a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
Size

207KB
MD5

17b82e64e80caab520aac1965ba4f8cb
SHA1

2e4a23c270b3e8d9324a7192f07f405ef03bea59
SHA256

a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
SHA512

e882a59ea0feaa556a303e7857f04f1415216509658ed5888c2e61b4de5f136e4cfe4f09e8e54ecee42abadec53431520aa3646401df400e87f2cace67eab3a7
SSDEEP

3072:+xeV4f7Gdz24bTZ6OoaqGGY6wzOKbghx0O8CLLpK6LC0Pybl:KeVwQiq9epwR0b5K67P4l

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (64) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FMMMgsQM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	FMMMgsQM.exe

Executes dropped EXE 2 IoCs

Processes:

FMMMgsQM.exePosQkwsI.exe

pid process

316 FMMMgsQM.exe
2248 PosQkwsI.exe

Loads dropped DLL 20 IoCs

Processes:

2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exeFMMMgsQM.exe

pid	process
2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exeFMMMgsQM.exePosQkwsI.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\FMMMgsQM.exe = "C:\\Users\\Admin\\LkAsccMs\\FMMMgsQM.exe"	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PosQkwsI.exe = "C:\\ProgramData\\ecooUYII\\PosQkwsI.exe"	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\FMMMgsQM.exe = "C:\\Users\\Admin\\LkAsccMs\\FMMMgsQM.exe"	FMMMgsQM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PosQkwsI.exe = "C:\\ProgramData\\ecooUYII\\PosQkwsI.exe"	PosQkwsI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\SsMsMEEs.exe = "C:\\Users\\Admin\\JCscUAcI\\SsMsMEEs.exe"	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rUwEksMo.exe = "C:\\ProgramData\\yOgwUQwY\\rUwEksMo.exe"	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe

Drops file in Windows directory 1 IoCs

Processes:

FMMMgsQM.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico FMMMgsQM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2648 2608 WerFault.exe SsMsMEEs.exe
2196 2540 WerFault.exe rUwEksMo.exe

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	FMMMgsQM.exe

pid	pid_target	process	target process
2648	2608	WerFault.exe	SsMsMEEs.exe
2196	2540	WerFault.exe	rUwEksMo.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1644	reg.exe
2260	reg.exe
2984	reg.exe
1336	reg.exe
2620	reg.exe
1144	reg.exe
352	reg.exe
1948	reg.exe
1576	reg.exe
2196	reg.exe
2740	reg.exe
1064	reg.exe
2332	reg.exe
772	reg.exe
1600	reg.exe
1324	reg.exe
2852	reg.exe
2696	reg.exe
1028	reg.exe
1428	reg.exe
2860	reg.exe
828	reg.exe
1596	reg.exe
1604	reg.exe
1836	reg.exe
1568	reg.exe
3052	reg.exe
2604	reg.exe
2064	reg.exe
2200	reg.exe
2420	reg.exe
2600	reg.exe
1644	reg.exe
344	reg.exe
880	reg.exe
1068	reg.exe
1344	reg.exe
2412	reg.exe
2284	reg.exe
2716	reg.exe
2032	reg.exe
1756	reg.exe
2976	reg.exe
2924	reg.exe
2300	reg.exe
2628	reg.exe
2996	reg.exe
2396	reg.exe
2092	reg.exe
660	reg.exe
868	reg.exe
2700	reg.exe
1040	reg.exe
1336	reg.exe
2836	reg.exe
2952	reg.exe
1416	reg.exe
2076	reg.exe
2036	reg.exe
2332	reg.exe
2116	reg.exe
2316	reg.exe
2224	reg.exe
2616	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe

pid	process
2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2604	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2604	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2876	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2876	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2132	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2132	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1064	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1064	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2596	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2596	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2520	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2520	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2332	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2332	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2064	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2064	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2832	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2832	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2864	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2864	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
492	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
492	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1748	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1748	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2552	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2552	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2004	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2004	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1344	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1344	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1844	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1844	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2800	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2800	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3004	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3004	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2660	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2660	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1668	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1668	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
532	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
532	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1604	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1604	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2288	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2288	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3048	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3048	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2396	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2396	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2128	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2128	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1900	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1900	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1600	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1600	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2736	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2736	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

FMMMgsQM.exe

pid process

316 FMMMgsQM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

FMMMgsQM.exe

pid	process
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe
316	FMMMgsQM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.execmd.execmd.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.execmd.execmd.exe

description	pid	process	target process
PID 2184 wrote to memory of 316	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	FMMMgsQM.exe
PID 2184 wrote to memory of 316	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	FMMMgsQM.exe
PID 2184 wrote to memory of 316	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	FMMMgsQM.exe
PID 2184 wrote to memory of 316	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	FMMMgsQM.exe
PID 2184 wrote to memory of 2248	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	PosQkwsI.exe
PID 2184 wrote to memory of 2248	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	PosQkwsI.exe
PID 2184 wrote to memory of 2248	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	PosQkwsI.exe
PID 2184 wrote to memory of 2248	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	PosQkwsI.exe
PID 2184 wrote to memory of 2624	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2184 wrote to memory of 2624	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2184 wrote to memory of 2624	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2184 wrote to memory of 2624	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2624 wrote to memory of 2716	2624	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 2624 wrote to memory of 2716	2624	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 2624 wrote to memory of 2716	2624	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 2624 wrote to memory of 2716	2624	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 2184 wrote to memory of 2912	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 2912	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 2912	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 2912	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 832	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 832	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 832	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 832	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 2672	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 2672	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 2672	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 2672	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2184 wrote to memory of 2896	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2184 wrote to memory of 2896	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2184 wrote to memory of 2896	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2184 wrote to memory of 2896	2184	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2896 wrote to memory of 2512	2896	cmd.exe	cscript.exe
PID 2896 wrote to memory of 2512	2896	cmd.exe	cscript.exe
PID 2896 wrote to memory of 2512	2896	cmd.exe	cscript.exe
PID 2896 wrote to memory of 2512	2896	cmd.exe	cscript.exe
PID 2716 wrote to memory of 3008	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2716 wrote to memory of 3008	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2716 wrote to memory of 3008	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2716 wrote to memory of 3008	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 3008 wrote to memory of 2604	3008	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 3008 wrote to memory of 2604	3008	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 3008 wrote to memory of 2604	3008	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 3008 wrote to memory of 2604	3008	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 2716 wrote to memory of 3052	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 3052	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 3052	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 3052	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 2552	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 2552	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 2552	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 2552	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 2396	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 2396	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 2396	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 2396	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2716 wrote to memory of 2060	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2716 wrote to memory of 2060	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2716 wrote to memory of 2060	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2716 wrote to memory of 2060	2716	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2060 wrote to memory of 1320	2060	cmd.exe	cscript.exe
PID 2060 wrote to memory of 1320	2060	cmd.exe	cscript.exe
PID 2060 wrote to memory of 1320	2060	cmd.exe	cscript.exe
PID 2060 wrote to memory of 1320	2060	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\LkAsccMs\FMMMgsQM.exe
"C:\Users\Admin\LkAsccMs\FMMMgsQM.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:316

C:\ProgramData\ecooUYII\PosQkwsI.exe
"C:\ProgramData\ecooUYII\PosQkwsI.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
6⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
8⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
10⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
12⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
14⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
16⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
18⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
20⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
22⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
24⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
26⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
28⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
30⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
32⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
34⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
36⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
38⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
40⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
42⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
44⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:532

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
46⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
48⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
50⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
52⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
54⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
56⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
58⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
60⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
62⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
64⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
65⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
66⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
67⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
68⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
69⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
70⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
71⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
72⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
73⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
74⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
75⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
76⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
77⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
78⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
79⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
80⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
81⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
82⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
83⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
84⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
85⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
86⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
87⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
88⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
89⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
90⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
91⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
92⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
93⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
94⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
95⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
96⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
97⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
98⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
99⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
100⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
101⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
102⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
103⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
104⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
105⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
106⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
107⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
108⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
109⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
110⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
111⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
112⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
113⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
114⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
115⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
116⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
117⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
118⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
119⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
120⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
121⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
122⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
123⤵
- Adds Run key to start application
PID:2944

C:\Users\Admin\JCscUAcI\SsMsMEEs.exe
"C:\Users\Admin\JCscUAcI\SsMsMEEs.exe"
124⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 36
125⤵
- Program crash
PID:2648

C:\ProgramData\yOgwUQwY\rUwEksMo.exe
"C:\ProgramData\yOgwUQwY\rUwEksMo.exe"
124⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 36
125⤵
- Program crash
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
124⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
125⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
126⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
127⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
128⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
129⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
130⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
131⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
132⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
133⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
134⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
135⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
136⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
137⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
138⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
139⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
140⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
141⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
142⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
143⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
144⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
145⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
146⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
147⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
148⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
149⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
150⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
151⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
152⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
153⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
154⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
155⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
156⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
157⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
158⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
159⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
160⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
161⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
162⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
163⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
164⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
165⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
166⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
167⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
168⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
169⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
170⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
171⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
172⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
173⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
174⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
175⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
176⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
177⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
178⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
179⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
180⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
181⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
182⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
183⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
184⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
185⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
186⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
187⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
188⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
189⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
190⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
191⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
192⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
193⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
194⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
195⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
196⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
197⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
198⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
199⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
200⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
201⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
202⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
203⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
204⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
205⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
206⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
207⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
208⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
209⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
210⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
211⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
212⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
213⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
214⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
215⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
216⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
217⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
218⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
219⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
220⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
221⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
222⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
223⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
224⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
225⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
226⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
227⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
228⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
229⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
230⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
231⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
232⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
233⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
234⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
235⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
236⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
237⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
238⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
239⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
240⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
241⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
242⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
243⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
244⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
245⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
246⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
247⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
248⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
249⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
250⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
251⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
252⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
253⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
254⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
255⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
256⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
257⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
258⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
259⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
260⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
261⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies visibility of file extensions in Explorer
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
- Modifies registry key
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
- Modifies visibility of file extensions in Explorer
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
- UAC bypass
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSUYgQgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
260⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- UAC bypass
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EywgsUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
258⤵
PID:1600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
- Modifies registry key
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CoskYUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
256⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiogkMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
254⤵
PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zssIAcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
252⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- Modifies registry key
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGkQQgIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
250⤵
PID:856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQkoUogQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
248⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmAkcoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
246⤵
PID:1600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQcIYkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
244⤵
PID:1856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
- Modifies registry key
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IgckkUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
242⤵
PID:1148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies registry key
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcAgEMAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
240⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\amwEsgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
238⤵
PID:2856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKcwsswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
236⤵
PID:1716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKsIsEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
234⤵
PID:2408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:480

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWkQgoko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
232⤵
PID:2496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
- Modifies registry key
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\roEwYUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
230⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
- Modifies registry key
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:1028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKcAYQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
228⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIQQcEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
226⤵
PID:1344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uUAwwEIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
224⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
- Modifies registry key
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AyYcosEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
222⤵
PID:1428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIYcIoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
220⤵
PID:2544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies registry key
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ncYgEwIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
218⤵
PID:2300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
- Modifies registry key
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- Modifies registry key
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgEQYwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
216⤵
PID:1664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcwYkUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
214⤵
PID:1964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\egoUYEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
212⤵
PID:1216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- Modifies registry key
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UAAkkocI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
210⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYgUsIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
208⤵
PID:872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cgEoQksA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
206⤵
PID:2908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tskUQwkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
204⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies registry key
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
- Modifies registry key
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:372

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqoAsYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
202⤵
PID:464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gqcMEogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
200⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CKUogEgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
198⤵
PID:2744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GysAgcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
196⤵
PID:2520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:480

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fqkwYEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
194⤵
PID:2016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
- Modifies registry key
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwYgwgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
192⤵
PID:1972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LowYgcAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
190⤵
PID:2496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIswIUMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
188⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
- Modifies registry key
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkcAYQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
186⤵
PID:2084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIYIEcEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
184⤵
PID:2332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUgMIgUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
182⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KoQYwoAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
180⤵
PID:532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- Modifies registry key
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKwMcoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
178⤵
PID:2856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcMsYYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
176⤵
PID:2116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies registry key
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
- Modifies registry key
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkwIYcoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
174⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zswIMYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
172⤵
PID:2740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
- Modifies registry key
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fEIAQAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
170⤵
PID:2500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- Modifies registry key
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewMQAIkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
168⤵
PID:1904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yggooMgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
166⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCIwIQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
164⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- Modifies registry key
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\luMgQUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
162⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
- Modifies registry key
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zYcIEQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
160⤵
PID:2172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUQggsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
158⤵
PID:2404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQIYggwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
156⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DskMIgYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
154⤵
PID:2140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
- Modifies registry key
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuIwscgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
152⤵
PID:1768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WkYsgQME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
150⤵
PID:1068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cYIMsAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
148⤵
PID:2576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
- Modifies registry key
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\swgwUIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
146⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TcYcYIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
144⤵
PID:2908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\juEEMEAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
142⤵
PID:2084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
- Modifies registry key
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hggQIQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
140⤵
PID:2772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TeEowsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
138⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies registry key
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIgYswIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
136⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
- Modifies registry key
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qsQwYgEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
134⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuAUcgIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
132⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
- Modifies registry key
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OYYIkYsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
130⤵
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
- Modifies registry key
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qYcswcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
128⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BqAocUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
126⤵
PID:2696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BSMsEwcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
124⤵
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rsYoMwYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
122⤵
PID:2244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYUwEgQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
120⤵
PID:2700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
- Modifies registry key
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKkAwcAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
118⤵
PID:2840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWQcUQAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
116⤵
PID:2012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wYAYoUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
114⤵
PID:2044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:264

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OyEAIEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
112⤵
PID:672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMIEcMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
110⤵
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAYIQAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
108⤵
PID:1904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- Modifies registry key
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FMMQUkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
106⤵
PID:776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HosQQYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
104⤵
PID:1488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YysoMIcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
102⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSMccswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
100⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWsAAsIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
98⤵
PID:1908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kKswksUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
96⤵
PID:1148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcEkQcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
94⤵
PID:2828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgYAwAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
92⤵
PID:1336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWMcMcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
90⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JMMwoAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
88⤵
PID:2188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies registry key
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zGgwkQgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
86⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIIAEkUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
84⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
- Modifies registry key
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iAUwUIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
82⤵
PID:1700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
- Modifies registry key
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWEgMYgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
80⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CeIsIAEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
78⤵
PID:2100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UAssAIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
76⤵
PID:2752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BsgEAYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
74⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PycAoUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
72⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUcoIAYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
70⤵
PID:1228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYsUsMwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
68⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaIsQAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
66⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cgcwokEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
64⤵
PID:1716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MKcAEcUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
62⤵
PID:2596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
- Modifies registry key
PID:352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKAAQQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
60⤵
PID:2772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yAwoIcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
58⤵
PID:784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYccwIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
56⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgEMwkIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
54⤵
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSIUYEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
52⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XowkMMAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
50⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCAwIYcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
48⤵
PID:2664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IeIwAUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
46⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKEgEwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
44⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCQYkkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
42⤵
PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqQoIQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
40⤵
PID:2976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rYokQAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
38⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZSAMUAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
36⤵
PID:2644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYgIQssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
34⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuAssQEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
32⤵
PID:300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgkwYYQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
30⤵
PID:2432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IeEIwoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
28⤵
PID:2616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmIgQAoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
26⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qiQMEQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
24⤵
PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- Modifies registry key
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rWwIsEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
22⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqMwYwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
20⤵
PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIAQkIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
18⤵
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOQsgsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
16⤵
PID:1224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\boocgMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
14⤵
PID:2640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
- Modifies registry key
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKsUMAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
12⤵
PID:556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:1028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykYoUYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
10⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:532

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mucwswcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
8⤵
PID:1036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\suQUsIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
6⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmcEcgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hoQEQccE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1007617211-873976097-362832236-19676443761873605299-1473744323-1235385039-1921558192"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2793242921723831658-334779430-1921162925-543369461-679162058-262189637-1339507060"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "135303641310492467249573008131297129567493058928-13746869871406590891-1215258019"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2843291221958824528-53435812125907388-1636644437-4416047151846190766-1436000267"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1386165201-433014970932380347879920801266560083514797669-1540682832259326483"
1⤵
PID:2532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2038880065-6828404938241332717139509672070244848-1394877574-1889410616940039807"
1⤵
PID:1740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "634100082-983953581710056994-1379165085-1936895728444170789-1978962842-1744775203"
1⤵
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "212207045321683091075926968118366531417629100199486107401378192619-1611416581"
1⤵
PID:2108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1784748160369423872-1471777345-32704909102151804513022951801382926374-2087747323"
1⤵
PID:1724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-585008881-11018147512124022412-1731132330-1336895502-15471457081875125591557667278"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1882986010-1863331253-1993471751996633355-12887577191332153421-18168290851709520663"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1039965623-531240675-1660011421-203005216-796384179-11807697271736565170-1636816938"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-945023522467421508-4065865072072636974664404411-1249831162355238099-1222480855"
1⤵
PID:660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2920128501924864427-375043450-36454407-5069639772110713553-12731457211476742133"
1⤵
PID:2556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8156560631091465988-15674485653945435211570364848-299718570997339928488286997"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-44137365811984302801969502899-12767491472729389831679972233-999888342544449266"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1838996498-1101011281-1815602233-1238112714-5054103401522779457-635340648-1284676953"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4442908711517338315-1974971651851437723-20340205261327145784-1190345576-362965125"
1⤵
PID:1492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-259335230216605562-3829198031047389437-1025057572-220783215-467735937813385045"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6471680201184059351417370374-690303572-292404107-1378435368-12995951661117920887"
1⤵
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "141114224219335741001665922386959079616-1989956269862321568730572698-556022268"
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-209269490653320009-375597315676056727-107826180-1632495887-763837433-484862134"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-202289733918136065573180638618233064181466535804753669955-1966798607187544185"
1⤵
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
214KB

MD5
4bae2e89380ee0fca32fb3402147250f

SHA1
126d09d2f638f8d42d11ee52737be3975b33c785

SHA256
d9ff46de9d6e7645feb37044a5c9dd210856a50f31bad91d7bb8b55f9ba4189c

SHA512
820ba9b32361d4f23e6bcd4a7745b012e5887a7bcb51a462c3366586e1396a209e2d696be51e13c96619f03a5474384e1fcf7ba3a06e98473438103d892d4f0c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
221KB

MD5
9afa60e608ddf4bbfc2f912a75994f85

SHA1
0f75e312b8ee49bc05a20053188d03e8e47fb43e

SHA256
3e962720ca7cc66994a93f1cea6b8fdef4a21453c7178f4123ecdd9397b9066f

SHA512
b28bbaac0003f582b463494427d78d395c30a1b212d09208980a65b212aabbe6080ccbca174fb4a38b799f9d018181e4c718361f1b6076b7a8f0af08aedf7d82

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe
Filesize
229KB

MD5
9dad0d989919289183d30a86f4db7284

SHA1
eb87075b4afe935935a70b26542706d55d17bd21

SHA256
219a2340e7ced422167557070fe0d48ca9df5cc8ea07477d4a1c3ebb16649c76

SHA512
2f4ece26211b6138e6adde584149bed68a87461b6aef0fff8e7ff03d3df10b4149d0737fae1665760067a3ecead84c3b617adeb548becbbb7e1085c0a037510f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe
Filesize
254KB

MD5
b6af4fe41b9dad82d647c6ecf1904df5

SHA1
bd77adabaf97a1e7efc578c2422ba12435886f4e

SHA256
622c4a942cb5d37064320c599a0d392855e5c4a5b00b33f4bd9d6af4a48d3f75

SHA512
490e7d5cd58659cfd7dd0debaa5b5792dffe1a98dd12bfa301f068c604acb8fdfd7fcd68d5a2b2b579a4da0088d608bb95abba3a904e3fd04d289fe80ba17534

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe
Filesize
238KB

MD5
50fdd8fe8d591c604b6eb8840235914e

SHA1
ae5511a0635d4b55a62bc9a3ce98a74825036b0f

SHA256
b9bc61b2f30bbbda3f887d2f53b4e042ff8ab95d8c97fafc9db6937e14fef1e0

SHA512
78a9117f132a1f7cda3051319252c873fdf9f6b54432be4707fb3605d30348e2b9ee0483eaf49b26cd9a57a9cf184c8da361d7a81f95d896b4f9077332ae9eff

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe
Filesize
246KB

MD5
ef1af51789c558a017b46066444487cb

SHA1
762efa8076401b89538bde449f7016aa3eebdd62

SHA256
901e528e6760f12f99e2b26a23736c1651954c8253645c84507cfe7464bbbc02

SHA512
0a8cc2f608618e1a9ad5ee9e056bdef70b3fbcb1a1070792d13e27e0173a6d5d2fd479d27beda78bb796c7d7fa63644b4512534b891b4096b3f0672ae4b0d744

