1a5d387ff5859dc880c62a9bc50ee448c464ca998a986d8c1eb93b7c824ed374

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
Size

199KB
MD5

978f428348a12660ee885c1f6e34d926
SHA1

dd994c28e1df0d4b77972c4c4d796f425e9c446b
SHA256

1a5d387ff5859dc880c62a9bc50ee448c464ca998a986d8c1eb93b7c824ed374
SHA512

763bcf72b4865e3b285ceacd2385de465a5616f1993aa52b6dd3d786b68a67cbdcb196e8956efe7f49118b8e385fcb14d42ee7dd960c6b5c8caae8eb2b568606
SSDEEP

3072:2RTym7D6XCydNyPGfBAz5pttQ6hKztASqbQUbmYtrP/fFVQ1tH0j:2tL7QzfBa5ptJKRASqbQsmYe1tHI

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (58) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CYkcEoIA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	CYkcEoIA.exe

Executes dropped EXE 2 IoCs

Processes:

CYkcEoIA.exeIssYwEQs.exe

pid process

2056 CYkcEoIA.exe
2720 IssYwEQs.exe

Loads dropped DLL 20 IoCs

Processes:

2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exeCYkcEoIA.exe

pid	process
1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exeCYkcEoIA.exeIssYwEQs.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IssYwEQs.exe = "C:\\ProgramData\\AMEgsogk\\IssYwEQs.exe"	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYkcEoIA.exe = "C:\\Users\\Admin\\EwUMYccY\\CYkcEoIA.exe"	CYkcEoIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IssYwEQs.exe = "C:\\ProgramData\\AMEgsogk\\IssYwEQs.exe"	IssYwEQs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\EwAQEwMY.exe = "C:\\Users\\Admin\\IsEgIskU\\EwAQEwMY.exe"	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QkMMgkgk.exe = "C:\\ProgramData\\wsMEcAko\\QkMMgkgk.exe"	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYkcEoIA.exe = "C:\\Users\\Admin\\EwUMYccY\\CYkcEoIA.exe"	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1620 2440 WerFault.exe EwAQEwMY.exe
1104 2232 WerFault.exe QkMMgkgk.exe

pid	pid_target	process	target process
1620	2440	WerFault.exe	EwAQEwMY.exe
1104	2232	WerFault.exe	QkMMgkgk.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1796	reg.exe
2356	reg.exe
2920	reg.exe
1804	reg.exe
1772	reg.exe
828	reg.exe
2528	reg.exe
2660	reg.exe
2008	reg.exe
560	reg.exe
3052	reg.exe
2584	reg.exe
2896	reg.exe
2316	reg.exe
2584	reg.exe
2632	reg.exe
1584	reg.exe
592	reg.exe
1660	reg.exe
1344	reg.exe
888	reg.exe
1616	reg.exe
2664	reg.exe
1736	reg.exe
2868	reg.exe
2860	reg.exe
2576	reg.exe
1456	reg.exe
1608	reg.exe
2796	reg.exe
2932	reg.exe
2664	reg.exe
2772	reg.exe
1828	reg.exe
2464	reg.exe
668	reg.exe
2468	reg.exe
2248	reg.exe
1748	reg.exe
824	reg.exe
2664	reg.exe
948	reg.exe
2304	reg.exe
2452	reg.exe
780	reg.exe
2432	reg.exe
2460	reg.exe
2608	reg.exe
2700	reg.exe
2164	reg.exe
912	reg.exe
2700	reg.exe
1820	reg.exe
1972	reg.exe
2220	reg.exe
2956	reg.exe
2640	reg.exe
900	reg.exe
1396	reg.exe
2696	reg.exe
2792	reg.exe
3004	reg.exe
2672	reg.exe
2668	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe

pid	process
1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2836	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2836	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
308	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
308	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
380	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
380	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1600	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1600	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
336	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
336	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2888	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2888	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2840	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2840	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
856	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
856	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1876	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1876	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1948	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1948	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1396	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1396	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2848	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2848	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2248	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2248	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1664	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1664	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
596	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
596	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
964	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
964	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2656	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2656	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1036	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1036	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2640	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2640	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2456	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2456	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1936	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1936	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1808	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1808	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3028	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3028	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2024	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2024	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2224	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2224	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2252	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2252	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1568	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1568	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2924	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2924	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
900	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
900	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CYkcEoIA.exe

