0d04751bfd10b6379f08ec90aac10acdfbfcf8e

SHA512
7940f171f6fa77898e36e1c6935482f1b0afc847bf08d455a0a9e1b117edac8b8f92b40e3f7179c17e26290a5e980751c827400616b302aa3d265cbbd8cd951c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEAi.exe
Filesize
194KB

MD5
082ae7d8c4651a83c1fe0f2e2947a7ae

SHA1
9079481acf4c9cfefb8b84f01b955562e52c0e77

SHA256
416c25e59794b5c8b3825304691faafb9b69a59d69c76f8d2fac6a6966793ed1

SHA512
59ec23ede52b75321945523fa7796540e32fd2e3b255e6c683b81b746a1ba8beca2e4a303cfeb03997e127e9613527099f257ac6a200987aacbee81d1ec3dfe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQoe.exe
Filesize
575KB

MD5
e6eba62201e1a683b55f3defc19b87d2

SHA1
4c5b1e6b5d6fa3506d26b338466dee74f56568f3

SHA256
a226beaed5b9f5f43dc6587140c22e4a89bc52e18c0c07c5fd66e92c82c993a1

SHA512
b860030522c1d91a3b544b288b1f4fe3c08e16ff6c8b1cf46f5e02e87fe65edc54307c81a4efa2398e0725f363d61077ebfac50cd6724294f90ed6c097ee7b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySEQMwkA.bat
Filesize
4B

MD5
34411a322cb43b140cd6c67dd2d682c0

SHA1
1e0da9fe7194346492f4ff444a51367d477165fe

SHA256
eb4766bc986f28098ead834e5a4b758f170bf854c2b8588881934d814b16e056

SHA512
2edfd1a793478c69fe4734b4396329914e5942c17106c0302f36c87b991dd32beda365df14a2f3e87e0df1e1715963cfeb727cb87e62180c1c9a19d0e525eb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycAwookY.bat
Filesize
4B

MD5
42035e42e9bcc3d656f5068891a0801c

SHA1
868a8c4d9541716404ff833d677cc207a7c143d1

SHA256
ae6b518e9989fa457c05441d0f3f58c3a5cac07b9cf4a1ad48b2ec05df9b0fb7

SHA512
e08b29e10a31b663ab4c9e350a960158c245ff082e085367654ac402b46680456a77d3a37653e1db4e7c7be1b0bc80cd8269cccc1725e06e1a70550924a6f7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yukQwsoM.bat
Filesize
4B

MD5
9359db6f474b1f889b596fedf08031e5

SHA1
1656f7feae19dd4267050fcc80ec242ef5d94cc4

SHA256
ebcd5dfd547c2939120d0ca9d7f2e761aefffaf96aa2d7f2387971c01e67a957

SHA512
8af114c4c30666fd5ce1f7bc65d485746e459efd5bbdf35e1eab4328970c47c44e087ea2179d0d105e17a92ebad1379cb37c548ef46ac6aaaa19e05b5a5b8b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAAUkwoQ.bat
Filesize
4B

MD5
602c8392e120e9803919124a99642954

SHA1
655391b2e05813f4dc79ab436f09cff6351aef0d

SHA256
1977a68c0c4b8c8e1dd0f7183f4c81071ead06a2e6df205e06c66b9978d4f44b

SHA512
0cc3be77eea7b92ce187c05ba775ade87c71f05ae981e5b4d7097d746266fa4432044125231b2f847445e34ae703ae33e32596ec6a6fcd2139aced0e0393c68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAcoQUQs.bat
Filesize
4B

MD5
dec64b13778d05a1d75d5daa5a60cf97

SHA1
d84cf9c2c4c5cc86f90e1bf63ffa92bac4c6397c

SHA256
7bc1d938bd78f6100dad623d7fc6bd6e1d4a25195b8fd791f094695a138053be

SHA512
70544c7be4a2eb7d906772928eb9f26bfa64b578f2e9808d796b8347bd5eae2b4a6fe090d599a16ee91d5dda1dec86bad86775996f3a586af06dbe159ae184e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIoq.exe
Filesize
227KB