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe
Filesize
229KB

MD5
c75da89911bc3d76d5a6f25c16cf9960

SHA1
2fab566e84b140eb82483851e475486b010e6ebe

SHA256
9ebf422f952094beceb42bc25dd414e87af834695d16e71ab0b22f29ad7ba41b

SHA512
48f44b71367e0e8ead1c44fe5c2abdf5fd5da02c54f08343376cd1e3c65e241be81409bfd20bebe8f2d71e32fdc4ea2974bec99f61d30868153cb55e3287dbe4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe
Filesize
236KB

MD5
f4a074c6cdffc79b199d9138ff41c4e4

SHA1
676b5fac575697e1011bb439470a81a77cb1c18a

SHA256
d588bf78dd30c6f8d93fb883cd7901cd1045b4784567fd6df6cbcf1d7624b45a

SHA512
c7c3d24f860c4bbc7de81a434912bc008b1aea878fc44ba3bb093f2c46c8923129adfa76a256f833aaa2986e40ff5fc380dfafc709aeba03754627876a71471f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
Filesize
245KB

MD5
af36608054ed4b54e54e1bdbbf4f5ccb

SHA1
a9606dd5d71e2a8e7cef22cead94eb4e4536bb4c

SHA256
50d827c017ca6876e2cf11cc359c699d95170af24678d486e1942e4be1e1daf7

SHA512
88409bf28febca29a031882c656d01528a37b2e867da444ae4b337a0b386273e249c0efd61f3b74451ff439776f5c5c3b96999c2ce9e2fd75a7b8e44b4927ae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe
Filesize
185KB

MD5
3435f5ab8346bfc75d3946cd320030b6

SHA1
db258d3a1013f2a20acd2029faf24a11f73e70a8

SHA256
4c45d048db7ae0177241ec7fb56a8979353469c5b58ca7f92afd8d7fcfb69943

SHA512
604f86376bc751f1b4f9979d501311e399cc211a7ca5b26a93743d5ba1643a2060638710e3be50718986319b68dfc27f3ebc7f08e6b8c3ef1c59cc432d331930

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
Filesize
6KB

MD5
c5a954c9c675475ac522b45ffd52d03a

SHA1
1fc5bf8d724c665da276aa3284942b1b9d822935

SHA256
a1030522425b3258e21b3fd2a1dbafef2ed07154142dead7e9b7f4ae667c8726

SHA512
8828630868f5b8b694c4cbcca3f995ae55f2edf7a93e970aa11fccddd484fc4b869389dff9875c1c890e7e6c32050d669e42f009eee8fa519f94e865e4164da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAMgEEAY.bat
Filesize
4B

MD5
a7ba986634fe708aceb6d346df637cc8

SHA1
67ce86c5d90eb380e97fe82385360be225d62bfb

SHA256
3056dc3bedf636455c5d1d1b07039450577917d8bab15a987049e8dd0fbc02f7

SHA512
003bd3712a0e2fed8a335aa99491bd406c3304cb9f1e64ea09c34f0ffa6d8e80529fbe78be3ea7613305b3d51752f92325012265e0ce51e4993b89babea166d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIYY.exe
Filesize
229KB

MD5
49011d2d87bcfdfb916963eb2c3e3fd7

SHA1
6ecd386130bc5819ae36b390f199528201b7a00f

SHA256
49400021ab2d4ab4bf0ed4631f9335341a829b7629071b9b0a961a9c27f03f2c

SHA512
4a6eeb5a00206b495a12fbc657e0572badce8cf7bea1eac87ab0084c2e04d38564b30d860b53ddf989b47ab310bca679fc5a3ac9da419aac0a98526724955048

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMsw.exe
Filesize
246KB

MD5
29d1b12c4220b49f22ce34ae3343b155

SHA1
b7e293c24486bd34cca8b2d74bdf734307cdd874

SHA256
64b11de7f7b9ec36b7afe188be79eae2c1f661b89da9983f04bc1e252ce8dcb8

SHA512
48dddc4e7ac20b68bdc6c0465dc0aa718355bfb36f2e2cf036dc34ab85018ecbf30de1eea5a05a1a446758a261f1ab4a6d6af9af411adc09cdae8c7e7bd2f66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYAw.exe
Filesize
549KB

MD5
6147b3811a2962736d28e3ba2caf08dd

SHA1
4e4138aed17c07d54da3db5d1914e5552e895027

SHA256
9ced068153dddd47ccc7a16695cfadf5a3689699ed3c38b61aab4c075bc0c92f

SHA512
4ab6ea71db938929188b30ba19620c861e1b80ee9e0a748888c112e6c544a4a7e8abb073ee7db19ded2dad1d814ce4bdb2a144e9f53a8a73db5fd23e098c2154

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgEy.exe
Filesize
248KB

MD5
65a96c9c7da35c70f8aea7d4f0f7e5f8

SHA1
d85b24fb897863381d8990b67c7e9dbf2e26defa

SHA256
ccac059efd871a5847bc5429c444f1dc8cbc8805ac121af3002df7fef108c5e6

SHA512
4d7e8508256ee9357765ee9a8c0f3ddbd1098ad04834c3b873d7fb5cd013c1988fffc50f8f1d084fddaf582c73dc927707fd76fee9d474684e924fa89ebf50e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkIU.exe
Filesize
228KB

MD5
4a80da8b496803b95ec23faf81dc562f

SHA1
ca7775b377e369a2c3d050fd3dd77e7b7cf13d0f

SHA256
ad3600ffce725da38c496178f3d4e5faeecbddd48f9c7d3b1aa563c567d5419b

SHA512
d534bdeee56e6596ec2e109857b73158c33afe185297ff209d55aaf97c7f9485eadbd05bac2f25b43322fda35084fe3795cd2ec4c71b5453c2a8420675bcea89

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsYi.exe
Filesize
240KB

MD5
9316bcc2e8526f4594a9474376b6a639

SHA1
9c5f91bb9a63931d1b0b400fe9ecc7f450be08d2

SHA256
8127610fa882ea7a2b0830f51716533242bb1aaa3ab2013032dca633eec9b408

SHA512
47fac62c691b155194b373ed57dc98745d76ab3218246b44f435ae7866dc72287c4afda243084790f2ab3491d31e09a349774c83f800ddadf344c163794e8b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsYkUkcw.bat
Filesize
4B

MD5
cbb5769701899ca1611caa2e18c9b72b

SHA1
f57ef81fc5cac74982baa3dfd4aae779e5eafa79

SHA256
68d651e4398c1e8599de1131911d45051abef8b6fea74322239f5442230c642d

SHA512
2908d144aab0be3c8a02b3b74a820fcce3f657bdf2d4b498965f3b0bfbac68ff230365ec855a58aa900fbdb14c4aa03d04111b798fb2d36000d1590dff479ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQossoMQ.bat
Filesize
4B

MD5
647def3fa66bb5bdf69525681cac88f0

SHA1
8f702e3498a7fb56bd607bd4f440cfad1c9de1f1

SHA256
810196abafb90ad31cf90c73b4cf8b43d71f35e19da659a424e45842840b6d63

SHA512
2f1034b5bb2046b344ebd5746444bc627ce068fce211c3e63f2c7919c69101900598600097fb5cd2b95663fe144526e7861e72c10b256939a5e21400d01b3dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEAO.exe
Filesize
184KB

MD5
6cff329442fe3f56f4d71d20f4f1b2ec

SHA1
dda816a4c4296ee984e9476937648023ded85594

SHA256
d416c431d8d9368cf02fb264e894da303a42dc9d245efa01df2126bba6a1b969

SHA512
9b4a302ab3a9ce32c19427203f43c1b228df77475343e24ed52e86fd2d1e48550db93449dc4884d095cb5e11816277c73a2f1e636f064ff24629190262827ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUMO.exe
Filesize
230KB

MD5
3c564514c161de4ec25881d5d8008aac

SHA1
bf853e4eeab06a5fd924f179e812f0bb47f5647d

SHA256
8418756f37cb5ff8d2f9eb23afe30b57e78e7c9ab70b1ad93a17c045e8e8fa28

SHA512
c348c41c82cee3fc1225a6fa4d9e06a3fc4c65448a4d8c87dd635e560767e43247c8e4947fe2df68951462a368ecc2df6931b73988ea241f30241e552bd1ec7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYcs.exe
Filesize
226KB

MD5
d19c26d008852f83f7fc59c465fe55df

SHA1
dbc46b639012415109e8508a2fc894c34ccf6f42

SHA256
655cc5481631443d0848e0059393b902829a191d46a08e6e822dd080ccdd2537

SHA512
a76dec8e8461d27dc1208d0cca20105420fadcb687ba12331780b787cf591e4b8bfc9d28ea534ccad6f59fdc68a811f6a0d345499ae7f3e4197c5ede7d93ed53

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcEo.exe
Filesize
403KB

MD5
6618c86792970cb5ff282b3ac0cc78e2

SHA1
ff830b7da8438d49ffed8152a5ed82156139d3c3

SHA256
df76c59b4c630b88eeebb7079bf0627f9f6e1be04993e85c603f86748a349687

SHA512
57071955be58b0e647531dfd987f902e5bb02373509ce9570a48cde3ae434a79f8a19dceceaf5bd2c76b7fcf429b0aa742072da1238ae7873a3d0efe7f13d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ccgy.exe
Filesize
229KB

MD5
fc7bf66d3c25c0d5133a3d1a9fabe0b2

SHA1
b59da5dc1c4537f1392c6f14d27d36b48400880a

SHA256
7fb4d80d6a916768d627c9d8f7bedb284024801c4c3c92c95415a7c7aa7e623e

SHA512
f8dafeed3dbbd758cb513380be7fdd858e3860292d5464f14577f29acd169671bce0a4c793e4260fafff7179e8c9e663e073052c791fbe4e050791258d326435

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeocQowI.bat
Filesize
4B

MD5
af130cb5c5fa71c21389ad70dda2fe9d

SHA1
c23757985797a4b111a269ed167c506cc6c263fe

SHA256
f899c2d0918f8135b938dc6df9f612d149a51a84a3d6ec8cb75720069e490dae

SHA512
f6ecbd807d16122c8f488dd39ea53fcdecf661758acf98e83eb19636ca776b5b127b3b3290e847dbc50801ab5329fa4b74e8bdd791ff9d05422b8b3df34818d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAAw.exe
Filesize
749KB

MD5
6770785c7d19f40e10cdcc525b4d25d1

SHA1
6f8d3ea12ece9981f2c44c276f93e0fc5bf3af61

SHA256
62fc4a64ba38e167e91b04e011663a19160975f7f3fa31aee294b39308be479d

SHA512
bd8abc6ccb43e668790289ba22eb7a570ac72ee112a44adbc7da9891857e5088675d99db891b564b10dc4e8389cc2cf11cfff5e34eb2f981a13ac025a028d183

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAQC.exe
Filesize
248KB

MD5
e2d218de6db107799b633ff906e47b3c

SHA1
4d59c208007a021ea2b492c33c4dd773bc2671a1

SHA256
89e25b2ca35c4af35d45376738e19314641d64d008181b7bb06460a0133e7b69

SHA512
07696eabfc67d5e105d27f925bd939e79b1e3d74394d9252f6dae7cfc3b2e81dc9490798bcf27d118dda04e896e89a667bc0322d6d29b176ae0b5d912d94de73

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIoK.exe
Filesize
296KB

MD5
468fd702ef5cb9078117b2b2067635fc

SHA1
bb4938f78b5b78a4b4a2d7f095b5405972db6015

SHA256
23839a05cbdb54ba45d992ca26aa9e3d010731bc8c2ecb119940e7217962e817

SHA512
6f505099a0daeb9771848234bb38812e4313c197b9349ea6f4feb5f01b01bd821bd461f28d55c2c36f8b73bfbaad4f08e5950d5a649c4b62277b4bd2c8ff9418

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQMMIEck.bat
Filesize
4B

MD5
2e215c181749f5352db103dd99dbebe5

SHA1
51f300ada441cc949df7f7370d58b01185242726

SHA256
1dddb64de34a4fc47dffae76271e8908be6625de8a95885251816e250e512bc7

SHA512
abde7e123e0ff2d4903943cec2d5cb5433eaf406bf6744f292fc59f913b786d31d0f59d339e2dceeef280c5239c6c701e61206118598e26f497365b6992871f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQYq.exe
Filesize
443KB

MD5
fecbea5c465c99e98d2f44e041de4d98

SHA1
2d8e977fc2cc71683ba1bc9af31b84acdf3f6543

SHA256
7dc0bfd53a381e765ef56587aa1dc0fe45a1fe8e714110b509158ff254def4a3

SHA512
9689acdd74b8182f47425cb8384324b3cffcad4824ffd0b2ae9dceff03f27bbc61d3707bdf9b0c7082b8b6d10b4eb268cf1867b92fbd87100442cf0a7a400d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESYoksII.bat
Filesize
4B

MD5
3787779cf00d89b48df13f708215f2db

SHA1
7c8b2ecbb7df3503a3441400a516f202822d8120

SHA256
60ff03e4526845b21e2cb6f7d0981e016c169fbd1d5d75de6a3cfe901c656967

SHA512
2a9cd5bd5e82ffed528d1dad8af26581509c15b21d6d2f0477598713f49b2cbae04ea34ea45bbe5069e4765188b7388956e0bf2aeaa916e2667ed5d2143b2021

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUYS.exe
Filesize
373KB

MD5
8bf09e954295fe0b563ae1c38fc01ff5

SHA1
af9e745830c708d82b664e3451fd2f0d0195cd45

SHA256
82a0d2e21168162c9e9915d8c3569f9a1c7cdbfc2385f33e9b266632970607a7

SHA512
936160fad0c047c3bb4b245f5e29b92c46a526771e3da383c25d78bf031dc67c9f2f45ca7e739c90ae51c2a22e450f7abc0345cd9a4bdd8fbf44c8572f520f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUsi.exe
Filesize
236KB

MD5
9791e3405ae87031c35f385f5a7fd491

SHA1
e3a6c89a7456e033f2ce02333ce9ceebfacbe42e

SHA256
afea63d1c22b09d716cf00734d6a92acbdd357b00929bfd7fc584e9d2ed53f17

SHA512
b292bda9e5167bce3bc281fd01d58bb730a6ff924b5b30ff18d07cd3b46cf9077234efeadd52fa5b2e7e16abd8ef9612a1742e80229064a981e8baa9b55c952c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcAc.exe
Filesize
185KB

MD5
986fc3d65c307409c6c45b969b981d3a

SHA1
75c749a664287eccc020018cafdb0e6038708a86

SHA256
e461f4facc18a2cf22a121a8bfd9b03087d39cf8b7b3a38f83c8e374787d11fe

SHA512
1d79d5620b3b4eac8eea22dff11f66fc6cdf591167869901dcdbfcf4274926c7f597695c8b04419b51e4e97c83715b292ca77eedf175763fc31e3171f5ef09a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkcM.exe
Filesize
660KB

MD5
6ed313de405d3c5e3e1410f5e6c36a5c

SHA1
0dd263c07cac6bbf40020878f12a2ed0fa936084

SHA256
50e9e74eeb493cdb6a33e0ba9a92c035ce826c790596952a7c2e2b9afad513ac

SHA512
d9b060d258472a2ff1966b32d2eff0103ae24755ac6e95c4ac78c58475b2ea2432ec949e9798dd3baa467031f951f8167b258bff7ca9d205a82b2e5fd0301d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoYk.exe
Filesize
250KB

MD5
620affb9403969b17edfe81bafe2329f

SHA1
b84a0bd74a210ab959466629370c0824f73430e0

SHA256
006f9f48c4b376814d6494a4dd172c4088fe64cc787af7ac719422cc43e3f6b2

SHA512
ced8570f9824eb651a978d3386c0c672cb83f4c993c66f6c7d10d9e3580c29968185e382a057bd4341053393cc73b525acf7e88a88ff1012a9f79dea5423a563

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEwY.exe
Filesize
240KB

MD5
597e5d87ba4736e038fb4f13c180d802

SHA1
fc73d264505757ca5363024c89ea5191ee26fe68

SHA256
f312eca4213194fcffc653c50939b0664a19376114e86dbced8f53dcae695776

SHA512
d4f798c36a3655dd1add51cecdadcf89459b5419cda642f5247a7216685493ecf7fb400f62e3609330f439dd819bc4d2ed5fff3e7c83eeebd34bb24e3fb4d4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMoa.exe
Filesize
249KB

MD5
1c9fac91a0751799b1af4fb2e1ee8d06

SHA1
cafc8454e87bd7a78a5813909c2c281a6baf48bd

SHA256
0eb6626c9e34637f7e191c8f34233e118488e53f8cc6c50013f98ce34f41e034

SHA512
7db957c3f22dd2a5f935bcfbcdb038869a93dc2b6c7ca0164af2e71b902792d16ab414caaed6bbf5b18aefd39f5dde6e16c7cedbe47af28082d1f0013e0ee1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQEc.exe
Filesize
572KB

MD5
a4c30d62037bdcb3cb1ca9f65f5d603c

SHA1
0e69b6555b8f35a38d17ba788ca07a1c0757f1d4

SHA256
8dba162e0af2969f43a6154454cfcca038be4feea40b3445925f78cda92a5709

SHA512
b5379db988b050d9c671db35d381dbc3f974b5856491a1c70f253a9352d565d76ebe2c10ae28ad8d5d8ba349ae46281c3a0a077ba2ad74ab35d78fb996360dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUcE.exe
Filesize
203KB

MD5
deeaafd7de9f41e590de0135fdebfd8f

SHA1
60866c8bd6a4afea62d0c472d46a2516440df076

SHA256
5404d1a3065597d74740b3da9e99530710c0fbaffae0dd140472d1b231d19aaf

SHA512
877a371be9f7cd574e762805ee2d347e768bcaf28469432873b4af4801cdd60fc874146e29e780b53f28818901d683e009e9547558c3f20365bead5336f9d453

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYMk.exe
Filesize
201KB

MD5
a888a59d3705308d7f21edd753591d40

SHA1
fe287a7443ca6cb296f6e759a36bac12431beb84

SHA256
e0c2c54139cb4c6ec2371ed40da581d6557af151f1d188b804e2214e1f0ecb7b

SHA512
3e0aea1833a33415c02d8e441519417142b95eded5004656574185a3fcdc75f1d7455db8f7ed03a3a373f820db5ef54cb5f06887f8337d57b56bf51fa7208e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYgQ.exe
Filesize
184KB

MD5
36981e9b28e2ea22b8d938a76d7321a4

SHA1
e44db84e1aafc13af7f3afc71626f08d61a81406

SHA256
205e15e808ffee899e07e6fe0d0134cca69b2177edb326e86c385c0deb838310

SHA512
1720b0a50d14574041ffca2f2723bf0448429b497b3cb7a4f92e1749766f011daa199536605a4313960764ad4645c4019e8e1da0e49e6b42cc85785df2fd65f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcgoQsEU.bat
Filesize
4B

MD5
6f035528bb8a6604a929d3962485e093

SHA1
ebf18c5ff34aa8656ebb32ca3f742bdfbc0c2674

SHA256
1af3118b0256092a285cf63731b0fcde30341fabc01f9f68210ddc91e49d5bc1

SHA512
70e80a7b2ffac8c17eb6ed3793470025e997de06ad29418c20b7e79c7395cb5671fd16b6d8d159333d950173af87fd2ba62cb08e644d343370d41db91dca0bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkAo.exe
Filesize
642KB

MD5
29d8ae84bf2e5c62a6d81d621c9f88bf

SHA1
d51548e4e8e32a6e56768ff0db55ae77a375a901

SHA256
8b0fc051ef77191ceb3e4c62b831356d2d82fc86b206aac79e8b5529e480d345

SHA512
d917997f37b0efb8d7171001d4f8c35e9864878ae3d16b2e8078a122b5034d53a423a33f0f63336e42ffcc90062a72ff7c4badba4ac64f4c006f5f70c6c775e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoEwYIYw.bat
Filesize
4B

MD5
a63790919024104975be01cf60e4eae4

SHA1
acc4320419cc47e2babcf814dff88ac0c13636eb

SHA256
90cf2c1a4c5d44525c31973526a768f78e8625a060150767f4d2921d18a1a569

SHA512
8e7d7a0e33c253b2dfa0b1dee278a20967f436f6b5d4eb6922a7236e0d208173da1f6c1d188dd34f9771d990d757fc7e65784995e4a8c0ed01ddc6cb1e9425f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoUu.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoYy.exe
Filesize
183KB

MD5
b283b8d83fbb3d754f71438c25f9b21a

SHA1
1789ba539aa8c83111c6d57f5e1cb6626177a637

SHA256
d004644d30ba0a963ccada1747789012ab872fd0aa41e6d8015d3e574311226f

SHA512
3685819395a6e2d0693e9b017657caf6c1f89db493bcd90c0f5e1fcb27cb0797dc6d5c053e8794341cedf61c0e4e2850a8ad36abfec27e1511503e1f5a4e8a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsgwwEYA.bat
Filesize
4B

