6d8e7697a09363ecf9150887fc5a2084ba84f9fa0600b9ce269323ce5462b61a

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
Size

193KB
MD5

dc4229425e844f005b38928831df7b58
SHA1

8a5b8c851a37bea0e0f1e224ae7b630ea29e80b5
SHA256

6d8e7697a09363ecf9150887fc5a2084ba84f9fa0600b9ce269323ce5462b61a
SHA512

bdce3cc1ddeb3ef3ba9439c2b41369c59715593f8ef41f537098a49a5e8ea9f9175478390d6558d876b7ff8a84b22ec6dce89613c2bd5337fc14517bb3f592b2
SSDEEP

6144:zA7Eud7wrDlqjRqHSjU48Lngok43fETVa4y:kd7sxYTqnXchy

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (53) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kaEAEQgs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	kaEAEQgs.exe

Executes dropped EXE 2 IoCs

Processes:

kaEAEQgs.exeUCwEgMko.exe

pid process

2332 kaEAEQgs.exe
2440 UCwEgMko.exe

Loads dropped DLL 20 IoCs

Processes:

2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exekaEAEQgs.exe

pid	process
2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exekaEAEQgs.exeUCwEgMko.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaEAEQgs.exe = "C:\\Users\\Admin\\kawYIgMI\\kaEAEQgs.exe"	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UCwEgMko.exe = "C:\\ProgramData\\pQUkcQoY\\UCwEgMko.exe"	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaEAEQgs.exe = "C:\\Users\\Admin\\kawYIgMI\\kaEAEQgs.exe"	kaEAEQgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UCwEgMko.exe = "C:\\ProgramData\\pQUkcQoY\\UCwEgMko.exe"	UCwEgMko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\sqUoMkUo.exe = "C:\\Users\\Admin\\JAIcUMUw\\sqUoMkUo.exe"	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SAQEEEAo.exe = "C:\\ProgramData\\Ucscscog\\SAQEEEAo.exe"	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1152 2500 WerFault.exe sqUoMkUo.exe

pid	pid_target	process	target process
1152	2500	WerFault.exe	sqUoMkUo.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3004	reg.exe
2560	reg.exe
1076	reg.exe
2684	reg.exe
2248	reg.exe
1708	reg.exe
3052	reg.exe
2828	reg.exe
2740	reg.exe
2396	reg.exe
2016	reg.exe
1172	reg.exe
828	reg.exe
2940	reg.exe
2724	reg.exe
1660	reg.exe
2436	reg.exe
3044	reg.exe
2028	reg.exe
2036	reg.exe
1168	reg.exe
1528	reg.exe
2640	reg.exe
2996	reg.exe
2784	reg.exe
1412	reg.exe
1604	reg.exe
1556	reg.exe
2904	reg.exe
2064	reg.exe
556	reg.exe
2928	reg.exe
2768	reg.exe
2632	reg.exe
2364	reg.exe
712	reg.exe
2824	reg.exe
608	reg.exe
828	reg.exe
2768	reg.exe
1248	reg.exe
1820	reg.exe
2644	reg.exe
1744	reg.exe
2388	reg.exe
1168	reg.exe
2948	reg.exe
1244	reg.exe
2304	reg.exe
2780	reg.exe
1172	reg.exe
2556	reg.exe
1688	reg.exe
1632	reg.exe
2576	reg.exe
2504	reg.exe
3000	reg.exe
2368	reg.exe
1744	reg.exe
1668	reg.exe
2624	reg.exe
2028	reg.exe
1360	reg.exe
676	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe

pid	process
2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2132	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2132	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1272	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1272	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
804	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
804	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
624	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
624	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2312	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2312	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2492	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2492	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2456	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2456	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2016	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2016	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
488	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
488	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
324	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
324	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1232	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1232	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2496	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2496	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2772	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2772	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2892	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2892	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2280	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2280	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1036	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1036	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
324	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
324	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2688	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2688	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2808	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2808	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2788	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2788	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2456	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2456	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1860	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1860	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
308	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
308	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2512	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2512	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
828	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
828	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1528	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1528	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
676	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
676	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1916	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
1916	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
312	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
312	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2548	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
2548	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

kaEAEQgs.exe

pid process

2332 kaEAEQgs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

kaEAEQgs.exe

pid	process
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe
2332	kaEAEQgs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_dc4229425e844f005b38928831df7b58_virlock.execmd.execmd.exe2024-05-24_dc4229425e844f005b38928831df7b58_virlock.execmd.execmd.exe

description	pid	process	target process
PID 2400 wrote to memory of 2332	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	kaEAEQgs.exe
PID 2400 wrote to memory of 2332	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	kaEAEQgs.exe
PID 2400 wrote to memory of 2332	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	kaEAEQgs.exe
PID 2400 wrote to memory of 2332	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	kaEAEQgs.exe
PID 2400 wrote to memory of 2440	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	UCwEgMko.exe
PID 2400 wrote to memory of 2440	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	UCwEgMko.exe
PID 2400 wrote to memory of 2440	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	UCwEgMko.exe
PID 2400 wrote to memory of 2440	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	UCwEgMko.exe
PID 2400 wrote to memory of 2596	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2400 wrote to memory of 2596	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2400 wrote to memory of 2596	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2400 wrote to memory of 2596	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2596 wrote to memory of 2732	2596	cmd.exe	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
PID 2596 wrote to memory of 2732	2596	cmd.exe	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
PID 2596 wrote to memory of 2732	2596	cmd.exe	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
PID 2596 wrote to memory of 2732	2596	cmd.exe	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
PID 2400 wrote to memory of 2716	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 2716	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 2716	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 2716	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 1764	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 1764	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 1764	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 1764	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 2504	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 2504	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 2504	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 2504	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2400 wrote to memory of 2532	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2400 wrote to memory of 2532	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2400 wrote to memory of 2532	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2400 wrote to memory of 2532	2400	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2532 wrote to memory of 2544	2532	cmd.exe	cscript.exe
PID 2532 wrote to memory of 2544	2532	cmd.exe	cscript.exe
PID 2532 wrote to memory of 2544	2532	cmd.exe	cscript.exe
PID 2532 wrote to memory of 2544	2532	cmd.exe	cscript.exe
PID 2732 wrote to memory of 2984	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2732 wrote to memory of 2984	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2732 wrote to memory of 2984	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2732 wrote to memory of 2984	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2984 wrote to memory of 2132	2984	cmd.exe	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
PID 2984 wrote to memory of 2132	2984	cmd.exe	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
PID 2984 wrote to memory of 2132	2984	cmd.exe	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
PID 2984 wrote to memory of 2132	2984	cmd.exe	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
PID 2732 wrote to memory of 1912	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 1912	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 1912	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 1912	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 780	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 780	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 780	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 780	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 2128	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 2128	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 2128	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 2128	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	reg.exe
PID 2732 wrote to memory of 1580	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2732 wrote to memory of 1580	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2732 wrote to memory of 1580	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 2732 wrote to memory of 1580	2732	2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe	cmd.exe
PID 1580 wrote to memory of 1716	1580	cmd.exe	cscript.exe
PID 1580 wrote to memory of 1716	1580	cmd.exe	cscript.exe
PID 1580 wrote to memory of 1716	1580	cmd.exe	cscript.exe
PID 1580 wrote to memory of 1716	1580	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\kawYIgMI\kaEAEQgs.exe
"C:\Users\Admin\kawYIgMI\kaEAEQgs.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2332

C:\ProgramData\pQUkcQoY\UCwEgMko.exe
"C:\ProgramData\pQUkcQoY\UCwEgMko.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
6⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
8⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
10⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:624

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
12⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
14⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
16⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
18⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
20⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
22⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
24⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
26⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
28⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
30⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
32⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
34⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
36⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
38⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
40⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
42⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
44⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
46⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
48⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
50⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
52⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
54⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
56⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
58⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
60⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:312

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
62⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
64⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
65⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
66⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
67⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
68⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
69⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
70⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
71⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
72⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
73⤵
PID:380

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
74⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
75⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
76⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
77⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
78⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
79⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
80⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
81⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
82⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
83⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
84⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
85⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
86⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
87⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
88⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
89⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
90⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
91⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
92⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
93⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
94⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
95⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
96⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
97⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
98⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
99⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
100⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
101⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
102⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
103⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
104⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
105⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
106⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
107⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
108⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
109⤵
- Adds Run key to start application
PID:2244

C:\Users\Admin\JAIcUMUw\sqUoMkUo.exe
"C:\Users\Admin\JAIcUMUw\sqUoMkUo.exe"
110⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 36
111⤵
- Program crash
PID:1152

C:\ProgramData\Ucscscog\SAQEEEAo.exe
"C:\ProgramData\Ucscscog\SAQEEEAo.exe"
110⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
110⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
111⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
112⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
113⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
114⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
115⤵
PID:592

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
116⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
117⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
118⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
119⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
120⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
121⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
122⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
123⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
124⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
125⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
126⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
127⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
128⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
129⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
130⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
131⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
132⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
133⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
134⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
135⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
136⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
137⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
138⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
139⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
140⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
141⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
142⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
143⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
144⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
145⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
146⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
147⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
148⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
149⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
150⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
151⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
152⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
153⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
154⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
155⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
156⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
157⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
158⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
159⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
160⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
161⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
162⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
163⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
164⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
165⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
166⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
167⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
168⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
169⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
170⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
171⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
172⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
173⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
174⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
175⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
176⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
177⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
178⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
179⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
180⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
181⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
182⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
183⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
184⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
185⤵
PID:592

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
186⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
187⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
188⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
189⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
190⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
191⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
192⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
193⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
194⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
195⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
196⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
197⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
198⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
199⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
200⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
201⤵
PID:592

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
202⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
203⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
204⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
205⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
206⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
207⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
208⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
209⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
210⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
211⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
212⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
213⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
214⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
215⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
216⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
217⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
218⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
219⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
220⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
221⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
222⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
223⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
224⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
225⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
226⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
227⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
228⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
229⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
230⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
231⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
232⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
233⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
234⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
235⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
236⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
237⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
238⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
239⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
240⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
241⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
242⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
243⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
244⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
245⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
246⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
247⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
248⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
249⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
250⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
251⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
252⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
253⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
254⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
255⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
256⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
257⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
258⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
259⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
260⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
261⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock"
262⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
263⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
- Modifies visibility of file extensions in Explorer
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies visibility of file extensions in Explorer
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
- UAC bypass
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZSIoIQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
262⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
- Modifies visibility of file extensions in Explorer
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
- UAC bypass
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYAAEQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
260⤵
PID:2664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
- Modifies visibility of file extensions in Explorer
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- UAC bypass
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCYkMokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
258⤵
PID:2220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wakggAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
256⤵
PID:2952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
- Modifies registry key
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQQAEcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
254⤵
PID:1456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies registry key
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iMkAAEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
252⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ASscoAgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
250⤵
PID:2516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\twwkMgMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
248⤵
PID:1284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- Modifies registry key
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqsMMgQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
246⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYoAUMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
244⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
- Modifies registry key
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:1456

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqsYYcMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
242⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIIQYwQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
240⤵
PID:1700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eScoEIAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
238⤵
PID:1340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- Modifies registry key
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWYMoEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
236⤵
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:2484

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cUkMYsIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
234⤵
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OawYkcII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
232⤵
PID:2624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUkwEoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
230⤵
PID:2388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TiggUowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
228⤵
PID:1224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies registry key
PID:608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKAsgcQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
226⤵
PID:2548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmcEgoYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
224⤵
PID:2792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWAIYcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
222⤵
PID:644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
- Modifies registry key
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mUkYUQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
220⤵
PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
- Modifies registry key
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuYwIsMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
218⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
- Modifies registry key
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IKUQIQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
216⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SksUoEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
214⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies registry key
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DiAIUosc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
212⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VesMIwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
210⤵
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:1200

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOkAoMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
208⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYMMkYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
206⤵
PID:2300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FaokUkcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
204⤵
PID:1820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
- Modifies registry key
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuUEwkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
202⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kaIMYQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
200⤵
PID:2464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEQEMUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
198⤵
PID:2116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:776

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqEcwwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
196⤵
PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:108

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGYgEwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
194⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:1200

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOAAkAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
192⤵
PID:2608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies registry key
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
- Modifies registry key
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vuccIggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
190⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FaoAUUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
188⤵
PID:1244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FcUIMgYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
186⤵
PID:2172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fEYwgAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
184⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQckAkEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
182⤵
PID:1704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEUQEsQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
180⤵
PID:2688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
- Modifies registry key
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YMIIYUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
178⤵
PID:3052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EcwoksAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
176⤵
PID:608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKAIQMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
174⤵
PID:1772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XggsEIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
172⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lSwgQckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
170⤵
PID:1832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LeoEgQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
168⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQMEQgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
166⤵
PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies registry key
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
- Modifies registry key
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MyQIgAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
164⤵
PID:2624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qQEwwMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
162⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GyoQYEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
160⤵
PID:2728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
- Modifies registry key
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ceskYQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
158⤵
PID:912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NeYMcEkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
156⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies registry key
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VkAEAMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
154⤵
PID:2064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hWkoUskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
152⤵
PID:2820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCskMMcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
150⤵
PID:2188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies registry key
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGIoQEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
148⤵
PID:1784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmYcEcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
146⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ssgwUQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
144⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- Modifies registry key
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mMwYkQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
142⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKkcUIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
140⤵
PID:2744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
- Modifies registry key
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RIQMoccs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
138⤵
PID:2596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
- Modifies registry key
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZiowQQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
136⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
- Modifies registry key
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUwswwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
134⤵
PID:2408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
- Modifies registry key
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dQccMook.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
132⤵
PID:2388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
- Modifies registry key
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EgIsUkgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
130⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygQsYcEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
128⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
- Modifies registry key
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIEUoQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
126⤵
PID:2352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mGwwccIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
124⤵
PID:860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKkgUEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
122⤵
PID:828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMIYoMco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
120⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies registry key
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rcgAAooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
118⤵
PID:1352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYUgYUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
116⤵
PID:896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:2400

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uQQEYEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
114⤵
PID:1000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\emUYoQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
112⤵
PID:2752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- Modifies registry key
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GiYUgEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
110⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AccUsUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
108⤵
PID:1668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lOwoMQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
106⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- Modifies registry key
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JAEYsAQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
104⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:2484

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMAkUkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
102⤵
PID:2912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rsAYUQwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
100⤵
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KaIQoQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
98⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQkkYMwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
96⤵
PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies registry key
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\waQcQUMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
94⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies registry key
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOEUcEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
92⤵
PID:924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\migMYAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
90⤵
PID:2544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEkQYckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
88⤵
PID:2820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
- Modifies registry key
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HksQsckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
86⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEYYIMgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
84⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\laYokIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
82⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOoQAgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
80⤵
PID:3044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies registry key
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAMgEogY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
78⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\acUcMUMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
76⤵
PID:2464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUYYMsgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
74⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQYkUowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
72⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUAAwAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
70⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zuosYoMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
68⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIEMsAks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
66⤵
PID:2388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcEoMwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
64⤵
PID:2964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies registry key
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUIQkAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
62⤵
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkEIoUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
60⤵
PID:776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AewwcwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
58⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ciEwsgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
56⤵
PID:592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIEQYcQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
54⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zIkQIQcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
52⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqQoEgUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
50⤵
PID:2504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkMcYoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
48⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xkYokgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
46⤵
PID:1008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\igwIIMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
44⤵
PID:296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- Modifies registry key
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CoAYwUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
42⤵
PID:676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuEYcIog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
40⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies registry key
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWcIoEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
38⤵
PID:1764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwYsUgUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
36⤵
PID:1076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zakUUUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
34⤵
PID:2656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEwEIcAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
32⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIgsMggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
30⤵
PID:1364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ysMkQsks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
28⤵
PID:2744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ksUsAQQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
26⤵
PID:1652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKQIwsEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
24⤵
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gosYUwos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
22⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
- Modifies registry key
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEcgcYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
20⤵
PID:1212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JKkQQEQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
18⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pAEYkQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
16⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jaYAgAwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
14⤵
PID:2608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zYAQEIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
12⤵
PID:2564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wygocYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
10⤵
PID:1192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WaMoMUcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
8⤵
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yKQwksoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
6⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQEAIcwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUEcQwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "243421431-2819510061831727454-652182271905059161-2041822932-2098433930-1963722845"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "635113364-1127720972-395397604-477796893-755288656741264191863657243-1749632018"
1⤵
PID:2128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-146355345514208013831549294485-2072647343748663510445556767-1604605254-2101868408"
1⤵
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "243917483-1970060065-1192187691633048311455032143-1749055499-106797312-1937159400"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-90072774414290598426486394902038975241785455344-593904787-789103361516785972"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1995790012-630985237382902451-654428499-1788781366415472576-13697617571447383473"
1⤵
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14765455921775543131208925471513266572251649179990621896478-1890792761324681142"
1⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1001136370600464377809443117-301277494-1036234279757142242145441032406914188"
1⤵
PID:312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-155438194017885770691137868498-4276500981417572815-13344584378113572121050833238"
1⤵
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19715863771642264003249280121-627948408-1587823306-2089534356-497323932-623215899"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12156784944844855591195715688-688559546-62254101-303547899-1583186700-1983805603"
1⤵
PID:1564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-66153543010965313411460085007-903344186-7342705551263591882-2742045592028685861"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1267880379-1544242320-735855719-153561297624832827386516712-1963048963-1819080628"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "808470240-1072811983-2293533781675507637-608565297-379023139-293216217202385648"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1082255328-169102607-961187641-17745118141381919618-1601169369209848736759359895"
1⤵
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1348016933-1426806031-204064956811267452511855335193-1095839436625738923-744124906"
1⤵
PID:2684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2027773150-1832675913-771522105-1749638611-1109244656-1822305783-69459480270509367"
1⤵
PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1294411726-13344501791574290712119696089-2041322091-3966464301502681829-192753937"
1⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2033015652-295274013-1622503528-922953336-282053698-10722258-1256309917-2105396247"
1⤵
PID:308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13303314366101948371621924814-9398103861394991254-1736634452540133078-2011326003"
1⤵
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1457124203-504536257-18086686061298969888-1367845750-1202709934-1049758334834872188"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "576862416-48701484116329061431396971383-288479104-1107525830-1611046313-1193857995"
1⤵
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-113073464712900258512907046381663943518760759181-1476091945-15888433-8238904"
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "925754573578439660-540513054-387072126-1912725810-1306739148-667099268-2032284537"
1⤵
PID:2320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1173958802-1245399448-17651651609331884711272257077-18211219751045156440-1749394216"
1⤵
PID:544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "887116343-10277157691138152289-29604681332261781-200848741319053256521762189462"
1⤵
PID:540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1423732899-1652619305-942238651-919548024-980204300700011703513408167-687231730"
1⤵
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-798930856-767818587-1928570212-1076392126-1509384396-97380549-1975000581-1598940616"
1⤵
PID:1084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2102547871-100546514-14795883041902084587-1605922437-1819965572977056176-2131585986"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-185205548820457815165223651891843236988471270565-318714656-1898275200-250082899"
1⤵
PID:448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "711821989980848373-1147954695-660645555-1047503707-1467748815455345090-768628786"
1⤵
PID:912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17706503291853540338-1577609943-840501718-307532039077614491844516936-552726521"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "476191799-1222229484-20753108861489579716-32323790-1543298333-3883897191597470345"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1875546516511058267-13540913751484045760-1664016433891793781025418861836262200"
1⤵
PID:3064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-566711322-987773745688063785303941032-1220910999-8127230669421517921094808237"
1⤵
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-593203221-1165257539-72229899842633270683516542618099443081638645690-1278251615"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20643445304916107111565748167-541514547-2187191661496606983-8872247921932693574"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1124249139-12875809992312268391102062729-11023320-14981558592110738529-873763557"
1⤵
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2289563216371156476642007444320346601764296-673959002-1588193528-511982405"
1⤵
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "368581913-16237221161929610111491503471305675316747530678765268902-444692117"
1⤵
PID:2940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1902114658-1482709671-1988611933-38483885128707377699241936021378131412022302564"
1⤵
PID:1608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1365667685-4632048741285560860-398250541-900096805722110506-2061670925-1118125562"
1⤵
PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1626355858-1680643965-1512288759-6164028141683520988-7055689301126431605465723001"
1⤵
PID:780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11767451811041649677-2108406895-4451080492116315714-1804194314674130888-1060536816"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1883065546273815746-185111546510679835241635866694637001691-1114382721-360371762"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-658162718-42698170017674914181863031776-1534507178-1995024388-1469661850-1214505418"
1⤵
PID:2524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "973844545-876385426190379191779594386-407398331-670994683265805508624795517"
1⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1433303555-1942078593-1706245854-200757749-5661568601409811335-11991595901147963443"
1⤵
PID:1412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "97107832819622721001541982979-179571157213608209771651553804-13713114051265139659"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-216773315-115590139-931617219133976336999064000916301434741417773960-2019044912"
1⤵
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-698153287-18303246391374973750593964705-939131591-2053738773477455763-1883177529"
1⤵
PID:2988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "330007779698049772764753042-931162010-42250000317356535451904719398-1040721245"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1874845825608834349146232351-66206359-1118266194-61963859715239195332011963385"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1149854413-777055049411382912570201241099188104-10331703491678478621-1144974814"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "776571403256730627-9875156913235360311935974088-37917768-2505297271024314039"
1⤵
PID:1352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-93972248-1119356204-10067607644117475421147000061-4289307001115466871-1784890987"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-534368051813019017-237849987-682202089-1391268859940006091-358416004292951702"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1349718891-1360494185-248945622-1193496050-1890959804-881529534909363226-715844959"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20685419641618347457170799231-176169306512051856831536933670-1291127422-44621023"
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8119612342090326661-346531851336008718426651067312359220-1183811943-389940911"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-496306096-254579278-1377987538-2099602451987565897-4553548522765853922076275125"
1⤵
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.2MB