pid process

2056 CYkcEoIA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

CYkcEoIA.exe

pid	process
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe
2056	CYkcEoIA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.execmd.execmd.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.execmd.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 2056	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	CYkcEoIA.exe
PID 1792 wrote to memory of 2056	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	CYkcEoIA.exe
PID 1792 wrote to memory of 2056	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	CYkcEoIA.exe
PID 1792 wrote to memory of 2056	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	CYkcEoIA.exe
PID 1792 wrote to memory of 2720	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	IssYwEQs.exe
PID 1792 wrote to memory of 2720	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	IssYwEQs.exe
PID 1792 wrote to memory of 2720	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	IssYwEQs.exe
PID 1792 wrote to memory of 2720	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	IssYwEQs.exe
PID 1792 wrote to memory of 2780	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1792 wrote to memory of 2780	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1792 wrote to memory of 2780	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1792 wrote to memory of 2780	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2780 wrote to memory of 2672	2780	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 2780 wrote to memory of 2672	2780	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 2780 wrote to memory of 2672	2780	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 2780 wrote to memory of 2672	2780	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 1792 wrote to memory of 2696	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2696	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2696	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2696	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2904	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2904	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2904	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2904	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2700	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2700	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2700	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2700	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1792 wrote to memory of 2808	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1792 wrote to memory of 2808	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1792 wrote to memory of 2808	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1792 wrote to memory of 2808	1792	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2808 wrote to memory of 2612	2808	cmd.exe	cscript.exe
PID 2808 wrote to memory of 2612	2808	cmd.exe	cscript.exe
PID 2808 wrote to memory of 2612	2808	cmd.exe	cscript.exe
PID 2808 wrote to memory of 2612	2808	cmd.exe	cscript.exe
PID 2672 wrote to memory of 2624	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2672 wrote to memory of 2624	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2672 wrote to memory of 2624	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2672 wrote to memory of 2624	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2624 wrote to memory of 2836	2624	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 2624 wrote to memory of 2836	2624	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 2624 wrote to memory of 2836	2624	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 2624 wrote to memory of 2836	2624	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 2672 wrote to memory of 2640	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2640	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2640	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2640	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2856	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2856	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2856	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2856	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2872	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2872	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2872	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 2872	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 2672 wrote to memory of 1984	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2672 wrote to memory of 1984	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2672 wrote to memory of 1984	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2672 wrote to memory of 1984	2672	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1984 wrote to memory of 784	1984	cmd.exe	cscript.exe
PID 1984 wrote to memory of 784	1984	cmd.exe	cscript.exe
PID 1984 wrote to memory of 784	1984	cmd.exe	cscript.exe
PID 1984 wrote to memory of 784	1984	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\EwUMYccY\CYkcEoIA.exe
"C:\Users\Admin\EwUMYccY\CYkcEoIA.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2056

C:\ProgramData\AMEgsogk\IssYwEQs.exe
"C:\ProgramData\AMEgsogk\IssYwEQs.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
6⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
8⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:380

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
10⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
12⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
14⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
16⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
18⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
20⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
22⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
24⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
26⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
28⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
30⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
32⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
34⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:596

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
36⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
38⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
40⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
42⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
44⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
46⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
48⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
50⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
52⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
54⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
56⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
58⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
60⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
62⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
64⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
65⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
66⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
67⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
68⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
69⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
70⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
71⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
72⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
73⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
74⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
75⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
76⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
77⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
78⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
79⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
80⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
81⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
82⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
83⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
84⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
85⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
86⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
87⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
88⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
89⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
90⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
91⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
92⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
93⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
94⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
95⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
96⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
97⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
98⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
99⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
100⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
101⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
102⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
103⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
104⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
105⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
106⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
107⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
108⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
109⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
110⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
111⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
112⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
113⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
114⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
115⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
116⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
117⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
118⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
119⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
120⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
121⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
122⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
123⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
124⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
125⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
126⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
127⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
128⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
129⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
130⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
131⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
132⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
133⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
134⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
135⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
136⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
137⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
138⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
139⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
140⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
141⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
142⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
143⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
144⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
145⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
146⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
147⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
148⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
149⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
150⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
151⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
152⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
153⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
154⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
155⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
156⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
157⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
158⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
159⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
160⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
161⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
162⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
163⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
164⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
165⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
166⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
167⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
168⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
169⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
170⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
171⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
172⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
173⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
174⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
175⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
176⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
177⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
178⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
179⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
180⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
181⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
182⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
183⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
184⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
185⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
186⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
187⤵
PID:344