MD5
53036e874220909250145d1f25ab9e1a

SHA1
62fed1a0b8c5632fe6d73f786f278d8ed1c65f6b

SHA256
caede84e921366b0034d9ea8676cb6fa7a2fd6ccb589f27e7fa724e2cf27d36f

SHA512
b6ea62b80597b0ce7c252e2f869785d744ce19898dddcec81a45463c8398dcc58ece3a8907f90c10aab967078ef24e9d4ef973830309216fca90d89e8c96aaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwYo.exe
Filesize
1.0MB

MD5
c10c2548b40b4e4834f7deccb8f2836b

SHA1
d09c1b944cfbfecc3b584bc8eca18e1a9fb2d1f2

SHA256
cc8b7a48bad78067a1b75dd6f728d947d6e362d8cc3d00911d5acbc3124593d7

SHA512
f1e0fe3bd25be76268b208fcf482849edc5c7f37ded9757b16a608cd88032a5836cbc90322d55f6a67d0ccb2ecfc76854572b8847f18ce3010c96ab9485e5aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwkS.exe
Filesize
239KB

MD5
814e0d45068d3a706756ae4c6bfc1ee8

SHA1
0cacdbd6378ebc06e1df25161730ab2c25f47e01

SHA256
16c75b9f6d76cf9e0c020c7c5eb886a0628f338c606bf22491b4ae7e0f117c20

SHA512
4daa86deb206b44503678e7e7c95b9306dfd8743e8a2401361d0889396e54eed6a60d62ce88f1a3ef8c7efbcf79fc9ab4b5a8553a1a1bfaa2b45d97ab214f10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYkkkEoI.bat
Filesize
4B

MD5
ab306628bc33b0b48fe5e13925680fdc

SHA1
0635b32de40dffc225f947d803cefae5193eeb5e

SHA256
9ae894e18f23e006c15f0911c3520406fc1390cefa4e95efcf035ab1952146dd

SHA512
a6054539ce4c7a2a196992491ef3008337b3a51d9ad3eb41b547db7207ccb14b1dffa5dd830198f976b4d5cca0b2bd5c181d022c037845dfa1ccc5ef1dcd1da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeEoEksI.bat
Filesize
4B

MD5
56a6a8b655e0a2130b5fc87f5327cb9e

SHA1
10073ca9c9e9d85c13ee1274f62be8a915447a6d

SHA256
23936cd88e8e605672df969fa1c32a88e2f8ba2533a2dd2c679adb957fec8111

SHA512
337eae6d7c48ee615b4aecf6a1c527cd68ba0c91fec0d2e640714a2b05a3a421ed0902bc2dc8ade6190860d31bbc00eae440950100fd92a34772b355572b4fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgoQEAMs.bat
Filesize
4B

MD5
ad6f5265de65224dfabbc526e8dad532

SHA1
21cba350535ef042bdab029ae228d08b7f7f08a1

SHA256
3be2ac9cd836f27432824cb3792f8f993fd576dec4d34b45e93fb0dd6958598f

SHA512
4e2d4b2c6e79841b693d90d07525313137241de0dfdfae448f8683007c745902e2043426a07f76dc8c5bf7f993383e516935fdb5ebe8f6891392361315f4ac5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HuAEMQUE.bat
Filesize
4B

MD5
a7690ec47c7fc486833c82f0c7009ab8

SHA1
3b59903a2d29eead7ac35efb682a32cc140a8b7f

SHA256
d55eec4745e7cec431c11786447377070410dae885f0979927704a138742f374

SHA512
6ae87975be08b451f7403498e0286d708c5a5d3030a0ff30a2acf6433e83052d1d99f92d729c2bedf52d0d1993ff3cd382d91fa4ff1dbdf14a040355b4d8de97

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyMIogYc.bat
Filesize
4B

MD5
60eda9ae691e194f9f2d2d005e46066a

SHA1
f40483aff07c649dd86046bd0c8bbb1d11a17b90

SHA256
98fe3ee7d36859673b71e15a0175565a444fd872f3e700da766af215cea31bd2

SHA512
3381fcf50aa846657ac7f0f59a01d757602c00ea558346265388551288f4bf155f1660a756b582c7973405868caeaa5113fcdf64fa4dce0ac6dd954bf4647b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMkS.exe
Filesize
231KB

MD5
f94010878bc3ce76690d6933dd1b44f3

SHA1
94c4444a7830828af54a836500d2fd0af2860102

SHA256
742cfc0096899370df530d3a3d0fc429b54bc7b2fe0179f6c980918469b4e7c3

SHA512
6f783683cc5568b0934f2ba6562fd4849d74f90c4566a8ace368397d4cfb1d8f17d5d01f1eac0436a03723b7e085d5ff0afd8fe1a6b876e060036a0601f7faa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYwQAkgY.bat
Filesize
4B

MD5
83daab6dcfe3e94e665925a5eea44644

SHA1
c59fa66157f49686bfab2971c7eb2b9a04d3b079

SHA256
ea89211e10d330bb31988dbc1bd3d7ec0b716fc6b31cbdd10c1c92f0153a18ff

SHA512
05e5ed128fec954ad373234089e947289c55fde11ab62c5ea33e257a59772ad7bd46b6b0222ee5d015e21ad4ff18058d733c0b075f405d992c5b117c5f4294ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgMUwEUI.bat
Filesize
4B

MD5
c77045bc56b9d7e18d5858e62943b089

SHA1
b1e453d426a745e3a0f5b06f2b40b34acede2d15

SHA256
ecd261839cbab17768aea178602a26dec2347e6a2638d58518f748a7a873d380

SHA512
f2edfbb988e85a7962b0709aebaca61b0166a7fe2516b267d484d774a6716007fb21dc71fb94acd9c3d438bdce0c6c230fe80eac365f471a938f02148b643f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IicAgwwk.bat
Filesize
4B

MD5
46b453f3687413ec47ed1cecc112cda0

SHA1
342373cf34f337de9d6ab86e52065a07fc17f25a

SHA256
3c741c69aaaf5148af3c115605ad2317a7cb94cc2a92f09ccc8ee72098f02ffc

SHA512
914dede2587257d25a0acb6877547f332cc71565d4bb1a939efe811e36dbcad70439c7ee34f37abad39d87bb4b3408adb0266d3a045b5d33cc661e24534074f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkEk.exe
Filesize
239KB

MD5
e644ef4bb60a477e91e755862c277d3b

SHA1
781b78f2ab2255dbcc3a8c97c0df51482d801585

SHA256
314b064ea56f7723004f2b489dd55c60799a6fec32090e19245c482a4f50e39c

SHA512
2b60b34e1648755dbe6d50b86a8cf15875fdfcb85ddaa60fa85851faea452de00c71f229c77763e1ef9f87a936001f593dcc5ef3fdb970b2bb3b90e8049eaae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkcM.exe
Filesize
199KB

MD5
ed295b3aa3cfe9c85273a800011f1d0c

SHA1
2ceed256df6e42addcac12398a171c9238ffc1c2

SHA256
ca0d750ac2ace31f85545405f49b86047502a46115fd56498cf364fdf92491cd

SHA512
a75e64932ef43efdaafc20b89c52cd1c3546a1b4b93db43843d79d289964e9ac3e2d22483bc44250c6750bd4a0e5c3744377cccd63a922b2f7c7eb4e29f0f0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikce.exe
Filesize
184KB

MD5
646f71ec51a193eea0d72e03d2837264

SHA1
bf6996d3b9af6cc21125e7878bef75718efd4115

SHA256
c9ec222dcad028b54b24e19b3ad4eecae9006e0f94b774c58d59c3b0b3aef258

SHA512
c4172f0eaafac40f3c6d7bdb4c7ce2379a3c0e9d54b34a2df13a78cd6724c462491997f31fa11eda1290145fdb7f081ecd020420766e047463cdb1e1619d5be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAgMcYAM.bat
Filesize
4B

MD5
c781a22ab96edc5fdefdbc3e71b31cc3

SHA1
84425918a87bdfe64c409bab6605e2effd3f0c1e

SHA256
c490c18a2e0f605144127e0929e20203622d558ca5e008e1c64472d2efab2ec9

SHA512
c475ecab1c568084a47469ac3132d050810061805a966d10ad682c36f3f57dd5595073a0ee4fc76e66cfdadc40b2b71ddadea555268ee207a2ec5b0fd97e1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcIoMkYU.bat
Filesize
4B

MD5
363f85bc1e36c2f5c1817df4b2e4500a

SHA1
47cd37c1b1d1aa9a0d6ff8a2dcd44e9d8c616612

SHA256
e60167d627267fe7d1b53595dfe5c8bb006138d38286bae6e300690999ef7879

SHA512
e04dc2274fab562e8989abb6fdd4e88df50eb4e5228cf6adf69ac540820c06c21e3c9c7a16abdb78ecbf055ade76925540e1727be2dec3e90ec652b78ed1bcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgQwcssQ.bat
Filesize
4B

MD5
3046d341fcf853c21603212140752b0d

SHA1
90ee576241da20deb7ba2fc4bafc6e8d9be26129

SHA256
f9d936ad09262e6ecbb71449e9b1c849a82a98aafd5c598dfdd17ae848c201d3

SHA512
4abaeb7128e1c885e6975f2ad6cde11d92ac442cafe65e1ca72efe49b4fe8b5e73d881dc0a3128eeed69efc04d2639577f3bba8736c83a4fb554319eca1b8dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEUAYokU.bat
Filesize
4B

MD5
ef50c908675e46af846e23ccfc5f4fa5

SHA1
d5ad00898f14944511c5b066942faeb371494457

SHA256
35a16e90d0217e46190399dc110d972ee363cd56c49a7d3447628e5c4788f181

SHA512
704cd72bb58441a806c04abe9e6fb45ceb70015ff29b29665cb9184b1a65233648b2c5a72d226ffbf0fc8106fedff997ef6cba45d7d23d47500489e4fda01999

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEgk.exe
Filesize
240KB

MD5
50389f58a40eaeee3a84117d3b260e9f

SHA1
09e5e3b7ec3e3a5a725bfa50697d2be33b65649b

SHA256
0ab1e60f85eda8294c0735cfc01688bddf18602bdc1e4b86fe129cff0b350749

SHA512
7ea6d19aeb0e4750ee04373972acf4297b1f1f6e4e38e6f9295ff9d95916a2e4cbfbf7228ca4e1f0124eb42b147fe3eab864299ecac544e6c1026fce9e7e15ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEkY.exe
Filesize
231KB

MD5
ba78da913380aeed6dad59931558c067

SHA1
b03ae2fb95dd09128f7002a848dd3f054dd4c413

SHA256
4764676de517ecc8b75f35cc71828bd778e3aeeb224b18914213c7f5d067d17a

SHA512
496f5bdb1af9626d772134548690cb62b0129ea57fe6e0995b0ec6e279e3615ea30e4bfb273658bb4fe0087de828bdedcd0e71deda4076868407c952a8763a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMEO.exe
Filesize
230KB

MD5
9597e84c9be7e5c5d1b4a2ae73356dd2

SHA1
ca1bb72af3647043d258e7463138934caf73bb7a

SHA256
d34cf693f54f63e0116cc9e33f401861cdc20da2f1677fa3a9ca832831576c93

SHA512
c63ee4ac135d456f264efe9e058bf12baebe7368301b3af95566c967f9192d99df05a8629a28cd3c28cbed2c4ec8d5affe38382099d230e20504b30b72f40bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOMYYswY.bat
Filesize
4B

MD5
e6b42b9d790be826b34882bf87181874

SHA1
d672d0d6faeca632abf0dadbb0693c08adfd4f4d

SHA256
37309053a57aa2bbac1d8302f98b9e3b768414555768942fe07063a35b1ad100

SHA512
2e721279cbb5c544230164dc5d338f5a3522b7d9a724eca2de863a861a1272722cac230272662e680c48a757662dd73f2821dacf9900fabb74e28904a5748a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUIk.exe
Filesize
245KB

MD5
040ee6c9724aa8b10064ff17f18e8229

SHA1
d22dfae5f939c2fd15071f211bf96cea9c5a364a

SHA256
7cdb53152bf05917c040149f682850560b02c440941badffe417eb0e628b9bc0

SHA512
f28aa8dcb19aae0dab25dba1b1c9e96aefa863d859a17927292e029e78e746858368ee95fa6d8618921845581793168624a8becc5bbbfa736bd4d37aa88097ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEq.exe
Filesize
810KB

MD5
5e79740e497fea8fdf27a7153ce48c11

SHA1
1b75cc946be76e9fc5382b772f4aa90596529130

SHA256
5025f94f7e4a7fe30433af565594f02013a4be06b82a9551856db061199f3497

SHA512
8d3f7cccf49d3b26f0dbf673c6574609215c597360d69eda34298ae27be4247f98cf42ae54ace7d1e43ce7fee1351ad86b761ec1553de36da8b1a3470d481e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYso.exe
Filesize
519KB

MD5
ba4fd4f1e2a0a1256ecf47dcc665cc76

SHA1
65a2a9e48b633511d95fc24698f9f1aa69e0b653

SHA256
fbb82cb7a724a5aa8836289924c57951e7985c84a1e9735c35d61520730591b4

SHA512
fd91883975a5cdf63060cc0f579e93aa15ce062594bf6bd93d9db67fb9a3e08673d86e76fa35fb54a0a69076db0232d6cbcc85679902cadb1e2cfba12514c4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwso.exe
Filesize
247KB

MD5
422f686545758292b17e1ad7c350fc7e

SHA1
341db411f2632c070bd4a3818705d0129c5994a1

SHA256
0100f1db35ac98d3de28c127282ab7cfc61286224a4e6e919402c8c9b86bb91b

SHA512
86ccdc272593bbb748c7beaf13e3dfa9fd588cc0335233168ef0e2c10fe859f326d0434f09435ceed8c414e0e833eec02eb9cba307445400842fe19c0abea512

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUocMAwA.bat
Filesize
4B

MD5
3026dd81c707b99281c30cd39dca16bc

SHA1
06f3883a41d61984d6d194b58716a3c05087defb

SHA256
f4104b68574a7b8ba89ee87d862ccf01a987bb2af0f9069f3c3b4e65d252e5d7

SHA512
499ef07227f52db8db1339d93e29f4736943b1bf895c4fe118175cbf56970cfa36111f531980b7e62b244ad05d232e87678c349f4e44a1b9f0fe51b32020210e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LggEAMIQ.bat
Filesize
4B

MD5
31da05c13e9ddfe0f74e833c916b22ae

SHA1
233515afc23aa8fcf90d5303cf18977b02ea8082

SHA256
896fbda9650c1239784edf9c0431bbf814e39af7e961ec05ddc2f50f9b67ed53

SHA512
8a234c36d73fc4e53dfe985aa49693dcbadf0539acb3a3a047cf2191e95b907b1a9906fe9d56891c31378aae4402f0364c94fc67931ed4462d80d2aaf496a1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LmQEAIIc.bat
Filesize
4B

MD5
6f643f7c4d9048bdf1de39496b5bba2e

SHA1
c2b4992380c45e1ff783cd301c743b0947897be7

SHA256
75fcbe458aae122bf61f9842a60a5a98dea0bec871adc47dd0df3725c8491fbc

SHA512
b11caf9f2e37f2cafe06e8f63ccd4ab7d768048ea7225ee577f4d649b4c9f71da00698be11d79dc7418f17708f68d6c48a171623c55bd2b7b2ce395ecdd311a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMUG.exe
Filesize
247KB

MD5
7dea8c4a059705fe9b955149d6b4eaa7

SHA1
9cda885738c9b986912b44e012f55ff4cd8c7c80

SHA256
6937ee009ce701cf043d38ce74d557acae06c79287b1015512310eb937becdc8

SHA512
098cabc942c9d830c7ac967e4362fadc1ce1fd933726c0d2688a8f9311c88c634854a84af46d516701e57ee9a2dbe8ef4e3175727b3a3c004f3dda7ba3e3d615

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYYo.exe
Filesize
249KB

MD5
cf954077df3343b14d484be30ed7f6d5

SHA1
498f6447ad29bbba4c211c8d50aba1bbbbaff315

SHA256
29d5dbf800538f57b3cc3abfc7fad7654b94a8543218ab7ef6e8745f48157202

SHA512
dd60b0968c415bc896a940554f3248e0a9e3b9b6d4cb265ec140c4ccae272ae8feb1ae138015b13c3ade241d5e95a629e1cb6bdc14f667c2fee78a48ef32e57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MqMQkosA.bat
Filesize
4B

MD5
3f7a02e6faabd974e1158d733f5c1b58

SHA1
2cd285a2fb8d89b75c5359a14112fd4b278f395b

SHA256
439db6e014b052c7b3b91cc99e958493758c01eeb4dca5d3d387df4f295d3d0c

SHA512
fe14dbbaeaf15995a2e0517c2bf3bfacfa917493d10e310c4c8b71c3b068d87af5b36db07947a311c0bfdad5170ea1e1680ce5391779b98b15307478e78ffbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsIO.exe
Filesize
202KB

MD5
dfb7a32f6d489c01a37f96bcb6bb6658

SHA1
65582b8701313e4056a0138e5e88aed8474784b5

SHA256
64667309e37f30813fd007c0d61caf9b24f80745027e4769ba0ca826a160b37f

SHA512
0374034b93c311181842b3bf01f83dc2b2c5625031b9e74da4aa4d9f646f54d5d3ba78ecc7d0b1922f2a6576ccc42087da99e094e7a97f4c8186f7178e5ac040

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsQk.exe
Filesize
247KB

MD5
a3b80c5bc289f3c56614422a330c2ec5

SHA1
a4ede16fb489ac45111fac39b126c1d58cdff49c

SHA256
706de7587eadf4372a105e10bfd610666463573513e480071927d3a4d8498c75

SHA512
b7d31afcec125e47bd73efc0500f03bd02f97587dc8a8a215b55c77b266c803f1e56e1d626acfe3dfecd5ff733f094c416dd8dcb3cc6be62a8999cf651583bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MscW.exe
Filesize
232KB

MD5
4e5003ded2463c0bebf6574271da7715

SHA1
fbc34a19312494e855ed51f22b4f933720818a35

SHA256
045f806ef436010c01ceb1b03ea224891ff19c5ea22e3a6733420bd5ef865e30

SHA512
826b48e77860b4d6a0ff30dd584b9ffc94675eba1e31d8bbec9b75db5f925051f15fbe147146ad9ea9ff0400291ce58214a2b7f90ef255c7267f7cda78fa7b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwUE.exe
Filesize
234KB

MD5
b9401884ed9dc6782a61544e528fb55c

SHA1
b19a161affc7bb87d4bfe8d177e0cca18e23bf5b

SHA256
a6c421e0adcf0e5bb454a5c2c878e051cb91efc4c23532110c1b704c3c457b68

SHA512
94a5897258481f48828777fd0c90adaf0083011d4d42530236c993a8893fe3e45964bc5b0a093448c77dba312f72927fd66ba6cd63931fd795c859e2465cd7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAoY.exe
Filesize
204KB

MD5
eca3ec353acb4ba4ca8f6ac2ce6a4631

SHA1
048b32900ffb922626644677d8448134d10302ff

SHA256
81cf70bde3f617c40a78e6876e2d838522eef1c850ace0ca6e73fa495bc9cb3c

SHA512
47a8bf1677cf84c51a06a833faeddafbe9b8bb3bf14a9085732c0e4f1891628f8791229029bcad2952cb3ba906849bab7f97875410114da323e144f4b111f971

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIkk.exe
Filesize
467KB

MD5
bb426399bcd9448fb4b42736b77be27a

SHA1
77b48d43867a44b42127eac993cbf3f4de6520b6

SHA256
6432199d00ed0a5d51ed00122c7392c1c12ab37d4c76604df858acc461d3970e

SHA512
5db14389fcdb160ec1efd0674233d6482c01b3078d18c84c1c30c289c6658cdd41d296c53b2069247d0edc8c3a14d462818949bcdeaceb01c0084cf20818250d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQEe.exe
Filesize
245KB

MD5
247fed484a733a135ecf47c1a5553af8

SHA1
a3437c8280c245a61143d17eafda4270f17038c4

SHA256
b61773287da625afd45019325f1f3984c731bc6912d495065f34f2ed4ad02792

SHA512
c4b3ec9e11eb171fd65d3f9445e32c46a4688af60ba8f8ebde55e2c405d501b5dd480664bc54daeb97e5955b0a7316ba70f11477b536ffcb3dc140b437192547