MD5
49a8b4a644637a4ee17df45a75064664

SHA1
b73e54b24b4c0ee413ba08fd4953783464e38e03

SHA256
48a9605b47a622e7e54343a304ad4c5093c90b2c9cbc9ad065ac734a7e803477

SHA512
6b6eac8fdebf059ee4121ca4657a04ff267fd47bbb77e72023a2792516fabf6612a4c16f6b5d6c1e7d3e95ef67a45fd61680097148c280863fb8baf671a09ea2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
315KB

MD5
6d4b9832d10d6ebdd99b518cd17829d5

SHA1
25b775659c005d2b340da80c1fb9711f63c85fbb

SHA256
4165dd342f1972f3a4a07d4caa2de03229f3fd2c6da93a4c89ad8d3f135d3dd0

SHA512
73e7d1783faf4e9cb697f743b288e1c3279de77ef97d0f594acde038f6b874744a8881443ff6d80cfede16d6c44672ebe6106a2575456e001ec98f51441ad4df

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
231KB

MD5
dda7c000c298852c8d97ceeebd45a396

SHA1
6b04cc1a0836f3cdc813aebd3983c9b0656bdf25

SHA256
2dd5733255c3f280723162905ac437779e14e7f8322b5570474bddd622af22a9

SHA512
688be8fca33d5cbd8efa432eb5bbaccd3a6a19e73b036d64eb8df20e297eda1d237f7a49049baf49914889918ecd49e8430ed85197e761c2c7d7822a129bd16f

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
330KB

MD5
e06ec39ad9a2e8b3cfbfb70701bb1747

SHA1
5e71e576542e02e65eb2fa832aa38d4510595d54

SHA256
eaac9807814f6d567c98d6622946e0db27188ef96d7dd7b2380d34ee0a08b9d0

SHA512
dfc1998eeb0346e7f55691dc430921c0cf7bb5940b40ae74291e685cc53d2c96e1d65947e59474003aa62c2d7c42df1cd6408c10d1336c876362c67df2abc090

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
219KB

MD5
42ded0aec82885338d2311d2f4ce7f63

SHA1
48cdf00d2ad8e492fb2b4f7054ed006295005404

SHA256
5540f0e25995fad2d093aa87977c2d9365e5b20d17a0947026c9a9d6eab1dbe7

SHA512
21f37c649a121195ba7940269eaafdca04c2fdbc1302c1f969071c8f374fe5ccd5f9680f992462f45e3331db41a960a97ca4bf15a1c545fba7e3eaed34208448

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe
Filesize
241KB

MD5
5297bfc9e68eab04cf8a0265122e860c

SHA1
a5d2706e83c259e56be4cde5d448272b3bc9f28b

SHA256
9b749548cd6f816979679fc8d42eaf89be6f6761f2529e0748a38ed6ec8b3c91

SHA512
7478fdc8340db1527dee2504e33d65ba627eff8060ed3c0be48f029b08bbd21fac7d3690f26a111ed6b3e177344da17b260c19d4c0827999437925d8fbbc6cd4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe
Filesize
237KB

MD5
0471e65cdc9ba66ef0b3b7468b6632d4

SHA1
960c83e5446bcfa4a1d2dbd0c9a6c18ce65af935

SHA256
5744d754b26024fb6459e2b679ce17258d8145fee303285bf55e7d20e0640c67

SHA512
4606538f6f72face6b976f3d54e2423052ce5aee913be09035a80b23141e75f2220d6f5ac6efa0d78b067b9a4431e9a87b2bca650519b8192ca3fc0703e66d09

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe
Filesize
244KB

MD5
799c97ef8941d4265c622725a56e724b

SHA1
f03f66b1edfd8eaeb1bddba2886a3dcc48bd5aab

SHA256
6dcd21fb0b43c65156b8f5f5bbf3adb2467086152ee2b3bb1c12f313550939bf

SHA512
ee8457705f83be5f8f4ebbdd2ece48a489b7eaf4662f6bedc9129a80717795a00f8aa7d38d65cd5e9aaee60002a28b83cb872674fc395e0efe7ca5da5759cae6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe
Filesize
235KB

MD5
1a0acc61243d6a512a4019c37522b1d1

SHA1
1cff4080693216a2a9591e937e347b248da82f4f

SHA256
0d9964103a1d9d4c8912f3b0b20305f9660fc990c1e724398133b19627e21137

SHA512
bde1fb2621d0c364aae83bfe8ef1160e820762bc49e74aa04638623cb0edee1112565e3aac6398c799757f5bee20ae5933b273710d42a9de52289173ed9c786c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe
Filesize
245KB

MD5
aa26aeef5c88c4b8fa27ac3dec3e37aa

SHA1
483b601d99921e20ce1de3699c307134c08002d6

SHA256
b635e393a917c09237cf51cf55df2e67624be6508b7a4fcb60d280fe9b2fc199

SHA512
1151d523bd60ffb368179567fd04505dbaa39afcca6b262c3f5f802330d57d3a0ce9d99485ccf28be117450bc2424e1a4cb1027dfcd8ef6ecbe31727a3cac118

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe
Filesize
237KB

MD5
9be80fd4ee021520865b2decd65cbe59

SHA1
33050ed89cda3871d64015c3ec91bdfcc708edb3

SHA256
276fb1eafb17f868d49dbc31f3ca0d3702bae6aa9d5d75854a59a99b091bdb71

SHA512
6e4a43c8951fdc09361e5a2a28f91b1808d997376a4da9efc169385bf5722074d1a02cb65246a72a78fe0a4c2b4c1897039181c15ad29ea3fad120849bffb92a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe
Filesize
245KB

MD5
44e81329fdda4944d86db9e4d73a7966

SHA1
8c67c01ee707d72924420a3c436ff7b8222fff12

SHA256
6ff5ab96457018605e2899508187ea1866710e604284005a7fb38ccd9091b41b

SHA512
d1038db94f37dd05de01d7fef789d32d1fe24ba8593e0fa1406e7e2fb1f04a54b19e8b11fcacf40ad14776c31b189a8ef2847c514bb799af71e89492e77c9d6c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe
Filesize
237KB

MD5
7e1194f513378a9233ab975ee66a30de

SHA1
aa5b20059a587405b71e8153b1d625d976a50ff2

SHA256
99eaf4708a279de4b94611ed19fc076d180bc0922f7d11ac945f59a94cec84b6

SHA512
d9fa08f5f2116ba9fa6e25e9cff576f2a76b8082a9b1b9cbfb964623ccd25875b070f3a19ea124dc44a5d738d3923afb4790140497979fb56393e4a398b1b53c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe
Filesize
230KB

MD5
ea7e95e149ded6d5b0061914994da1da

SHA1
62621231a8ff5a0727050ec93f38f4097f76740a

SHA256
e887e025d4219d1852f88ae38b445ac3f5f3665ca94ce6c57f972cd038c65f89

SHA512
18614ff9bcbc5a7893d899a4b7a5b82f61623984256e49c96bd09af2eb87e54a231191345af9b173d8af57ccaeba028ba4ea7a7d4613ee160f56e2288fe7826b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
Filesize
236KB

MD5
14e903654f4cc52045950e5309004340

SHA1
a470a88dda048da246e3db6c5b2e8f2faebba419

SHA256
f809377c7f81ec53ccf961227f4375b84d6552f2520ffe077e6e817107e272fb

SHA512
f8cee0e7460c8578a802ad2b37a71df937c0dfee154dd301e74c73174ce26e358d7c54b00c6f63ed52c70d64ad7398f79308dc8d114a3e4842eab3557c0301ad

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe
Filesize
239KB

MD5
3923447019bb8ba669437bea42b0237d

SHA1
1f0effddad81a52428441464ecd6ab8a035f8d9b

SHA256
8ec7bfd2c5ff7228df1066074146a2e779cf2b12de90270aa12b6db84b07c861

SHA512
9685993bdd5b0c8d592b7207530880f448eac59be92e1714e747d136194184d45846c6c48991a0e1a97d93e8e41b2e16db0beef5684da5c240fa69fe37ab328c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe
Filesize
243KB

MD5
28e7a56df36415e587d9990df03dd02a

SHA1
6c04c19631cdd062aa72f7b9be8aa65789bf439a

SHA256
a563742e7256a3b26131b8c5af26ce53335a56892e065de43092c72c98f86b31

SHA512
764c0ed08ec39025e3788705665fa59c57e833b70060585e31336f45070d94941f6d128cb94dec15b4a685b6e01923afd03299715593e298e9b192d7ed8d3f0f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe
Filesize
244KB

MD5
74d484f5629334f1c355a0a7c1f193fa

SHA1
e27f36fd0e74346cbe24c28c094853f0387140f5

SHA256
567922e536cb5afd58cde67da0a7b3c9896a338f41c5439a705cac46541c9dac

SHA512
829f51195e770283bc400c63d491adcf2c763c61171865dc66eb4d9ba0e76fc20cbdec6317b8f132fc23090d84347a31f837a5103e43454b484787813fa56df1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe
Filesize
244KB

MD5
39fc139a479567a6c17ba941f43b7094

SHA1
6edf2336eeea91178ecbc8ce0560f1d7d64b7f3c

SHA256
1d37fc8955310387244c4321f594db2be14628fa53dfdcc0122ab9f38915f3b1

SHA512
851366cf9f6ecac0ef50e36b4a980c53330aeec8a7ea584e320529e087379bce3005b1dfa7ee94d9da5be43858f6ddea3707761c7c21af5857951ff6999a57bd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe
Filesize
239KB

MD5
1c073458985f76a9926640b4c8e2ece6

SHA1
5422003ad61c4df48daec884f7cbf84f2e346302

SHA256
027e12487d5b0e50243234b65263087b8c37164467e228ea8baaeaa5c2662f15

SHA512
81d74d1c020a04d6d63546445975a946c95043eebb207309e02f833a5294d5a88a781f32fe7d8c9bca73b7ae325ae1fce31ca26b3948075868bb2299461144b7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
Filesize
237KB

MD5
aaa4f7990b791e6003be19b1134b0bc4

SHA1
adfb0d11dd29a36aea496d6dd06c926f443bef56

SHA256
fecdb0fcb06171f919c1d16f0f9b0456e15a8a6a5e551de106f046104e389451

SHA512
41dbda4f5c7c6e9a8ab425f544fc8b616e32f8722c6507c56a95a7b3ffe19a7bfe886a52ee6654e95aec2cb8c4128411c8f0dc83c3e0f5cae1728ecaa486f725

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe
Filesize
237KB

MD5
8756ab200040c2636344fbba0ff6e2f9

SHA1
dbc746ce934d6fb547dddd9d1f4340af646059bb

SHA256
354a7278a9284c339950d4114683532722b61fbbaabbde47ce9535080b5ffb49

SHA512
72eb5a5d3104fbddeecd639ce7c652c8d8a0bc583686aa4311d7b35284f7874706cc52208f75930c9971772e769ca5e867a3c9a2a7d17ea2dbd5de02ebae4e67

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
Filesize
245KB

MD5
7a45c511a94554adda30907d8795fddc

SHA1
58c1da2b6da3c79707bc1476737db87e6faac394

SHA256
22717d996044c8480ce8810d5fd34738f7214a4d03479a8bc399d89a60554f45

SHA512
6c7ded7e6bbe27f9d698726592e5e1503270dd596cb6ef901ae780b626896474a130ec2fd353dd63ce4efa35a09a3b2809c2970cba82e37ab6d634ef2510488a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe
Filesize
255KB

MD5
ae19d9134bbb17cdbea9b98511e13b9f

SHA1
8eda9541f0ec5da98fb3b4af9f4dd74495e36e64

SHA256
f0f101e55089c67f1b1acbc0ba2ff5cdc789bafe819922c53fb46c105766a884

SHA512
f8e78bfd65ff4707c35274359c2e5732bde396c9c780540dafdadc8c6bbcf8ad8ad3f3ff4a4a922bd3c6b6d1757107ee2de051161120adf13a2dc19846c8f26e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
Filesize
245KB

MD5
f47a49169767ce7906812e772de727c6

SHA1
8bdcbaedff8efac20afcdddfa8dffdb0cd0b4214

SHA256
05c534999db0f7bf3cd632be2f9bc9270dea34f5516db37c71b5af2e2501d9e0

SHA512
e62ca28375ea64652710a82551aa1ea711a9bc642ffc6d3381e81dc2eb4f3ad88ce594c99664daa303d984c3565e0d6b2e27329eba82c568932e3410b9d41500

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe
Filesize
237KB

MD5
f0838b8d5d7e36e3d01f08fae2299066

SHA1
f63a6ccb08ddba51467226278d5aac72db2680b0

SHA256
25a357dd5b24388c1e09c475896999ff13b81f6a3db173afb78f2c932d06d859

SHA512
b857ff0627054093f78ee593b9b622e34823cb747e4fce80f14ea3f5bfa6cc21245c3add17818b4d03f30d0de5332c7e520e32af39d3205c5633a80b9b72a0a6

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
Filesize
832KB

MD5
a3cbe39c4908dbcfae13d7f61307e8dd

SHA1
234127c90cef7e5bf0cf844e89a9cf94ee226727

SHA256
c00b3d1f6d53e20ffb6e65158a386f9483415573226e6fd00795e4b243aad88f

SHA512
e7de68a00bb7a2a63ef82a6e783c37d54dcbb8097784e6f5b9702b3a66eda164eb2cf672be418d91bed4a6ce31b334c7d2db741bd2eda1f7d102e85a7cdfba90

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
640KB

MD5
0ea8586dded557064eea688123dd90e4

SHA1
faad7949c99fc12a37fdc7b4ea4a12a3c2658baa

SHA256
34c7e3aaa01a91b8dd6481b498083bafecfb7c48a1b3e45509ebfaba1c6fa436

SHA512
3546b5e4b90a1c4ef44f3b832028cc69b9e55b45df9b6c6478c673c3311037db9ba0f576662b9f0e8eb6b8425b89f4b1280db54cc3118211725e0a9b96d8eac6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe
Filesize
199KB

MD5
bfa843bc5b5883c6130a018157162de9

SHA1
affca9ada658ed18193845dc061ad7bde74eb469

SHA256
e1f3f3b8de1b4ba6ed5540891cdee32aa3a5bd58f99737cb935a582c25b741cc

SHA512
98ea6774ee395a574babbf50d734ad07d21e0070d39b206fe6b8cb4563b9a69bc466f8ad63ebc7b942474d6325bd58e42d25076357b95a9dba41e5b3a20f3a72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe
Filesize
181KB

MD5
50975f65d7e59e84df03793ba6c25923

SHA1
d3cfe4142e886025222adf873a81a150a698aea4

SHA256
f2e0554d0f6e56e8ce3d478558185c984afe68b07f1f62e1a98b289bd24a7b0a

SHA512
b82f9a9ac43c84c30a6cc7e77c8d5ca5d3f2e3af87d81f1985805a3bbb8539190cd13f489b29f93e32d6b6d39438b23ee3dff807131cdc8c5e8714634df938b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe
Filesize
195KB

MD5
286cfa6955dabb5215c33f5b1046bc92

SHA1
96bc4a72c0222dd28e6f1465b114ca9d4db4c2da

SHA256
5312a1f871e3dd7de8dfe1e06733f797fdb5444d8c9b356abf5fe75a837a9726

SHA512
d2241e7fc4d170cf35dbdf15db2ee55252ccf646ad11f6884ed53a3c0ec88057576d67a1ca5217194dcf2ab458f92033de4a1379a137a2ab756683f1772e5276

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc4229425e844f005b38928831df7b58_virlock
Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAoc.exe
Filesize
241KB

MD5
9d8039e27b0b7b0ef903effa079a153b

SHA1
db133627dbdceb1adff68159bf8221665611c16d

SHA256
145a211897aebfe34d6b95006e0e69afaf3e40d0f1438481ef0fdb4822f054e0

SHA512
126fc1791137289cfa301644bd890891af31de3ab0bdfe09a2743e3cda38544673416722a48f4d21bf8b6e3783480224ea5f3a3fb05db96a59bdee2fd4da23fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQsg.exe
Filesize
1.1MB

MD5
7301e5c13543ab7b9142d0cc7044e79c

SHA1
d90316c61e771a3b232c66a2ef3b5b4cfd9a94ea

SHA256
8fef1096cfb60bcff3972144a22028234af0749a2d88f06a97cfeb0a628e6945

SHA512
eb813a06779b67427f7a8e1ac3608596cb906e2d47564af230ec31029aca18a0073fdc88944d62d784e7fb69d66928b3fa3526306b1ab7339ac7bf7bd6e561fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUEoEkkM.bat
Filesize
4B

MD5
fc7bbdae55316a9888f8e0def9d39880

SHA1
9a904abdb0ba1428ced7903dc239731a6de865f7

SHA256
645a2e3115326002742e77803318318482ccfa65ab6b3da495c8520fd064af34

SHA512
e515e95f32081e6085d70d924b32744d397816685503d6d5502ae91cf709faa301903e7c681c50e4e40bf0be58ef0ca0a5b30805cd407fe204311ae7661f806b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcAQ.exe
Filesize
236KB

MD5
32b44603214f582c745d40d6475cc4a0

SHA1
0b5ba91fdba79909a99f70ab5163caf11b770877

SHA256
82d46e8f806ac4125ac94ca155acaf7b4b28b5c5d729dc239b51023be51f388f

SHA512
9949ab18bda15fef2685842ee1c59d80cd1b7bdf6cf2ce30599a1a7165bb0bc90ee569539c90f049688baec941287b5d1b67d30e2b584d6539600a8b8324f97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkMY.exe
Filesize
241KB

MD5
28066aac93e58d44b71b27bbcc787781

SHA1
03c586da0286bfb630fe8d651530d1f0646810e3

SHA256
d10e4addef7053a8722ee06e5d6bc97b46ca954e22061a2c44e9ea9da4b6bfc5

SHA512
928cf4053bc9ab73805c6fc877467543d26e206693469378e38415355f1953af625b867db79d9dcec7d5e09255b0abeaa93c62fa463b789ffad8c63bbf7a914a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoYm.exe
Filesize
252KB

MD5
10677f4be73513f0008c4884ea2bf573

SHA1
1663c78f26dbc2368dbbada311cb229a9b937b49

SHA256
cd1b1437045df88f8b82bc5176352ca3e497693791a1f5c2aea890198b2fd83a

SHA512
fd9be6acf60b8c1696bab42775bd0d341222d5bde6755fcccd50b98013627a0f67bbf732545ecb9677d496892642882963600a9b2fbe9bcd657aaf3908829964

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsYo.exe
Filesize
229KB

MD5
08e0aa50eee2c8d5ac80c799496ab647

SHA1
e5aaa1cf178b15bc8f788aaa235e45ff7d8586bc

SHA256
ea517b8a040548111d21e50644c6a83b3dbfd66eb26a68660d51466dd2a29982

SHA512
6175db57ddcf638551e1a27287e80f4e2f626504ced6b0d28dcfc368f7da1fa83128643e9fbc2e7c022b9c7eb2229968d05b58690becda5b22c13e9711939a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\AyMYcUog.bat
Filesize
4B