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
188⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
189⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
190⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
191⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
192⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
193⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
194⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
195⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
196⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
197⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
198⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
199⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
200⤵
PID:604

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
201⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
202⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
203⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
204⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
205⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
206⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
207⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
208⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
209⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
210⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
211⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
212⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
213⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
214⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
215⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
216⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
217⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
218⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
219⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
220⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
221⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
222⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
223⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
224⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
225⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
226⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
227⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
228⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
229⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
230⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
231⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
232⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
233⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
234⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
235⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
236⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
237⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
238⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
239⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
240⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
241⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
242⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
243⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
244⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
245⤵
- Adds Run key to start application
PID:2428

C:\Users\Admin\IsEgIskU\EwAQEwMY.exe
"C:\Users\Admin\IsEgIskU\EwAQEwMY.exe"
246⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 36
247⤵
- Program crash
PID:1620

C:\ProgramData\wsMEcAko\QkMMgkgk.exe
"C:\ProgramData\wsMEcAko\QkMMgkgk.exe"
246⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 36
247⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
246⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
247⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
248⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
249⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
250⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
251⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
252⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
253⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
254⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
255⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
256⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
257⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
258⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
259⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
260⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
261⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
262⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
263⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
264⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
265⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
- Modifies visibility of file extensions in Explorer
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
- UAC bypass
- Modifies registry key
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CykQYYEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
264⤵
PID:2764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QocsYYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
262⤵
PID:1040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
- Modifies registry key
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQMoskQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
260⤵
PID:2308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- Modifies registry key
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWgMEIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
258⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zqYkIMEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
256⤵
PID:772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
- Modifies registry key
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
- UAC bypass
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LiQYEEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
254⤵
PID:1972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
- Modifies registry key
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYkAEEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
252⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmwoMAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
250⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies visibility of file extensions in Explorer
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- Modifies registry key
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TqIcYskU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
248⤵
PID:2744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWIooAIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
246⤵
PID:2784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- Modifies registry key
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SWgskYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
244⤵
PID:336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMIIMAAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
242⤵
PID:828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMYgEMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
240⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\puYYIIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
238⤵
PID:724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies registry key
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LiIMYoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
236⤵
PID:2088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
- Modifies registry key
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGUMssoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
234⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwYAcYko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
232⤵
PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies registry key
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- Modifies registry key
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwwkswcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
230⤵
PID:1372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQUggwso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
228⤵
PID:2360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUcEsIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
226⤵
PID:904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyAUIwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
224⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
- Modifies registry key
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- Modifies registry key
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmIUkIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
222⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jCIQwoMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
220⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies registry key
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\foQUIwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
218⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies registry key
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BukogMsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
216⤵
PID:3056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tAcskkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
214⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MkgcMgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
212⤵
PID:1664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iQskAIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
210⤵
PID:352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCYskcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
208⤵
PID:3020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qccsgUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
206⤵
PID:1812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- Modifies registry key
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWEEkIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
204⤵
PID:2808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
- Modifies registry key
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMoIswUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
202⤵
PID:3056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
- Modifies registry key
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nsMQIoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
200⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies registry key
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
- Modifies registry key
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYsMoEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
198⤵
PID:2384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugowcAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
196⤵
PID:2308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISMYMkok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
194⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWcsEcwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
192⤵
PID:1344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuQgosYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
190⤵
PID:2352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bSYwEwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
188⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMMkAkQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
186⤵
PID:1968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
- Modifies registry key
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- Modifies registry key
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsUMcgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
184⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
- Modifies registry key
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcAIEwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
182⤵
PID:2500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWscwEMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
180⤵
PID:2580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sOAcscgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
178⤵
PID:2912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmggwkcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
176⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
- Modifies registry key
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yccYwUsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
174⤵
PID:712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywEcUQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
172⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BIoYcAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
170⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOssAkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
168⤵
PID:724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TickcYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
166⤵
PID:1820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:652