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUcEUUAM.bat
Filesize
4B

MD5
85ca6c2a3511620c44a9b15d5892de6e

SHA1
7ca00c7451fec7f0e7bf46440ee091b15a57da81

SHA256
6ed08a229110731a8ed249764321292645bc13f0f617b358dd3786b2d261d95e

SHA512
67af77264965efda78e446199dc0c4b5b8a7255d9b706b4874d3f9395ec7cbe6d4701af1a440707ee817cadf52b23fce4ddbda3259281470e8fd428f16ec98f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUkwgokc.bat
Filesize
4B

MD5
d50b226b6c227421b4aa9b716a728119

SHA1
e59a392e541af929bfdba5e94da4b5f1c4ce5ff6

SHA256
ba9e580b2492f666f5485b90dc47fb02e8ae9ac95df26d8f7487d5e9ca8f728f

SHA512
a878824e7434244c174361e98ea253c112420b5d31dea8f1a25111a663c13d2e6c65f16b072b81fe8947a9f12e259de7b18328b495cdd5dbac3f93bb32866588

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoMU.exe
Filesize
248KB

MD5
358bc73c46f8aba7bc220cd0e4c256fb

SHA1
439f69e355f96f5f0301997f30d6ba061e7a8c83

SHA256
e6b4a6523a381c8dd55b9e2cdec72e6462537e2521f647bc352f59ba02e35310

SHA512
9453597be984e6e12b40935a70fe902b59c5dbb6a90e31e9e24a0394848415c888f6fda4c5b4e8aa4bf7cfbba7116819249d9126ed1496bdc0c0799efebe8269

Download Submit
C:\Users\Admin\AppData\Local\Temp\POsIcEcc.bat
Filesize
4B

MD5
f98cb84d6d0a6a5aae7e90fc93e15bfa

SHA1
e47ef5607fb411e60da22c92c4febd33065af9b0

SHA256
888634d5e9a1f9d3fd5ef308c7d18a9541ac9abc94800fbaa59e2b46d7bcfeca

SHA512
ec7a2b10ac8702068cc789e9c0679ed73b1d865ec4c12b1e24c5ae508677d843e583b71b4762ef57a1d8d3d0a566672985a1ad6766b48f40fe21e79174ed4cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkwAkwEI.bat
Filesize
4B

MD5
e3ee777a8460734d89fe0489c6553cc0

SHA1
45c2d808e9ca2978261fd4c9a02a0cb79223fc81

SHA256
4fc6c8bac945439f70ae95d1c99b5ce4ffa971ef68a7baeb2e7f703d002c8dce

SHA512
745f75c95d3b2f593f121b673eade5292acab65d41541f88e3741e1e539e719ed28322caf5879a6adc1ff0fb63c1a6dcbe7e323f70739cfb5faddb76a59bb025

Download Submit
C:\Users\Admin\AppData\Local\Temp\PowIQQAw.bat
Filesize
4B

MD5
f02fa490c8227f5433a6e92099aec567

SHA1
e6ea2ade7fde541bcdb14bf7d26aa9edd7674314

SHA256
7fc5d71d926c9b8db6eb200bad773d4dac8fcc6ffd220cab52221b734428039e

SHA512
97e16ab23b4748dc48a5f30bcb58eb6af0ee8bac111c798eb780543dddfb9aa00be2f8efb089724d35baa7ac1b8660bfd8cb50120812ab3b2b43fc4ee06c2c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\QCwEgowE.bat
Filesize
4B

MD5
8a9bd7bc7b62a98388a881ee78872a45

SHA1
555284a9ad5cc21d05322ef2f2d26e8144b52733

SHA256
f7b578496094a9d0218ec5324493988e0fa83ca2d4af888142d1d3aae7c004ef

SHA512
4a33dce76765d1092ee297bbfa7b71747763d8dffc9d4bd38573264d46d43afd0f4c349787d21d4ead1986d6fb6a9487b02ce09b4b2e9ef4c49e5bcc803a6e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEoc.exe
Filesize
236KB

MD5
11e041abdc39a8248b205732558e82cf

SHA1
5ae8101513b62414da5224876f9100b0f56e148e

SHA256
56c0668716830cf6c0b9c057645fc2ca39c62bad0f654ab214cd6ee6fe2fa4d7

SHA512
2e6f86cdc9a5344569386c7cb258087794d7e35903e8211a37d11ece3ff8ba15642a76f95896309de84b39b5f33e86de817c719b4e340ab338b558b74f4af977

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIIA.exe
Filesize
718KB

MD5
8a8442b0c56ad8e02b9f6e86dc799456

SHA1
4e78d5c498575f257b78fa663d74d34a4fc0a3d5

SHA256
548d04fda8a2eecc5996feb3dac16ca007d74284398340831b31349f949bf6a7

SHA512
9680a27a185a77970c50a107e2e1daf55fe723590cfcf9f58b69757172d1d035a41db0b1f2faeb8bd2909dfc47e3ed7a48f6fa4933197e04124ee8cc575eab40

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIMU.exe
Filesize
229KB

MD5
f2ea6868d49ccdd3c30815b20391c205

SHA1
2617ceb0cde73945bf75d9b25fbbf463976283ee

SHA256
7683fb68497cf9b2c55df82c5e4bcbb9e2ef72b3641a945d4594ae1ecad2ff67

SHA512
afdf5d0f8941e13cb4d964196b865f433f8983a51dfa9d8215318be4865e9d56537af5a51aa07daa3a76359f9f4c38c3cf114cf901b5e1440b1332bd72aa1f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQMe.exe
Filesize
625KB

MD5
513ef563a23e38dd38c2552ea57d91e3

SHA1
efe506eb4070e6f67f0100723a14f94795eaf6f8

SHA256
b5caac8541ff1c65ebae31a0995d5e38bdf53b8fe1e967cbe7ea4e850b9f3a25

SHA512
981221ffb56a7c77d1f3f9dac3c5058d308f6ce2410620593157c63838eb8661b7c740416f3a60dbcd98d523fbb1b20a43aa2cac0102c8d6d3996e9697b89f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\QiYsgMwY.bat
Filesize
4B

MD5
7084bdc5549b719336d8b394489549d7

SHA1
22ed756f894c185dffcc9c25ecb1fcb5f3d42543

SHA256
ba86af530d5b7f6b9f5607ec7492edc218fbe867d3e68d220c8a887c61dda90e

SHA512
850521ef40cadab5936bbcf99c1941acd30f7b1672c72df33fabe99ac2f67c8f129237caddfdc9f99702e33ae6ed1d14736375f7132d6f8ef89d93c0a90151be

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoQO.exe
Filesize
610KB

MD5
c0740aa8ed908b14d8cd7426d3b0d86b

SHA1
d6e272e264f0884625af5642797ecfe8ba1f9175

SHA256
58afc54472b18f098ef48a4d3c42c3ddeeba8718f971cf4afb8e3794621780a5

SHA512
d3ef95b024708cb923aa469c19807ad862f15dc305120043cc5fffe662a9d036ca7ca7ef4001972eeb542080c742a1bcca6ffc6ee4ef13aa0b3f03928d954f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsES.exe
Filesize
228KB

MD5
47843643fb6fec14ecba220e10038fce

SHA1
8154823ffbfea4eb3b4098eb729fcc18f42d1372

SHA256
256297fa4f35b90f64a43d1ece415de9a63f7677ec81bd3df9dd813c5b604629

SHA512
2f2aaeff19efe07580000357328241466c67ef193f552d6a2cf6f577a4df363ad46b6b22e5daabc5e16ba43383baa443a638a9649af40ef15cacccedba22e903

Download Submit
C:\Users\Admin\AppData\Local\Temp\REMkAYoc.bat
Filesize
4B

MD5
ee22b5f58fdcaa5883b9befa21c01f89

SHA1
6bacecd3d66775c3acff9a2283c9d06973132379

SHA256
8ca0b5f8a90a110525e07a8078da35e7ddc248073f2bab5b845593ec0c129333

SHA512
843e089e5baade1337008b4fc162950b35ec4c0a6587da1aeb75219bca1de79c020f4e40f27fd342d11b0d26e2e0e1d318a95a4156f1fc2caa272bedc7553028

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAIm.exe
Filesize
820KB

MD5
126fa0402e4bed118e6db1153b30ffd9

SHA1
d8c78beff36d93f6283d790ef032532c32dd6d34

SHA256
39d84029f7509d6d1559498495eb42a5c7ccf7a0ad3da2edbfd036552aafe5ce

SHA512
d0b912e1a5c72a6b9923d40f6c8764e4fbc7d7506395e509e00516e6062e5910b3f917d710f8d8d2ed588526e95389093261bd7ba609a6bcb09b23330ea8cea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAUm.exe
Filesize
1.2MB

MD5
76f572bead023546b19a74d95cbbb47a

SHA1
61f943ef5b0406659c5b87b7146c5a8a3e059ae7

SHA256
24b250607851a944a1763e438a6f189087cc22ecff86b635dac20234684311b5

SHA512
90de6e8a763a34b2ce5134fad53f3a73ec778e74539ea85af71d758d4b683de8cdeb6540631acd1efaffac489ae4a9e33789e0ce704ee0d1e5a10b9dcc0dd0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAkUwQoA.bat
Filesize
4B

MD5
8ae64a427ad0272f8c90715444266dfc

SHA1
fe5ceccb0ced2f90fb60e077fba2e077148ac96a

SHA256
1a2b07faaa97814a4738f5eced7d0e203c3e9862e3b3d80631aa9a49170cd8b1

SHA512
f13d732a6eb473588a5f8c185689c0447f22f7dd07e12296b3927ee674756b5b455688e90b213cf72270c96365c57e1a3c25e25ca29863b378adde2fdd433409

Download Submit
C:\Users\Admin\AppData\Local\Temp\SCYMossE.bat
Filesize
4B

MD5
c8507184d540e61d30c4f4ed43ded50a

SHA1
88a442d55728eee7b87e5be84ae7473e6976627c

SHA256
0f9846dc8c05ae8fd32029ffeaebc52f6c42a513720e1f9a838b965a457b3516

SHA512
b7b36ea9c3e1b88e7559810494aab0bc431fb8987c146ac9a38d5020cc1c00e7d19783c9df46e542a863db6f31be2560892258ff248c4fa4cb548e175c084a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYo.exe
Filesize
241KB

MD5
24ab42bc567f9f4eba90d263ebd26876

SHA1
19be419022d1187dc40d1dc1022a40a9e8433561

SHA256
9c2037d4adfe5cac20da64030fe463139d07057af7a84283ef1771085bfbe6ab

SHA512
1ffa9245866aa7434267f745aa49f14290057c345fce159fdd8c615d101d6722da5d5b06a417ec27817cca6ea30f20bf4cea50f36efc1e56980528d69f5cb29e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIIU.exe
Filesize
228KB

MD5
c6f86a0bf4190a15c63e3e34abbcd5a3

SHA1
9b7fe51af4f3325da78bd9a4676894190661dc56

SHA256
0d0a5f8a67a5bc69265c366358ff8f578c3326416c194bf5c2d37ef6ef999949

SHA512
69102fb9cb4057fbf9afd3f50bd853b48ae25a6e5f36cb6f756238570430dae05eb8f6fc55bcef00c7b35965092814114a28551741848d10e28f67c5fd595a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEK.exe
Filesize
230KB

MD5
dc4139fadb90663625ab7a7da1e7ba8f

SHA1
9cf1457acf50dd0beb80f833867604c6796a5d1a

SHA256
399286f924d844410fd3c8ba150f7c664910faac495dc12cc96423b8a28cea8c

SHA512
052b862a5a88d0eaeae5f9e124ff9b8273dfff89347c36bdcdada24fb1ae14aecc2f215840a527b766cac43960af1e73d496b1da57cbb049629415e8a313967a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSsEYIAw.bat
Filesize
4B

MD5
215178319e3113d8b266d6aa4278acc9

SHA1
df6f098055599b8fc0d622d023d449fadbc1508e

SHA256
56629a0d2658c87fa265086e7cc2d3c06156e0c7629aae12fed4f87fae388c09

SHA512
27bf6ab2f088891fe5dd2b67c3a112860f1965fef0d8ef5e4413c16d0fc38499ba3694c2f82213aca5d02e67f0c3ce40cb8bd662268286728f9b88c3e77110aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgAS.exe
Filesize
357KB

MD5
9edad3978b29bcfabd905bc48c70eecb

SHA1
e51750544ccbebbc97faf28fb4cf33ef17a5e7c3

SHA256
dbfec93e364f860a93f7c77d1de2f4ce835b40faa3471b985d9bf868f8d9312d

SHA512
349769b8ad2f6fc37faa48f7b0c422272751d35af6ce3d399d1ee70c9d7c15539201ba8d809a09d63ef75f7dc5baf9eb869bec28c4b2517af9233c1b810e2aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgYgwwYc.bat
Filesize
4B

MD5
cca4fb9558bf95a4cb70212aeb3f928b

SHA1
d15a958596bb15c995a0df6feb9d3d23eb62c1c2

SHA256
2564432389a3a865bd1937ab17300cbc97e57e9810c2e26a948717ab9535dd71

SHA512
db6a4f9ab8a0481871ec6df70c188acfd5e0635a52ecbef4507e34b85ed7e9e5629e4123abed5bf5c2900937ba8e0a76d6f733cc0c4eca29e1f6404e4142c0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkEE.exe
Filesize
243KB

MD5
e7b9adf74fb5374aef1c40a494ebd9a8

SHA1
5c7d9134367ae4b192ad0c5d6380437e23fd0dc6

SHA256
68e6d25c98a2567a16cada53866f49679b748f3a60dcf4136681943db32ff836

SHA512
45728a8ca5f74616b6e0218edc550e9d1dc2e60935e0bd4a6ec6f09e8f0e30727b095230176f1177bb1e38f69af762f93b7bdd6f40e960335a9a15c84dbf42b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soko.exe
Filesize
197KB

MD5
e17512d5befe4ea604822c7bfebf087b

SHA1
84e9e2212bc1498f5a1fe5f29c8674431bfadfac

SHA256
03679c19afe195528478ace0a8b875abd3ea830bfd4d2f0e7fe777a108c512d4

SHA512
bf74f19004a49fdb567b71df7d7718500ff3793de6a52ad218cf046b6521a7dd4638c8035b9b9f29de4e4add03bae731339c1d96dbeaa9353cb327e49442017b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqkgAIsM.bat
Filesize
4B

MD5
7cc78f464c5e5bba8295ba0a2d88eda7

SHA1
766ab2eecd530f770b85b3d0cd644cd974fa655f

SHA256
85ceca615eeb6e0150e28cda568e195d67b893bd45916b971cdf07204e6d66e8

SHA512
e7abb250acb47d90f8082caaf03d3a85d7a5e94053c9beeb94b8b83b6a65aa9450315e914b75998ec9baec3d865eb214137aabc9ff13b1d4bd1ff04a2d0829a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwMkIEkU.bat
Filesize
4B

MD5
c2c1f16a1d56834816bd5cd11196ba55

SHA1
176030c19f77e9acb0996309b26cd00b6c7a5e89

SHA256
590d90f715c9b766f35c07d755f4849aafa5fe62230c7085a84d24e4932e2320

SHA512
173e1c60e013017ce591b12c7fad3ff9f9c4fb42ec761687685334a72d3013147d43f0ad208b1bd881259882cd915a40610fee4d19dcf52c958e03126a5995df

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMAUkQco.bat
Filesize
4B

MD5
bf7d051279bfa8280e5bcd29106b82d2

SHA1
8f35beeee7dd739fb4edafcd9568c92b1cbf3b6c

SHA256
794b0389446f1a3232cd13a3feedd31d61aa8912e0bf81732ac7ced7fe7b7bcb

SHA512
cc9f1ef79f028f3f9c981baf4de7ba64c17b0f962cb0cec482d7cd5dc6f8c11d538e13aafa2f4aa1ca57957532b140575733061b4e8e35dccae844112c370725

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSAAkowc.bat
Filesize
4B

MD5
a20c50ecd98087db62093b2b63598d17

SHA1
1666c6f3aa34aa4bb00e0641c56bb29cf872ae6d

SHA256
9f00d7680a1b5957c141e49b3251985338edbc6da71468bab6cb08dec7fa720f

SHA512
4db4c2b5bc6369bd12c17bd021bcae807d2c37a009103e825a7919b9af982ca53dd1c6e6aca9625673f49cbb748a70d7b37bb5466324f6ad8b7f999d0905d8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaswUwco.bat
Filesize
4B

MD5
d72b97d918f12d21ca7c9fe03f42227d

SHA1
85b68fa2f417471ae6387f007d697270e4949eea

SHA256
b7741f6a12ea9628796b9d95047c69100a111767cf8ec57bd96bbdf147718ff3

SHA512
fe2da5ff55b11bd58785c526948356472c5fb957f4bff5bd784b2cde5be54358eacc69b211144fb949087f21bc1833e59145d8d3cbae74d246fb18cca1f9048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkUQswcc.bat
Filesize
4B

MD5
bbf9146e160c364dc611ef76775e3802

SHA1
7d47e28c697b03c40ba748aa607a784578ab55cd

SHA256
8dd2d75df3ae08331dd598a16b0bdd16968eb2152b64ae9d8a9e6d21b209a5d2

SHA512
9b9479f0faee0700bed7a501f17330ec219b7b14e262318c77a832f8f3c694ed765670a88c7c1d42ea1f920d100f374983a94b03155960a1b06ce7601a7b0ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGYkkcQA.bat
Filesize
4B

MD5
4e1d1c78b29e99c47f3224269d5fbb9c

SHA1
ce59cf2abf428bf7700d54d80013331d07f72bb9

SHA256
fef65cc901946e10dc058ee9234d89d0f3fceda4f441d48df5a528bed3ffe1f9

SHA512
eaf4a0c7bb34d1b68b19c4abfd85b87fa7b5694826e0df03f83fac8dec89d73832d8e2d5dd3e641e80511d6c8fde6bd8f037ffdbdbd669bf0bc831f3dff234ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUIy.exe
Filesize
204KB

MD5
cd697463a73759119e857d0032b63dca

SHA1
195bd123dad7abe3d7501ef701f7b7a359ffd9cb

SHA256
4d3a0882a7b94ab3f99de64c86b20f7033d9a16986f08b86a1a09ef8c3bb0692

SHA512
90398ab41310ecb64ed875df25293df3cac74b749dab743909040db2f8c3604cb85a80d57b386e36b937e09354c6f387a7a4aa0fbea36334c5a7e2655f1dac40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucgk.exe
Filesize
695KB

MD5
bfdcb0c092d0d476cf281018b285ec4b

SHA1
c1e737e8775554deb2691c54b41a94a95825459f

SHA256
2712a0fc9446bfc5cb50457baff9c0d6498054941d60610bd7c05a9cc10cd3e8

SHA512
a2d9ea0b97ea5e6091019fec7ab18829dc676eb2f4c5e132f43229ee69b63328e05943096e58dc8628321e7f7d04d1cccf38fdef6976c51d3b089a3bdb7275f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcwW.exe
Filesize
205KB

MD5
febc98934066914c5b6facbb63183dbf

SHA1
58fa1cd90ca07b604acee4807cf710fb2bac0e53

SHA256
2d613ef07fc3066ec1d48c13ae009d777a5e6e3b4d8ee563b453db72c08237a3

SHA512
9018fca8af6b47209cab7f00515c8f9f1d39bbfc305738988c45296d4652f9a8fa53318573ed18c432527c24fe29ffcfc44cb9c63c460bbe2f2596ac025c3a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgEI.exe
Filesize
228KB

MD5
2d5b7e1acb5df35b23ecb2ebffb28f7d

SHA1
917c32c607bd8510c24be68b600e11814d193e8c

SHA256
d53d20109535e679dae4429b7d3725b2069e540efd44ba9de2cc0aa2b29b3dcf

SHA512
916bbcdde68665466a95bb60458bbf456ea4a1bff3890729b442b5840522bf68de08672575b1029e5e765348c666d1cc88c3ec5e840d7b49eeb0a9a8e2f46020

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkQm.exe
Filesize
498KB

MD5
ca5c29d6e7b63483bd6ffc47977b653e

SHA1
5605a72d1a2fb20c5b69f67efb3fda91a8590c75

SHA256
96cf4579c098afe75aafb0b11b3eb9598f3db08dacaa8001641d2f20c7a2b188

SHA512
27648f1eea479e99c413916fbab819ff260861647e9c0586d1428d0625dd7f1dd8d521278eabe5ff6e9668b21ef11ca33bb1313969bb552ea69c220bc4eef6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UksU.exe
Filesize
966KB

MD5
497fe0b275bd9d0f172e5fa9aac82913

SHA1
99e622d7a8dd14399bdaae0546ae5d26799e8ddf

SHA256
2f65113aae794d53b7c09f0f138fec8b9fd6c117663fad8ef38116e665e8f732

SHA512
be760cad52a832b064c49383576df3b6c6fc64f8c3c749fbda84d38c375b862786b7125dfcd14dc13f4a2a9a110863b183585930a359b5595dac2868871acaa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwgu.exe
Filesize
201KB