MD5
392445085bad4778420ed57df962f7fa

SHA1
ab6f7e6718082884af18742d65d777fede30a9db

SHA256
141e400167c4cda28febc716948392fb724b738b877d21b85e10aa1002015ec0

SHA512
653422d0765c8e3f49f33e2f0f4f791fa788ea319336447cccba4ce125744bbb77b22003033b0fc59e9c18f3d97b615f7a734273242937e31de198ceb42e0fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQYIwEQM.bat
Filesize
4B

MD5
9269d10759be290af7e7dfbb123e1fe9

SHA1
0b8ce52c31ea8e7256387ca781297ff696ab773a

SHA256
58448d912ff671ace47f45f4a4a8f6a4988cefb74a9be23461952a561af63932

SHA512
0eda899aaf6722c5fee9c6239e02d2f03c4e46afa1c8e8014d5a7fd57599d433e57d9c7b61bbcabd173e2d7ce95d63186b4be9775b160c9103a208a53ddc0f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYkUoAUk.bat
Filesize
4B

MD5
14cae6b7ab0c79df497b99be17963251

SHA1
10ea3a8495a58efbaecc8f54cc2d111828f804a6

SHA256
b5d0b411ebbc1de8cc1744bffc02cbdb0a04133492475b8594b895b55d104e23

SHA512
334a63477a04e8aed0891f796eac28faf2dd5845b42e052f056168c2c4806a201606a7ebf2ab0f685cc119da6435a4bcebdb01953921e43fc2ad84842deb89f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYsAgIEA.bat
Filesize
4B

MD5
bf1c7b205e893d403faad45ce12f44c1

SHA1
fce3d31a6647cefb4a7e18f8cff8c7e351661e88

SHA256
81b28af9cf6b8ec2fb2ed52a7393b5309c17dbf1885eff144b8dac64f11aaad8

SHA512
e2f7af5decbd9bf6e9cfe3c2fa8dcdacf785fd116b6684623d40a8de3e1a4c94c83c8f065af2ea65f17e428a1cb932f8adc2a062070a763f56bba117d5e4e82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAEc.exe
Filesize
229KB

MD5
af6fb275bb5d52ebeb955aed92c70bb5

SHA1
5f1a206cc170a6693c20af8684ffaf692496ac44

SHA256
defd49fec76c9e0e7ce0b04f19314c9fc25ea4abbb59e3411baed7c9184d8a2e

SHA512
8c4f63918277c2dd06d08e14b6d2a8a5210742860b7167bdf36eff8ac3d63fd9304baa047bafd856363510fef6b55ccee80cf64da94a4c8810900556bd341bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGQwMIgg.bat
Filesize
4B

MD5
7f60d1ee0497a76faebb4dc1d3d3d000

SHA1
1c60841264830bf550fef6f33e120a885a0312b0

SHA256
3c74397fcbd14dfeb33f56d8b5b968af2941546102a6896eb0957d577b594aa0

SHA512
56b4560ece5708ba5fc01a28bb5434ed1f405c9326e4021786bf49ed00ab760158352ff0bdc30634666399bb490ace206dda12c6ab3e20566e0472467f9cc610

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGgEcsUA.bat
Filesize
4B

MD5
ec457722dd4aac1749aa320a5ddf9eb6

SHA1
fcfbfe2296434afa30e0104ab1e6533ae32f4be0

SHA256
05f67b23a8824a66e38c8213f7b4d9463e28b41d2398bcf0294c5e5d54a3430d

SHA512
304acb93bc79b06b485670b34fd1739bb8c723284dbb1c2b2c8504178f2df13b2d7717bb5202619af65f7865393f98374ddef68f108da460d81ec40dd3fd7c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIQY.exe
Filesize
228KB

MD5
56b94028b4c4e6331a184957da62064e

SHA1
a07ccc6fb7eeacab6111acfab3e8c0df55e2f4c5

SHA256
1f38f5a8e2cd8ca4edad0cf686c5be6e520bddceb75c4fbb558b7da08bb82536

SHA512
df617f42bc751653702feee47139ad02467d4cd371124ea345812d19a4eafc27694793752ffa3f179b5fe13b0fc0a972e96f299babef9c9ff02a6f57810d0778

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIgYkQsg.bat
Filesize
4B

MD5
d3269190594dbd34b3855aee583c5f8f

SHA1
e682bc3ebbbdaf2ee85b0210fbdb0f895f1eeee3

SHA256
1c6a50f99dfcd66cedf49a1e43d2d98ff79fcf78516b45a6988d64635abebd3c

SHA512
354b581f3c60aa2aa1ec9d8992c94288705ece0687e452649ad0450e636ba992880988c045825c6c6c4c04e22242522e65d03ed23d48fe5be7afb558b1543fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIke.exe
Filesize
246KB

MD5
3cba758859ab586b81d42fc666ac6f7e

SHA1
e8bf61ba31992dc9ce94fcae14739a344ace1283

SHA256
396289aefaeb3b57c7cb2cbdd5facc78a401c8382acc6bc10609c2421bd3dac5

SHA512
231191797770a9ce23d553ebffc41e08cca0cf55b6a8564fae3f6d2ca91052d482578259042b624cbe63a515ecf7b46c4dbcdc40ef58f34c1fac72f1776cfc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSAccgow.bat
Filesize
4B

MD5
4273342152d84ab15dc65c5adf5a09af

SHA1
24de682d0b0e516fe93d707a0eb72ca1e420894b

SHA256
108f6ec80e2f0218ff1d0ddf1f70411dafb2b6a0539325fc1fe604f231e0231c

SHA512
c573ef28320b6afc4c6410e8f22ea40715e8db6e930f09d095e9f7d3e011befa1bf05085f3cfc650217d10772372c0bd2d6dc1e6943cce856f295f06865656b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgo.exe
Filesize
199KB

MD5
c2621e598ce4c33710eb5350b1ca7280

SHA1
7958d349b52972ce229ad2e1d89a421ca9c8d0c8

SHA256
cfc17714e41162fd1fd4bfe623b457635c4936c474a354e8188027cf2ddff0ce

SHA512
232db6226f6346072325819edd9876af653a8ad3d895afc0f149482f1ff3f49d1d87bc98494dc11c6c7461fe0b53a686a70c7a5969e64a0a5f0242eea17fa5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYsM.exe
Filesize
249KB

MD5
f6a42c07cf37790c8bc88c065bb0374a

SHA1
7aa0654a81e7b406ccef5fcb2b274e5ad61e766f

SHA256
f528ab36b72e84b8dd0c477eb8be2047e1da56b1f294ae83fe3cabf1fcf4ce93

SHA512
e86363e11e825c3cdc1d2992707109f5d71abc0471530ee0fd905374bc9bbf1e87013685741a9c5a5115a1c96ee78ae010fa2f239445941d60798ba7da82225a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeEkogUA.bat
Filesize
4B

MD5
b18917a3da2de1d0996bdcd63793a4f0

SHA1
8b1623022a2aef450c967d65f58ad60384685224

SHA256
539b947281c20bee40dbbf02f24d16c00213f75ec16ef1629801d3fca79b0772

SHA512
1a59581adb37ffabec0aeec411a526b4775670b97482aeb331d6bcd1dc21d6707211447911e2960a4c600186d273caee09d42719b8ddc5640c0ec3b62c18c416

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeQAwAYk.bat
Filesize
4B

MD5
779c9af34aea85e0ba8d40dd5e5b2ce3

SHA1
d6da487a8ab12a87907c1968a439f59a1ade3369

SHA256
94dc694c8cec8a5f78ea02ffd410842d58d6bec0b14158f16eba710f76cababb

SHA512
3edc206a4721277aa2e9a6f1c5684ccfa0410364f680c0b58e518454a5e2c16a0eb47b3ec4abb2d3b416fd9da3b41a3c2443f9123f1668863f06ed0f3512c5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CikAQIkI.bat
Filesize
4B

MD5
f176b3623f4da097680fdd8674542a47

SHA1
d90b345b564b10a4e089fe8500a2c7ed90f3daa4

SHA256
51be6e28f57dcf40ca3bfc7d0622886720d81195a2011ee5365d83e4965a88f3

SHA512
630cd3530ddd10c2a80571cbcb4d560e58440537a535c93ce361a87cbc3c38a12f2301f68bee38052ad23cd467b2471ae6609d619d8a12919508ee55121dc678

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cssm.exe
Filesize
989KB

MD5
f8ec5d6b849a717cdbc5b841fcf64609

SHA1
3683683eecfe124b5753a2165c201f86f2cd4c8d

SHA256
0dd7372d713d07ccbb04aebef5808280b02e5a64c09d255730f94ec531735830

SHA512
af3e4008719cbcf59b4619d41e080d696fcb160bb089f021f5934d0d3e594c5a41dd1d4a1414fa0f39d24323c4ed448675bed2407f63b2d4c5dd7f4bb9aa9362

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwUoYIoU.bat
Filesize
4B

MD5
126caf2f9f543d099b8fdd8d8cdec47c

SHA1
0d54d02a6c159f5c67bb9bd4c648a6a0e70b2236

SHA256
beb687ae57bcc0a98d5f1e28de3477fec8a74a45f5c887c93a98ad571d87cc6d

SHA512
101f4200b7e911365336b85a7873a87179f4112186cbf1b64e0600ad0d472429d93091f48e02e4c60aa2e02cdbbc13709cd1b28846d7f730119947b603035989

Download Submit
C:\Users\Admin\AppData\Local\Temp\CyogYQMQ.bat
Filesize
4B

MD5
b307a51f4dc663b6a9166ec2448a54d9

SHA1
0566461904e6c86725b001e20703096543b13481

SHA256
bffca8b8962372c515656169cf072dc120bae886b676d8cba237f3f0d9608c92

SHA512
46489b26eefbab6d57a889a48ef96bb485d2a6317a8419fb2cdc7aa165ae08cdc8f9e2e6b4507dede54321d88ec802879be9542318fb06bf1e3b3c0a27839e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGQYMkco.bat
Filesize
4B

MD5
745e09a6ed7c9207518016c5670172b9

SHA1
771865d656211cc737f6cfb42b60fc3c1933b03c

SHA256
cba284bff99614fc398a0d454cfb0674c140c68a8de7a35c4c7ef54ce3f701c0

SHA512
a27ed652bea2e0c3299c6a822f2fbfd1f12e41687c978019b9eda0bc548ab468bbed07bf8ef950c6c5cc3e01c012e33ef93496c26c267fd7d5c24224b9bd41c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DKEkkgkA.bat
Filesize
4B

MD5
506af4b951985c1e0bf4eea576541cf2

SHA1
2648375d56e09c24c3e383ebcee18edacb85cbf8

SHA256
59ddeaadd0b2aebc57880bed3d93fc7994cdab4156532a343d4bad9650219a71

SHA512
22a5393dbb3fd669028542ee4be6a694130a2cdb925c02b41dc9708a8dd034385c1e8237162c6269cfbabb34c41718c2b4b7b968153b140d24ffacd1ec1af1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQgcAIcA.bat
Filesize
4B

MD5
ddbf4159d0af831bbcf46172dd3a9a51

SHA1
829943e22e946335c969f880202d2138bbd7e443

SHA256
bb09ef39cc163204e35fac6d4045e2d58dcb73c6b7341ff67d91c119d8c9f10c

SHA512
4db82d10be2dd594488fbe871e416abe8fee62ed065c2d7cfa2907cc175a3b96741727db09ef5bd6be9fa3c1dd950ceaa09c06fbf3c6312a62fb78acb32b24fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYgcYcQI.bat
Filesize
4B

MD5
d96de147303f37f888235b24bed1bd6c

SHA1
0aee43ed51d27afc29c9f287d7581d0f9b8d31ba

SHA256
035d78d084381a21448a91982f2c652b0ec6fa274ce204399e6fd8c8d7f490b3

SHA512
c11dca82f1b37b2ba729183f1c1d4272299c7f5f281f2c21e81341555aad5a51ce8b959351e6470343036ab27197b950e2ab4fef6e192b145aec78d05999bc15

Download Submit
C:\Users\Admin\AppData\Local\Temp\DaUgUIIo.bat
Filesize
4B

MD5
7e995f47436339bb58297a21b9d98af7

SHA1
a35b331c9f250ccae6dda38430894c09df39eee8

SHA256
5296f56ab917f1d741b225a422b6bb87e1512a7ba56d41bf93f8bf8d89c712de

SHA512
d9b230e49263612ef6d577626fa376ae00ca4b0b2bffd6547dbaf84dd705c35f27623f288f7bb1e988e802f6f855383fa455578407a9c5d9df9179b76415176c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DskcAsYo.bat
Filesize
4B

MD5
5247cb6fe0b7aa68d363d956b1e630a1

SHA1
a428559b85569e628c62376d4098579a3d452afb

SHA256
76a15f6bca82ee0246a4b8cacef6c2b4a94fa9ac985a89396ecc5abc1a243a5b

SHA512
93b6d79621cd092828c2da6afc830b8d3f797b5782ab876cf913806bfe6041bcbe811f4bf4d3b87b413c94778fab0c646a829e9f6c87eacb707b064b86dd236d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQIUUgYs.bat
Filesize
4B

MD5
196b97e1613aff246932ac35bda4a77b

SHA1
f423a267b4ef59c2052056a34f962a1a39959c8d

SHA256
37357e30f45c40011a5e460adffcca8d773e999793e1e53c132fbb438b58fb74

SHA512
236e8127893d3988a3f3e00532c16a0537a762c3670b3fee1afbd3d83d85e2f592973e4682a4f3399d6476e3ec83485091cc220297dfb380e454ed341927e285

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQsm.exe
Filesize
198KB

MD5
3daea1990e241486c0a3cb7b4aee6454

SHA1
e4a6dd70bc20c28ff77cdbde3d945d7fd4a62af0

SHA256
9377276c4d970bdc3c5f5ba3dadab72b918f5b29a6784397c590a894ccb74317

SHA512
e0754c8a144af602c766bedae43d038a0fec9401488b3746781fc7646ffe7589a1898f0dcdb6da8c532152d878c21ffd16263bfcb3af89f1628480a1e1eda3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwEwQEU.bat
Filesize
4B

MD5
5aebb9e01b7fd8894180db7709ec16c5

SHA1
74c72d16b94dcdab94739affbfe42af4a412691b

SHA256
a20ad473c330531d216e4f4a2ada1a676e35a7d0e375060a2971db7eac7e312a

SHA512
fcdca26572307092d0219391dd624832b7b0f83844bd7c5358b4a96fd69d8dff2343514ecbfe444a213be20d1966b747ce5035571f61dd65b52d641b54b1cb21

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUscskoA.bat
Filesize
4B

MD5
738334d2f0200cea3b19d33a6a2421ed

SHA1
48bc15c842718d35053aa9f8213299d34c92e32d

SHA256
ae275717d2e5d01982fe00655e7d85367bd010c009c65dd3bf5c65b1ecd641ee

SHA512
8d2cbde9c258f16b4ce593d6384ce0d69a164a454c28afae3c455673afd87ad830352c81f3a187faaa0f25f8f53d546f0b4054644ee8c6b48322e1bafc09403b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EaIYIIwE.bat
Filesize
4B

MD5
8305d3cd977fae79d319e1ccd70bce93

SHA1
76d1887bc84a6cb26a0cfcf9ce0c4047ad141b30

SHA256
c1ec381c4e6943b255f84318c15d450bbc766b4b51f0b8d93748a7ccac234b75

SHA512
7cb88757fcdfd7b2ab7cc3cc8947341bdf20759d9e605d1341909af1c4d39a6a24a72809336576f8da6da916c76cfec1f8b4aeed72fbfd292e3864e23bd71eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\EeAsgAkc.bat
Filesize
4B

MD5
3a01459e6429bfe83feb4db5def1826e

SHA1
89d0c3eb5c22fccbdbb60acdb7cb3fc088453fdf

SHA256
a46659b3addb765b2e58b3749c59119a8473a9de498ec769ebd9dc48c3cf14a8

SHA512
eef1177abf9eb73e0a420baa6487df0d6479a4795c75b7ac7d7dcd0b099137663812ab577ba9bf4e4e68c888cb1737722357447d44bf0a89a0850fa2b263232b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eoci.exe
Filesize
1.3MB

MD5
3a36ca8d3cab0c5d570e36f1ae6d748a

SHA1
4691e4f90d213fc14384f7c48ef77609fa006709

SHA256
a0682bb7d5e9d26a1e057e49efb4a9fb2910567a87eeb5312be92d6cfac3887e

SHA512
60db59dfc825dcc061c6429e21b46f4c6671dacb926d947aa4240ff933ba9f4294f3eb60f2d84b881264a7ebfc4a500fe1dac3a5a62a58089b3da69790873df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCsAQIgI.bat
Filesize
4B

MD5
5d1245c8deb329b7329aaa417a13c234

SHA1
92f96a52e252d833fb1caf6ddb0302daec654a8c

SHA256
edee36175fe3de60cc02b0818476b0e6a82e1e2ae2c475f8a7856e44a1e74336

SHA512
b7be2f9d32f1f7d08fd1748cee7b41fc705104dd6bc23d3f08b12d8456df16a8f3399581526e26a7c6d6cf9910a9b65ef5d894e3fa8584eb699f2d2deddc4394

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUAQkQoM.bat
Filesize
4B

MD5
8ac6d87f0932cf349c2c5271c3c0ad5f

SHA1
3c31380d60616c397c134bbab7f0ba7d2c137813

SHA256
1519a3ec544b501c15ce3f7e7da39c9c8c5ccc06e52809526d81f0bc27da15d5

SHA512
b5d65616fbd73c070ee62a90b012015856783a20e70d17e2afdc00b74b1536da9dab60bcf2e45986625b37f6ed62abd14c75cb5a809c9c064f636076751862bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWYggMcs.bat
Filesize
4B

MD5
ddf15b881f28326717477552ae2048f6

SHA1
5b060cb092e50345d6d12f49c99e39711f5347d5

SHA256
00be4af91a9c9600e2e72d42b0609700aa37fd95e29826d345aceb42dfdefa11

SHA512
7c810a4363122fb27b0ee9fe0afc8b7617f6986f32cb16bacd93cf675eb5d72d0232f517a640860d5b8499646200966b66fd47d29dafed8018b47cb68a93f2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FooMEkok.bat
Filesize
4B

MD5
f67644ccee654e67c0f3da0ba8f15591

SHA1
04824dc8d7d9e1352676fa05fdb5a3add28f42f8

SHA256
bd8204e91fd1925a746a372b908826d438158388ce21e651c80be4ee1049cf70

SHA512
317ba1507e85dac7c66249f8517a40703c4edcca9bcfd4ffeae675e80fab80bac1dc2df5293c966b24c2838a6bed7b04d7fbb3d0b490c5e834421cd703933304

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQMQ.exe
Filesize
231KB

MD5
f24ac8d1e294e6e98049cd4f25acf20e

SHA1
675b369e539a5702858bcfec4bc868e1db43d8e9

SHA256
572280fbe3030c4ac8d342d8e1ce71d4f82d8c48a279eae2e5c5442e734d5efa

SHA512
e9867fd772733be1465349d6fd6581db44324b189a1aeb20b6906485dbf0e907216b916cf16f02f768f21dd942ede51bfb5313bd5c8720168213230da053af8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSEMEowE.bat
Filesize
4B

MD5
0058308a09f77dcee4898f8522c92af0

SHA1
619bb7833fe27601380c91d4b221426cb7249b64

SHA256
17e0d6117a26947b63b1389ea52380e24412ba8909ea56eabd3e9dfe495f6855

SHA512
896bd16b810e3682d1def9e4179c6a5d65125946ff071a03e11dc29fbc34aa046f3bd09ad4910c792b1d86e550754afe0b12381ce1e02f79c60fb138cc98d378

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUkYYcoo.bat
Filesize
4B

MD5
503c3f26e57831923d1ece375a9f5e6f

SHA1
dab2752445757c020b7115bed33e3341d4537b3a

SHA256
7f75322387b23433c7fa5b38ea7e60932600ad1aac2200049afcd6d940a1397b

SHA512
f1905fa21b0f4f05b6d0a90e5103dc355baed3bcf5004b0e91ad160dab44deaad085d82e00d804b5bcaa7921cdaf17601ff9298a59777b636ca1aaa642c75f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYgE.exe
Filesize
825KB