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkswQMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
164⤵
PID:2504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwggYQIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
162⤵
PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCUcwIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
160⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ggoMUoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
158⤵
PID:2736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aOwooMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
156⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RSYUMEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
154⤵
PID:784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zkgsYUIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
152⤵
PID:1164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIYwcQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
150⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
- Modifies registry key
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XmMssIsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
148⤵
PID:2040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
- Modifies registry key
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UcQosYco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
146⤵
PID:964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQsUYIEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
144⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iuEUwMcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
142⤵
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqcUwcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
140⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgIoUYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
138⤵
PID:2452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies registry key
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEUQEckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
136⤵
PID:1860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies registry key
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
- Modifies registry key
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- Modifies registry key
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZEIYgwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
134⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- Modifies registry key
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AekgcwYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
132⤵
PID:2920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCkoIQcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
130⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\emssAcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
128⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yGAUQMcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
126⤵
PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmkUoQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
124⤵
PID:1920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkkgUIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
122⤵
PID:2504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lcYMMowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
120⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XiYAAEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
118⤵
PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kcQQIcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
116⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMYIsUUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
114⤵
PID:1304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- Modifies registry key
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UicEIYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
112⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUAkQEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
110⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HOYokwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
108⤵
PID:1040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
- Modifies registry key
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUIYYUUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
106⤵
PID:2120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies registry key
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWosIsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
104⤵
PID:2116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCUgwMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
102⤵
PID:2536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWcMMgog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
100⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMYMsAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
98⤵
PID:2744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OukYYgwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
96⤵
PID:2068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ASoUosMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
94⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HeAQMYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
92⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMUoQIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
90⤵
PID:892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZaAwIcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
88⤵
PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZakwQoQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
86⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\easAoAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
84⤵
PID:1380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsEUAIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
82⤵
PID:592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIgwsQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
80⤵
PID:2256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gyUckIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
78⤵
PID:1560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sowwokUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
76⤵
PID:2740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqQAYgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
74⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeocswQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
72⤵
PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkYIUoQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
70⤵
PID:2312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYcUwQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
68⤵
PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iiIgsAoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
66⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KucQAwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
64⤵
PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OGgskcEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
62⤵
PID:1948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAQIQggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
60⤵
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hOIIgkMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
58⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies registry key
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tkwwkwkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
56⤵
PID:2624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAcccMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
54⤵
PID:2040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vggcQIkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
52⤵
PID:2464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOYMcEkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
50⤵
PID:904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqMgUsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
48⤵
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMcgAksc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
46⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIEAMkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
44⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XwkUswMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
42⤵
PID:3056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMUowEww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
40⤵
PID:1292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQYYMwgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
38⤵
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmwooAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
36⤵
PID:900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGUQAUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
34⤵
PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIwQQMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
32⤵
PID:1752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GoMsoMcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
30⤵
PID:2308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
- Modifies registry key
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmwQwIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
28⤵
PID:2872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PuoQQgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
26⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
- Modifies registry key
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQIMAAEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
24⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\liAkwUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
22⤵
PID:380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xEwgsYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
20⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOgIAQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
18⤵
PID:2096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuoIkAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
16⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCYYAgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
14⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEsgQYgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
12⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CwokAgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
10⤵
PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FmYYMAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
8⤵
PID:1524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nowkYMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
6⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMgIgIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkQMsUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-65774669310391648721814719176-1213529978-6491996911472448126-1615975059-207256926"
1⤵
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMEgsogk\IssYwEQs.exe
Filesize
183KB

MD5
4287d84d924f8925fa5356123389b5dd

SHA1
a8b1503e58b46eb769e29f38cc4fdbd5027f43fe

SHA256
00a90d1fbb4a86496f5bbb596ac2374c3dcc4bd037304eb9aac8b38ad7d8eecb

SHA512
4dc26ed3d4910df5f2431b662860578cabb7c2b4deac0b97309cb1fb4d505604ee3927564053d2d1061a902e52333ba3e14dbdcc5b4ff404e799865513fd4441