MD5
f508f1e5528c92a9f4af52e42622a3ee

SHA1
489e286dfa230cafc35cd3b4fc95b4a5b32be35a

SHA256
3b8b0be3a3e080ae62b687173a1d2754aa158ae28ed8fce59576f9e78523568b

SHA512
03c5e7d99d0e8da8161e04c25c73fd123773a7a982996ac669593ffc0f1811a12063854519c96b24b2cf626535650879006497956a9ef55976bcb80686cdf21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEce.exe
Filesize
235KB

MD5
c07515e81a9199e1d28b8eead07d48d6

SHA1
067ca609eb36182b65a32c8751dd05652a05a684

SHA256
ce9e263b97df52092a0b657139132c8a2bba15995a4c10ddc3228a9610aac3cd

SHA512
f912d6904f899898e7e8f1e8edaf2e3b4b00cbfb7c09480ed03b62b0d07f762b9f559bb8f1dd46d97338e9dd2186e1b73f18151a986f0d84bf98d34757066a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEgEkgkA.bat
Filesize
4B

MD5
980dbe192a8349f96c3f3cf02894cc8d

SHA1
e8398f874b1e138b388904640a8bd356482c06a0

SHA256
8119fb61bba627a1e16cd5684b1f30c18f712b40cab7f252bd84bd962d9188ba

SHA512
c4d2fe8a88b63d83f7e1ddcfd026166075e227ee70f53d50385195a48ab1cc8898b6bd4d698f1b38c9ac7d480c0d32290821d9dd903897ac9521187a61a165e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEsA.exe
Filesize
208KB

MD5
1cc244ee0ef9d1099cbf837ec579d149

SHA1
4ac179799bf3ececf2af433dfbf489c6b25d3ace

SHA256
d4007c4f2e9449a4dfec591c5fab3a875566f6879be76fca411b821f3f98ea4b

SHA512
3184cc58c157902f4fe0873e926abf411cc9c593b7131688008ca5f9fd89bdce23ca142d3e03ddd411e1a104f02b2c0541c9236811faf3b7d4407ad9d2b8beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMEw.ico
Filesize
4KB

MD5
97ff638c39767356fc81ae9ba75057e8

SHA1
92e201c9a4dc807643402f646cbb7e4433b7d713

SHA256
9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093

SHA512
167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUsI.exe
Filesize
241KB

MD5
b4470ada2b104a0d85afda809979b1be

SHA1
b464869f52f14410c65b33def671757692e8f4cf

SHA256
742d2dc4f9cf3e4f57f6b2b7e37759713763c7315a1aa7f247dedb79585711d2

SHA512
96a7545a4866161dd061b9905d87377edebb35c959d38cbb4262f8646ab5763a4c92bd58f358a0eeccace8775ba45faa8b30bcf6c8b8eeae240aa4ed5a312a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwIs.exe
Filesize
221KB

MD5
a22126455b923b5480e822484c0f0785

SHA1
6eeb26368e58f293687f5f8c50b621ed51ff2bc2

SHA256
3fa891bf7054db6822ae484d595cdd128352c00bf703cc12ffd23e467969e557

SHA512
2a109273d22e5bd0824f523f282f08ad6f404fabf2cbbe2404b5b51fed568e8a090ff2076da8698259bd6832b6261e2b2dd0f02118fe85471581fa53fbe0892e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKgUAwco.bat
Filesize
4B

MD5
aef6dde5dfc4932700c45decffda8755

SHA1
4b885c79f0cdf7fad633d27d294113a96b40feef

SHA256
add1df4ba17ba795cb3e1b14e48c557a2ad873af578807001938fc685a7dab56

SHA512
91f921b1459888941d6163f9deeb7e073cc5ae88a20b8f233c750c371abf106467b13392af95add2e9c8c2f3765e95e4bc5d5b5a15cfdbb253c9890c96764c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMUYQcss.bat
Filesize
4B

MD5
f7a4988f1fe14fca5db5081cdd4eee1b

SHA1
2481ea3ff92a026f0376e9d20efc1e8b06fbc6a2

SHA256
f608809f1728c007baed1b69a6194cf1711045056f1499cc3b6e3136523f52ed

SHA512
bca7f0af03b0062364a1c1fcbd27a27b40a9b6d94a4832827fb37c4d168c5497fb189a4c9a906e8d03901a95511141eb8c89feaf8b3fcdb813d43bcc7d638436

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQoUwAsU.bat
Filesize
4B

MD5
1fa1ec65c69d20a4b6523fd703905d6d

SHA1
078bbaaf65c6bcb94fefd292bc546b7cadf8d652

SHA256
b12497c7e4346febbb758be840feaac58a1e516c4f288b5267a4a47584d64b22

SHA512
173c3da5acb5249620d5f3bc187beecb046c5d5b1a47f6abfd9e131586ebd240d3267f87b94812716ca4428eb0f14bcabfcdc4c431a98a6fa994dfc8e49f3c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUUMkkcc.bat
Filesize
4B

MD5
dd3f300ff112d806a1704e3ea5aad10a

SHA1
c85ceec845978e541ce3cc17759eb7753a6e6170

SHA256
dd8c5cfafad8c3e1cb8a24536cd3f6d7657c384551b9ab227b9f6b7268ff5518

SHA512
3a6065987bca4913ce0e3a71f02eb72b4fe6acb2ee7c3b3283a98f4f2540ec5eeaa49f6ba4214ab4f177713ce4b120275c41e784b30b2e7cc4c1709ef3e795e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XewwMwMA.bat
Filesize
4B

MD5
e1d5e65a44fe53f1c63234766977f40a

SHA1
7cfcc4021d52736d0dd7fa2f643ddf1215c07ced

SHA256
62776828004edd17bc07f443d842a03be8dbbfed8a2d9205d1d3ab86c0555d60

SHA512
1162388550691d0a6f9b11bfcdad619bec54f1543f8b0560b0bd1da53521633c133482914582f24c10af125f2fa6152f79001acb1a2900961c95fe151869c238

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMsW.exe
Filesize
8.2MB

MD5
51b50715101fa2d18b28a52b2240273d

SHA1
bea604906fb0edc4fb460939849ff345ee7ccb34

SHA256
00db884e3d86585258bbb0dd7f1660814e5e5f9b7594a84a4c944c5dbf624ec9

SHA512
63c22279183ffdae473ac8f0352012d83695d077364e4f5425661434a911154a6a46f4791962263465f543dc6d333f16a3894cb90a23b8f7fb98a3c6c94dd888

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYMg.exe
Filesize
198KB

MD5
f4e5a1f701a70d0d7c878c3a612992bd

SHA1
c9be3b2a9cd48ae29619ba037be2f593704e7b56

SHA256
8b4e6edf33c1a84bd065587261b2f1441da48ea8374d11bd217d4a854d06c4f3

SHA512
17a503c7fa338644df740b35219cb53d202d22fe17d5229d740e0195ed2182c352f3ef8c6f66f16d4df9d70871d6a007d1a68ef4d99cf98532aeacbf38fd267d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYcswkgM.bat
Filesize
4B

MD5
32642201393edfd0d7ecf03297ff056c

SHA1
5589941d4eaf5c2898904190dc62e19784add4e5

SHA256
63fae90460dba4c02b2f626c683592417aed0fb909229a996273a9b2c8b1e037

SHA512
0a5e8490db10a1bad74f229a9599590b3724fa6cbcdc6ba68f5fdb19bf0d2434edb26aed78acd982f5401f2aefc811a845e1b2e2f575e111b8cbbb0541e9fe0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYks.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YawEcYgc.bat
Filesize
4B

MD5
377ca411a1bdc9165abbec9611b54d6b

SHA1
2beeb80ea11c5256bc0b884655aaf11fd6d3c4d3

SHA256
dbc65a923b236fbeb0cdd7b14a1da8d73c01bb9b958dd1ed74660d0d960e9923

SHA512
4c9dbfeae7bd8448451cb1b9c41948845bf9fb58402892bfd5df8a58589c675d274d1ca592687909a22e78a277b843647aea59f21db974535fd23fe3b369bd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YooA.exe
Filesize
244KB

MD5
ec7b30332397252ee81bb4744d6c35b5

SHA1
31a05e7a6db700bddaa91b76960db6a13424d249

SHA256
b3f4f5d59fa664b64d467f096eb5976ea7acccdf73c8e0fa784dfd38154f069d

SHA512
08f1ce7fa9b15ecba1428d4e5dce5347f5d444b43de246c0aa3c9386da91f753111f6b517fae3326afae72e9ce663b674e511756e6fca1dbed1f1f93ffeac016

Download Submit
C:\Users\Admin\AppData\Local\Temp\YssS.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwEoUsEw.bat
Filesize
4B

MD5
2d9eda522f71978928b9e86e783ee2fb

SHA1
472a413a12983b632d2fcbfa62b066c382764780

SHA256
d244c76df8d10805db05417b46f479764c2414a59d83e3360578556744dd4b8d

SHA512
c02ed77e9e39a0ccd1f947f044cdfd12f0f72a8152bd63bda5003c62ad92cb7a12ba11d8c72d66ed30c8eeb6571547c1829fb9442584ff64a000bc2d21d73ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwUq.exe
Filesize
232KB

MD5
c50a56d140b5712b01002764b756154c

SHA1
a7c5a4f6b2b07da3a9e84eb6b38d680381a22628

SHA256
ec025336636cf285aab62d0ae25d1f6bf68e2c9a6661151a3076a5c36c6bf85d

SHA512
e916911543591a08ec357c0efa3b946eb8f12075785ff18f35a0d07294e126cc678901f42df5440be86d38078e00adb224a71e67eb57bf3a988415ea47fd31c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOsUwAoQ.bat
Filesize
4B

MD5
f82e80e53174c22feb0a153abc08dd80

SHA1
e10311cd1346fa9e040402ecb1a6b82941def385

SHA256
663de0ed18834ffa15636d9682015606f5d1c90c57515dc38b0e2a2773c36f30

SHA512
15944c84f51d5ca82d9b1d3b5e02db404d4bbe5070cf0e5acecd0727f4f26483e55a9fe060921ae1d1bbd46eb3000caa8fdaf9ced1428b8c1bc06e8aa09e41b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSwsAoQI.bat
Filesize
4B

MD5
efd059602be4b2e6937947c14904cdb1

SHA1
95594be841ad7e8e554c0c502a948d16062fd670

SHA256
ea770dbf97b30b261ee00b1ddcb37b64f56f58cba22835584482234d27e3132e

SHA512
b27908434cac395d8ec104b07a55f2330f57ed8bd808c86c6940cb88d27754ddbce188a7bfc692c9f2529d31519646db677797650d322452ccf3522934b4391a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUcgokoo.bat
Filesize
4B

MD5
ddd20a66ca7ca22fe75c35bf879b9bdf

SHA1
ede98d84d6610e8e7a0637da0398dab1b67dd758

SHA256
b581d6d9ae71b454b41291200f940432f8866447ccdec93f1f8ecd1ad07e7b27

SHA512
94ad438d3efd3d9534305a8dcb7433d226b005d419a37c120598b5e6a14356804b2c8e13766e92bdd64c0b7ec76de54e0dd17492300b619cde02530444dbe9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEoW.exe
Filesize
241KB

MD5
b0677c9105c5625f811fe42301e3ca3c

SHA1
18fcad27e3d8915af8331cfcc27fec7a14f18ef7

SHA256
b2c60e49c56526f5cb818edf7fbc6da773bdf74fc94dd8fcf2a92a2b2a0d0763

SHA512
b8ab1859c25e68034dac4105d61d1a302ec5f7c6b8a376fb3687d4b40ccfab3c01416e20217ceb4e67e479910d88e6c8ccc3fdae183a65f5d3763266affa88b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMcw.exe
Filesize
251KB

MD5
09114e7288e3dd1f4fea8378e5f04520

SHA1
5ceb5422abc3b28fe85f4f5030cad38a6d094674

SHA256
aedb23f9dc12885ceeb7a1406a14bba086c1455c89662e86e0397db8f1efeddf

SHA512
0d83728ff49ee84a7532504aeae2f0bf5372d52bc078844a7a92438a89a99dfa3d1982f9b176a4eb0a289af027f1f76ceaf6cc4d49e5670fe437bf2ac151517b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQYW.exe
Filesize
237KB

MD5
3fd791a5b40cd4c2806b993c92a37fdd

SHA1
523cb0225be62018774313af67d28a7adf399261

SHA256
5cc0233dec16610fb7920c96f673b0fb089e50ddddda1acfbeeb7b9fb294077c

SHA512
9bec66ec228ee4810ef6b9dcd1058bf1e1c77a4c1e57549de61da93235e9b9125cf8e81656e877bc7e53d54d96bba35847621361bd867d7884325a23ac4065fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUos.exe
Filesize
939KB

MD5
f8351c4a339a675872da449c39bd7408

SHA1
a884f8e6b6f4c8bb7061962648206a43c285a902

SHA256
c7b653eeb17651d90197ff6825a5b24d71533dff03ab8d61763427956c65ffe2

SHA512
dfe044b8aa52ed65956f40666099afac431dc2b419af5960c751578d14e527766cac5d429accb493b15e7ba91cbc06ede33f57e4924cbddabf31b23c870a1e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\agwEgsEA.bat
Filesize
4B

MD5
da731378a12953abe9568918d7f66381

SHA1
9d833cd04789b7aff54418aed26b16892ccbdbbd

SHA256
161f236c2661cfc68dbd875554e0ddc2087087f2a557f52d859fb0519d30d7a3

SHA512
af1aa02115d300a4576f664afae464ea0c3b04522b456421f132f8ee2ab7e28ff74b0bd6897a6837477a96f517388ec0b0f72d254d28bfa654da233093d569c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\akEo.exe
Filesize
249KB

MD5
f115864a8ce2382d4f73a7ca4adae039

SHA1
aa534bfd5498ca6c5e9462fac7d73b53b631cd7d

SHA256
310b8ca456c1336d0c1e9edb68b1bf75bdba36cb0771aee2492a8d6f6b0a3988

SHA512
282ade8d1ac37528e6b333c7c128ccb52f3d85c3a8029b86fc380c76c382d05f56e19d89cf134fe4ce9442d648128930d5f8b0534d99e43a9af30b6fc20628e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqMAIsUc.bat
Filesize
4B

MD5
92dc0fb92f186a5ba6d713271012b3d9

SHA1
5e89cf1783d1564e26e344f9e5c53ebdd2999664

SHA256
3bd8ff5980bd8633080e2af31373b6d20a7f6f7302a848649f5bc192c96f0596

SHA512
2811251ab890dcde959a53ab19142eac75eb380ece61185ad716ecd34b97a70bed3283fa698893e2b58494a4d2c3e396d364ef3bc83fee1db9b406295c14817e

Download Submit
C:\Users\Admin\AppData\Local\Temp\awEW.exe
Filesize
315KB

MD5
58449dbd2f3c09a56382d7f354db956d

SHA1
8f4548c9582fdb998f3628fc636440dd955110c2

SHA256
a36399fda733a507ad1f1a578903eaf9b2ec4eaed1675934718185a15cec65de

SHA512
0ea761b0a75c8494a16bc16bfe64a4302177bab4242ce830619a45ca305e3db0d63235812dd9fef28d6f5991fcd44bdb086682bc866ab727ee43cdcc558e5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqQMQwAg.bat
Filesize
4B

MD5
d94c3f73147f43724200845f9ffe8f3b

SHA1
4532b6e25a22611f5b0bb4b1233b920131d9844c

SHA256
8106f1b014a56671eed0f6b886ab1a4a8c7a0b881b69c74106cfac9215944107

SHA512
7e137b20bb8e18a94c7306e87476bcab56f09c94ee7c9231fdfce1767cdd3c9d7db773101da41588e07ddca112b704a49a5af208316ca4340a6c9dfab1a9c227

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAgI.exe
Filesize
239KB

MD5
46995d16b1e1eba18d5ae80d43543c20

SHA1
8d9a5c9b051ad0d3636a756d91b03d756fc05634

SHA256
d83d60f8efc716ba048099b1648f34a594a771e01613e7ef0343bc259f556132

SHA512
137180044be1c5f2028d2db481788b8ade6b011296a2234abc97f10c13b1dcba3f2e479b0a420b1b401a7b012a01a80d6306219dac4cfd1c2e17cc85cd12d5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYkO.exe
Filesize
782KB

MD5
dfc52fbd3c62f2ae4e3e0e956516fee5

SHA1
46cc8de96fb708d397a0d50d9e81a547874195da

SHA256
7c5ed10beb6059789ec600a1cb890ea41b0ead0f94f2c3a33ced11e70a1ffba4

SHA512
ffd98f5f2320fb58f3072c28cc6bcd188a26a6421117769c40c2a9f9361f53e1a0fc6e3f7ab5bd9f0fbd00e23400b6affacdf6f3ad7979a6946f0dedbd53dc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\coAy.exe
Filesize
837KB

MD5
d1c3c4a01b62f4e9b89ba719af239941

SHA1
c1adda22345d912eb670386f63b9b425b17655be

SHA256
aa2533d4c609f53e6637f82742ac0d0313779fd3378b69c8502892fe571b1fa9

SHA512
5fc634f5c8a9e950e48f72fe429a0e5f28c56fb51146289f30b3475ed4393e46f9b21dd6870655eeaeb5140b7024983d751f128762ef12551c13f5948684c87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cosG.exe
Filesize
653KB

MD5
18b4773f3282e609bc8c487b01117099

SHA1
9d8223693877dc0bb794b4cfe95ea7c77187fc68

SHA256
e577e56af4db82d9f587f875aa97c6efcc8f01a28f0fee2bd5dcef4e7bdad626

SHA512
44300e8f4cc7fedc2c4d80e7dd37cc4e9ba64916f1a0916196e31adebd661343204fa10df86df3b87c50841a8af54c0efa01fa374cc4ca03ac28be97aa716761

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAcIEQIg.bat
Filesize
4B

MD5
a63236ce4c2e36f3f3886c4a61ba6b84

SHA1
fac25064748467b508bad8f6c7ebbcce7da5c811

SHA256
48723e7e19c23395d6c018b09e3386725b9b4cd204b06ac49a20e09dbba1e001

SHA512
22a7c1cc5f594a08d067274f91d2855ddf02e6d1df783a9047a343623281339baef5d99117dabe22f353878cf9acfc50f3ffdad10474cb0db866d228c941bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEQEAoMs.bat
Filesize
4B

MD5
8027eec5f592d08b8f9ed7a656e9c648

SHA1
358f7c7c1522f1ce20cd043ccdc835120d1f1fe0

SHA256
863768c0d69edf7aa4ea8ff3f99b5a24ffbecdc27faf0917ceafddede7b15370

SHA512
e0fff1a68a85dbbfa0ec82358c95cc48d55b25c09c1b82687c7c8a4589009350e25d929b5c52ebbbfeb3e0bce74b3101569fde246aea4e8765e036295884f363

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMwi.exe
Filesize
197KB

MD5
42e15334cec96ba921bd9e422763c3b7

SHA1
a080030190ee608fd4494cbc7d54c273be8756cc

SHA256
2cf8c04bfc37852729f973ade033cf623ef9e516d3562d0084f7dcec2737c242

SHA512
e186ea3e8de3b207327ab99f39ef5112abc9d2d1c6c8e5112aaaf48d99157ac29d68167ccea7ef083baf52a1e9b8a07eca63d599dabf97a3a11b304d22ba62f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\egww.exe
Filesize
245KB

MD5
65ea4f8b7b1fed3643be6fb0d5ac6459

SHA1
fd53c3ab3f9fc24e200bd57d1e3c5989c496624a

SHA256
3e879164faaa20aab93469ae490b4f1b1147a011276112eec37a5ae452527c00

SHA512
e9022ac9b79b03448d1ec27d0c85889c0eb67eca4787c3dd015fbbad0f9c0efe9be9b7d471f0933cf7e8422587b5656482183be9e1fa9ff719643746fdc7b605

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewwa.exe
Filesize
204KB

MD5
8bd05518084a48aa9474f4f516091668

SHA1
50a8707c60988bffff493e5533ffce15b7a670a1

SHA256
da9604e6a790de14bb83bb25b6dac52306ddc6fe004a4eab772535c1c202f4ec

SHA512
9a4e3b0ddbe08b586ec4049c88d87fc486462d1ceeecb38e3b8e22981dd996f0f0bdaba1af72c526d2f6d0321e3db9b0586b54933a802c03ce249d32496e63c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOcIcIYI.bat
Filesize
4B

MD5
47d38b1b7653b3397e2935f58591cc7c

SHA1
b38917995d6074b3ffc79bc7b8320b1a8e68edcd

SHA256
06e40e6e2e37108aa8be90abb09be85795a1b0ebce9d02cb6219463801a59c64

SHA512
62cb340d18ca55cb91e49806f973fb51a5dd0baa3a76a71bcc8f089d165bf2711d970edc064375f028075553c3bf01a430992011b83abe0dfecf27b0bd609019