MD5
c95bfcf3f43935726957ef8463ae751c

SHA1
fcc33ca3a017070b161bd90a8cc6ceed2d22d714

SHA256
d70305838208bc058d4f620b276ca07e3580b39191d95b7f99be1c7c7da58d83

SHA512
cacc4237ba14d3600c0556d7d81b9ec744f8a564fcecb1529fbeed550596bb5e8ba8f1e7a3f35c31954e64682a1303cc27359fef7e83694b7ba19a11242a8a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKEEIgYs.bat
Filesize
4B

MD5
d003c0469c67de111d7992156eee823f

SHA1
c0333356acef1e7d39fb1e47c3120c48a45cae1c

SHA256
6d05c31a0cdc53b9575cb1559a7c5b3476d98e59d6823803fdd4bffe0ed91b41

SHA512
3bff9793ac8e718159d93e5394c29ef6ee4e119e7c56001633bfda42da8b2053b043b185ec631a6666f7b66bff7e4051c2a0d3de20be81f2790f521446e73b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcsS.exe
Filesize
203KB

MD5
288b2d1f560cdce7f5438d75672d6ee1

SHA1
2554ef6c55b105793fd756cf726ee9c0999c38c6

SHA256
1a1b10910558f36b24db7b2ba0b417bfc21e3f7f9d3faf80e7677c0ded3d9843

SHA512
80733ee7520d9ace7ac20d12c64d63fd98f801390c2953c19217b996a6987d02b164a99ef8c5dc23573249ee48d1bd10a84333a4bdfd2694cd15ae3793cec763

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgkIsIcI.bat
Filesize
4B

MD5
7287f1288844154ce4775cde320d8573

SHA1
e3510f32d7db991dafca330ae07cec910404d6dd

SHA256
7311a150f9b3c613549a71150bf72e94ddffbf3994afbaade4cefa0fa971099b

SHA512
87a3d322d708de0b0b6a5a0fa2aa8a35a385d24f03315a2f645e0e2a2b10eefd7f2fba91c473ac59d001cb95e6ea212956dde5a0ba7d4e08f1da7618c80e9d0e

Download Submit
C:\Users\Admin\Pictures\EnableCompress.jpg.exe
Filesize
484KB

MD5
d0c0c8554e6a6e3c295700f648562dbc

SHA1
aa92d93637ea0369c8499ca5df334f4d0940bbf9

SHA256
bd31ee90358c1fef2d87376e3325ac4d4eb749301c8945f13dcaba3a66318c66

SHA512
ce7d76ae54c629d6d736ffff648a7adc992cfeb9ecb904dfd3587dc72717eafd0f09e4d9ec0f87f536f24c6e998d0ef04590fa10f6b255809a3d03f6cc97f582

Download Submit
\Users\Admin\KYYMQssQ\xYsMAwQw.exe
Filesize
198KB

MD5
e4a3220dfbe811b4334f74e1fe06be2d

SHA1
ad2c173a2b1a0b4a33930ab52dc95d1f9f96f720

SHA256
b9a4643faef0b4781c9f4a4a5392729654520079a8d52004e1cef2f06a1f2996

SHA512
61dc353e12558d8454a50ba6b7931106323c40a227b8fd8ceb48a538d4fc94f09a2ca44134b373f4e2cb260acbb28d911e7b8a9efab58bb7aa6ce88f67f841eb

Download Submit
memory/240-193-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/240-225-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/240-606-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/608-407-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/608-438-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/672-581-0x0000000000710000-0x0000000000741000-memory.dmp

Filesize
196KB

Download
memory/672-580-0x0000000000710000-0x0000000000741000-memory.dmp

Filesize
196KB

Download
memory/760-591-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/760-562-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/928-383-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/928-415-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/988-116-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1216-570-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1216-542-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1304-295-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1304-265-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1372-154-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/1424-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1448-250-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1448-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1464-626-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1520-83-0x0000000000170000-0x00000000001A1000-memory.dmp