MD5
c6cf5f9592bef8be4b3c1eaabec70a1b

SHA1
c925d0de7043548c261e3189a6d82265b4e66c67

SHA256
bc32ff393b4634972c779be54fb02416f527919f1fb1fc8ee5f23de557682e22

SHA512
f2a9c8135e58a364b3f92676a65dfa81fefcebfc91b46ee3daa1b134af928a3511616361c01879bc91949e4ba68e44b5ff3c60e88d7d64129c5b5cba5f3ec19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcIMQUYk.bat
Filesize
4B

MD5
a7d731f71c44792ed4a76ced06aa85fe

SHA1
f388a1f4519892c3575eb607a88348da1f069832

SHA256
116f029fd60b83c8eb1f056d5cba7200a3c53681599c307c688434d1db671633

SHA512
557f361a17e54d8fd169d4c9fdbc1d88621a289b842bd8dd8684424ebe5644ad6412f77c8e0c3b17f960b00a91dabaa70267e6e6ba9c05209456f8343f754687

Download Submit
C:\Users\Admin\AppData\Local\Temp\GmgUsAUE.bat
Filesize
4B

MD5
dceae484d0655fcac75b899b1f1ee5fb

SHA1
4b603d259b45cf21d2aff0a084487e5592738e9d

SHA256
836abd402852d608126d6ee6e8b3bac66b3951b39e341209ca972b4b07c07081

SHA512
512cc8283789979d0f611034255c20c487c68b7b84a6c7d905a2e303e787ca1750e916345e0db2fe0b78ae4e3e2fbae16e6b80986a88b79bd71793de21b164b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwkIcUQY.bat
Filesize
4B

MD5
8c20567716995737001f7d3fffb3f422

SHA1
278c1e8c66311bb0831b0e7b7109b5acf01d84a0

SHA256
8838a996a6ec58869ee22084da475c3ff6540df777939446229bd8e0f4e7052f

SHA512
c77a11acd02f5c8035f29e6ec4dae5d983e3f79cc3f68204e300225b1f801e71dc6eeb1ccaf0812004255dadf0355199a0789b5061dbbec025103074061de79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQQO.exe
Filesize
630KB

MD5
d858f9e62b06471bc16eb69c27d90354

SHA1
6a3e35268413080c0ba38843720a23858789a232

SHA256
5153113fdde621c5be32f2edd9acbe02767042b8543c0a32517b9dc091a4dfb8

SHA512
3a9be97bb31900d8eab9a254d258fab6a9b861c6148f874431632ba67c7126f008c9a5e4709b86c23f8eca328ed973b006d0a1efe228879e0b4d87f66183f845

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEUMQwIY.bat
Filesize
4B

MD5
94c9e38cc1dcbf6566f27ba1a4078fc2

SHA1
fbb136034f9350b8c1fe541bc7eed17f316cde8e

SHA256
fe90edb5a50e18f86b081b32ec650eebf8bd1e3da1305d0b468c0ebad3754b48

SHA512
af736b9e57544934da07df16fea52ec836670a4958d89bb31f9e4f486e1522e3dfc25462e63a927920e374e7f5c5e363e0421a6a336fc428e09a3f66e58bb8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcMYQQko.bat
Filesize
4B

MD5
df82cda59a993fb6a146cbf7a4cf63b6

SHA1
a2bc31462b3884f7425ca3c4e40a431b902e270c

SHA256
bd475e8676773c59687c8ab0ca2b9e4836cfa9a98e71969a162d9b661d4d3ec6

SHA512
cc7a97ba63b08e8f57c698efc74e2af46b5514e2533e0b61a63147310d97f9b94f2948e21dc11c3ff0d7e050c065c2db39139f3f166f673e5f87f99c1eb6e1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcYsQMEs.bat
Filesize
4B

MD5
a5097ee6b59b64bb6441db82648244cb

SHA1
94f7860878f2dd30d8cfddd4000bd8c1ae09d055

SHA256
5480e55be1c0b49f00526a2e082396d3f7ece68b66ef4e88c3460f74fdd11e0d

SHA512
7828f832b3ce6a3ca3f9795ce88ef325823ec762c621a871da9df3f4115881db8f1fe69efe5be8824b7916e9d1792464a3a54e17fd836d9bc8bb9c0d4fc33ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmQQAoQY.bat
Filesize
4B

MD5
777b28ad63558efd1bfff9c1ce176968

SHA1
da3697e6bec2c7c25ee3db06c6e995990ba11d80

SHA256
eefab18b24e9afde340aa30ddee310d6ce00d7d9e2cec371977896f0ec769ff6

SHA512
9f11d41091f3d6750f940e2b05df8a931060b40578d5aeb2ef4b8ab9eb5ebdca75678e812a58284083543a89d56cede128cbc4a4b94cd5133dc2fecd3230148b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUIU.exe
Filesize
191KB

MD5
4be95f4defbad57886258b5661cc3fd4

SHA1
91373f774805cf368f4d4c71b30c29073108d808

SHA256
cd9ee8f08ba5a3b7ca09f1e5be959d03255b475359720c484320632d10418b38

SHA512
f94c2c446755c1fb285cf011cd3b12ddf73d598b1a728ccaf6b63720bd5a085ad811e8ab3ebfc39066aa031b48b861c93f7b218b9f7dd5e2ff8989ec3e5da3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUMQ.exe
Filesize
232KB

MD5
2dc152485141dcaa0acd32be201c8a35

SHA1
44acadc81c3af15ee3e1f1e19a38780a8114b07b

SHA256
b3ac39c949332d7e33f0a4de8c2c749470bfeb2b956ae59757d301663b62091e

SHA512
5174660375bd26d26647ed5776cd62d15fc6922aaf85d51187b11a17d8334cd126b28130d9d08903d003ca62a46d3231efb94e183fd8fc675ec3685e535951f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeQkQQMo.bat
Filesize
4B

MD5
b843097edaea5c8e62c6335cc29d5c6b

SHA1
ded88a70808da0b7d28ee1cadb4b91e5903888f8

SHA256
5455e796695eede1b0dfbb3c676f50bff0a3e9b188014434544a874a77375b9e

SHA512
d9f4721a861a9ff10a4112b9615549eb994cdfb4930b4509f3ed8f908341b9ce41ce5a0fb88a9cde45ef9cfd3e962a0992059a050373fd6f44809419717dd3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kggq.exe
Filesize
542KB

MD5
459a0f2ca3a9e06e0613b3ae65b8a0cf

SHA1
f0fae6ec1d4126b5c9a16b11100ebd14a951b817

SHA256
23f8223f7905aa96dd841d7dc844c334427ede703c1436a300b46559ec763085

SHA512
ae2eb4842b7af6cffb7fccdf5dc6f1af91c09afbb63359dacc923e6ad86a1a46159efbda5595f7ba8731976562841dec513bb9fe08aca78fad94a661a903a8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgwgEsYY.bat
Filesize
4B

MD5
e57505d5478600204c5c03bb620d9ebe

SHA1
16158ffa45642b1a90f68df4ba52ced7f07f98ab

SHA256
62495bfbbd0e89c3ce14d63e85cb7882689843e48c4557c1f25de4e46edece2c

SHA512
38b873930309a70f0fe3019b5e48ea8411d32d2da3ee39232993626405d9cbed7ac49db7c3839afc10a1a0c211c142216f382bf28f48b49789e63c3b6e64ed80

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmAcwsUw.bat
Filesize
4B

MD5
dd1e08d13deea345d03134465695ab12

SHA1
28bb5a71f520624d5e0cef4ad7a603924a87d1e6

SHA256
12c1d4551ce2fb48ff9e997ebc9a13ee436ce20ed0f826e59f5d701576f6fbaf

SHA512
5b89fe11d5bcbdf37e08c3e98160776158d8679cd25e4bd9adedd6a0c1691de13f0cfaae95e4d931bb6f53cdce8601ea0bb1f89b989cc26515fd351d3f3999f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsoG.exe
Filesize
243KB

MD5
17c132ee7856d0cb75962957ab14b287

SHA1
9fda20e3423e2c2816c93c7b3fe88e85377eeb45

SHA256
29c21f73aeff12cbd4c7e2043afd5b0e6e116f66cb15f7534d6e0c1502e54502

SHA512
8f5580572306141eb6f839e787ccbbb705e0a9951b04dd95ade26b74a0efb645326cda60e595cbf80fdf96e6c02298a586b5d1505e6bb7a5037634f34f39b91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMksEYUM.bat
Filesize
4B

MD5
962cd295e9dc9790225a76c660b8ed59

SHA1
6109fda8500d7d946c1e202ed55d04c3c3db40b9

SHA256
e0a11a17a1b63bd1b12a798d93bfee1d72090d22f3909dd8ea71af9d15ca3c0b

SHA512
371e85c0dd8b809c9dd4fd63c77a9664f6fdae2ce417e150dd79ca7e99708c43f916b1845ff62a0fb07002a218fb9ee36eda5cbf35715110d96d8f9a510fb088

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOgUAkAk.bat
Filesize
4B

MD5
3d4c972b74a2808eb08ca3aa45116ab6

SHA1
639a547cb3466fa5dbfba3e36edfa567a3d5960f

SHA256
cce5f40ec5bcbd85c3d98cc41df4c07b3cf05e1a501c3a0896cee288dad4b004

SHA512
2de9775d9e6fb29b451ee75cf4ba68fb473afa44718feeb2bcd2bd23aedd351fd704175910facd53011ad30525a4b4c03d3c0f1a8226085890be0880320028c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcUkUEkc.bat
Filesize
4B

MD5
aedcfa46c69678ea4eeb143f33800894

SHA1
6ed6061c12c53922cc99ab7f4de30b45dbeb0271

SHA256
85ce71ceeaa3d158b807109fcefb2da9b20e4ddcd0fca4f5d25737bbc14ead89

SHA512
64a5d1fdccff5c27d71523bdbf5c9f6c7903cbf656207bdec47dd246ba953fde82756edb131aa87d7454fd7c4efe8a486fdb002609c470441eba2cf80cc72d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQkgkcIc.bat
Filesize
4B

MD5
2147d5043e94443128ce1931e800a780

SHA1
a597c6e76e25c9591248a583b82173dfb2c213d5

SHA256
e09ea0e7fb8162b1de06e41aad97942969fa68877585dff6b5b8488507ffdac5

SHA512
ceb57ce1b2aa1728585833c77b9195e81f33de1762920545e7c769c65e6515c478f1971667cb2e9ee2912f3972e5957f416dba0de5f274b5726d4f824110ffa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkAc.exe
Filesize
243KB

MD5
6b1e5344fe2eb8799cc1030846810b07

SHA1
f31cf6c1e100f768bf0c52530b6178c8eee0d507

SHA256
7c24ea6a6c414a2063fcfa8c82f913d63e6eb65a40529fbb31beebe45c98d5c4

SHA512
5ccd2f1ecb2de285518b842ad0a28446055214da138f3d159adb09b098195e340ae814b612ef6346dd55f4d84ba43f23cf8d05807d3269394f81567966598e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\MqIgAMIs.bat
Filesize
4B

MD5
3a0567cdc06a616607f69faee034b382

SHA1
2ef3a8904d778261062ec74afad7adc5e8872b07

SHA256
d5a8be81debc3cdf19537dece132d6eb5f6629c5c3c1cc6328fe5241f9626012

SHA512
49faa76cb36104c844be5ef08a64e50aa68bacb381561ede5d38e8c0790cb6f693c85b3b890fc7f52b18d2b23d9397b611fc529791b0b3c3c0149970c5ad989e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwEu.exe
Filesize
189KB

MD5
46b51a4203aaac4b2a61b2122d2e7d8c

SHA1
1566ca9f3b6d78e30ecf07040c640e297c8fd859

SHA256
1d4df9fd47d588b29fa3bf17d2b519ab9bef94f476b47cf9b7331ad49823f83c

SHA512
045b10c99602cd1b8a96c8a00baeebfc9b4824ab85b53799a441d597c690f8220d0dfe7733505a04ad43d5888ea2aadcb5a6fc7de8cbea4ba303a1a02bc1cd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQUsUskA.bat
Filesize
4B

MD5
800fd636e061915443377f952cdaa7ce

SHA1
1b50d52833176ef0dbf9d1ad9553f2e2128db7ee

SHA256
337c076de33105548a454f94dd84bb0d1f942758de4a44a9ccaf981cb6dbd212

SHA512
896fd6ec2f65bb130c106320176a8ca937437859081d63580b2aad582762ce3e050d504618a95a35272d6917ba384e76094f39f595119eb071828ee382f5c461

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYsU.exe
Filesize
208KB

MD5
8d801156c548374efd06adeb48b7e624

SHA1
0745b7df71eff12ce1dd84d9ba7961adb1bfe711

SHA256
d5794c672659a64b34798b75609c90fcc6b01e1c4d13892c33ac3e588304d91f

SHA512
5dcd646c80c39a327336922cf8a2a23d7075a8e61b9a8b3743f6634d32b7308ff31358d3b2352e7132272ae67178dc4323594b37c96bb45c99b018b547ede008

Download Submit
C:\Users\Admin\AppData\Local\Temp\OccW.exe
Filesize
231KB

MD5
8855582687dde4108e389b1113bd385d

SHA1
c40dd3f71705d4813aa51c47c528d551590113c8

SHA256
922223d170b9d331efb549e3c9c2ec256e25ca065c7ce3b878f4ff97f676499c

SHA512
a67b5c402e814b96e56b2d3b6c729c06061bf2e69e31d1f1ed376997820db2909a463c0167edcf2ee2d0604d4429a90635b08b51766165c3708c5423e4fbcdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgQY.exe
Filesize
221KB

MD5
908c8f3932021a4077edcae37d24e405

SHA1
083c79ab7e345016c179a4354bef44a31813bc40

SHA256
1067dc7e4ff656e3350501cd20953d9aca507d60579d6ca323f17f5a7ae74e1a

SHA512
b713eed68f87ad6e669b96e322c92aee46162e6bd25cf6dc76e1618de89dd79bec733a2112943c8ddede556ff5ba3a133317bd56f0a0ce5205216f3aba3a72ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogwe.exe
Filesize
306KB

MD5
aab3e7a0013c92b3db401c712496a8d8

SHA1
0390c4c1d7877c709d8b2cc3fbf8e2b0ff9f7bb3

SHA256
43fd481d79ba4378e216ea059986d4ea5ffd85c953d3cbe29723f5d07f334f95

SHA512
bcdf3a65f887c7092baf299279d3dc846b0dc4f54740bba6e124bdcd7c09c95fd3a94d96a44225a677df233ff0ab328637b51c43ced0c9727588975e15f56cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkYA.exe
Filesize
247KB

MD5
5fba8a12d021d8ece9b1a2fd21644209

SHA1
38a2fd144e56a58735c20340d093d9a1b6af728e

SHA256
ae2205eb7ebcdc11e30b8358097202b90cfb9acad345c4a0195ec64c6534c255

SHA512
afb72a8eb0e3b30ea31c5d344ef18f4678c2f7f1ddb1eaffb287290ebcf653b6ded8671cadf14f1911ab07a0755106eef78dcbd3e230f6767c5dea861bfd2824

Download Submit
C:\Users\Admin\AppData\Local\Temp\OokM.exe
Filesize
239KB

MD5
a5c3c4783f1b76e2c0aec73f39917027

SHA1
aac62d1460e94ce211c4141c5805723f5df47f07

SHA256
b0a337d7f6057618c0168b18db2993d7f8ffb3fb0ece89136a9b8fb7aefc43e1

SHA512
5364a9ba2111ebd3547b812cf49216447414bc9c8329d6d47da6941857bdf7f06ede289cc4fde8b9961b374c7fe7cd641df8002725af76b5d07fbbe28f7053e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsAgoEEY.bat
Filesize
4B

MD5
20f283e13ddc57b6add84cd7ea638937

SHA1
d8690f02eda78bf03f961ad12f3320906d0cfaee

SHA256
aa6bd7c9382a595ef621e65164111ff277df1f6313d718d2954f3a7119e855ba

SHA512
852c035359960b9d1efac0b7333053af9c01eb1679ddfe4e0deae95788a94bbf2ba4bf94b7aa8cedf4cf33d81744897f28c4e6f73a2ccb3ce31edcbfe0717dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMIUEwwY.bat
Filesize
4B

MD5
4d616055f8eac3546061fee2379ec69d

SHA1
6b455f00a28fe1dd1f8821cf5a3a186b1f832850

SHA256
ad064f6c1fdce8fd2d56f47fba3ff5fb3838017b508198501fa5645a507d53ab

SHA512
96ce3bad0d87d9436d752aa45104eddb24d38abc518b6720e8d4f6f2eeae92870125fb424a52c1e1cc9a61d6b85c0eb96f6a1718fc64bb6ef4b4035e4dbf74de

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaoMsUgo.bat
Filesize
4B

MD5
407b2fce8d9ce74c5b9399a66fea456b

SHA1
01da85ae11c1eae555d7bfd9524977707886fd72

SHA256
410a422dfdce0b02dc8d550e0f3df0b81c8d0900f19b783369b3b45c0f1799e0

SHA512
5fcef814763cc6b8128b1b7c1bdc099c24624bb6a1e290c7050b2e2dedc45f4631215e67de77115123126fd8a740fa79c508ad5341028d380346658b69137a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAYC.exe
Filesize
640KB

MD5
2b4198a898517176efcf36af675e202f

SHA1
bab8a9095ee13787850ae2c0c3ec0158216014af

SHA256
3e76159b1cd838ca2c7486a31c528ade78e0ee755d3da6e1939d645fbb376405

SHA512
2c99a42ad4ae9cae6a754d6f257f566c5ab74249782c921d1566007ed9c5ffd1b0abb745707ae9ecd7127f61cca24c423e3c110f637c3b16c87a90766589e2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYsQ.exe
Filesize
195KB

MD5
1a6f2a195bcc6bb63de48050f3f7d181

SHA1
3b5748738a07c9a63b5062252e698d30e4ffbb1f

SHA256
002ca41a4b07cd1ca3ab48a5c0df5d0bb77f238893674dec26e58d96fb6aa23c

SHA512
7c427a7750261354449de36646433d2032335bd0ce5909bdbe2edaec9147b71dad77907e99057c6dd332e2cc2dbbb71027c28c65487c20a0e8ee406f5eeb51e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QegkcEcU.bat
Filesize
4B

MD5
b1a66adbd1b3047baf4f883adf5cf68e

SHA1
7fa460fa377a5e038f43d1a3d18c968ee580d9b6

SHA256
cdc60e2303f9481cadceccb2b951b5ac18df7186a7a484d41ab4a8ea4128428a

SHA512
24c70da3d696d3ca34a11b91e3b9654683d7ab71049b93062e28834824c1ac83d90467ffe716eaf43fde4e69b4ca04dc5478dd2eb13139312c038e0cbee89557

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkIQ.exe
Filesize
228KB

MD5
f71c99defd3f87df7fed67df58c3e927

SHA1
da61852194266a7ed8f5021264607acef3dc434c

SHA256
b66a3a6c28ac866891cb6a5ed7ddf20be91b064e56f814f40142544f5c26bad1

SHA512
a92ce9e0c9406aba1cd19169363602523f4365adeb81ff2ff63d1604c03d255246933f968bc09d95ec67d4e1203f9fece97cae459de9de6c86a1d8a4af539ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qowa.ico
Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qswk.exe
Filesize
247KB

MD5
d5f685c19eb1584ee6f5158f22c7a6b1

SHA1
f8779e85d8eb047f3312b451fba2d0eadeb57a05

SHA256
92bbfe5b16f3657534afc23974f1e935db270f6468b2a6ca2ad396530c89d0ae

SHA512
f53fa6fc145e7aee4a9a9f745bf88bd883e73f58cfa2bcabbd2143ee90dc8060cc23c88fe392af79bc85b28deb39debf3b492d3747abaf36b30c2141680a346b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwIK.exe
Filesize
245KB

MD5
b285297715bde05f271dde8e3e9ab5a8

SHA1
12660e49f35efa607a59e94eef40b8f939950f8a

SHA256
ded366ed9c09475e6684b34e399674e72ee58e685e31eda16a79a70bd6d78177

SHA512
6d71d55c031b169f52b5ddbd5615a5e15b9e5a836114fdd8dd9896328539e3fc824167fdd37699bb12286330eff8ede63652eaf5b76a6c1cb08e69ada8535ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwsq.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGYIksMU.bat
Filesize
4B