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAoa.exe
Filesize
251KB

MD5
dd6e30513cf0f0ffa4aefd3f278c734a

SHA1
e1e680cc70510ce1d6abd65c7cb7fc4a49c8d868

SHA256
f3feaffc979fcf06b340db767e71abc89fe2830b18dda76e2981482004613c5c

SHA512
fdeee0e4b14f14e04bb0e074ca37319cda7d0320388c8f25b040120e405e457f6c92caa55eab9364e1df6e04988f17580c036ff591f9b1cf0a8b2b95c1ba8404

Download Submit
C:\Users\Admin\AppData\Local\Temp\gOgQIgwM.bat
Filesize
4B

MD5
911dbd25dd3594d32c85fa91c918de2b

SHA1
af37aa907ea3ea37e516544e36cd506e7f03bd16

SHA256
b569d998b1d60675274ebce02a95a0b78e63bbc1317e2cd536a494afa4cf9be8

SHA512
fe39cbbbdb0078b586a5f5e0e58e4805a97a164ab57f7607027e12ee2494bd4d22f1e860f5046490faefbc35bbb6b3a42b7144cbb3fc86dd9849cad4cfdf5d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQwQYUkI.bat
Filesize
4B

MD5
60729a5f59187aa88058f4a5260f837f

SHA1
dd4360ed50a05ba17fc0d7ddc27bf0b100e521e8

SHA256
fdc93024824cdd88f4e543b01c409a1037e5f5fc7201719a7dfdce21867b16cc

SHA512
ad0f0fef2e059c833a0c39b83f5356d1295e680fb4b96218aa9441a4b8809354137640a24d8bf75419d022e9e6208ca51cfdb9ab80c96205bb4ec16d79a8d2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\goMkogEI.bat
Filesize
4B

MD5
a5c245de25f8cb5231c8320cbbea07ca

SHA1
1e8c2ffab8d10b9f428988325e4787698274a65f

SHA256
964bcc6a56f757a77b79e8688b6f0ad018fb8a8e15a4c9a1513df934859e0b8a

SHA512
c8a6d521ec66db69b770c2fa00465a5a7f4f488a84fcf126bc5b8dc4fa1596930e72447e030af1da2ab5f8aa29a89ee2987d115d96de0a7519cc255b3113be3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gowq.exe
Filesize
242KB

MD5
3baef36c92c22b07a51b3a8c4a04ad4d

SHA1
0e91572e71ff1965e7998652daaca9c8ac5679df

SHA256
55d7b775661bbaa7bb93f3e8c5a621abce074ac795dca1392584b92777f72263

SHA512
95c7d3fc07d40a122c6a433aa344d3ea850d37fd650521ee8a3896f261c87d651a908423a1646172670e38b5f8337d3724fb6a0e4b16fd8340ab2fabf809b1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwsksccM.bat
Filesize
4B

MD5
24c943c18f42e2ecadd4da7424fe20b9

SHA1
eae11e089a39e2fdd5faf7f216adc4b45fbc5154

SHA256
5d86c407e53e2eac5a6de6dbacd5efc850333840a180ff6e1eefc15539582a1f

SHA512
7587a687b6c1238c68a09bb0bfd4e10f3b666fa082fd63115c670a9e572ddc2926dcaa9a524c28dee11785913577d18aa8fe9b54fbc9677091af99bda582cb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hSEAkEwM.bat
Filesize
4B

MD5
02d4e940d828c3c88e0fd7e109d66e0a

SHA1
c1893b8b552a4d7fdfb4f51f0b65cf0132b7d49d

SHA256
f54657083ed0456ee6e8f533a445e8cf9b7ac0937a4080138f9eafb888a7a46f

SHA512
5830e06d18f75b42ca9d58850d77e7b569bd6e1f0fe28072b46d82ac41f798b26b3c7a99fc89a8ce61937e90500725c2188d94c83f4db7ecfaff8e4cee3105f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYUocUYY.bat
Filesize
4B

MD5
86e32c53bfad4d45c3787ad1801b02a5

SHA1
a52be6ff07be866213de2726448f18232f7dd466

SHA256
d4f151fc8d4d474a4e744af4cd685cb498ba0d87a284ba0c31765b93ce930621

SHA512
3102174717467e65dcc76d72ee2e2f8e27970ff012db99883b9ab3f1474a7290a6d129a0b4100349b8f33ade0f01370864a6dcb9e940a0d1476b4be1a9efc096

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgIQwcsc.bat
Filesize
4B

MD5
9892af01723b71fc9fbb037f9ea642d1

SHA1
dfcdb308ba1c1b5d135a77886d3fe8a77d486f92

SHA256
1fa360154d7d7a8e28712340b434608e255a6317d31d79299e45966e7a7c3b14

SHA512
19911cec798ee337922bde28236ba4c00dd6c907e2a4a51c3f0c0745a8a053d089dd291d5ec8f3d1ccb29ec67127133381afd6ba2d0dc3f0cb72ec79294d383c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoQEQccE.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iCUgMkQU.bat
Filesize
4B

MD5
96721cff9b49a4c755272419d1b6027b

SHA1
33d642088731c44aa2cdcfccccb05c03829e83b0

SHA256
778726db589164a82c43546fc27952f8a095eec3686aad1aa9d6bb9d6c69844e

SHA512
b67c405d9f299d76a91c37bca68ab148738980974e7870536897e4d9ef978355dc7e470df97b7ee7a58bc6e038bebeabf3d86ee8ce35f690324a9ddfe175f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGAwcoUg.bat
Filesize
4B

MD5
7648f5a51b1ef3ea6ed32797f0eb1259

SHA1
48149dc538a46f700700b6afd3ff10481921f9e8

SHA256
d47e5e6c3d663f634adbc0b3147d6ee18e3fb39563c3d790a956d43e0022d78a

SHA512
d2903321a30e0c602212b275018ce9f15ee1c204a69904e4bc0c739225acabf55867866eb71671419b8fdf089554beee5fdca79fcc0c51faa6de1932061c8065

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIQg.exe
Filesize
928KB

MD5
2d962ae89e212c1d7ed114403002082c

SHA1
209bf6f6255ebfc3abea4e9a137d6c5929994520

SHA256
c3786827c0c2121e2bc44caf3b4a883772e3ff25e2b86c6bc6f3e3c05cf484f4

SHA512
23e498dc1b43b38f4b0073456134589751bac82943f8e039c7b20bfd1fc1b7fe5ec1a48fc89b5be24ddde93312b7db4e59b04f953967a4f9ec72c0ae7850934c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMUq.exe
Filesize
240KB

MD5
5331c5f032d5452a6eafa3773e2cf1ca

SHA1
78070daef061d8ba1dd0cd9f23c8bdb596818b58

SHA256
8d49f56e8f780c84416bbadafb5dfbcb3929bb59202eade888cf6799ea3388a8

SHA512
abb967442a7272fd10eb02c82f18592a29ea5f695a73970ffda21acb721f4d7d268432e20ed5373559db532509f4c3ab3ca43a0253f788b46b42c3ad262e9d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWIsEkUY.bat
Filesize
4B

MD5
e8bf5c540a706c163228210c031579df

SHA1
4e6c8ccbd1460e5dca36e825913a767d8e6d3b4e

SHA256
631f00728736ae260e43fd35b19e5bd9a15daed91cfd2ff300943f30bfd907dd

SHA512
50dbb391cda069e72736b10ea6ee8f17153d1a03cf7b7c4570a8b9aaf11d6f5b46f46c620e16d6ba1c0e29d18ca97910d9dd377b4a7850c222735b617d3fe146

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYku.exe
Filesize
311KB

MD5
323aa2b2944b124ad14adbcbe4ae1044

SHA1
5f00cbee0f5953fb4bf98b086509c48e7f522b1a

SHA256
c6bde18b585aeef49df09e2cd539f1f8b41c47d489704688cd51e28129776622

SHA512
9747364505fdc9fdc15018840abb974b5739945de44cc6a812425d6b631ca6db04bf65f29fe6ab695edf6dfa4052c82a2340cf728712608109e663110d386fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ickA.exe
Filesize
653KB

MD5
16e3c959b3c2584b40aaeb4016f22094

SHA1
36ee60d7332afbdf3bf3a5384dbdc30d5a4e879d

SHA256
967c6ccd0279ce06f71a91823b54eefd002ab36d112c172c9e7705fb859af15c

SHA512
27de89aa02e17612ae4791843e8f5b573fef07ed9eabd8cec1523ff048205824a2c18f3b1572dd66a8578e2f67bff22ebd5436d615d196373b32c1f63ca1e8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ickm.exe
Filesize
230KB

MD5
5bd02d78a2745db78ffa833fc31df8ab

SHA1
ac9faf4f73495b41ebb7f2781fed0472f01fc05f

SHA256
904d2d2d1572b7e50bcf54a7d0cf20488bb4c20c4ac5c5aa8f4ba2b5b2a21e5e

SHA512
6939b40a78bba15057bd06ffb6866ab5a1fbdedfe25b317d4a8d71585842e32cc278f25cd0f662c091ba33720378fe700f71037a3aa0263ae1033bdd20ef3a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\icooUQYo.bat
Filesize
4B

MD5
e1f0a0bfe94b8990a95b73a36863d9c8

SHA1
baff1a20d6d71bb353d6e28f37d55130bd734583

SHA256
82857980c3edc3fb1f4e9bd5f6f4c974171e4ad232ba026e6dd11d384b96e927

SHA512
165cbcd8d9c498ee16cd8fa272d60c758770c058fa5428a55a8df307af0634fa2be1e14eb712618a33ffae9053d558effa64482401f87251fbbedd43b8675a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikokIcwQ.bat
Filesize
4B

MD5
20f2b181e7917b7d88e5414593691be7

SHA1
e95e9738a2dbe3be06c875336fbffb4eec0b146f

SHA256
f9a2124e0f081583c790c0e7414ec7609e30b6f746d9e986ddaa09f4feef04b4

SHA512
8c5827b672e450f65ff101db3009d845010e8d881f72ff2e6c5b0bea8c4b911aaee29cba1556e5ea57711e512ac1ebd2f65e07364be547670b988c6e0a4dcf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgkskcQE.bat
Filesize
4B

MD5
442cf86d4739d2bdd1f0e7c622e23f4e

SHA1
9b4067ad922b6e2e3b3ac160356c0fc8d194d227

SHA256
619ed188bdf5d3397336e0b8ed36b7903ad8913eb2d2cadd84f9f9a6a1a7cb83

SHA512
236b20382ff2bce8397b42132b5237c8b669927f39952ad2aa53a93ddd24fc43160150037a661c6eca965cb1d4abe32c70d4f868ac5296061c02ec3fd6a8a5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsgAMcIM.bat
Filesize
4B

MD5
1482661a60062ba0187c25f706468d84

SHA1
dcb9f22f1810f13aa6391bfb40be3e0666dca2e8

SHA256
13876e551dd83fa57753993865127db92c2f99d0d86ef9a88a83bcecd867462f

SHA512
a7173c3b852529f4dc10eed3a04b4e484558528185bcdd3aa757c460e4cee5139e4414d6c1771ca3000b8410b43587fd4f4c9eb6e865f268f11820b811e82e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAII.exe
Filesize
212KB

MD5
659db0f825d4d4a7e64d4146ee43bf5e

SHA1
1542eef8b023572a99865cd93233b6d7af34cc7c

SHA256
e7455e712f08d93e697108a3480af4098f40fcbb232ae6952bb8619e1bec0e77

SHA512
bfd5a96ff065f27fa8a43914e4d5fd55fecfffa0c945846b03cadc20f063116a157a4fd795e5c1cbf2ebd755f791a4fecaa0865d5492f167c58dc2f3777820bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEYQ.exe
Filesize
236KB

MD5
046adc72f98f76d72740bde3e0a145eb

SHA1
db18d63e29f1505289b9208405f849d6dfccdfdc

SHA256
6575c7bb84254ae107413837bb8fecbff01735848a21a749d7e7a363e8e0bd90

SHA512
ac338f22f264a0a563c84ea9422406e5ddb75b80e1f64468f0c39f28a76e6396eb3cede03c42a2213c0e837862f24aec1d830b3f63c9306ac88ebab19803aa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEka.exe
Filesize
244KB

MD5
64c37c3b61dec877d2003036fcfd2998

SHA1
1a660f43b2a3fd7e2599be959070b91ecdd74640

SHA256
ed938442d769f897a27458898757e2d023d463e9d8000747389bab695edf8e5b

SHA512
e60e73cc96cb391dd9555f0af87798cb5f4365bc230c1cd8a146ca4695edde77ebe69bed48e2f231f0a8de2782f7edc914f1b1402ad0b91829f7f0bfb57ccb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEky.exe
Filesize
183KB

MD5
82012ff1ae807b011c9b0352ce36ce0b

SHA1
37d5129f14f964eaab0ad8ed58a0f4f1c52a24d5

SHA256
885fe085fe3b73e31916129d61ff8842a484e7510352b9c0ad72d741deea6979

SHA512
c1e134f82d00034da9b6300732c2a23506d866dfa03b87de351ae49dcb23e34f4204b93efd704289aaa8f9a3e58ab7f65daf61445ef7a7946ebac25cba4b15c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQwc.exe
Filesize
323KB

MD5
8a425299719eef523763ffd5b2c3d05e

SHA1
ab2a11738cf7a6a68e5fb7841fb8feefee47039a

SHA256
6402268c8c3a73cde152b69a7e4655f15fde3655615f5029307439d2fa820d41

SHA512
cb307ebee756bdc03e0f5e68c56b8a18798f91027948fb32b16f958a534a3e5638cd6c0babe61764feb5353cf8237255807d2f3f6b7ce7a285200bab1655246a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiUIoYUU.bat
Filesize
4B

MD5
2643259eb919b8cbed6a27f21f245477

SHA1
8943a24bb53f089006eae902ec8f03f9ffe0cc95

SHA256
72cbd002b2c4cdf71b0227f2f363ac519173f5ca0ad19dd7e4623606d58be3c8

SHA512
6d841116c9da8d6e85ba79408c0df2701a821ede8aec3a1013b2583f2259ff0eaf8b0d68ac8e23658ff2d19a4d2895268fd5a5a32474055b73ee75d3492bd29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkkEMkIo.bat
Filesize
4B

MD5
134de5267fcc7cd2c4778382aadd2cd8

SHA1
8ca88c7df91eb666c0d28f2c74443d066de31247

SHA256
e4299b7bdfba85d977d131497e458da14aeed96699b6c484ca3416a2d27ba1a3

SHA512
01adf34ab2e89373947985ae9d0c1ee2bbcdb8910cc14f1cdf151bf1122bf39f206c3587f07a142bb37d90ed7df3aacad939498b9ee2af15f828fab0ac611635

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMgMYMcU.bat
Filesize
4B

MD5
5c57b696874a3db8f7b6c58bf2cfb664

SHA1
1fe7f8933cc296772dcd2665ec3c208d01f2819e

SHA256
5634086b5652ab5fbcbdf82b5161f29a5c878c8efb7bac56775c1aea2a329b25

SHA512
66d55d03f57fdedd15760757142ba908890c4af4b75d7ad130b31c50e161653e339d34f77e9a119f002133ddc7f415c525f2965941cbfc3615033b511c2e9ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUIkQkAw.bat
Filesize
4B

MD5
70cd3896385e715c973b2778164e5b40

SHA1
c4e2b8bff4f570a7b601ed4ae5d286b29cd6ec9c

SHA256
b8dfeca7d9425d245299c193fb5098f332a06206a22c4d7a15cdcd1de84c6850

SHA512
9a338332bb384022620f47dca264cd0c07173617bb3bf7698a985767f03546d163b0a7833c3fcab995320587110782f55aacc830dbdd68a32f4c5918454925cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcgAIwcY.bat
Filesize
4B

MD5
74972a4e1ebc0d0425fc4963cf0bc895

SHA1
05692702ae49097d24d27bf0a1f41593596bdc8e

SHA256
ea6ae90a144695b2f26b7e7c548c0328ce36c1eb002c973df6c4cdc9d5f4505b

SHA512
dcd3824040b2b41793a16324cc18471433f70833f1e2d79ab43e53cf9782283aba9401703e2dd13c323e044d19120fc97a5daf9ca7bd15850bb54419168ded57

Download Submit
C:\Users\Admin\AppData\Local\Temp\licAoAIE.bat
Filesize
4B

MD5
0a84be989c90f32764de63056a979c98

SHA1
b4c840b6760f8b12e544d93819971f3746a9a46d

SHA256
67fbf574d418146eccdd9767cbc7c8df76f6e720fc87cb3fac92df1122fb41b8

SHA512
4c84bdd72664c60f3060c22b249c84719a35b2d915d561e991d7ea2ca58d3ed33714799f5f382221d27f8d1bb1a5fb7ab83583be5e1da0159e365fc12ad66675

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEcsAgMk.bat
Filesize
4B

MD5
830b0463a09be47d20f19dacdbf5ec59

SHA1
40ed1776efc430735682cda5f8892a44ee7ac319

SHA256
85ae6347c2fc68a25c6900a1c0b900642340e6ef46e9227bf36b9e9347fa0fe9

SHA512
b15097d92301accde10baff08a5e4a74ea20005fcdc09622818f69cf56b77143958fe9cfa2bf549ff367bf23a86b7521c42547fbcda8d93b7bd9cb14b7437b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMos.exe
Filesize
239KB

MD5
c392bdd7802c1ed4b4c2a7102192763a

SHA1
925c2b4b1321dfe9508903689c8e4ba547684343

SHA256
9bad4285e23980092457f816adc31893f10634c6f7d62adc6f0be161ce105884

SHA512
5ab12609f576854ef013ef65f20695329b1eb8f23c845c15695f7f7ce709fd5d52fc7d30d871da3d7e512efc0b5d26b45da2a79cee84caccef32c57bc49bfbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQgIgYAI.bat
Filesize
4B

MD5
e02b5855613bee52de308948efd220ae

SHA1
408f89586a62947c2b7266b76b4f3fff66a6a9a0

SHA256
e81c826bf1a3ab100950db7802b5c1558a54eb8cbeb13926a08a501b2ef020e5

SHA512
d2a8d698ab02aefbb7a1da8ba7e3b6fa9abf077597955164296564638881ee66e26c841faf7a8e476913ee1567b16989f27a42ecc1aa695f03e1ad083c18fac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYEI.exe
Filesize
207KB

MD5
e517ead8e8460fde5058c8e4f0dd5177

SHA1
48947385c86f0aa6dba34f31ebcb105efd0712c9

SHA256
a6b075c8803c4c5523897c30f82cbeb59eb9d211dc77c689520dabf8fee22d0f

SHA512
d7df1ba04327ec2eedf0788909edd6302e5e14d8f840988bdfe11e6a8986bf399e4030676327fa49f6e45e075dae50ddb2ed13ebf8983aa92e6d203fc719bd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\megUwcAA.bat
Filesize
4B

MD5
dbfc45f459cba5e9616a38a6a39289a4

SHA1
65118e6675cb44e44c639171808314a63296e9da

SHA256
b51a19bed97f0c987b19e2279313ef27fddd6c096ebcdd7df9f0a35da5ed4255

SHA512
80dafd7e2a4e7e13dcb896eb42edd06b7307dc420f11a34687bc434ed668777f84b3a596b837e5379c3483fbd432fd2e2ab0da2c93eb334bdf420d44d6ba217b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkcc.exe
Filesize
4.8MB

MD5
1185023a6cffa39be0f4b489ff7a3fda

SHA1
4af9ef24c6c8552de08bfac2a9d85dd269b2d1b3

SHA256
0de6963dd34acd4b6380eab2a2e484784280ee8a51353b41bcbe1eb00ef87667

SHA512
4f8ce24c62ae0756d4256d88ee28d23b6cdb19a681c0d142d97d54be7cf13101807c2763cd5ea48843d56f7590bf99812cc3f8ceea91986ae0f6dfd05a5c24bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\moEsYQks.bat
Filesize
4B

MD5
25a0313908ce286b32f7d5c77395a50c

SHA1
dc5bc5af5124cc4252c35fdfb5494f2e79e2eaf2

SHA256
3cdade7e645b69e6f3be6caf8235aee89fe8129a366f2ccb4ffdcebec531eef5

SHA512
212b18879d79b88b7ef8042ed24d45b10c110fde1b68b10601259cc4618c392e0e312e4ba8f9dca23b156227b1fe12c089bbda134e9e6b567d3675d0eda3c3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\neUQkAQs.bat
Filesize
4B