Filesize
196KB

Download
memory/1520-82-0x0000000000170000-0x00000000001A1000-memory.dmp

Filesize
196KB

Download
memory/1552-309-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1612-335-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/1612-334-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/1696-202-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1696-173-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1848-485-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1848-453-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1912-452-0x0000000000290000-0x00000000002C1000-memory.dmp

Filesize
196KB

Download
memory/1940-541-0x00000000001E0000-0x0000000000211000-memory.dmp

Filesize
196KB

Download
memory/1940-540-0x00000000001E0000-0x0000000000211000-memory.dmp

Filesize
196KB

Download
memory/1992-476-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1992-509-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2036-263-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/2036-264-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/2080-475-0x0000000002280000-0x00000000022B1000-memory.dmp

Filesize
196KB

Download
memory/2084-500-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2084-530-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2088-106-0x0000000000330000-0x0000000000361000-memory.dmp

Filesize
196KB

Download
memory/2088-105-0x0000000000330000-0x0000000000361000-memory.dmp

Filesize
196KB

Download
memory/2124-498-0x0000000000130000-0x0000000000161000-memory.dmp

Filesize
196KB

Download
memory/2124-499-0x0000000000130000-0x0000000000161000-memory.dmp

Filesize
196KB

Download
memory/2216-171-0x0000000001C90000-0x0000000001CC0000-memory.dmp

Filesize
192KB

Download
memory/2216-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2216-1064-0x0000000077730000-0x000000007782A000-memory.dmp

Filesize
1000KB

Download
memory/2216-170-0x0000000001C90000-0x0000000001CC0000-memory.dmp

Filesize
192KB

Download
memory/2216-155-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2216-168-0x0000000001C90000-0x0000000001CC4000-memory.dmp

Filesize
208KB

Download
memory/2216-174-0x0000000077610000-0x000000007772F000-memory.dmp

Filesize
1.1MB

Download
memory/2216-167-0x0000000001C90000-0x0000000001CC4000-memory.dmp

Filesize
208KB

Download
memory/2216-175-0x0000000077730000-0x000000007782A000-memory.dmp

Filesize
1000KB

Download
memory/2216-176-0x0000000001C90000-0x0000000001CC4000-memory.dmp

Filesize
208KB

Download
memory/2216-177-0x0000000001C90000-0x0000000001CC0000-memory.dmp

Filesize
192KB

Download
memory/2216-178-0x0000000003DF0000-0x0000000003E42000-memory.dmp

Filesize
328KB

Download
memory/2216-1063-0x0000000077610000-0x000000007772F000-memory.dmp

Filesize
1.1MB

Download
memory/2240-131-0x0000000000860000-0x0000000000891000-memory.dmp

Filesize
196KB

Download
memory/2288-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2288-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2352-241-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2352-274-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2372-406-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2376-336-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2376-366-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2428-439-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2428-462-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2436-33-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download
memory/2436-34-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download
memory/2440-240-0x00000000001A0000-0x00000000001D1000-memory.dmp

Filesize
196KB

Download
memory/2440-239-0x00000000001A0000-0x00000000001D1000-memory.dmp

Filesize
196KB

Download
memory/2508-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-382-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2596-381-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2664-172-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2668-582-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-614-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2696-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2716-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-345-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2720-310-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2732-29-0x0000000000470000-0x00000000004A2000-memory.dmp

Filesize
200KB

Download
memory/2732-13-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/2732-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2732-12-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/2732-43-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2756-60-0x00000000001E0000-0x0000000000211000-memory.dmp

Filesize
196KB

Download
memory/2756-59-0x00000000001E0000-0x0000000000211000-memory.dmp

Filesize
196KB

Download
memory/2768-35-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2768-69-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2780-61-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2780-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2784-551-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2784-521-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2832-107-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2832-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2880-367-0x0000000000170000-0x00000000001A1000-memory.dmp

Filesize
196KB

Download
memory/2900-368-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2900-392-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2940-603-0x0000000002230000-0x0000000002261000-memory.dmp

Filesize
196KB

Download
memory/2940-605-0x0000000002230000-0x0000000002261000-memory.dmp

Filesize
196KB

Download
memory/3008-319-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3008-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download