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
305KB

MD5
c29f33bda186cd0a9c305717d7451ef2

SHA1
d3882135f3a649982475b42a79de0d749887ed0d

SHA256
7c9f7b04d7b986c9a458557ab0a7ea921567daee464e7401ee4f5c3e90135863

SHA512
728740631f2170720620051b02f667ba02322cc83e35a3d3f50b566c2c49f34a14fe381cce3504f84ef00a42e5596983e791604bf309aa2a7008b143d09cbb96

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe
Filesize
238KB

MD5
b046eeb57d7feb55650cb1efc7a52c20

SHA1
7d5ef73d20d3b6e03ebe76a0913ccdf79db51923

SHA256
ffee51ab15469d3dda3374965d972602452768f9d5ae3bdfa359f74052e1f77b

SHA512
bebeb4c90613c6897edf4ffb434f0baa86ee1d3a4f8945d8164ca21f1c5a18e15e07005519ee1b5e9e4e091698c9cabe1d09ce04e2cc017bb51e08cae031c3ee

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe
Filesize
237KB

MD5
e2d8afb6c848b66cf74a07b16151821f

SHA1
ec5b5cf2018066045210ac8f79e55bb1b6111615

SHA256
e33db0bb9369390e396b050715c79476cb78110cd0f19d0d8b1614099e660116

SHA512
d6dcc1f86c41660b69835b28f594ae7b3cd4c51fe9ffa10ab464e3d428c1aff269b05f99053327e0cde02fbbc7939291dee3ee7768273129563167aa6f20ed25

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
Filesize
227KB

MD5
fa2490e36f2de83aad6315e5f4cf1b0f

SHA1
9c0dcdcf83683db89d59a30dd58aec1e52d6ac72

SHA256
02ebe3fceb995124a729245c99f8c2cd90d9b6b239a71f7ef51402000926db8e

SHA512
4b3a11b39e576559f3ebba90cd864d95dde99d900c52ad5f19d03fa229cf74bcb0de941ab4db43653cebcf5639e7815561be89485bdbf76f4e247051c0a60022

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe
Filesize
235KB

MD5
3eca53c806429900dbb3488d81724cd6

SHA1
0c564b5d96a82f41ad3c636ba4e5b63cf4a2484e

SHA256
7e1a099418d8edb6067e0e87c4c32f3643a306494d3fe63fc6a680f3fb275d7b

SHA512
58e6114ffd3e73681de9f8b69983788a7284b1d39f63c46575af4a670f93f0ef86e2efdeb19819e313d85b5bc3bb5c1063f0ff519178f622bdde841de00f67de

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
253KB

MD5
4befe9517bbcd09eaf77251127412791

SHA1
ea9447f266f974f478f9bdd35846929084663625

SHA256
9790544db3d8afa6860707587f9794bc7af516f41807c628aa6783b5ce7d51ea

SHA512
aaecb2d8ea2e563cf84072838c2808c6837a0307243155598e846d9b5bd21dfe8fd1bc4f2f70e9c5ce2b4776d5dae4d5feb2d8a9ed1111984b8091afbc8b1e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AaEgAwQg.bat
Filesize
4B

MD5
7af8d95d8bbee7ca3e24f8a0a19233fb

SHA1
47386e8ed169a6fbf5311b053ca4523fca95ddad

SHA256
db811aa488c015d411bba34e5aa8e0af450401a775815c35e5a4ceffece22997

SHA512
aeede57c0d2fd14db74cd5c6a38a1b58473c15ad4b77e7d3b90555a7179c8ac6dc0bc1f3d69de5df8d5fe07cd8af88526e8224de1a4368d208f8fb0ff6096869

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmIkoYAQ.bat
Filesize
4B

MD5
8db7e279411c29e8225b40323bc48467

SHA1
4489e7403146d9d66275e066ea66e3712ab0678f

SHA256
b36c4dd59528c8c5922e03b0a145066092f68359ec13f7193da50136b310b6a2

SHA512
88094e2f9c3e55a7d1b0a07dbaa0589869d54b2144ac585151d1b0d6c6741351de8845f352c22cb5582e1b92ba1b04ab5738c5420edefe121dcd42818bdbe28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AosW.exe
Filesize
954KB

MD5
9932d570a987de8d319f6c75863318e8

SHA1
a8fec595ca55f77fde79d8b76a525b2087557957

SHA256
6e5907b52730670fd5c10c80c939f469c832d06d594a51957ccfd873a35da0be

SHA512
225a43e460865b44f5b178413678bb1c8c57f37f7308f38f7156f99a63fe07c388b806bdf8b1fa30a43b2aa7d74e4b03940b532820ffeb7e3160d65c1dc36bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\AqIEIsMk.bat
Filesize
4B