MD5
b74b2e02adce8a92e45eda0ddb61e264

SHA1
fdd4a21ace1b483faa71998dda8021de30ac4946

SHA256
5e2fade2d4839fb3b6822103bcd4e7e0d88cb901c013b99a573a0a1ebb331524

SHA512
8d9eb05a594f1025d28b4d65ad98b8990e13ef5c65b086a242923b690a08900fd618188198aef45339296bc5f0ab45f13c6453f8eba2be5d4bba1776c3538186

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngcccIEY.bat
Filesize
4B

MD5
455ca3df9c2c0e620731da2b916dc3a8

SHA1
4a05395d60cf5b8046b2084095df8f232bdba0a7

SHA256
d31eb9cb0cba372f94eb9c8eddc4e7f9780e54a10d7eff00e6f5e16544b10910

SHA512
021d682a900c83633e39274fcab09fc743a79986aeca91708b51e2dfb71ae7f14011f4e3df7faf2c32080f3fe0b3be44a09ab52730df46cf686eb056c10b39c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAUUwUwU.bat
Filesize
4B

MD5
078ba096665a365d631fa237a1af15b1

SHA1
d0c270639ac62be9794e8bee62edf7dad3106b40

SHA256
ee3b8e900a8819efbae9aab9fda0f0d197c99d2fde995630284dbf90cf737089

SHA512
85b1d8175efdc8b7000a5f3ef1b682d63df010da5ee02835ee57c1b328a47c97566439e93453cf728f42ece4958d14f173066d11a02ad1fedf7db82a2fdabc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAUq.exe
Filesize
852KB

MD5
517b52191885d7bf32892e19586f18c6

SHA1
ee94ba039099297884e8a66986307aa13737ccb9

SHA256
b01a1a21baf997a7373028cce80be3601202a485a799036264b1d571b5adda8d

SHA512
f10b0e6f55de2ed3d90d0d90eb126846c55597bb8d1ab5580766c3727e113a76d3fb8e152eef5f2363bda973670cb320012b57f027b0810c34ab29e55df914c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEcM.exe
Filesize
228KB

MD5
cbe7994e3da2029002ad0f712a506aad

SHA1
71a73b5c2009e35c8748212e66bb3926c68f0317

SHA256
86e1e1fcaf95a3339c297501bed21f3f87e5426a9a5c5aed37b498546f2e821b

SHA512
af6b3421f322a71782f46ebf207251696d0510e2b1f74ef446eed4eff4c7ade54996122d9f96eddfac35bf564322ce7b989537e658cf3e349238aaf7f06be0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEsAgYsI.bat
Filesize
4B

MD5
442534c8373fc934092355b4e988fe40

SHA1
1477d6c0f1728fd6e916fb3cb75077c7506b03f3

SHA256
a93d9fe753ee978769469eaaa34acaf7d638199e651f09b4a934302125362d44

SHA512
65637e759850b601ecfff12316a6fd61105f087de30cabce9ae11a0fdcb73b2c6fae4130e37a300a8d4c37fa0b3083385bbd3a823a35b32bc40d8636787f0288

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIMAYwAk.bat
Filesize
4B

MD5
4232b679334b762c5f1cd30ffa222624

SHA1
241c65a5746071294cfd3f87a1592520946fb909

SHA256
fb8ba2ffae564b702d11c9b493d7838846872d4db6dbe71a93ea27f99e4c8ffb

SHA512
2acf38155b664436f2b33342b54f55334f6d470ccb1cf7d5d0a6a93776697ce08850d3fbb2aa9589a324d2d77aae433f620f965d8353e0231e57d278de8b063a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAQMAwY.bat
Filesize
4B

MD5
5a6dae8d3c75e7c843661a0a2aebcf25

SHA1
bb0d217e1b6455a1105281eebf80c37f66c415b3

SHA256
701d3d6677451458a67b2458a75d504a8fdec711a95629e82c4e87b49c21de95

SHA512
982a6a7199b8e48c5aa72543b3b1d5e984f9a8c4e812cb411a9f271ae4d28a8aca3f6e79f9335bd2170d1b62805c9aac8f47bbb9373738460ea13d6e7d4da9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAk.ico
Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oSkIwwAQ.bat
Filesize
4B

MD5
8c0f58d98a73b7355a0b21218df32ce1

SHA1
203647c9d19c8c1dcbfea510b9a7730182506c09

SHA256
b62e0a1c9b737439aafe2e6d4dccd340099892a71f26011a52b6e3913b6eec83

SHA512
05a4c6872b8c136cd8a8754e9a814666cc4dc4f9e90972fb5bc149b6f0e5b302300c89bf3015a0d15eb03422a632f1b70baffa8939214e8a9bd73d65dd60ecd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUoO.exe
Filesize
218KB

MD5
d1ad89cc1d898380bf806becf3cee7bf

SHA1
0597d53459dd8e5d50b3ffdef2d93e93b4507951

SHA256
877285ca2e6f7689030f6cc022129225bb2878d9aed722443b5bc37201f8e57c

SHA512
5870e60028b5a123d901413a42de59e8b4ad3f9e7762853a20d37b05f44352bc39b76f24ff5b973a49bcbffe14357e5037fc53aa61cb3a0bf92e32f7138823f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYUU.exe
Filesize
208KB

MD5
dad25c0fe765b218fbcd0ab3fcd98401

SHA1
52955a29ff42cdcdd687dda89373255b1a9b0b7a

SHA256
7f19363f596aaf1f2af89d9c53e36a6a130cb46675d3872c26f67a98b0f7ad7f

SHA512
4eaadfe89362c8278f5768fa66b835a8687eb08bb5610b35e9a95ac94537fde7a8747844ba35a630e7dfbdd7ac26b2e5aa1c4c394a83cde57b984000c83d14d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYcgQIYA.bat
Filesize
4B

MD5
39496e5030439af625ed82e78f61a5f5

SHA1
9576b737a52a457cd6c4dca669610457a03bedd2

SHA256
6dcfd73a532fa096665ba23956288f7daf0fa48c4af9e5e89316fee47428e9ce

SHA512
71fe04420f7a7129dd39ebf63557790d65acb9e7fc85445dd95dd5b1986c6643ab3de060adcf2409ce11a660e5d959b9cbf465c317e6d8324b9af089560a61d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogEAcYME.bat
Filesize
4B

MD5
99b69e8a64b0689560af0ce932079f5c

SHA1
720e65b79dc18077578563f49503d1fa24d0a8cb

SHA256
354e18d1a9921196a2108a44f2527bb2748303c854e8bd0b389be2f8ceea78e2

SHA512
1a274ca0147cd8938afec9888cb7b6e94f14f4474a65f4736a22a114de2d5196f45d3bfa1d852972618eb5f77320622c5ea6d225e51031c191ba3f6268f0fa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooUwgMUQ.bat
Filesize
4B

MD5
19ac1bc80e16eb2187b1318eb1a9e5a7

SHA1
309b573e46f73e450095aac632a6aaa9df2a0db0

SHA256
4292950a13f4744d68c441e8eb3c73387729b8f113bf6cd810208cd6d1ba7d47

SHA512
1fa65c90f8f24c4634313bc967d2f7343f9a68360c850f86cf8a22b064989004ff4117cad5ef3ad60bdff244b3911991bce25054799781a94c20531a1a489963

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqAAUQkA.bat
Filesize
4B

MD5
b7ce55748623616a906f44ea39660b49

SHA1
668dc3f86f99f8dae3b65573a6576bebaf5fc54f

SHA256
29356c0e91bae326b90174dd2def7a5a2d5ab3542323a980f643eec790f31c79

SHA512
d3715e3182e12b88e70ae895192acaa62ddb400978ab8ec75aeefa28ff0683f03640c28f9a452b4cb779b881c1ae991aaf70bb0988e5cc38cf29bb6d62787e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\pKksAYEI.bat
Filesize
4B

MD5
92884d94c39d8e750f620e4d62103eda

SHA1
4c0bb0617dbea51f8f71d8f24d9dada4b1a90c82

SHA256
ec1c5b4fa04e317f613cfbfb34fa7245f3a90de01136847a242b61fe14ca3be8

SHA512
ef5be8d42539275367a19857ffb48c430672fd74207e158227b980118938516cf16e90aeba0f3de3f4807427716bc1492a4d88098640b4fd4e5c6785274a1cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\peMgMwoY.bat
Filesize
4B

MD5
22e8e4235e4763c7002874a0304ebf7d

SHA1
1fb0f64d05c5c1e562d29e3c329089af9f3bdb6f

SHA256
a3f9e49932e0c750c81c52d8780f0eba5117c6fe4b90a859c0037ba24a444fe3

SHA512
dbc2a05ee8290870ec10afba09e9434615f54c064e8161e52d8a18944e5206c2e5406ff86b6246af436f725647e80c016dac24ba812b3e05c371e51a837dd19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEIkgIUQ.bat
Filesize
4B

MD5
ce731f6812ddc4b5a50cf8bb98f57af7

SHA1
46730eaaba128ce12ef5b95224937663dab4d562

SHA256
1c7a1e8f31ce1411acc69bb7cb46b7cc537a19a6d0dca5b7ef4df3e56d9a3afc

SHA512
09f214973a40b44086f3b3f584976b904fcc5fa688b2af56d6c3f253a648a4b8fbde1e0bdc3b6af7df593743f4ba62269443e9055cd291d2ba77874a66cba059

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEQO.exe
Filesize
250KB

MD5
2330028a2a81703206a933fcd615993b

SHA1
41380aa7ca77c28cec813a82bddc05ef7e61e325

SHA256
2360be2f979516cd0bc08b50c617264a2bbc7d89a4a738b4255bdba9c94ed3d2

SHA512
cf8b7d2232513b16863a9ee8e3880e67255d9d19ae63fd27959bc24e7ff654a7b1e1137dbf2dc420ec46b26d7fd72c5e22dfa6949197bb3e1afb13d6a6e98600

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEwkQoQQ.bat
Filesize
4B

MD5
6699441d129d78ce60231cc762514190

SHA1
d2b7e82537535700322ccf19d902f52f3b520bd4

SHA256
c4c49ba68e31bf625b8d2c192057cb1d74d19ce464a5865f0433902eed4e921e

SHA512
7fd5750ce90a20d563b18bcd2f9b1de323a46ff83069eb09c325d979f2d1b13775e5bf541fa14a46b63880e9e3e785d918cadf50da43eac214e4f98d52710cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIwcAEAg.bat
Filesize
4B

MD5
e6380b7de68b5231d610ee0473be4668

SHA1
a9ee00131aa77dfaf027072ae7d53ae725ed69d9

SHA256
14b38a776ab9ddb77d2a7202a94a1afd8d27a72b6f0400363f8c12fe97bcbf29

SHA512
9371ced1d581f1fdcb76583ea4c5203642483241592ff3cf0b96d68749c439ba03585fe68f1605bfef1b6380b079191684b9ff9379f0e6f65528744993fa853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rOQIcgYQ.bat
Filesize
4B

MD5
7c01684bf464b140bff4294936d04940

SHA1
2aaaf62d0345e1102c0c6bbf8ba12badfe23996b

SHA256
34e306b284a3b7e2c1506f693afcadca51b6aad925aae7f1ae4f8c9a2ec56e66

SHA512
341deefda67ce689f47fbd3cf1887b8da1d4ec94338cdbc5917288a879b20b017607f2ba11e9848abaf4ba1d1a585773cdda72c6d2d0942d4e010f58b7765bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAwe.exe
Filesize
208KB

MD5
0a7d20941f9d4474026f6ab4e98e7e2d

SHA1
316a288c86c0fedf3817c8a83a84c4a4a75f8f25

SHA256
c22462f133df7bfe5e9a3bf94881433d8271bed30751edb232b1aa99e82fca99

SHA512
40cdd78c41ae8fcf9512c930a7eed27570a206e93c13053e183f6b29d5056da10c59079b1a859d8b045d47e99a8737c95af79d7b4e08c0375bb59bf1cbe54c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIcW.exe
Filesize
593KB

MD5
e5d013f60fc3d6ae380b5081d2695ccc

SHA1
ef7bbb9eeffedb35cef159e1d5f6d6d9d9668f78

SHA256
93583a29720062ace8b1d1bb7743e7b642a44dd53354794134d8c90d1077d39b

SHA512
5523ef570637e01014d80381de6f14cb2959ec4554ca0083bde605e442eafbdf1a6f9ac0d553f2304a4980883bc0402e4907dfd4684dab04e5adbe958afda041

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIgA.exe
Filesize
248KB

MD5
264272e5f153fb78b657ceab9204c6d7

SHA1
31abfd1d872ef0c74d001107275537a44dbbe952

SHA256
6a414209ce08b7b0be19b3079133604ca4c363a44cf947a079077e262d19b241

SHA512
ba58a559b092b4473c94bf4babd8d4f23971e2f4eedf0468f2eda5ee67621325059a570d68060091a0ffe87153d3776132d5207bd0042b9b56ffc9b890742205

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMoEUgMU.bat
Filesize
4B

MD5
2c2039d05df55b7fe49cc74ce66b595c

SHA1
b93f9a4d80c862f73b4dd99ff9480110ed372f1d

SHA256
a372e15f6b41d2fd4de068a3fa646a3cfa21aa7a6f34caa1456283f526df5952

SHA512
82339dbe87a03aebebc32c475ddba79bcd845158ea807e61f80a280a4656f3cac408e6af1129f5620d86ea62bf55795abdf21a181356b28469e44e99d218cbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSAsQcoc.bat
Filesize
4B

MD5
b9eb38777ea36892c79c3dbbaaf3ad03

SHA1
064a250e0b81a4c9bae02a047441b85f412e21f4

SHA256
5e70a1df4dc74d41f08aadf0d0dcc45d2cd1ef154b270e481225b314f5385575

SHA512
854d1258e178c1eeb7855265d07eef9f9be3acf9b1507a553ac830de0d05de8b25b44f3d3fd7d2e291244e5f40a6102737270f662173c8d389ffe326a811a5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYoi.exe
Filesize
820KB

MD5
46bafb835254fadec9e6191f52fa5ed2

SHA1
77207b56143217a6cf22c2b475f4743602f502f8

SHA256
0cb29289672bd47345d5ff730de26e81e35bffbf204aaeaba241cd39a5f8545d

SHA512
35e2b3761e07ad51d187055f506936134a70013a2706affb7d298d18a966860296f726d9b34f1aa22109ee7d0f21f7ea783a1971e03a20d6e939c370c392f236

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssIMYQQs.bat
Filesize
4B

MD5
f4b7909312fb52270463828353bfeb42

SHA1
dba7b23d91dc1bae4cc409f233bd7a5e745572f4

SHA256
d81ae3a5bed49cbb5633cff9c30988030a6a547ca923103b8bf10d2ccdba7f41

SHA512
11fc78890c40a39dcb08d03fb674e546f60cad26b38e6012c40454025eaa22fc2090796b4789ad4ec5fefe4c0dd38f2614a30d6a1b1675be4c6ad2a43cefd1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\swwQgcoY.bat
Filesize
4B

MD5
b0f4970c0270cbf81e85c84e5dab4a04

SHA1
698ede575994f2102cd61cfe0ff4d6f10604ddf9

SHA256
43a6353c98bb25ab3cf1e810a5f63dbb4098dd3f44b904ad49973d8827cb5f1a

SHA512
6db12dfa4293f8996cfa60b975e1028d2cbe908a2bf985bdbc1df2d80aa086c1c719da78996f77130f6e84b84c171c7ef50e73a1d8d6f8b5fb89c3acbdc03636

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGkMoocA.bat
Filesize
4B

MD5
8357033d28a6802301eeaf5b6e5060c8

SHA1
17589c18b009bf8031c074b5e6bcf74a47df6c01

SHA256
94a86a43d1bad987e92222dcdaf31c082089eeb16bcebd46a902c024e3de147f

SHA512
6b012f65cf0cc49cac0a8c079f9db0722ec72052d8a88a5394887b8fb5c73334ace9404e97e169ce0a0dd9f2915eda82416ebfcc0fd5e38bd7eac71e48118248

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUEIQoUo.bat
Filesize
4B

MD5
62e649e8889572ba3340a07b945bf35b

SHA1
a17d8b7805ef154f086b92dee2baf006bc6a3daa

SHA256
ee0ab8ef52aa6bcd7a83752108921741f4ff8eed63d585fef422ba17badb8273

SHA512
61e13a7488194d7b7b9b897ce3537e6f6de807206e1bc40821b8e57dccd0b7729e63c8578161b24c43008191a7cc7a12d8a66c66d3210bcb9561c495df16f68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYoQwAIk.bat
Filesize
4B

MD5
5118f6b09e355a4a992bc517493973cf

SHA1
a7882ec3d123e83af60a9d43d1489918e187f50a

SHA256
66a3ab4dde41c8e7af017fffc9c3916d5c71e9dd48d44da290b385e308720490

SHA512
3f475687621091168dc5eed625787f1cd74eddc61fb549106a48070830c3d4020d1109eee996f20d6187131f47264d61050e7610d272444d0cc6f6821a217ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tusMgkAY.bat
Filesize
4B

MD5
cec026360d4d18fe8ca69595b802b0d5

SHA1
ce69a427c90717eb57b7c9bbcafa963072f9ccc8

SHA256
ca03c520cf66f67308fa96e6989bc8cca29d172844cd2c4e6dab61b254b3de40

SHA512
732fad9ee350cd16c5aa81762a251314c15e53a911a1fe471073aa00c3e9274377a525846ddae081a8a14ce3dbabe263137aacaf2116fed4d33972733b9eb7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEUw.exe
Filesize
190KB

MD5
91456d7e98343bddce65ab2346b8440e

SHA1
41beb53996de5a67332365ae89777cd5ca53128b

SHA256
8a97d11686a2271f11ebed07c5998d3c92c29c4a829ce6dddc90b5f5981ceb69

SHA512
772b04091de169d43afd08878125d7fb9cc8da4c26ba52cca6a3df0ddae0328fa8eb7f54c876a8497de728fbb77ffa44ceaeef71747937393c10162559d57035

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOQwMMYg.bat
Filesize
4B

MD5
d938f96ff11b876eae5c995430c7fe1e

SHA1
aad51876222251c364169cfaec9ba510bc9e827f

SHA256
4c36d99b9dad144e8a6bd9055bd24d0e361c1f5a331a9463da6d26958f42a5ca

SHA512
0c30caa816823bd56ee218978cbfac1755c0a5ca841a93b85e8f0aa9fc4d6a669f6f5d4bf0fb77b8031d84cb2aad9938359fcf2b609ea560f5f7c04f2d440605

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQko.exe
Filesize
228KB

MD5
1acd9790a567510f9158741652e48c0d

SHA1
4b6f183aa8c3f3d8768ff763f7a9863715cf5568

SHA256
d95c9524cf1f8a06ecc4a3042df5c0235ba5c0f737db79cdda793a0a063d15a6

SHA512
f9820b8fa514631cb9c1c802b87c5bd30a3e66e8aa5f7428b2cbe171663b37f6f0af1ecebeec170f97283caab51bd18ad3f8145dffed7e43d5add33445f22f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYAm.exe
Filesize
206KB

MD5
9beba05b65009c32dcc845cfd02e9e05

SHA1
a98288b88d95019cf8b9fbd0810710460bfd0c2c

SHA256
72b1ad95936500160f3f544e6e8b84c228a5d256441f1d8ef8799a37ec5c079c

SHA512
27f5c8e5ac9668dc46fdfae7f01a1591a6068861a253353b14ea3c6372af6fd045f40c85fd125ba747676179571e16edf2d313fa4623f42ec381b10d14dda8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugMi.exe
Filesize
238KB

MD5
480a39e21583a1b8ba960c39653acc35

SHA1
709c31222951461e5b6010447d1d5f05262e305b

SHA256
f2be896525c3e4ca6304a793a7eef5d00ac9b43f902e77cf7815e876989b9c17

SHA512
7b832e9d0ef61e657308a9c97b9786f96fdbab50b366e070b6475e8ea011a8ccb60d7e9069b306b5ecee814e33c418afbc88883b202c7101c0c4b7cef9376e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugYY.exe
Filesize
184KB

MD5
97569ed5e0f61fe49c3b03cb0cdae0e2

SHA1
364dcd97680b53fe4d9a799adb804a299c472a1c

SHA256
61bd97f204e97067f619894cc50a27b3021f0de6601d81ddcb0cc0a65395f99f

SHA512
a4badf8a0d4bc052464b6b8bbf21244510fd10670172905dbcdbe2e443e6e81ffa9314eb26413befd16921c3bcfe786aebaaf13d996e263630410570eff56149

Download Submit
C:\Users\Admin\AppData\Local\Temp\uggy.exe
Filesize
254KB

MD5
56dfc32d7e340f1cc163963c9e418998

SHA1
6b5a3b89fc8dacd827bd33eefd669e377d300205

SHA256
abe5b289b17993331a883afd02439ba7831ac05d56e994fb52b9a09e4616958b

SHA512
2c0408edc3de30e8d6328aade0fb5acc97d764a4afd84d51ddcee0a84cde099f0d373cdb2b44cc5317fd5503148538d9037b4880a5537fb82d78fac2464a4fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukgg.exe
Filesize
230KB