MD5
36017b9c450a5b99a2c41fd510b48750

SHA1
df4e04274679366b3791d645ab32d6d1acf25788

SHA256
672238dd4def2b78c020f7541793512c6210897c525535f51585fe3e35404062

SHA512
a891fe57fe2b469c7be83108291448335c4e4069ab9e14769515c282e85071b449f89216f816d41b4a1a9c8b72437f20bb0edeee6564f2a8c7d373f91a9767ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaYcsocs.bat
Filesize
4B

MD5
6e39f8762c1b1a453e4fb227c3ad89f0

SHA1
00772890aa255469ebb48c6961d0ae3dfee354a6

SHA256
ce5e1653ae73d735f6bab2fec0074c413b3bf7b39a979f9fed285f3221f04724

SHA512
ef99f8172a84d096ac1d4e7bde8ad6f4c5f1e647313e6d403846d27893faeb64faf8873d8fa37cc2490912840a82f9d2d123ce6a6643940f4226187f6b3148ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgYgoMEg.bat
Filesize
4B

MD5
0262717f0e394d0896c5e3a84a3888ac

SHA1
be8f995b11918c4d301ff4d745fb4c9c41425ff7

SHA256
5bc3e481b0bc4146405fa4c559729bc96afc911ea72fca393f872f45a2835ca4

SHA512
784f7491292093293e46ac213fb365e9b5f6a108ac935489b88885bbf131cc4588921c9695a9aadfb99810e61c57d253f9197b08974394c87422f13a9380be81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoEscIYg.bat
Filesize
4B

MD5
af342952684509dc67d6618d966353b2

SHA1
22266b03e095a78d0b7eb4ed52d20ab1ab44db2c

SHA256
6329dde7a3e784acd23bfdd95e2af6a23b4d1d4c303d2128c88a206995604892

SHA512
9463c02f6882f85cb61a406f52d57aee7b868b06f0daa8cd7b9b43ca7dc709595ea48551f7d987fee7113237b9329bf1a94bc1a135489ec0a855a0a2172fe96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoIAIoUY.bat
Filesize
4B

MD5
3cf5761da2348de4d7027fd0a52d7001

SHA1
7baa89185c63b3ebb7940d26b14543fb457e9fee

SHA256
ebd8aa892c7b84ebefb558fc06863bd9c112ab819281639bc56069701bd4ac81

SHA512
b55607ce8185924ddc49170ad032f046f2d4a824af2f01ae7ef8cc7efe4065619aa1f61036daace58bc6a3836eff4a023a8cc161b48c2a793140d9d5ac6ca5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEoA.exe
Filesize
228KB

MD5
cde8faa0ed6868ee224c0a06118aafa3

SHA1
1964c6602ea894b2c764ce21623a54ea6e79afc6

SHA256
0098f85a979b7b367f13501cfd4f5103ac29d0f2df380886adaeb1a514c60ec2

SHA512
e6594df501796ce1abc7aec082d3af3de170135673c7d3ab6c997689ef5e688466e27dba5f3826e149f06fba4b4052045fe81d03950cb27dbd9c1e534ee5b430

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIUgkcQA.bat
Filesize
4B

MD5
0b7f953f36575bf85cf919cd77f16569

SHA1
cf0f68e581df18593a602c8c66e8c7ec601d96e5

SHA256
2c904439cd7df9dc9a7ced9da72e67b5fd9dc3200b9d5358137408d74edcdc34

SHA512
46afd7ddd29af306812fc58fa0b393326ef1fe1b13032dffcb0ea5db2f9a06814b02ed7f1ebe92d2b798fc0c2287e9128370be79fedddbf4654e3f4c0e259188

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEoIcwM.bat
Filesize
4B

MD5
c52d2a2ae9f30f7598fa310a44f573cd

SHA1
4062bb883234414d8e5edfa46d322cdd9387de68

SHA256
e7e14b5c9eadcce5361c213ca627c95cec1e532dc259cb23a0f5ade2b03b33a6

SHA512
603c11604f5dd380f09877bc87c4cc867c14e2efb7074a4e4c02bd3c1af7710b04d2dcaf2c7b0cc3fd25df53502330774928302b5a62f6182a710c9441fbf11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMos.exe
Filesize
710KB

MD5
214aed8cb2e4e48ad86da612a385b7c7

SHA1
7121bf4649bb91e124a43e178f912dcde49bc741

SHA256
3ddd5b1ea9c0d637b126259122b651a8783d29a60518693a53274519015c569f

SHA512
fa4a37a3745134b5947f160972e591836b9dbeb80f3a570934214db375eea70d11cbaefb8fcee66a3337459edab207ce841ab8d148f904479ca8fb69bd1a4e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\SWgMUQcQ.bat
Filesize
4B

MD5
5b667a5d70bfffcd43553f1433eb36d7

SHA1
7e8eca911163cb0498785eb29ba5894e242fbf95

SHA256
d0aa01ec17250df0353adf3dc8275a4463bb80eaa75f3bf38efa1d2097636c8a

SHA512
cb0db85987abbed3896fa4ffb52b54a9c83051b8631f16dc29010a27870be4f1645856e4518405f3481536da8cec01fd8807c0c598f2f0f22966bd83dbe97c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skcc.exe
Filesize
251KB

MD5
13e4ac6f6bfd27571b9debc3ddce20f2

SHA1
f5df2eb8bed144daf0efd373d5efd112553e5b55

SHA256
f11088f2ffb7793f920d714dd92721c3e96be17608372a42796a6bd3d8ca29d5

SHA512
bdd618a5f22d1f6f2390341fd1a8f1728dbb65450ab8445af1a0f2d35e68bc4e0776d92e985f71f1709005f2653f27e01d34c790e077c379044228b40085ac9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SucIQEEo.bat
Filesize
4B

MD5
a4485a9ba7c9bd023415397a1d4b8aea

SHA1
b59334b213f45c86a1dba940ceff74753ea2db0e

SHA256
70df3ccc67a66964f3bbe9014aeaa128645e1f4495e2fef576393cfec88f4623

SHA512
05867a53c8e953b2f76e365ada9051b05d89c058f0c4fc32889f7d3cbef8274aed3bd8a7cb601d7b936058c04b98b8d48a57b8f4374baba35c582516ab941be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCEEswkA.bat
Filesize
4B

MD5
90565030f463d0741e88b5f16a9a6172

SHA1
99a48d2dff02aee614d712de0b93ff0609dc9001

SHA256
3c2797da6b8e6c4345be4d5f442d7dcdf5abc5afcac9c6b501f382b9b7abbeb4

SHA512
4c27ca020430bc9a4823ae1c13bbb3d4152623503009a05eb76eae3b18f3453a4b2eb077d83ccbb49861e80c4c5598a0f736bd7932182f2a9fc4e79c484ac32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOYwAIcE.bat
Filesize
4B

MD5
b1a57c71bd5c785eb88387c32203920b

SHA1
1193d533522419de62a516930e1b912893a76086

SHA256
9ab5b4ce3e62745109ae1b8a92693c8940ab17854ae34bd643065f1d4eb34fff

SHA512
34d74f1094176da9dc290220ea3057f84fc65fb8131721aa03fa7e21e931339f2c73eb8ec4134d1f47193c4de7daf8481f07130e30a45e87d24b2586055a9a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsAIMoMw.bat
Filesize
4B

MD5
f565fa6d12ffe0322d44e1d0bb5b5e5d

SHA1
23935ecf094f8116781df6f6b455f46acc8609ba

SHA256
9f47ccb2f990a5a37a399acabea28d565f4085de6e2e95a2b848d9a8afef86ca

SHA512
cbbbeeded20865b231171f6012c0d4815fcded031613c65e1ea4afb17da4163642101896f39c57616628850b4d4a545ac8902df268a40d045be0e2224db9b75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TssEIQgM.bat
Filesize
4B

MD5
0f53c079c9b75815cfc8543ba537116d

SHA1
eb030d3a42be3ed795b0778cbe606189e47c8cc2

SHA256
2013b86d54405d5a6152a6df53d0e61d94249a0b6ca84e09f9e5136ca62a32b4

SHA512
f7cb7826750fbea33bcc7410d2a8e67b78b4e977b747cb2ac53438080442712d99ee10f3d4c10b4fdceae8f897429a8dc08e5121e07f817ae0883f843243dbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\TywYkUkE.bat
Filesize
4B

MD5
54a92cb26320b3322c626f1c39b27fbb

SHA1
f8b641a8830da243e1f8057d35d26405a645530a

SHA256
c1bfa7b0b4d3a37ac6e648ad3d956f121f132ec28a13da4bfabaca5e4c950073

SHA512
0f583e2594ee55457cba48def354a7ca0dcea0f1dcab4e4a5925ae9e45bffc04bd7bbe467e7877c632052456561aa437700b969c6d5fa6350cc58bdf187b63a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQkI.exe
Filesize
246KB

MD5
9c1a3de1800b9febf840ad99c9691956

SHA1
ed2992b3c71c4b82bba4485551d6bef424b8546d

SHA256
21ffeb64d228f2235ce4140c42247a4ee0e2b32d9073a95f9231d7222a370d2f

SHA512
2125e7906fded3fc111579b7d9af7e4c54e5a83bf1ff8f1ca22f25dce09724cf6e2b63c5c23d6eb12bc4a18f52908649442c2b1808a1453f423cfccefbeb9010

Download Submit
C:\Users\Admin\AppData\Local\Temp\UecIcUEw.bat
Filesize
4B

MD5
43d672f404c3205878917eb90022f6e8

SHA1
66470fc0100689caf3be396c2702c4b1103fd9e5

SHA256
2983901eb41e11ba75feb0e9aac4436def31dc74506d0c1499e95e83c4e9dda9

SHA512
418d7c2563f66a986f2e16c8f81f8f7143ad592174cef7c0d9e99d80ccbe2dc8c2eb41e44bbe078370ce63aa8d797d1097ad03c999272ae419d8ab77299b6d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkEc.exe
Filesize
229KB

MD5
d51f13d5b999da93bcb87a86f6e63514

SHA1
a8176d91bdca45df7eb31628443b5d93020c8140

SHA256
42f3be9ac860c14c2f1693a4054be5e974a7294689c0f013b768966333f2139b

SHA512
9bbf098e5e312fc8e8ffb28719cb8121d04c9ac5d0caabe629ef9089746592fd8769b26d7c0de3bddd058a2c053a322c87b3659f7a0d0789676279414377930a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsEI.exe
Filesize
227KB

MD5
99c1fb9aebf32f586367316590d1a96e

SHA1
267db07337530591369b15339fca3c0d41397e3d

SHA256
0f03e08e396612a65fb3503e3d1f0ae3d00dc74f4bc9469d5049259426e3b03e

SHA512
a04f6fc4e990a847d50dc3f2505b8b62d9c6be39ed847fd1fcc15449f856dbb81bb5eed9539e108c67e16dfbf76aff7af9e9c4d843851780947abbb48953f403

Download Submit
C:\Users\Admin\AppData\Local\Temp\UucgskUw.bat
Filesize
4B

MD5
07fe58b5da86d96c13bad4f7c8cd3f46

SHA1
0904641b681fd35c8ee6c81dbe549ac769dcfa2c

SHA256
5242c564a5c9af6445c39b92b5530065e4b14a9459cf483518e4c72dd51c3c1e

SHA512
d9f03b85606d05f457c598913dc6e5ccd65a84be7ce89002e9fdd6c66092b8b1d605a63693ec19a4c8c5f5f68cb62a078140f62067989e527d06bcbf9a4664d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwUE.exe
Filesize
207KB

MD5
c2b0a731236c656aab5d060c01a255ba

SHA1
62f165f92057ac1d262b36681b7d78e9d7af0929

SHA256
f00a994c244063aef96b1bf8021f062c43cb71e1f5ab336e159461b0a547d424

SHA512
8f657356b9fa2330893d89dda55c4b571975e61535e62079d25ede6e168d595bde7d9ee705e69706f0d2b277a43ada2fb21f05a73a5d718710753700ae9da802

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCkIIAMQ.bat
Filesize
4B

MD5
2b4ac643c81f380c829cf97732062a27

SHA1
aa5c91a5dc2485f4370cba0c17d89dc272d1711f

SHA256
31117cb1e03fe4e26f6329aeb83bc03e630e28e1f5fde0e7af6fa7e85a1bd8d9

SHA512
fd553d04eb7e0a9fd5a750cd2059f961917188de8759c3d863cd14f957ac4123a1dc1eb2257156518fdc0061143ec9288216f84b9ce808ccfa4d057ce54124a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSMYwsEs.bat
Filesize
4B

MD5
8494ec246812080ae59146e545475da9

SHA1
52d3776479f952dd0db1ed6af3634f3d3ad353a1

SHA256
28bb001285743ec2b0cae41457dfc715e14217cd0eb06268117402d515da9aaa

SHA512
0e0f3c9aa75e467f5f453e4154fdf2703d30d7085c3e582f96cc44abe80c3284bd481bfa2604b9b0deeaab2f80808dd3f4cbb80fa83f5272ce7e6f42e2bdfb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeAUsIgw.bat
Filesize
4B

MD5
cbe31fe448d22e529394546843a6f40f

SHA1
1fffbdc25826d7d2204334d0c3fff577dd584384

SHA256
b97f1b4d3f6bdfde62f402b7d8ba27b4e97eebe5ef0f234a1b0457db4e3995a5

SHA512
462f9ccc425502c3ed209618287f9febbf07be31f2b370f7071a600dff7bcf770811bc48cafcc46647ae90e2986c6aa56ef126df704b6261e770fab1853b92a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOYcMUkI.bat
Filesize
4B

MD5
5f69e1b6571b1f6e70f12d2f11095b74

SHA1
f2ad0c740085d48de8b0c28dc8a0c9d322389833

SHA256
af9f41ea746d619184be4d6911aeacd1fb4bba9c693e749cfcf09f344a57faa3

SHA512
c321cafddff2899e5dfa3bd1137255a82555c1938276b1957fd79827f8a432d98df5a9d232362ca643d4927176bfd47681d5cd499acc79f081a0c1c9686462e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WggIQMsY.bat
Filesize
4B

MD5
6581980bcdc174a3b5620a4cb1d4cdc4

SHA1
14daf283d958953fbc844c946d14104b8ba6de8a

SHA256
16ee19d11dd0d54c3acc395afbf76a26541a79810bb05e5a4dd21a21c310341a

SHA512
84eda82266e048139c57d3520550973f29e892e713f6851802c479ab486f7d860356f8a12cb880c83780e4ae9a87ab77a7b65e36e04202bc4daf6fbeaeb1b127

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqQYMMkU.bat
Filesize
4B

MD5
e4cfb81f50c0313c2d18b497e40a6990

SHA1
9f627ed5882057f15f30d760ebaff5c40839c14a

SHA256
17ffb9de70d7649f3d975ade5808d8caa69dac588b6e813443c63d0703546b38

SHA512
d69fd104b8551cfc11017c36b7984cb6334331936b494ce61bdf29ad85ae84de28e7e4c403b451f047304e9f4b725e6074e82016478dc9d89441919e5b5c1ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsUW.exe
Filesize
232KB

MD5
698cda6abd41936b36369dbbb1b9e1ed

SHA1
d90c666acb0452aceeb6a84a16afa17d2701da61

SHA256
c5e2ded1795d0e5ebd73d70935d62c8643a116ae09301564a5cb3f1ba2b9a2d7

SHA512
45d86c1646cff9100521f7fc61285881d59f872f1c36e97ae622cdc83c3c3184c81a664f318b87be728aa86dfa43a48a54744d4059287afcf28b2a908ad3610c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WssQ.exe
Filesize
245KB

MD5
fcf0db240c3b1627b68d0cfb95942c69

SHA1
fbaaeab2738220605accc85eb5fd115b27f8e288

SHA256
a0203cdeaab21e7bc25d0adcb8d1a4d43d6bd9626a54a733739cce1a53a2ee34

SHA512
3905dabbae12050d3dc55c53317e9a9e23a162b4d9dede102f9965cc6b940fe1e49acc401845b27bb0f65afe6a6e1510655d6d6920cbe7897f847eaf4e56ab61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwgc.exe
Filesize
237KB

MD5
7669b562eb6970ac57a54349a3757117

SHA1
133612c85fe8c7e6205a85fedf3efe9418c853a8

SHA256
4536c2f789e86dce3d6b6adcd4210bed51f6a0a4d79862a381f22d51dbd53a46

SHA512
0f5545fbb25b79b74c00701ff0dae78e5d2397fbb7bf909fa6efb91c0f052934b6f00e5e886660e83f46c78f024287a4d4c8ec377f46c52ecba2222a5003d665

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWcooMAk.bat
Filesize
4B

MD5
bd650cfe94710a448d9088ebad88bcbf

SHA1
6781ac6ad24c06070216cb2d0b0d7d38cf44fe86

SHA256
04b79cf15e62021da2075c8d869187edf15a8bd54e4cf5985954be0bca2d2c97

SHA512
4a6a2ce4ecbe764d978b4d730c8098d26c8549d0bfec41ea8ead13d81c9295177f49074eff4d6e5b9efa23d619156012f12a4fda32053f087616c12cdc2e9220

Download Submit
C:\Users\Admin\AppData\Local\Temp\XiAcwAos.bat
Filesize
4B

MD5
a5ce6bd7a7e93f27bba8dcba6fdf184d

SHA1
12fa0f9f9d7e808f98dee53808ef6db00039c244

SHA256
6758a68c4397f6b0db5ce81738b0535af51976d784acf0b20ed62fef6e7713ba

SHA512
036aa9cc34aa3ca7450bca4da0e281619fe6acfd6e87a636a35d4cc565f2a3161c050e3d2afd0003bf9ccfb5087e0c68e9c8f53fba99ced89a87113796dcc8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XycUkwIA.bat
Filesize
4B

MD5
aeee114d62bd099a612b1566a9d2d9e7

SHA1
ff65e2fb56f586ad1ab7e4d7953a40e0f15616c7

SHA256
7e499998dbec3b742c13576f971370a4393ea48cabcbab65f54dbecfafa41453

SHA512
7618925e3b26b56f99c50b82e9555e5bbdd36d0727092c13b765ad5a5fec5edbf33e894b40b6994cab72077611ad95a1bd4ae10eb75246e7a62b0b83c1c0799e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEAswEog.bat
Filesize
4B

MD5
5cbe204e6224ef45e96f391a034a0fae

SHA1
f1d1c37a8f8d861fdedb7468d2f0198db38f5be2

SHA256
54c1c32f8cda408c632f3c3b0aed817e43b3bd0bf93c2ced711bdf80b3c61a7b

SHA512
11e8b1e262faae89f6eebfef486f9fa21668c3252155618f76188f1c2192c08c4557988e3dd2c24c476f2353a7fb3f80ad8f3f2ea17015c4cbbf5d4b148f8aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEIs.exe
Filesize
240KB

MD5
5737a583edb8d7e0b2ab35db95520012

SHA1
5674194c417f35c7aff980a9a621fe72c3d2ceda

SHA256
1824db7b6159ead4b4836476600ab5fe2736b00608db59f21c0db0ca377bc464

SHA512
3debe80f14ae5f83113f816ad47149240d8d23755ff073e7a12a7bc9b86768a175ee480d4118031035d39fef9c73c80d207f26351216fc427355689a3c38cef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEwM.exe
Filesize
242KB

MD5
829da09feada101bdf3966cedf80d59e

SHA1
2a46837ed0efdb424e543cf02d871b86b3cdf59d

SHA256
8dc17fbfb2d5fabf9be84095e8a93ee597d635ed97bad3add4f6572130055150

SHA512
c797baa201725dace82dd8f187f6bb6202231472cbe67dbf797c34303fefe22c85ba23de10f1c98937f6bbd59785d5b3513969962b57d1bfbb769caade36ebb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEU.exe
Filesize
199KB

MD5
9e5d5c65bbb1775d11c3356ecf0a89ab

SHA1
698a6147ea463344bbb4c7e10fa9e75bc5d617c0

SHA256
1cfaca8e16c366ffe86a3504529cbca0a53cf931ef861eb5437efa9c3ca9052c

SHA512
68051e58232ee01b4e072e294c39fef561f2acfc534577886afb7e8ef6dc413b1d727aefc73c22662806a77bd49aa53f92c7b9cf0753fe3a18ceb70ec7717a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUgg.exe
Filesize
196KB