MD5
5724c1b66d776850c2fc420b05d22a23

SHA1
d6db10290e9133f9facd76f0b81ec6f59213626a

SHA256
020656806d1494b6347dbbeb4e0f8be4d790a697d33563cbff96c4612d64dcf3

SHA512
77f4719b24fe2bf24cc99c9f526e38ff3bf42ab6bcc620a093c9f9046e36c321bf7681e4c93549e6e8816346fee43a490594dceb643ca5309f90e3475f34553a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsoW.exe
Filesize
1.1MB

MD5
5fa5548d4114fa56c0bb9ab249cdef7a

SHA1
cd645b48c8bdc1a5dac69444615044d5bc502f7d

SHA256
790baa8424c542524e1e2039403a49dda7650fc7c5a2c307d2d83766845273b8

SHA512
76420a49637110dfdf3b63eb945991b13b479f67134c38e57d3359ac3fa722f0875dd63b5d5c15f09b5dd3e550ea674c7abd57934bb2e19901f61de3aff5587b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asoy.exe
Filesize
245KB

MD5
195d9203c8f59e1a84e9659e09aab83a

SHA1
b5fd4b9ce60c33aa9fb9ac21316c145c9ed03400

SHA256
6a7b565616e75a6aaa84323573a8ec4cf2389dd202ca7ad23543125930b26312

SHA512
0666f7cc74897d98c50dfc91792492df93bc98d4ccf2cc56abc4a223bfae1047f8edea06f241fc08f770b581c60abf6cb27ae637d449e973de7270e53f94a9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AswYsUok.bat
Filesize
4B

MD5
fa28bf325c1d98f188c9baa562e228a1

SHA1
71658771d9af7361d7fcb4b3f5dc6d7c6f87da8e

SHA256
dc4a9ffb9d7f8b20f7437a33ff7c74ac6a24761ec823a3d9ce504822d94961ea

SHA512
dcb7149ee3ad321ba37fdcd68147f1c3807f728749e3142d3952fd364212347bc9711d280bd2b5cc3049f47be712302153d49f85a87f8ba3bd62a246eace8d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awci.exe
Filesize
215KB

MD5
72f1dc92c9dc710706f91b21a59fe529

SHA1
ad6345e01aad3f69f59e71e6bdf85acc8db6b34c

SHA256
15943ba4e46d79dbf0b4ce95237e0f24da32341d6abe435c589d2331d3373631

SHA512
90586cce8c0e320b01ea04f4aedac39a2972b0b0b9dfcb9b1931bc57962bc14fe63a5bda3f0409c47f265f8ffabef121b45121cee805131d5607f9ba1c32de56

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwkK.exe
Filesize
249KB

MD5
bbe5304b0d62a06a0fa56364fc464bc7

SHA1
ecadaf2ccadfb666d72f9096a28afeaab8a73751

SHA256
b35998361e8807eaf4028c6d0c0e35acc46901a2dec10a17fa50c0ee2e4d43d4

SHA512
45edca1f59bcaa21327d25938764ad1009ab896008348f59b716a00c0166e4fb1985aefe0cef8eeec94c6d19827e9e9f6b0ca3ae832b335d968647f8e863e3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGwIsQEY.bat
Filesize
4B

MD5
fff41f27a6f20eff086056c201e49a29

SHA1
11997ec111855474d803212acf991384bf5dd752

SHA256
a82924cccfe7bddb67cdf7d260640df47bf17b3dc6ea87f77becfbf08b58ed63

SHA512
6218aa3a93148c5d34194c481ba127cf2ef3d76093d1817ec79f783d9acf9b17aeca79290cc3f249f2267b9d2bb1fbe6818af56b7bf6ffb6a4f80de6bfef4aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMQIwoMA.bat
Filesize
4B

MD5
3639541fab36459173aeea6681afb3a7

SHA1
48c6a13b2e91284dc4b3925fabc0258820d69e97

SHA256
236f9cc826c23e0581f3c291b3164f2f66d830b5222ca352dfb31f38de7c5b73

SHA512
34fddc57442e7744001dd0c83cdb3f324d81572ae403925d419f07d18e4e742248349cdfe16629e135c890335b1027cef27e58cc5f7c808a7ff2ed41553bdc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOwsQAcw.bat
Filesize
4B