MD5
0e33d01f6c696ec4ddf4711e086911b3

SHA1
e7a353ac9c6223cc99d9f06df34a45e274ec4d15

SHA256
c40383b0c402f9f833eb185b3e167abd80ebd44a4bd74488810b2d4677785602

SHA512
07e4c56243a06b6a42c754656217f0ebeaedc2cbf56baf5a0cd047fe6911e35c284f473d7ca5b33f31216c532132902137fca58313de28d5c0e1680005658462

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYkoggsA.bat
Filesize
4B

MD5
5b628501d706789cea3b6fab037a7104

SHA1
3a75390afe1cb91c59e90b3571685f8cb86f25e6

SHA256
140a910cf37fe45e8289207492ba17e7a437d5e0171ce5dec3a947ed6ee00022

SHA512
f077fd0e4dd41691bb244c8624388a87bd26996e5332dbc7bcc21d5d91c001057f9af1c7152109d6592042a122e95e1d265e30f8a741e854ce0263f9a97270e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\viAIgIEU.bat
Filesize
4B

MD5
6ad0c467943f5efe84eaae1da5392fd4

SHA1
753c32de4a009e69a6f0d7dd62ead1a5e42ed2c5

SHA256
d17db9809ac842df252d1a16588cee2f413afbcf661d444609abd9708eab3d7a

SHA512
f7cbf60a38910fbbd18d13480bd0aeb8767ffe2757a4803ac618cbad885213cac4ef4eb42d7e48383fff94f791888ac520aeddbb0ed77405df450ebc655a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwUEEcgo.bat
Filesize
4B

MD5
5750b617e88095b42bc7f5e76383f99a

SHA1
e1886a703d0ad809729f4d0cc72ebafd65c81f3a

SHA256
2aae8b846c49103f6b24eac3996b59d0faf7da7963a29daf8259ca96123ae700

SHA512
0f4b2efbb8f7b1342d599d2b8f55a393c524faebc90f8a78ca33f42c043d074fe29162ee83ab593e23ff6cef6110f8a01775d9087b173e0246c1f4640ed5e786

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAQK.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMIK.exe
Filesize
194KB

MD5
dcc3b1603e43a0a58d2a54034109ca68

SHA1
bd792e1c53eb070367c7fc52f2ad01d89fde171f

SHA256
2924ba2daa823d38b8b0d13fcc4ea7cf14d0c33e9c5535f4abdbf19811728000

SHA512
8e1e1f527a66dd1b39b1ba0796fd9f0b9d56fcbbebef20f9ae950030f95b32f505be607e00d3bcba13f35d23eca8dc35fbf5346f94e8bbad67a83d4fe1f079c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQMS.exe
Filesize
423KB

MD5
80c032b590a8efd0627fe0728790f804

SHA1
31c7b25a3847cca284a9f78043ef0509e37a7a93

SHA256
33d25fd5e1553db76299dca0462a6c95fb041421414ba9a9bb7b185476296fd1

SHA512
d5a0d7fb80fe8a3d07659740585b6bfb057da349eaef2a711395d82d8620185fe973e3301f2afeda05f80a9868630da0312304b6e337ba0617c354843a621054

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQUEgoUQ.bat
Filesize
4B

MD5
634ea7fe4deb899de2f5375f2c3316bb

SHA1
9d2d5e510cbd1cf30144918dcc16b48bd538ef4f

SHA256
31d0b1e1205d8803a4518e9cf58ebf96960f57c58b1a9663dbc6242343f153c6

SHA512
7966ec73e9c605c4fcbc7f4cf34d830af0c910ea9086f1622a13654d71b276a766dbe8d88658825520d5a5cee61d63749c512128148b2144e085947ea182d183

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUAK.exe
Filesize
239KB

MD5
1964461ce15b60565923f9cb5bda8a83

SHA1
810e76c2f7ee8f7e00387a378ad4e39ec3affd1c

SHA256
75e1f21644d053fb07ca54a4b15c5f4a7b712ad4ff653cb51effa5fdb44f3461

SHA512
da1539818348208899a7e5defe9a5c42257fc77e500616c95280732360d6f21cf90d4cc182cee7f0723f6bda02cb0b739cf81b298e9104704b61e1634d0e5717

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcsI.exe
Filesize
229KB

MD5
40a95ac2103f0ea2a61847d7a8021153

SHA1
e6d8d709df91b3dde0fc80e50628530cbb1ca33e

SHA256
e5b71d10bb6b59003e7ad511333801685a2d25dede102f0c11a4c72af46376b5

SHA512
58138936d2b15aa38a853e54e13f1a4bd59d2d0a2288675dbc30b455e6f80934a57e5ab3b36929d19adfa942f813067b92659b6408d1af9760a9749cedca39eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgEk.exe
Filesize
636KB

MD5
c89607300cf1b902a8f0e754ab829a32

SHA1
42379d2a2a19312ee8c109789f899207be0273d4

SHA256
f3d57e5374f18f4ad78b123d8a9660a0e208d0f63b44208856c0747823df68ea

SHA512
2ef440248a12f2a66ae9681be4b5d70a7b8b36a0724c4da847331bfef0d5dd30536c85872d7d34d4b38ce1aeaa8ab5b511f9397fd919f67578cc6beb3235e9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgQM.exe
Filesize
309KB

MD5
0155307c38ef103ad2375117edcc69de

SHA1
500bf0fd2115572f57fc7ded8f79c2899ab48c70

SHA256
a095b7397e6d9806856465f12732d12df56ca0ddc7f8b43dbb4a4d27178933a5

SHA512
404185ff118f5e098ae84c5ed8ee050f3b4630e6bf71fffa6bf69d823f32ee50adfc06ca3c295d2cbffcfb00d8cfd37faa33768e625725740f578aacfbe5b998

Download Submit
C:\Users\Admin\AppData\Local\Temp\wggg.exe
Filesize
196KB

MD5
4cbb2cbe3e3d3f10b8f8c14a7004dcc0

SHA1
5d7c2995dc9821d7502ac64c9a4aa70b092d2497

SHA256
48ac4af3940e12cd7566c456b9a13b6869c793401d1c824683681020b5fc6851

SHA512
4fbfa6137e856585de378ee8438275d04ec7f3ea51208dd230d21ebcc0661e327bd8a4e93d45164db622b8f95ed71a29902bd2e729875acc92a24fb2847ada98

Download Submit
C:\Users\Admin\AppData\Local\Temp\woUscwMM.bat
Filesize
4B

MD5
a1e5d0f8d2c82b45a9ce5938afc20292

SHA1
4599a3b9ee9a946a683836a7383d6e86101d9198

SHA256
cc6c18125cba770997b523e2e7494871c89c9fb661231d003b00dca8d8f80a5d

SHA512
4425eb8adfe8630f52c62a5768f8fa5bc1719c511b0a3e95d7997900e17f36ae37548ea9a188331c2a10006203184f3790143cd8a02c36c0e672591036fbc17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwcYkosM.bat
Filesize
4B

MD5
5e3674385f20616a67ea7064a947cf3c

SHA1
9d7fa153463ba8815d9248cef5cf932278ee2598

SHA256
fab71c03ea3a4b5b7054ced57e5918aa4ee3bf284ebdba55656d8aa27f7b7537

SHA512
ad3c93079c4f5430a0d1ab8899bcccb550364ecb6ad3b84b3ee2376ccd2131f914cfd6276b95dad1f45b70933bdbb1096b5cd9c78ab87160a0be7d17d6cb1df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xGwQcEcI.bat
Filesize
4B

MD5
ede3f7a68ed28854f7fb682dc9250839

SHA1
9e98090c52ff390d0b4db2273f5e43a2543efecd

SHA256
7bbdba30f494a47eef7f5ccd417682dae7a8ac61864fb98a85b2c1e0a8741556

SHA512
dee1e2c0b29a8c46e2221b7b3f9ff15d95c7415e45a4de887f74385fdf2ece8355db8052fb9bb71e9b3a3381701a344ca8688fa6bb8146d61d0d8c944d4e5e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyYUscAc.bat
Filesize
4B

MD5
5b2ab50bf29ee2ef12c8fc99d8a58367

SHA1
e88f00ff7d3a001f1b7c3d92e5d7e82ec9061bc8

SHA256
c06d73d09f8e27d156b4e6111fbdf48b007efb7d05afaf8fae29611f7c57db16

SHA512
d435982d1a4ccd7465ba7f53fa5bc22d39d5ff4d88fcf2b3c0211c239b40afc467da7326e35d070cde4748fa45e642aee381c3a44023e84ee92d1f0731021e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\yGYAMsck.bat
Filesize
4B

MD5
b53d21db8860364636e55d55c0905490

SHA1
7ddaf5edb0292f2710c03cf3a288c22a8f13ef3b

SHA256
a5bad58a84e1aa6a202f8748a4aba0dd9bcd896a123356fffcdc7c02df4d0e56

SHA512
fe5ed4a969529e08c3665683b4aa4f314d3aee5ee9722692d47e09cebad9263d3e28a4be531b31ec3a84c543c80aa3eae97cf9dd4ab4aae191ac77433bb78366

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQsi.exe
Filesize
237KB

MD5
3803b58bba6f390b080c92a61c11af9b

SHA1
a853a2e5973e54aa8ee157cf2624bfbe5da11511

SHA256
ac896cba26669731606617f2a05878db383c3014eb869310d20060030729f636

SHA512
16c52ea80eb21ad33da8c9302780073e0aca8ed9c45c92cd2731dc532686adf48fea8a559b13713a193ec9dd32b57c28ae57ffd7bfb60dec7482bd0ab6b1020f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaQkIosk.bat
Filesize
4B

MD5
58fe4ffedcbeee1a5fa6af601d29b791

SHA1
7d08f4f3f3a79560c40e953512ef9c79ab63e8f8

SHA256
b57a1f36d34b034bf53787170e6166cb65400417c9d2d94699a1c47a0a553cc7

SHA512
4a7b5bd91bbd33b40683855303e911f08feae17c93a1d7210fcb49f93351a4719f01489fdd4f1358d2a031ec4f11d06fd257dbe3fac7460fd4552b3090cc477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygIQcIgM.bat
Filesize
4B

MD5
23b9e6a52f092b2d001530bace291045

SHA1
c288acc8bcd2fb49d5d4d6e0798e7ecf6ad3c398

SHA256
82cff685532d20ded464bb873ddcafabcd45ba806d54bfeca222552b4ae2455f

SHA512
4bb4abf0cc0a30f44d5679b9bf79306261cc401c6805c8fa2681a391ff9578b9af752edfb27448d2174e5708ff471947ab750735616684d872f24747852393cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoAq.exe
Filesize
245KB

MD5
fb571877f51070ab3764fa5224ffdc05

SHA1
12119e452198c05bfe16751286f10f47c8defddf

SHA256
4d46e8ea33426f7d4d0b3ceade69da591ebb935a1b6b5e04c96e52489db787f4

SHA512
15a7221850b012d6918a517560b5e5280480403a1192c8bfffc8255fb0e43354db5276a2b085a57637fdb7d6f6b846f63c9a6d193d656eed4ff61b8ebc2c8338

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMu.exe
Filesize
241KB

MD5
588a8cf0b9224ecb17f426c7c9d45086

SHA1
26735dce9b697258ce599f5a869fa80d774630f0

SHA256
d61df49aafc5f20e9b74f3f200b83f97b0b97a4708d09f655a54ca1f2dbe9a87

SHA512
1738a2c1f389e9130d3f6ab58406198b93ce0291f47f496f871035397ceca426c8fc88760bc4b76f47c1be0f55d314749611fb8b5ebc2d6931588bd856ea2d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGsEoIQY.bat
Filesize
4B

MD5
66b7c5e23576d4639206ba157daf351e

SHA1
9ff6257684ee0d10c7c3ebf304f57d5ed748358c

SHA256
9e930f0e5c92b9562bcca45c7d0b22e791f1a8e91ea2db8cffc94f8ae9d54571

SHA512
007856d3386ac3fd64afd1072a9451cef13a537689c96cea15721c5c9944a74087527713d3c6895305b176a3df7cc38781ebb27da411191be23e00d4e7585953

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUQgcQMQ.bat
Filesize
4B

MD5
e26053ff26f62fa0188b68881efba1ba

SHA1
f688995ae14a014630bcdd101322dde7866da197

SHA256
c0986df0aefe4060d32772cdce75e9e2be77d0232f6b0ee38c8bc1774ec9ed95

SHA512
d76c7f09422cd5a420a100f244ae5c8cd1063ae6d22325ab3d84c23c7e6d8eaebdf4d397281163d5de37039bc7a48a5b90578cbba9ccfbaa58c7ca3362944c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYUgggMk.bat
Filesize
4B

MD5
49e1bb242db8d8b854c9616a9f1ba873

SHA1
9873be9aeb8df02fa19d558dca13befd85672077

SHA256
478abf2a46084d15f750748813d2606a5085fb271808bb712008fc94f8eedbd1

SHA512
f5f5b497108fb464d74bc4b48f0d4bf2ba678266689a175d9541aee5f07621b6ec7c07ab7f0c9966e35e24bed52a9bc1571774c73faa4e42254053f4a3deeac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqgYIIAI.bat
Filesize
4B

MD5
d4be1df81ae334c589b3fb8f7fe05037

SHA1
e31ae2fa1bb4b2b16f7f8540afab20df8e5e6c77

SHA256
b0c646c6fac0734e1dff89261a71fae5dc9414fa077056b1a67cb83b840513d0

SHA512
ef4ec3fe516ee21129d55b2ed550ca14213001c50b54411ff8627e27782d4277b3df7c4fb1b969ee08f346b0fbea1ed8ba63306f2d46c52a7e968e03d62dffeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwsEocEI.bat
Filesize
4B

MD5
872124607b23b15def5d400b882a60e7

SHA1
ce3e45be6ed69ab247d5e505ba875074b29047fd

SHA256
9efb3aace7cbf00ad1bbca85137a9f5f20b8fcc2448a4e509897c2da32df35f3

SHA512
11e8a643a17fdaacdb9cc807f30d46f388d351463026a6217ececdbb9642fe6bbb2b4476215c3fb79ec51fdb66589434de85a694dcbb3a825eea805e9eb737cc

Download Submit
C:\Users\Admin\Downloads\OutResume.mpg.exe
Filesize
628KB

MD5
0229dc3ef3ed33a1fb4f51326a069864

SHA1
0a1ece19643bf73ee782d447b539c0ea9c931c62

SHA256
a38d0087eafcd16dc3fddd454b6759041c5e3c6b79245565506a8fc943c4ed9c

SHA512
c0ee24610934eb33dc4f1e42924a3456c625b5f47b2f820ad5bfd869ecbd9dec7d76fbfabb2a21a33568afbfc3092b412b80bd293a88e4b2a77ebc934dbd6a77

Download Submit
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe
Filesize
4.1MB

MD5
d4dfd7681673e4644355f6de9e5ff12a

SHA1
f8834d77a6af5a157a90d32dddc69753d2cb8113

SHA256
b5ee00954059cff5f064663d5063b717a38b3b7bbf3d43075b87859d1e876f19

SHA512
f159d748800718834ea3af58112529ca87780ba81e780c10c92d6346bac931f13a2179ed12b79de1f61d06b034e7506686b818d967dd750bd8bee03b2cdf1cec

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe
Filesize
1.0MB

MD5
51d4aaf608e7c7e7b093080347ff3ab8

SHA1
b97bee0788c3aa82d8c91b413ace37527b4c6a66

SHA256
981014e37ebe742ed4de5ade0c2c9430d01a01944724ca063f3512dffa5d4808

SHA512
d83e362993ff47236b87ce1bdc6e088d50baa331b821c07854373e2f98b227d9a001291dc471d0e8a15e8bb4bd5972c93a8bbc8c5670ff4926606e68597cdc5e

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe
Filesize
1012KB

MD5
a7ffb690c55c91b5c3a43236c79e8164

SHA1
da89a559c7890eb6637bc6e63ae16a392dd356b1

SHA256
34778948954a298b5d3fe9e1a50ed5c5f92e0eae5e9017b2ed19e4d63bf432a5

SHA512
3f82dc4692d94e03ba332352debda084a7718da2e784cdbc1aa0ab99a4d106d5e9ca6e64a2e4a23de2904a8754568abf9586282445f165c0c0db5156f480f604

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe
Filesize
948KB

MD5
fb4fb3699320e9fd22814ed781fb7ec4

SHA1
f695534949417d1638d4d6d8b44c9deaae34a09d

SHA256
151a8d013f84d86acf8802ca4476098df584b26418b84fceddbbd630ce33eb19

SHA512
6275776a2cbe142d0a04b461e9eb37d2f6fd83224dfdbf332d79b91d064fd28aedfdb6f8627564e1ee820fed228a3a24109aef0b30b096fd8045d45be7bd424e

Download Submit
\ProgramData\ecooUYII\PosQkwsI.exe
Filesize
185KB

MD5
7b7e8ab2af5c4a820e30b8733b2cde88

SHA1
a49d4fd3d4552e214407ccac0f0606404bd13cce

SHA256
c33025447bb56bf8c0009dd266d0fd34b4001cb3cd7252faaca861ae8384fa7a

SHA512
060aaff308aa19d9f976274b0ce84e8a93b00eea09375b18ab07dac23ab3b3ad477c79f13cfbb3d8ed174e0610fc5dc42b7002d20d3d4e050853b75fac274ccb

Download Submit
\Users\Admin\LkAsccMs\FMMMgsQM.exe
Filesize
185KB

MD5
747356f869bbe30eab7e5b1b9aba5362

SHA1
225fae849cfe698ebfe5efd34e4f428c5e83fa1a

SHA256
dda6a2192b6c98f98c12e78f3a0f188002fe7803560293c5e84b60c06599228c

SHA512
5bfd566b88e20cab1c0638508a19936588697c822489ac8a991a85dfb3f48c7015dc96d399ce5f4609fd7c72069e98036e38446cb04c35b4400cb42cccfb6157

Download Submit
memory/316-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/352-128-0x00000000001A0000-0x00000000001D6000-memory.dmp

Filesize
216KB

Download
memory/372-437-0x0000000000170000-0x00000000001A6000-memory.dmp

Filesize
216KB

Download
memory/372-436-0x0000000000170000-0x00000000001A6000-memory.dmp

Filesize
216KB

Download
memory/492-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/492-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/532-530-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/532-562-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1180-197-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/1180-198-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/1344-551-0x0000000002290000-0x00000000022C6000-memory.dmp

Filesize
216KB

Download
memory/1344-552-0x0000000002290000-0x00000000022C6000-memory.dmp

Filesize
216KB

Download
memory/1344-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-423-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1464-389-0x0000000000410000-0x0000000000446000-memory.dmp

Filesize
216KB

Download
memory/1560-573-0x0000000000210000-0x0000000000246000-memory.dmp

Filesize
216KB

Download
memory/1560-572-0x0000000000210000-0x0000000000246000-memory.dmp

Filesize
216KB

Download
memory/1584-365-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/1584-366-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/1604-601-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1604-574-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1668-509-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1668-539-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1696-221-0x0000000000320000-0x0000000000356000-memory.dmp

Filesize
216KB

Download
memory/1724-292-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/1748-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1748-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1844-447-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1844-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2004-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2004-399-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2012-553-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2012-583-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2064-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2064-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-269-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2160-413-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/2160-412-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/2168-528-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/2168-529-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/2184-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-5-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/2184-30-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/2184-15-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/2288-621-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2300-611-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2320-485-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2320-486-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2332-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2396-634-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2552-341-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2552-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-462-0x0000000000410000-0x0000000000446000-memory.dmp

Filesize
216KB

Download
memory/2596-154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2604-59-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2604-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-31-0x0000000002280000-0x00000000022B6000-memory.dmp

Filesize
216KB

Download
memory/2624-633-0x0000000000160000-0x0000000000196000-memory.dmp

Filesize
216KB

Download
memory/2624-32-0x0000000002280000-0x00000000022B6000-memory.dmp

Filesize
216KB

Download
memory/2624-632-0x0000000000160000-0x0000000000196000-memory.dmp

Filesize
216KB

Download
memory/2636-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2636-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2660-487-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2660-518-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2716-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2716-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2800-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2800-438-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-81-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2816-82-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2832-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2832-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2836-507-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2836-508-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2864-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2864-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-83-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2912-315-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/2912-316-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/2920-114-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-4828-0x00000000776C0000-0x00000000777DF000-memory.dmp

Filesize
1.1MB

Download
memory/2944-4829-0x00000000775C0000-0x00000000776BA000-memory.dmp

Filesize
1000KB

Download
memory/3004-463-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3004-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3008-58-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/3008-57-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/3048-612-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download