MD5
ff610398bdaed493d9849870f72f1cad

SHA1
c2d468aad8af30c31232936be14ba47fdefabe73

SHA256
ac32c6d330bc7d6d1558ec0834ab33fc70f045359c1a673a0f4ccf05543c2189

SHA512
f19c6af3fe624001cbac42f6bcff885cac08017b26d4291270ff9279921d9cc2e5c1278d680e3deceab538f35fada7491c89530dcb427712ba3f84d1a7ab768c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYAwIIwY.bat
Filesize
4B

MD5
2151f93c1e5c384e567d98ffce6059e0

SHA1
289d7d163f9a4cc88bb9cd499655ca272a7d5040

SHA256
d2133579190f1f480ac29170ce107d0f5bc5f9c621964ffffaa5a5454e7d7c33

SHA512
3d33c56fe744669aff9a67035b75c3dbf4350433100922774abcbb160cf882ad3772bd34264eee0de55c524ec187f82ff149e0fd8edbbccd8bf23978d2b03456

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYYo.exe
Filesize
4.1MB

MD5
20d97eeda01384882a59c2eb721e0985

SHA1
72e3d4b1f434236a8b754e441fece918231799b9

SHA256
ad090dd364ceaf6ed3d1bb8dfae27c99b5aa1177abfb0f1627c5f64e12da2b23

SHA512
1d491f61dc66dcc48892fa0905d1adafd615ed1b5727ebc9f15494a28b2b387d50be1f3246ef2dd117eef7279097182c1369bb1299709fac2e0f41fa98b400c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYgosgEE.bat
Filesize
4B

MD5
dd8d73e1f9e7c6387d606fa5ab968e95

SHA1
e1cfdcc8d65aad18f6799f0dec37378ab666eeb4

SHA256
ba251eedffd1c328fcc2325a1ca02e04971c4ff3b04b908f6ca1061b505306ae

SHA512
b00fb55c5754cd7f5384022114f22ba0aaf8498bcc37387a1a9a08cab0e96b548e46bfbac1fbcba57dafc26963caa029e15f4c0bbdff5b1c1d4eef4b17e547d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgEIwsgI.bat
Filesize
4B

MD5
504ee4db68cf1be498acd79c4c80cdf7

SHA1
37c7a6c2ad87c4e7a4491fc6c970f3d2127bd262

SHA256
0274ca9c274312125eae9626dc01c1dcf855b5757edf9771f7281b56983879bb

SHA512
239f9f15ec9adaf11dd6d2499d2d0023997b2f56204861bfe1a535d94aabb83022af4296e7533a955a23591bdcb4c020e55a53b22d79c020165a25bab8e09440

Download Submit
C:\Users\Admin\AppData\Local\Temp\YiYgwUcc.bat
Filesize
4B

MD5
92c4c3ed9bf641ea9ec9f8bbe8b6dae9

SHA1
36dc70a09ce3f3942dbfa992369241a1aa3bd11a

SHA256
5e78dd74ad08a0affe71cc32dbfc67b9c190589ac12defc2d9843fbfb13505d6

SHA512
8c1e2e45a4b962f8586cfe2f7f3c8c73b22555f2cec8898d26e1be9a2bff219055cd2e5076494bb53a23982875cd397410a49f2ba531ed5be6f45236747c73c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcskwccw.bat
Filesize
4B

MD5
dac0c56366cc21402d09026864d83936

SHA1
b70a8a495fc53c35ccc80507cc7eaf74f67932a5

SHA256
11073867586bc487f9433d69578a5b17ea2b008037120b468834fca7c4d439bd

SHA512
3be1fada66d19e79cb36fee6bb50969849a0d91962da566848afa3f5e215b76ba8cc806069abd055b97468438b70c034606708b34d701902e724299d444d1a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQwU.exe
Filesize
958KB

MD5
6785911f21834da5961dc6cd435d4955

SHA1
9676a07945d37d976cd89f2699edb0aba0c39eba

SHA256
6e0c7bdd54484273ccbca2e649670e44971e3b50e72c629bf0740557fcd5681c

SHA512
b7cda1d9111e275206ee00f72968a2254a82d0ded7db3b4c0ecd9b7d90d9b7a186c9c07fa511cf1dcc5bef8a7f0949eea136816689ade7c4088a9f632b7717b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUgYUwAQ.bat
Filesize
4B

MD5
70c15d26cdb892be3870850517db971d

SHA1
92affb13c37a893e930ea95727c6c44e415e0f44

SHA256
be8c05447b2dabd47574b658cd1086cd3d878dcef8c1a2562d4f5b6cfb7f570c

SHA512
d67b4679ddee36b847b98d75f9e348e49cc40c6a3b2a52b9066c7a779ffe50efa597bbf99a68ae575828f171200b3bf8a2f9f7b4e0608de229abe2b1c6c1b637

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUwm.exe
Filesize
243KB

MD5
fc7332d341006c3a1e31a7a1933d3b5f

SHA1
31d6764575a939f662f6734b6f2806027fb66fff

SHA256
60aeb4b83e7067446049ac2b4026346d161182314c3b8e5f9e1a66904f49eee5

SHA512
d095671108882ac64ebc8f980d5ca1f6fa9c572fc04081fcc74acb55b5f892b99d9098619783df5bd39e8e9d12fb39c97e67db91b4f939550e798560eab75d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoIi.exe
Filesize
194KB

MD5
a9134f44c8c2f4a07f186b36a8d8fb1a

SHA1
7f2e4b74f0037e43fa37db9ca634c0b5d2aec49c

SHA256
4210aa41b96b36c2a6a5dc70a48b8289f7c4553d30d3f5d8308f2c73f91ffb38

SHA512
aa8f6e2171b723c5d0c68edc595e5f50b56dd6b3a2a682d535d540b112f4042a45e00b065a33880f6f849bc19a4f1924f220aed4331be98dfc8ae2138e4c1eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoMC.exe
Filesize
235KB

MD5
cf3ae30efbe4f4dd799a1c8ffef8db52

SHA1
c4192f297694319a2a58cf73c83aecf9f243e24f

SHA256
698aaf2c26a22ab5dc41ef243ae811d6feeaf35e658c97f37f989fb96656000e

SHA512
5902d893a6b846a19ad2726dd32882a2546bc337f6d3156ca9e836cb836846ebbbe5f1ac784a56fb2feefc830e5af4023d6519e9a450d77a64891cb31cadb6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoMQEMok.bat
Filesize
4B

MD5
5d67208c769c6ba5f5731c90eb11a781

SHA1
9eeaafa5430e281e2390a254817bb6fe33528707

SHA256
73679611aa5181e0fdddd942f200d8c6eb5d0fb25800a4fab04a900d89a12f37

SHA512
0eb7ca7e037e44ff2289426be4f25ab0562d12d3ccc25965b3fb4e8eb199240824d1d035b5cf66f1bdb7cad509de4122beb1e13033a95a84b3a0d398d0934ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqEAAgMU.bat
Filesize
4B

MD5
4205c7dc11082b691fadabf71e7bd0f1

SHA1
c992d31e8970e78893ecff064bf43b77dc4f25ee

SHA256
83f2c1bb3425d7f88ecb0d0e8c209cff992553894b40fd43958d20a9430b1791

SHA512
e3230a6876567360d8ff33a671bae1c51eaa6a6d9f2fd06e3077c729cb9c0635773460df07a9862d98ae2c4d8567920edba1aea41e4be4181334e3a17248bfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqEMAIMQ.bat
Filesize
4B

MD5
cd30ea1c6c6d99e39c071fc17298c094

SHA1
8296e61c2c107919a641df00bd012b155d1ced6d

SHA256
7ab546dfc705003b8d1e25e6fad6e8abca6a53e578a01ead69fdbd3aeaa95a2d

SHA512
5b02876fc5b896ad6585487c2af64c58326ecae702b35086476216466111a0a87177c76410ba3c70feb0be9993c66220f8d28eb2284d09beaddd42487c394401

Download Submit
C:\Users\Admin\AppData\Local\Temp\biYMAEQc.bat
Filesize
4B

MD5
dbae26d6a0882f492626b9760c9c1b48

SHA1
2720fbc570a78ecb92ba9d9c393c4b182eb6bff3

SHA256
fbaeab6a1a8f66d7344957bde229e830486418ac18d057c639f87ac584d6c0e6

SHA512
3611bafe814ad254121dc9b11159624ff6bcf1335d435e4969010acd0595ca9436982686d20a56443c42c6fab3416b054ea38ba3023b7bfdd1a9e72c51de2f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQIy.exe
Filesize
247KB

MD5
e7a50e667eafca202ff0a5fba026f28c

SHA1
4892c16d15ca5561085c8a08403e70acb43b0bd9

SHA256
ab2059f388af63f6363d3689da34ce3fc80e76f118471f4f5eccf998de12b229

SHA512
b76407fff36f4d3ef18b8d00e9c8cc1e895aca8100465c19f43217f0f9d48ce0e25d55facf91241f8d7562f11658951a0f2dcdfa2faea930c82fa48bde0dc49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccgA.exe
Filesize
239KB

MD5
98f46908a33f29ee99b3ccd5c89d6900

SHA1
1d00ae88d72aa0aa23ecbf17d171ad22a9f88f8e

SHA256
2d02f538671a29cb5793fcbba4b229f84657525ab8475e101c45393b28811b3e

SHA512
524bb52b58f6473077807db8879ac03d1889564d7ace5355284120af7f7b3f50b97b563a46068a8eead25cacc5f073a407b1a208bb5c668d3d733c471fe2632c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIUIkkkY.bat
Filesize
4B

MD5
b23609c00eafadf1a6e2e04aef20aff4

SHA1
b1b82d9a44203b9f62a4679a0f1459179b79aad9

SHA256
7c32e0ec18afb15f4fff4bacdc36802c4160db02510b58680f99aa676cd14b1a

SHA512
975626006ac1530f36ec13d0cea4eb14420bb988f770ad64f4e5f12b8fc4cf15aba3f8c00cfec6388fca856094f6de14ef4d080926b773252bf36a0c50767134

Download Submit
C:\Users\Admin\AppData\Local\Temp\dscYgMkk.bat
Filesize
4B

MD5
cb0d96703831ba885246b3690f9c5c52

SHA1
4285b01ab441838279e595a8c6f4d3df485a39fe

SHA256
4aaa6c16896ef1633705541b68738ff04042a20eb606348c7293934f4a3823a8

SHA512
09c92d281bf2ca669eda444d3a914515c8c5a3c74ff91b58de4d098d8bbb26fc6dc7843764479c2312ca5a8c7519c054203a12fe9e6677b60ea799a39523f885

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIsE.exe
Filesize
241KB

MD5
9b077b0932857e5bff9408de82d4906d

SHA1
ec06613eaacb88f5a87ad6f3e3a81536fea49fa8

SHA256
66e8ba015bdea0b94fed0c2c17fc940557893b47dbdd8c4f976d4d9de3fd9fd6

SHA512
ad16d7686e878be40bf0a745ee92ab9648c51ee00ae43c11b99202c9f15b1d4de93f39ef02845d1f5ad9c95a2417d224756aa69b3c02e735b1d16caf826f93ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQMU.exe
Filesize
242KB

MD5
f6aff347fe03c28dc532329da153beca

SHA1
d69bc3153d8fd7efc4a29159f57842ad58d5ef5f

SHA256
b744afb58958a39b9528fea1fe8b4b3e405b34c010116b7dd272572078c0d0bf

SHA512
ab188fbfeacb062df27c23c9694562349c9cb3434884d3a467773c66cda610c9df92fd5749a38a1372abb7d3a91ea8c690c5ee7ddddc91390ae547423b79184f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQwI.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecAC.exe
Filesize
644KB

MD5
89c3da6c94c315f41021e12845b55a45

SHA1
6b4e5f98d6552650c218cfe132b629815b21f41e

SHA256
e1ef9f4fad19826b8ba6f219c30577ce3fe9bdd7efac8f7e4c1f8e67fd422325

SHA512
e5e1263d247a27c9e538c9c6e5dabbafbb35a6a4ea887aa26ac842579962ec248d06a341b3b0021827230ebd28de341c73a7ef4a8b5aa33aa06246852e294b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\egMg.exe
Filesize
238KB

MD5
3d871eac338cad55c6af413297e13030

SHA1
5c9351a70367c0c9aea5bbab222fab772a2614a2

SHA256
1726f3c2bad7e90c9fd697b921b0fac40f0d25ed57e43434cba814c4110af893

SHA512
858bd9f3181bfc7d782ea2685a3261ed5e6162a79e3f4a99adbfe0ab292685b94a4529d434bbdf95ba3c6e93990d36f407bfea6e98aaba7f7071616af5de4c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\eskw.exe
Filesize
231KB

MD5
5ce5884123c14abc09d55cf8fd839ae6

SHA1
f465636d087582e51876d00740c5268a3e8a65a2

SHA256
d7e013260f01999eb1a9c168f37d77099c5d6f6feb772b046c8832cd62bbe42e

SHA512
24350e5f4369e7d813c5b7d52f3077a4d691751ad1c2fd7038b00d7ac85e6d954bff8be315480eb77cf11a89e0c41665189eff5cebbbfe70132b83ae68d2648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWEgUksE.bat
Filesize
4B

MD5
1ef1590fcde13a1db32d21c30d51eee3

SHA1
4bdf98d7e46647acd16066208b0c7339159b0d91

SHA256
730b2b15cc0375b7f38148c77ca3fd23482b68e32d0102a46720b44af384e4e5

SHA512
952083ed3b1923b5d81ec2aee9e7deec94306a1a68df88e5a249bbea02168452c0e45cc342a7333885abb80b558ec34338aafc66dc2dcd50171209eaa84c0c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAEm.exe
Filesize
226KB

MD5
b39e2913170986847f5e780169e43ec2

SHA1
ea54f4860ab1c547477898a2f5c238febb17a375

SHA256
edf734853c21098c0b6127bf257149368d76d4eaa26f0d80b737e7767abc9100

SHA512
68affca40a438e733b8849967972bd55d6336ea8a23cec5239f9ff86354f7f2d7a39dff131f56a07eeb98264c4928c992c6bda66e32319658ba46f6a9cc6e564

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEgS.exe
Filesize
1.5MB

MD5
beb10af0c07bcf1a2a750629aa60233a

SHA1
b00ea7d7cb568510aa2a962e9ad773ab6f919841

SHA256
7294abae2052a25d28768aa5ad3e13d4172edceb421d0e6b91283900b8327e90

SHA512
3e40c60ec1266f05c9545cbcb41ec9a0e0d4ee7234537c024c386c5280118910bdf7ff0ba726027cf84294fd3360f677d3b1f7484bc4a39ac07e67e5b4896947

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIMY.exe
Filesize
818KB

MD5
c3b3f9bd095715f735094ecac7921804

SHA1
d3e531e5909bb4752536bdd75b45e8c45c4704ef

SHA256
cb9291520e8c0ae523c91fe52e1866d6710427b2d4623ec37dec6a71c0fde74d

SHA512
2438b626070ee1533d73a0e1eb65e1b09daa50f70865ab516ce9ba45c1f51b30baba97bca96840d3491a8e977f97a0dbe6a8a8a9aaa4e2cffd40846539eee9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQQYwUgw.bat
Filesize
4B

MD5
2d156f7ed8dbf622b0066cd1d4163dcf

SHA1
6b8d8a2745d0bac75878315b22efe52bc3588195

SHA256
e0c589c28f3f30e86d23da4c188cda7ecb4ab7ad4e5ba214028ed6f4c46722ce

SHA512
7c55d03acb84b423c11ddb30470887e1ad7e371329cbaad41f1425382b51a1ac7a452de08476d9c68cf411f5d66ba76f559ec3566007fe471a73dfc5e84cd913

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQwE.exe
Filesize
239KB

MD5
127497056c993d029a42cc84eaa046f4

SHA1
ce9dcb9a5a33524fe12ccac976176811e13d002b

SHA256
1422316d30cc8b0a556ad8729b601b351cfa9621675bf23c5bbeb470e8e46dd6

SHA512
0b51c000f2b84bc589f93c160494da01b7d4beaddf4366542535158c57ccb7e36d906aedcad5cc9b1efe14f81cd856b6857050854134019a8640492f8217cb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKgYEEcI.bat
Filesize
4B

MD5
a5b4cea48678d534ff3fd173d7a847db

SHA1
607d145df41965287a158ac8754b32c61420e24a

SHA256
929b96e2a2ed04c57e09e8d2a07d2e87b7c2a2764a577378fc8639fb4f2ada8f

SHA512
8a4c0235165b83b63c5be4dbb20d0e2d79f13e501dd16069f6572078290a84ed4f93730b7eee51903c5234917adcbd65cfc8f2989d591ecc6de38cdf10d3054d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcMUYcEo.bat
Filesize
4B

MD5
15992cf83756d53c6044705fdbb18bfe

SHA1
14a446a6967c3a94fbfcdac87bbf0acf01903bbb

SHA256
f5323759d1273429a6bfad246876b845347beb53e1d6b7a96a1a3a70afc5b3de

SHA512
b4c5eaeee4d77616e07733325e2d837eac631cef88960c59cf1b3e19bc071f1ef8122ba8dc1c62f8562e0e4a27f7fed954660626a2289c09ec825d7cd09dc446

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqoUUkMw.bat
Filesize
4B

MD5
ddcfc5d5e7cc14aba747e48b2f91b78f

SHA1
9e81381bb524c57135e7ec7fcdd8af521618bb5c

SHA256
02c84d231e3e133da5fe31119c058e2cb82a610ea8b0f3d40b70ba7a6664f8ed

SHA512
3a05b9a8586b2d79752e80010c5307463fb9696888ef07216008d6e9d49bc5429c78883cfce1d30b142ba28020d2c4d2abd3e09c36ed1a58058759d6b875d8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAca.exe
Filesize
192KB

MD5
4c141a35ebf7dc5e20cea965d5a72285

SHA1
713342b9b12bb9f664eb5fc1b98dfcf2c1f158e4

SHA256
7c66f313e3c2cd940164fd91ac2d3903b0d3ebcc9bf0b6c1a10a3241759376da

SHA512
1d3a212f570bcf790296f3f9f1ddeac7671598323d4a8521bc86018ebf3127386e44a28beae2e27d8831b10ccc7a1e030da92dbd0046ac362f9de7285ea804dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAce.exe
Filesize
750KB

MD5
17319a0d8bdc38540dbca76083f54abb

SHA1
27cf76bab4e1a078de11da4e142805f4cef4c085

SHA256
a90321d1744c5ac629ec6aba3f849b8a177f6139b05aa143ccf3f342a64d775a

SHA512
2563ee7ae79c831e8280c37b5e889e6e332027aa4613c8bc043dc78ed05fb8552aa1e356c077c335792e9edaedd5141cc1b6e9f5858c7f3f8002e1f61c76c01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQYw.exe
Filesize
329KB

MD5
6038fd7bf77172f3f923c47e673eab32

SHA1
978f527be1dd8e08247ebeeaf7dfdc87470d20e0

SHA256
f885330acc8b9f8d52dae49502bfd9b626ce83614932edccebed5d9581a06a3a

SHA512
4920590b90017d773ec9e9e1f978b4f89279c2d64bb83d4f44bdca0b6b0210d90d6dc7b4625e7654aec82558e1716271d2a7dc0ed1c23bce146ba6e298826e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUEcQwUA.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYUG.exe
Filesize
240KB

MD5
432153ce7e928b4b6d0690c09d5cc3bb

SHA1
0fe2e3264a941d0230caf65a68783b989670c513

SHA256
68e096e6bdb1d4a0478d73f56b44a6431820c18d8c418f3cf1b4f6726f980b9b

SHA512
07942980d68347c6b391132db60d2b7a1f9805e492d92c6f40fbd822a7370dc3d28361b7f4c25aca52aa1fc5f5e8c7eb2700554f1b7f3b05ca7bda0f807063c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQMIoYIY.bat
Filesize
4B

MD5
7611f4fc91ff775c5b2fb342d4e04501

SHA1
1841ef87922c363868776e0ec7e9007cb0b4442c

SHA256
addc036c57fcb385edf6fa0693fe0bd3faf88cd0e46a352ee2b6161fdcd2edaa

SHA512
e57f0bfbb00602dceef6fbeeb24a898f900057237c55572bf59db7ca0036eba3f387dbf6dddb1f98ae521f5b012bb0d639d82d75c7b1ac77dfff74db5a596898

Download Submit
C:\Users\Admin\AppData\Local\Temp\jSosUscg.bat
Filesize
4B

MD5
b421ae0771a85e652e5aaa31fe66e42b

SHA1
90c5c10e99d628b5db52df8f59e77b6cfd89db34

SHA256
4270ba77a6403c2f55283e577ea2f0288124c72b51a70f6dd1469f6aea167dae

SHA512
4db9a94bb140ffa3b4891f4ab5cfe9ddc46f545cda047ccffe0dd5534dd89e0ee7e81274816972bc773489d1b05ed42a70f7309f15f8c45b4fb2e8489ac2c5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWUoAkYg.bat
Filesize
4B

MD5
d630c06e957f55b38082c15c944ae5f0

SHA1
7959f9d129357f82a5e032c78b5492ee10d61a69

SHA256
8c4a76de4166e291e6ab9e5aaf9071e506b09638ae4f17b956cb7bb439a5798c

SHA512
1691cfa6da4b25543c014ca0099383f9db1a7972f6db993a15c36eff4cc6ebaa93aef965541d2ad4ff535ae701336f48ae839b62e15e6746109624850638121e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jecIwkYg.bat
Filesize
4B

MD5
0ec542ddd4db3cdbc0b8b3bbc4a36104

SHA1
51a7518cd3c311d043cf7c0ee5b3b828a42b87b1

SHA256
81a0824cab0045983cb7006990a85421be1c88b910ab313d97d476197046e65b

SHA512
3751a9654fa9e828b8691d334bb206bbcdd6eaf246df3628aa68a64b1591304d3ad6526b0c012e8e48f1ea79cd7806b19f53ebcdf508d437706f209b232802b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwIckIEk.bat
Filesize
4B

MD5
604e0a73cff734d80818c61347c9bea4

SHA1
f2cf195c96cd22dac5b09368eb0f72141f6b3705

SHA256
963c066344fa5ee72c5fe7070822b99b9533ed67c3b5ea3ae4efb953f5e247e6

SHA512
cf5497adb247c8a9e6293c55ab3c1c2c5b0dc9774d654eb391225e02d1499a3a2d9e679211a24bb6323f7a4b1fbff6876e89d44612640911907c74fdd918f994

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAgs.exe
Filesize
246KB

MD5
7b081f2b8988f0c60818188b63729038

SHA1
11581c1aeba891640513253d602b65d93b69f633

SHA256
e1d85d5f5777ecf455b4373cb3601059e39cd4fa94b153b5ef49db8181226293

SHA512
ba99196d18f4624509fd0a85067da36f006ff6432f7df84c6017076e0120aed98f5d96a862f99211ff50f66fc32ec48029a9e5c149e54313fd889f52592e3561

Download Submit
C:\Users\Admin\AppData\Local\Temp\kCQogEgk.bat
Filesize
4B

MD5
50e50048cc4b0dd60c7ecbd7432ea15e

SHA1
989489ff0b0fdc311428b2e020f9b1843c881c5b

SHA256
243c17f4ee74706dd6608448ae7509cf34106c70db5e4d23c2849a65f071c74a

SHA512
c855e21c884d5fc2c7328da7fae67130826773a770c15f0a96d0ae2f8b2ce20fc6494f75c62b327f5d817bfbc298573a266d3e960824f351b15ef50885460e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIMW.exe
Filesize
252KB

MD5
e69c00ed3d58d36cfda0a1c5bdef4c2c

SHA1
004fab6217abafab0ce61b97b0953578e8548517

SHA256
1325f1aca33e5d6c5c504b580bcfca4ecf39f6dfdc4057b21a88243ff550290d

SHA512
4de66ace764212cd004dd2316e0f3780847f666ecb845fc88c2f7dfd736ed40f5315691e3091f1dc57db91b91de7a1cae095de8147b4b55c2b13badcc652771d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIUYwsco.bat
Filesize
4B

MD5
6725e55b88ad1bea1b96c3828ee5e2b3

SHA1
d3cb8c75ece6b106f5e115e618a00108de8ed278

SHA256
3ff150731b79e58c35a28f0f83cd9ce8f1acdebea5b094da09d52a34c9b3517d

SHA512
54873cfa0790a087ca52d8b9b867262e37538d6ad50f0cb3d7abe61f82511a34c68e7a5e5f29d0cf8de78e77b86fb9a5ff700eddd3524d77aa014f5efe511738

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQom.exe
Filesize
210KB

MD5
5dce726a2a1b108c3e4f1e7c59aa11b2

SHA1
89f14ebdee255387a59cea4130e91cbbb7340170

SHA256
7369ef10e617896c6e41fa19c5b42798d4d9de6d8f6bc43401ee0eb4193575a8

SHA512
8fa69f7493dd0f5bbadb20470c8375560cb0d53ea4426f9011fc45ca0c8ee70ac7006b76e657746f8237e30ee749f083fccc9e9dc62c267dadb27e5d382633a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcUu.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgQE.exe
Filesize
203KB

MD5
17c61e055c70f416d06fb9b3feba0530

SHA1
640fa35c549164e3cf9f1fd50f689943d3fd19a9

SHA256
da2a783681a52a9c5ff26b06fb0c76e118c3fed087624ec5fd1d4b3f6cdc3236

SHA512
53ac19cf714e976e4070f1cd84e5db23e33150907cf47ede153449509f66213916b74b589d09966a9a8fc65da2e2f5ad5c443a14f3bace41c9047207585bd3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksoIMAAU.bat
Filesize
4B

MD5
e280abec2fe798c89846ffaa7496043f

SHA1
848d4e3697b3b038587120457683265d9f708bc7

SHA256
6ea039957d4f18ba2da5cf1eba55d65bf3740cc7cc74e04f1d5d00074124c0ac

SHA512
8c1a1cf3f01c00ea7ec296e1343901198c702cadb9586f99914889f50734bf0684c6fef718dcb20da3d84c291fcfa14d8f211b85d47809aa1d8d64a6dab47db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwUMQQoo.bat
Filesize
4B

MD5
d00b7a31cd1dcbcfad2e2e3fad8fce75

SHA1
08799713f6fd1b42f26702a3bd6ad1f13a82836e

SHA256
85ac3297e0e05dd6721fce9c96aeccbf07aacb8a55e7cba5e8e83f8ee9ecd744

SHA512
f6ddd1c5899391e08d2d187277980f7be7af154efb8bc942721f9e3e88b24dc97a8e023ecfdc1dc085340729315ae37a5b1b47f7e0ecc80b98c85434099e11e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSEEgUgU.bat
Filesize
4B

MD5
624645bf29eabec031c20788f001208c

SHA1
b307c67864991f9baa7d47f56eac7e51c3f1b9bf

SHA256
61d8c26663cc170dcc3b95e299fc57c98e410c7bc34cf2374a2279de5d33b8b9

SHA512
5c67c5f3b3f259e313f8154748cec8529bc9df679a7d9250a0ed4d22552c2bb73ace3cdc8dc94266ed9b6302738e6422ac2adc1cec72503b77f77e26afcd7cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCkYgYMo.bat
Filesize
4B

MD5
4339b01f0c52dd29ccdd047bd3b0a92a

SHA1
a1a69e5539838a43a7be6e9f30a23aea53338aee

SHA256
54c235f1ec094bcd80ba39cd8e99e63e4b9f4d53ec2ec74454dc5e4e0cfd25e2

SHA512
68c004da15b89d3f336e9bdc0250a9ef06a5272bea882279a44c6270cfd1316a4afa7b23230070fc1eec1cff160193d147586a9fe9d1292caeb26ed3582d6ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKoYYIEw.bat
Filesize
4B

MD5
1af717e0b7f81fb6870382989f46761f

SHA1
54f9d5aaed5e67c1a3c2d2c98b23ce00f2b8a77d

SHA256
9a00db6c7fa3f5ca755ce57f8283977b7f1f9b3bf7c8fc87ca923dfa3b1aa286

SHA512
f43a8a90b31e345849fd171d9341f54e225ee50345c65db053ab3999ac73471c300a462c8e3900946efcd2253ce0b6780201e2071b1374dbc1227a8677ff1475

Download Submit
C:\Users\Admin\AppData\Local\Temp\moou.exe
Filesize
951KB

MD5
ab646d77d6f011a3a2c54c4472721f11

SHA1
2c8307caf166841ebbad48e6b7cb2fc4321d54f1

SHA256
e28313223a7b9dfd27af1439524f008a6825600c83a981283b7e6766d7322887

SHA512
e6735a9b9de45ea9c6565a00ceefc33fc2d169c5b5aeae316600a31143031c5512912a514d75bb8570669f2d07bbcf7c27b46c508cab2bf49a5123b29724c465

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwIO.exe
Filesize
237KB

MD5
1f9a48cfe3ab966139af7f46b9fdca0f

SHA1
d7c19d87251efd87dfc1f7fdcd121d8d5918516e

SHA256
0d7ead04ebfc2edade281498e186ef4b28ffba00ebfa73dfbe5d598799b6f924

SHA512
07e14ee1ad16df83f43fb31bd6ee320596d261a8345cf22035c12ef36ecdcb105c5cb66d0ff2b07b1aae019fee0f65087f6841caa685300437a4dabdb26e39f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwIgEIkQ.bat
Filesize
4B

MD5
0b99f819cf5288454c4c3525719d2f57

SHA1
4f046a19e91fef5299c0e09fb7582940ce89ed90

SHA256
49deb0680ab7c39d4426c15ab6716e3a45866c49cbae3edc42d29fd2a2e9d4b4

SHA512
23a6e7fe97c8aac793f0365239805b43b3a5c84af48bc4c93d7e9c92a598e5e6bd477201611a83c0b5f653bffb60ae4f7610f6497a7b6fe4f388007c3c08b6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nCQEMUAA.bat
Filesize
4B

MD5
0bbd290af731840f389df16d83a5b249

SHA1
87774bf52a5f8378c780b295e6a4ef14de165ec0

SHA256
45cf89c9243e4925c5c23016930f28ad8df81a39b217e942ff19f7236324fad8

SHA512
323a1f17e2b0b6032a2cad6b6f2ed829fc5eaf55fa02d00cca96e44978a56d40e40bd4409cc3622e89893916ae1e5ca20f2999daf1e1cb50b0a6ccf60ffe4af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQMkIYgA.bat
Filesize
4B

MD5
ef691b736d76bb93adf36f0730153823

SHA1
5718ae5524c99e278ac9e3b6f9092107eaf30a96

SHA256
12a923bf83264f23976be15a78403040bbf60c29f95a47ab5e55a81540f65fb9

SHA512
6002e85e893e803a441379639f78caac05fa83469771f43319a825ec3084479a916799636d02a0f974866381237c80c8757bf0cd42e685976b0ca4c42198e5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYwYIUws.bat
Filesize
4B

MD5
78331aeace9b3f7791fbf5e65eb7ea38

SHA1
ed453dde73164be497bb123df73b880ffd43855f

SHA256
bff669283e02cb3d4f34309d2b98bd2fe0117773f9ea44e68939be3f4ebe1978

SHA512
2cfd130ea35234937cc548eb1119244ff25830c2082eb3d9b49424353df2ee07c323ac68dd3251740f5a42b6dc2a9b48124e70676c6da43da9e7912df0f01d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwEoUUUE.bat
Filesize
4B

MD5
b16e6167385041587c3f420ca55ae7a1

SHA1
f6f6846c27f3501ad041fb73ccee2675d7af186d

SHA256
7d99093e3055bc83c8b8fdbefcabe2bc314e83cf6c1e1d1ecb174c7d228cb6da

SHA512
0cfcfdeffdb3286a13360df772603560cfda54fa67c0557918daea7fff6ba1f97a5b787f55e519082094b1cb6f935c54205bfe73f1eef604b553f08ef37820fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooQAEkAU.bat
Filesize
4B

MD5
2b902043da0b6351b3c12a92828a105f

SHA1
9768df24f756bd943c38abade569d9f3ba9a1a84

SHA256
0d46643f5777fe908a495a4dad05c664da7266078256a82efc497fd69f6cc882

SHA512
c6bbd3fbdd699c4bf5a24a2d5fb44bf90685177b0d1f506a97244032694550c6050285717df41484de6e9152c70b264f4408b755b0b851bd0103a7a55ad3a5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOsAgMUk.bat
Filesize
4B

MD5
2bee241c8a715ff24eaaf0c846deed12

SHA1
737d0f114ce95d13c282c6213cd090dbc02efcdd

SHA256
457f51ffeae6d30dc3ef29fa636de2bce0b1bfe7d51683ef33e67dfe5ca2c91f

SHA512
fd9fcfa715608cfdd7bff167260dfc42ee14d57b1cd0cbc25e4f6e7c05a3f08783e23a15a518b20260ebad5fa069260b52f1e13950b2def028a2bd68d85c19fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pSsMgQkw.bat
Filesize
4B

MD5
53e20843f55702e2b0db3163b1b1aa00

SHA1
d8203e891030d05e43f39f929b43f96bae0decfa

SHA256
a09a29f04d8e00e02b12c14a2da22c44bfc7fa7eb3c5e8d6249dc94b40668e25

SHA512
d5507350ee5804195450e534c12d80209c80126ec026de387846c56f6801c550b8b06079918703821dc888d8a99f8d39f1e51d5e7db9fb3f0fa5313527a8ef1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcsoAYcs.bat
Filesize
4B

MD5
594b95534e345185074f9743e3b66c11

SHA1
ec04268afdd8427729d3b65e250c877571ef3856

SHA256
7110913660b2819e1458cb09b8e1600958014ce52967e8ae5c71983a7a8f9164

SHA512
cab9f3bc9df9fba7903c77c9199a3bf409333bcd85d150815f35bd6a517aa765c006125879887c147256cbab3894c2906996745fe42f23aa50c5ab0ca61f125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\piEQkMwM.bat
Filesize
4B

MD5
09c3e24524d259370a53e8611c8dd866

SHA1
a2a3cb4fd13293a27d0e232480f7affc908e0ea8

SHA256
77c7b198727a2c7f6d31249710a7f740f83bdde32deb5820950523689d23fec4

SHA512
6a7409a66030f2821f84f7db388d274a4407efecbf9ddebc84e6a695308a23584a9eb094af5fa57ab23185b057de4b42b3c2a2075d01d459c5908483b8211373

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAoU.exe
Filesize
241KB

MD5
2e5ad4ab5870959c32c5ae63f1956140

SHA1
efafa324705145aea938cc72ab6e4335c6c21c73

SHA256
863845d6b0c86ccee748e0d6847f46ce4da8b5fd8f3550b2a1dd802afe7e3fd6

SHA512
8d244431bcd1b4ad859f4af940b179f10ac14acd5bf57eac9e9126e14420050086c555f5f6fbee28b9ee8dcec811ffd6f03aaf510fe138a3e410b526d96bd197

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEgW.exe
Filesize
247KB

MD5
d786096673afc437389a46fbcae893b1

SHA1
d15b16473cd23f0b19320343ccc2e77993f16f34

SHA256
a7a1ec2a56de0f37ee0a4057355932b5bfd6190b82cf004c01d094fb1cc48d89

SHA512
0b9e017d10759552e8342552f6aa0bb3c44e53f3c2434718f3b6e69222d24a02920fd95326952394258684458e08f682cd16d612c41a7dd07b3d8f9973bf5ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIYy.exe
Filesize
194KB

MD5
188b5eb823bfa40b35a18d70e26dd515

SHA1
aa14a687387086022070dcf3e2018056469e6222

SHA256
2cd3b78bd174b1290aa477bf0311be01510b466f9ab05173a85e0c506b61a092

SHA512
b9176844920799e8780c118f48eb3c19b0b29b52b22b7ca75a4c8fe564fcfcc1f768c05c044237ed7997236518441bc7393f7bb1286ff02687e0dff8192ea80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMoY.exe
Filesize
249KB

MD5
cf38d26d2e16af75d2f6e0454173e5d5

SHA1
2c391fce9ef4984aaddd82ba24ae8f1c985045f9

SHA256
6059e30004d786892a2c02e5d69d77bc4b54be3c3ed7f4cd25a6977065f67c4e

SHA512
b5338e2de70253fbea8b8938bfd60ea7771212a69dc78ded069d5568b4e5ccfb222e55b9fa5afc658259ac232971e169f870c2e063201ce41d9448277bee1f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQwg.exe
Filesize
212KB

MD5
ad853aaf50fd479b3c97b068f32fc114

SHA1
bc09fb3cc8ffc69f903ce3a6441660ab8d9b90fd

SHA256
1d80aac21cce3a2b77305f3b45c83b0649c3fc925d183db3ab4c65c37a52dd58

SHA512
ac932540bf767338aa49659d8a54ab9d13f7615b3986f40d5285946f99cccd32401b8e90ad57e43aa91d8222a1220debefba1d44cd90a99e08da034fa3a73e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgUk.exe
Filesize
243KB

MD5
cb15ff6ef25aa6e2e34d893bc4b0a4c0

SHA1
f511f68e60f65af9e8b71c31dec165592f798d6b

SHA256
1d1430200152e4a066f6061a186fd3140c29285170bcd1e1bfc2bb334311bbe5

SHA512
07e624d91fd954cc71bc952d2d24370c836f7fb56f948dd4162f44303701755d042c194e3f48bb880bce17d3f222c06adfe900ca5b35a9415df7a00623533622

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsssIwAI.bat
Filesize
4B

MD5
4f311c65c80306c18325b50fd90db9dc

SHA1
4f21f46d7e61bcb941a529aa35c319a0507ba9d1

SHA256
01ae345d0e2ea230a74d6e9f0142bd3087f4937910c40c2dafe766caed9e775c

SHA512
1446a3f013d95bc7e99093d447f131792ca5d7f2e19ff36792fc6160a48229c91cbabc9822d79736cda6fd516624a2abb78e21a7819edf6d34284d8742bd9f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMUS.exe
Filesize
208KB

MD5
340c57efffcaeef84dd560dda1f6e488

SHA1
224824d2bf447e62328ab1371455a8c5a368b3a9

SHA256
e841d050a271aed5fe29faafd0e5c559c05c7a5f76b0be46669d67cb80d33955

SHA512
473e21dcb397c33805b8125aad20bef0db208e73508b0aa923c0cac508a609b587916f7273a8426f3a7868ae69216c9989ad5dc58ed6941ddb1e4e7f2a8f90b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQEAMgUc.bat
Filesize
4B

MD5
14dce8832fa7e3a52f1c75c856c416f1

SHA1
67c29de72340e29cc4227d015133994cf9000b72

SHA256
42bf79fcef5427ebf970f6d988b97ae66f1d63cab11a2a55eb30831b23ecd243

SHA512
fc91b90296b46720c968930a054d74cd8f6d03866ceb3b0f10c81416ed81ef86c65f1d6aa611c4b8c0ccb167d8dae4d59c78576685624a026b35445f59e0303c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQgEMAwg.bat
Filesize
4B

MD5
b4afaa924d7ec4aef8443a91d8bc99df

SHA1
fb2c797f98379700aa5d12f5e9f403dddc645f44

SHA256
fb693a7c84d09c94afd6475586ac2622366acb3a2988e1da23c1bec0b9a5f4ad

SHA512
9e029766a222354b5b2926670c82f771abe4bd36336c6a694cbb8a70ea741fccfa8d69fbc604c659d7fed99d076f95265367b64759e419cc0da0311efec8f4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSgkoYYE.bat
Filesize
4B

MD5
dc60c643a71baa0933690676f7d39faa

SHA1
a270698379459f53b3075fe110edcd113e8bf1ae

SHA256
10c3d67dc6f986cbe957553afee6d35e4a8b37277ef5584e79f72d3141c211e5

SHA512
9729dd2448835bf6780d1feed2ecd48783a85953af097870341ad4a408d097d75a5aee1d4f01525d5ce216b612981c3b29e31abb7b45bf5a7912b4045021d3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYgA.exe
Filesize
213KB

MD5
bf6aaf4019f5c5bef58ec66c7a554db0

SHA1
2416f7faaf7f7cc87d841497ba968aeb3f66105a

SHA256
a3b2d1410d839723800fd9311befbeddd5ba6feda29f87f4f9b1cb90fb0ea7b5

SHA512
248823383a783f968cbda34dc32b0f658dcc642b392e71d0225c41f5ab27d168b01a0051e1c1347ecced5746abeefa9dcfaccd55bf15a2a75ad28344f71860b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scks.exe
Filesize
787KB

MD5
7ee9553e10ec50d25fa797e74a8409b9

SHA1
673df79ff786dc6eeb5146d246b397bb77822813

SHA256
adde9f80d94e16abf938775835b2edaacca0fca704a177e366128afa121e3b94

SHA512
dd116a2d784b574d0a30e056d8e09dd2d6e9ace91b0ed0efc868127835cc06268f482008005184a500fcdac0ba7f862a0c0f781a6af48d985ef9ed6caa1f5cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgowUoYo.bat
Filesize
4B

MD5
155775a8e19135db6594b7574e167e96

SHA1
b58f6623573a3e04813127d3971135aae5566f52

SHA256
083acb05f9f4b1cf770f1b938b29ad7c03f9675edb5bf31e34c96651641944fc

SHA512
780b3e5af41bddea1955acb81e9317f24583b860c7eb5ffd0685fc95d81f102889b118446f3587d3eacbe245710f96dffa4e55605517d3bd570e11e71028ab3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\skoO.exe
Filesize
242KB

MD5
dd1d246d06d883e5cf73211721e2b639

SHA1
64bc99e3f06e169048f5ded0234694f34013d887

SHA256
8ebcdcd09c0b182af59f073cef1f8aaa0e27040ccfaaca224a05c83a2a15d834

SHA512
b987467d30f044442e3ee76229db6dc8488511f9b517d3f540cdb73f92cb9b3fcbee665d5f626e7d1880841adf034c8bc93e694d20fef22bea071c24822bf8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiAEAMwc.bat
Filesize
4B

MD5
b46ca6e8d4ad024468e2a5fb6fdeee1a

SHA1
c9d51692b6817b36ea11916009879de4b13f6505

SHA256
c7bd62eaf66b98e4c08e982bfce37cea7da285509e5ef42e21c638456087ccca

SHA512
3f26f88fa7f42b09a87e7d7cdb7e393a7fcf69a530b3e0f095fba01ca84b27bb9af3c17be9fedf1a36d3a4cedb7aeb072367a8bd3dc76890986b71e77718e6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\umIMIUcU.bat
Filesize
4B

MD5
b64bc60950812a40f8b7ee1908c2b7cd

SHA1
456485f51b0054537f251f0b87bca6a12f25f8ed

SHA256
c99c3b947f335874b3d3f9484f57eabc060338e67951a80b71c1ba7e6a192778

SHA512
9713b6d3797426a283339c22dce5dfdf8d87b84b8477ba2c76647f8821e6130c995cb7bec3eedc89b25de913c0c6f1a53abe307e870c36a298eb4a30152b4a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosk.exe
Filesize
201KB

MD5
ef1c56a7e07fae87bc2c531bd298cc22

SHA1
c5204b38f2819f797f07aa3ee29f3242a82eb12e

SHA256
1c91bffb93df37c9e8a693c4d55aceae7095a92f928ffed47ae0da856884759c

SHA512
9ff939cf212746fd40713d508ee65c9e80b63a3de0121377a2d0317a34e1e0da84157b669c95466193416b47ced5c6b1da66c5e89ce17c7192d99c6bc74a8fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\usYo.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vacMAgAM.bat
Filesize
4B

MD5
8773b510c439e2f904cbd2ced2149353

SHA1
bab4057175c22b91296dbab256dcacd19e5d5a69

SHA256
8b3cf8a548027229423d40478798cf7aa7833b59d9933379c1436c77737c4c6d

SHA512
864ed6ba28f7c2acc1e96ec80b672e0553e6ee6b7813f3b09e85d1e6a6918d336a7173df5d04583bd4199153d89beb00263f4e904503bc303df8efd89d2cd64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmUkIIwg.bat
Filesize
4B

MD5
b10b75dbd5bcf6a6255b0b6d68af08d5

SHA1
a7569c9229bb0b95835fb6d0a0d9756377f87a8b

SHA256
8d49ebe8b3b78bc5558255dd948ff922b549942fc95bc2f1deb2e8abcef079df

SHA512
56908b31d82d14c1c74018d99a2366bf05f98dbd8f806063dd205f15fa66bdda31a48ffb1a908388c147e31bf91946b465ac70782a6e85ab5d557a6464d72d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMIA.exe
Filesize
1.0MB

MD5
93952375bb111036588d4a1def8949e3

SHA1
16336ee7f67ab041fab5a816e1f0d1f0ce00a780

SHA256
55c254bd4000834f15be4cb5a8cfebc4ee6edbe519d0f4ca89575360bada140e

SHA512
e31b2d8678c10e3935a7bb096732043c9c9b6f5f09d15ff65a94cb58bc09b30215962a0d4e5fe81c59554ae69b1b083e0f54ad7f51f2b4aedbebd37b9e2fe595

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQUa.exe
Filesize
233KB

MD5
104f89ab64d63f694ac9437c5edb9e66

SHA1
a02fa08fee69275b823f01196e6986f6b790e6c2

SHA256
3cf94dfb2f3dad748631f1d9db77c0496f2b6004e734191a5066826128c9ff4c

SHA512
1d1911455f1f7cfc69528f14273611ae9d7ece6f3c2c46d926744792c185274a79caec76a7e037636eb6d57349aec5fa4753dbc07f75dd6f96fb9e7a48183c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQka.exe
Filesize
1.6MB

MD5
7642011dcd2858831027e4ba9b3b1043

SHA1
9663c20cd1c2610c60a5bb810ede243d7154f56c

SHA256
64bc52aff6a260c443bd00a866057886e3c163739ba8817b909a07a1850723e2

SHA512
1287363691db00c89792fbba8b0a6c6c67f833d41953b6642a40afd289232cc377cdd589b23a37b120ca85387b10bc931504329b14bd0990e2d4bfd70524233b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUos.exe
Filesize
243KB

MD5
c14e0d9ad1c8189792e38f7e86c75dac

SHA1
226c4d63377503a2e280d1ad0a239186f6215ce0

SHA256
396b023173ce186c6c0b498bfd5359b02a6db967f15e4bdd563abdc0a4a8a2cd

SHA512
c92e7cad9c957fef2e6ec4118ca35351910c1dc51f720630532c976bb9f6c853e07a6b39f3661a67e18269c18ea60c01881add865d3b1dcd1ed7669467663b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\waEQQkgQ.bat
Filesize
4B

MD5
1970d56ee81034192f330e69774480c2

SHA1
b1dc0dbdda440a27770264864a60b4520d5ef90b

SHA256
3554e533a1bd2835a031dd0143e60fd23c6f759ad54351cb09d508cd87ecd4fe

SHA512
1bab6dc15e1e0bc0bc90bb9fbd24491c8157930a5526769c1f6fc9259fab160bff0e69eb63bee507ab244b3831c2ea31e6d36216aeb50b17b32e07a20aab9a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\wakMwkQY.bat
Filesize
4B

MD5
4dda9f97c631302f9fcf7e2321c83dc5

SHA1
ae03ae34db912479a933c9679f79e2c0870f4d75

SHA256
ed658c15036b02b7fcfbc145c854ee1b6aec5ceb30cb71db19f581662786317b

SHA512
fbd6dc2e6b3fcd87bb401273cab493618f3732eeac99072962dadb6316f585c481988993a5d08d9faf83edc484ae2d6ad9e9e58d1a6ba28acb19d89893f8e596

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsUS.exe
Filesize
227KB

MD5
ace2303d8f0b0d9ade5c103adc0f9511

SHA1
52f9240643e85a74f4a552c0eaa8d040e90f9f65

SHA256
02d00d188073969be51912c6f21f2ee93491d737132607965431c3126a59ee95

SHA512
b6e9e34459d635d831554f56f914564adeea963a68d042514201c87697e02c1662e058ea362d7a3885d4cd760e94bb792f75f6242d6d87b74f0a489aeeb676cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwQA.exe
Filesize
1009KB

MD5
533ff0dbec7d8ce6a7d728d9d480521d

SHA1
3c1af1adfdaffdecfd760eeddd42ad7fa47152ad

SHA256
61113acd419e6aeffe7aa965d807e39ad976429d0da67b06a0fa6b03c22adc6f

SHA512
81b45f2919d3bcb2f79b4e1058c03a77f14300a9347fa49bd087f3fbd3a5fd5f6b877a23ebc3ec73226114e0f9cad0ec1f97a85d7e41cc0a6707685efc8547c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoQEoMko.bat
Filesize
4B

MD5
b7cd2967aa888ad2ded87b1cbcd3d832

SHA1
96b865669e87689e6006b6ba4fb963fe2f40dc96

SHA256
0509bfea0b96d2cf75355f67d950fe747b72bf31ebb86f7e952b83d7a7292be8

SHA512
736fd5e3ac6b39bc4ad8fc11f77771c26c7137ad42ad7b928b906924cd640bb2a75ac4a7494ed594110765884f2ba75a6741883f3e4b09a0556f40f057a55f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsIAQUsk.bat
Filesize
4B

MD5
4dbc540ba77a73575b6a38f2f3e5cdc4

SHA1
0a5be2681157eeee1c95e62e6071a9a652398331

SHA256
b860dd73e12e44be202188777f4bbba843a598cc7813670c7d726915df3813a2

SHA512
75b29cf909f63e7cb4974512e499b9380548b7ece4284255bec1a37627d2b88fe52504f63b4ec3e468c7d66d6e6e720325b6f6c7f11973afd225ef998905eaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAge.exe
Filesize
228KB

MD5
7de51e351112365b6a79fb216996ce3f

SHA1
f2ec3eb3f9499365a772d5d06a60a1175aec66cc

SHA256
5092dd89fd190dde0a7540da65e21eb791441fbdfb8c5c6491f19e1136d9a3c1

SHA512
deb3b04cf3736c2cfe6f7021ad8a389fddd1ec991336b9284b9b1a43f3069eef76953de7f4ed115d4463b0589e4408513cc47adf7e131da8971bdbdce479e128

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAko.exe
Filesize
249KB

MD5
3aa4cd442edafb2b2c4176601c08af61

SHA1
413640d9371e67658c8d41b9397b162dc0c03d96

SHA256
82c0843e4efabea20b393c3f48c441a1646a2ed5acc21f7319d81bc68f670785

SHA512
26deed3ff16203e8a5963936e78f38bb2da5ff49ddc40fee0cb9707e1103c8a30acd39b87a11b95f5f511a0487f3cc33ea516798e3f899bcf6d394075bf6b213

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQoM.exe
Filesize
197KB

MD5
74b264e874b909e3e3a1a72b37540fd0

SHA1
9ad6c405417b3d2e5c733054eb41c3d6deef1a96

SHA256
bc1d2420fc15e6fc1b9db4e01818a3dff98d8185c572f5896ca1cf3cc92a9c4c

SHA512
4901ec7710d64e1b0191d3df127f9f9e760d7f75722aed94754922b3d168fadfc3680bfe4b4ee758836246987d5c7f43860df8e64a7390a5434836a5dc3e3851

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUUC.exe
Filesize
196KB

MD5
38eb2ab8f38fb017d33fcc213a39ed23

SHA1
5ccf04cb0226d0cd478e60ceeeb45e09f29a91c6

SHA256
8ee4dd2ced3ba2efd2bba7af3df60bced76d64cb61ea254f84ff465660eaebd6

SHA512
bee99e2e43af177e8734aa31cd757a5260dbf7cd940a09b377d9f7bd55e79f59537f7a33391210ca32dbc2170928c09ccd5621a6653e171f37a3009205c3bb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYwO.exe
Filesize
210KB

MD5
685f848670abeded20025eeab8900f27

SHA1
d00a302bb713e6afd2e09f741a14b8a33097aa3a

SHA256
8b6eb4f8e4f8a44c3b19831df8cd4a4986b195dad434140e7eec435b9c69fdf7

SHA512
c48791cdcd03280bfc5de527203b263f1c10ccc9e239f4e01a474f0a9b52e200587e75f6fe6d21e143c0b33feddf428d01bc54d7634612667b0fe04a3f926e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMq.exe
Filesize
199KB

MD5
10b378287d2aa06fa69b32a6538eb278

SHA1
12ff49b4a4ef80667e99fa1adf3360fc9ec43f06

SHA256
ce3aea3be312b8b1de27100dc4f78b02ee12f5970a0a7fdfb0756eb4233ae646

SHA512
93fec0cb00dc5f52d0621fb5a54d8933291f0cf1ac04ada1b3172bf6fbcf22e12d398840d6300db354160f04f48677c0904f1a18bcf472e8c30aa3bd65ad0856

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwwEgsAQ.bat
Filesize
4B

MD5
8e206239bdfa5b2234f2bb97dc357b7d

SHA1
458eb7238c75c2a9bafa2c1b59b48c98c40de3ec

SHA256
18f5cf53a09870ed52090e1134e535be9d2d54f7bbbb11c5c32f1e18a371e188

SHA512
4b36b12256e3f2c57c6b725f26231dd115f8fb896506ec392ceb6c5472693be763e4ce6b9a8846ca05120115c6642da2fcc3ee774a70a2806988b0dcad165403

Download Submit
C:\Users\Admin\Downloads\CheckpointGet.wma.exe
Filesize
1.1MB

MD5
3773047f668b91307970dd6b9b444586

SHA1
cf591a99bf0f2284f61f2a4fc8b31863fdf2d637

SHA256
076f3b3142c07edc6a95e9cb013804a0351a8ee2fbd6ca7a4ebf5f0584a3c1a4

SHA512
e04afaa9d70897ff34ea3b05247bd724ce8ad29ef4c5d4f223990659455a4762fa55da7a57b0d0d2975d5f8c8c250a9507af4acbaa1d5b9d34b4b2246d0d3543

Download Submit
C:\Users\Admin\Pictures\CompleteRestore.bmp.exe
Filesize
1.1MB

MD5
bbf80aa129e8baf5dcb4e3b659fcb433

SHA1
73002df787a809eb87f4f65620add08191c63d57

SHA256
e3f53cb0dd252ff050d9e8499a173d1405075215ecf94b7bcba2a91b43b5309c

SHA512
1e594707ce632f8e4c0f45d55bc42dc042bda97a1a24c251ee9e78edca788eb4384d5205a00717163af4783ed01a78287963fc75b5a9b7e0cd81748d0c3a80f1

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
Filesize
224KB

MD5
66fa14b934c9f833158cd563abc3ea4b

SHA1
3577077f5c5c0ba4b837401413df138ded3e51c9

SHA256
ca608eb77f0a6b7d964e9d1f8a63eafbe8701952bc71086a88578a561a7174db

SHA512
4113fde12d59fe32f4ac5488e2a2dbd1d0bd8311fbb80d99d04afaf69010473c4192fd5f63f99b6030e01466caf07e3ef8612c7b6a6bce92d2c4ae54c1196ad5

Download Submit
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe
Filesize
8.2MB

MD5
6b5a9fc0ebecbbf2acd79d12746078fe

SHA1
0bbe03f0c4814807bd61d515c3450a86ed9db614

SHA256
a1a5efb0207f074632c25995e7b7994c732bfadfccaec4eb8d358b8d13c22a2d

SHA512
b55a1352b8a1d1ebea39c2b8906ce0021ad03a47fc3031afb0e975cc79e55f2d0e6c4306f4f20a38e816d99ac462de563da379c649d0550113bf58aa51fa937b

Download Submit
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe
Filesize
4.8MB

MD5
ecb295ea3eadcae056c71014481bfcf5

SHA1
75c4ec72b9a61dbb9326991214ef90fdbcacbad4

SHA256
5de2ac17f96f326625b83e64eb5e6656ae94338981458e80e0b53232e185d562

SHA512
e2e555470e04634e67428e118263fb17345bdfd189fc159ca5172b1dbb53e344b586b993e34f3f3edf5bc6565783d8c678a1f7a8110ad9835cba5a7887ac303e

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe
Filesize
1.0MB

MD5
31fe0c21987a04fcbad193eea0d4a34a

SHA1
a7a21df528b61a57c6f2ac07da76dc27a118b91e

SHA256
36757cd6958de0218fa06b05ac9c628fc85a36db40ed6919a85dd94e25994011

SHA512
34d87d7aeb155a81c4e7ad65ed7d019e7b6cfb8cfccab6d0e7fcb00e8ad580eb83769e6553ac57aa6094282ab024e1496a31a9231ce4518dafb0400470871c25

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe
Filesize
781KB

MD5
b73a6713928844fb9915a82cb643f443

SHA1
6f65c5e3bf46f26f670ee5f70527e1a80f96c174

SHA256
616227a46c2ae60c865433771bab4e13f368bcae6bc0dae19d6101b2dbfcc16c

SHA512
b7afc2493895a1703d1e932218f718fffb0068dd37ed1bc3b15ab94c4e095be7d36ca4a63a7d356da0f5e7b23311e896a1120e1988c73072e75feb3e56d117e5

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe
Filesize
940KB

MD5
02b118081c0982a5247ec7a7a0d475c3

SHA1
9d007affcc920588ba8159b186358539d7fa4a0f

SHA256
151650cef6df5df373efc5e1a13ff050340708f07689718f9098663c6b747dce

SHA512
03c5c7f1901465f10fefb8121e381180383876076c9fb39032a2481a666788d8b9f63752d181f463be2c6b1232d206ed6dcc1e6280f677f57b8fdb66104021b2

Download Submit
\ProgramData\pQUkcQoY\UCwEgMko.exe
Filesize
187KB

MD5
da59750f16c8447966536108d796101f

SHA1
d12b53661e8edfd710a4af8e036b2f8a9212d8b2

SHA256
dca5f99438fbd8d2d1d067c5d2b38306effd6c06f4ff454684797b62be57f530

SHA512
3ce795f759f799c62ec6bba7bcb538dc26867dfe77a02b776377d0cd34a88ed379a465bfbbf82b22bfdeff32e539a9c06e571f20f48a4a108f352b837119a89f

Download Submit
\Users\Admin\kawYIgMI\kaEAEQgs.exe
Filesize
193KB

MD5
47681e1aaf215c231d30239e2a747531

SHA1
9f615f7226d208657906b8ab09192e8e0c314a46

SHA256
ecaeb00f73a2595cb2a4e9e2ff3f46b6cc3d162a01ed5e4298e399f9eddae765

SHA512
e47f6ca68e08e3fa93060dbc300e0e1957b6f3873fa4ff0fa00a96eb41ab746b434f2600e750363f39d9cc41e1cabb3d5dc3dcaeed9695dd47f81b8e01c0371d

Download Submit
memory/308-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/308-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/488-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/488-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/600-104-0x0000000000420000-0x0000000000453000-memory.dmp

Filesize
204KB

Download
memory/600-105-0x0000000000420000-0x0000000000453000-memory.dmp

Filesize
204KB

Download
memory/624-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-639-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-128-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/1080-245-0x0000000000420000-0x0000000000453000-memory.dmp

Filesize
204KB

Download
memory/1232-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-270-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/1272-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-505-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/1292-504-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/1464-483-0x00000000000F0000-0x0000000000123000-memory.dmp

Filesize
204KB

Download
memory/1464-482-0x00000000000F0000-0x0000000000123000-memory.dmp

Filesize
204KB

Download
memory/1528-630-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-568-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/1632-567-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/1716-222-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/1724-545-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/1804-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-651-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-652-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-151-0x0000000002280000-0x00000000022B3000-memory.dmp

Filesize
204KB

Download
memory/2244-4564-0x0000000076D60000-0x0000000076E7F000-memory.dmp

Filesize
1.1MB

Download
memory/2244-4565-0x0000000076E80000-0x0000000076F7A000-memory.dmp

Filesize
1000KB

Download
memory/2252-366-0x0000000000170000-0x00000000001A3000-memory.dmp

Filesize
204KB

Download
memory/2252-367-0x0000000000170000-0x00000000001A3000-memory.dmp

Filesize
204KB

Download
memory/2280-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-317-0x0000000002260000-0x0000000002293000-memory.dmp

Filesize
204KB

Download
memory/2312-316-0x0000000002260000-0x0000000002293000-memory.dmp

Filesize
204KB

Download
memory/2312-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2400-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-9-0x0000000000470000-0x00000000004A2000-memory.dmp

Filesize
200KB

Download
memory/2400-29-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/2400-10-0x0000000000470000-0x00000000004A2000-memory.dmp

Filesize
200KB

Download
memory/2400-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-31-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2456-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-619-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-629-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/2596-34-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/2596-33-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/2620-293-0x0000000000120000-0x0000000000153000-memory.dmp

Filesize
204KB

Download
memory/2648-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-589-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2740-588-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2772-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-58-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download
memory/2984-59-0x0000000000160000-0x0000000000193000-memory.dmp

Filesize
204KB

Download