MD5
8f104989aeb9a478582544cdd7776c1b

SHA1
bc27eefc63e2799803b7298aa3aa981185c4e518

SHA256
be34e374a00f4c597ecda0e0c372a26c1bb319e55fc09dc28cc6bb9d1ef3d0ca

SHA512
dbc094278e66055f808350bd6bb3a695c9ba80bd642b2c0873a5ecc7250a80be016c8a3497cb6e6b9ba07429f5e147e4f45b8e69e26b4411b28d8aa064bf1792

Download Submit
C:\Users\Admin\AppData\Local\Temp\BWYwMIkI.bat
Filesize
4B

MD5
7a4f00e351437f535dea485b5a6d7cc4

SHA1
47dc43b851e98744590b36657b7630ec29fbc19f

SHA256
63c4dc0e671ced94077862cce38d8c18b09689e89e46bfc7631c31712e917faf

SHA512
38c48a8a9461a5b6c75204dc9bdc9e9f1e2b7446d4f0a67e2a2e0cce45b51c29f7a517a9369590df5e8ade7cb2569ccef92526bf2f8bcde4f147c33faf927c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeUMUYoo.bat
Filesize
4B

MD5
1c3a7989e31b870956e8dc37a3dd316e

SHA1
13d64b29b0b35e88e448eb2630f6c1652786ccf3

SHA256
4ff2fdd6a3019aadb9ff504e6251aa0aa77acd22215eac690dcfc9cd13e490aa

SHA512
fd35dde8af830413788e0e438d00010a69e3d8b6dbda14f63084d4c2678df1fb6177a6b3b08a35d7b3fd2bf19a1cd28f57767a27dc576ad1f5c21ce0b3375554

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCgwwUMw.bat
Filesize
4B

MD5
8341886dd9e159deff235872ca46feaa

SHA1
2b5d4a23996337bf0d8595e0a034a659ae9a3d12

SHA256
02828364be54b802eda777f3dfc3b873c49e77dbeb2bd86f85724e439abb8b64

SHA512
5444da4720f5c45cdc8a090449234169e364851363efe3bf2382f45b855c91a892177f7b0a99a7c62ff97319d80fe8d3f0164a85681b7dcc2759b1e622dc8202

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMsg.exe
Filesize
246KB

MD5
e4fcd7ba4b57e93ee0d399b6d113ea62

SHA1
77d44ebbd49c4be31d2a4c3d34fed6fd430cd7d0

SHA256
86782bea225502b92466da05aa6085aff5d99256dae1de21250c922fadfa8ad4

SHA512
f7ea25cc0ed17683dfe85ddbbd177b9c2604a54accb4246d0f86cbe551f70a0b7d9673c8566d1aecd82a596d123b25974e2e7c76bea65c4bfe58790c3168c61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQkwocIM.bat
Filesize
4B

MD5
43c6ed5b759c867ba199f2399b886a30

SHA1
ff6db88d2c8674fd99f15e58467357f0d9a56948

SHA256
48acfcf35dfa13e4eb806ed3beb5e8e49dff558b6ba0f92a5b4c6159fb29374f

SHA512
20688d173e8589ff5c31d7bc33b2ec011312ca8b2e2fbb2d663f8691582442787439e3f1e8a9548045a22e900818f9134a1cd503cd7add620512475216921606

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUksMwgQ.bat
Filesize
4B

MD5
1dc878f867dd06d46a86ea95d99c4f04

SHA1
7cf86e001b581025fc79dd5bf55442356a19fe43

SHA256
45cbd8c1e988102fd478fc61f582fcac3c385bef8b43f0245ab76604b9e86df3

SHA512
7a8b1d9c9fba39a0455bce38b9f32a776e3a469f00cacdaf90528b8444f0f5059aca7d804d980578c6430c6086dc562bb30b76495780af3823c3b25d596db310

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYsEAkYg.bat
Filesize
4B

MD5
2c0be041d65adf6c512e518006de5c0a

SHA1
d889cc8780b99609ded15f31cfb4663896b932a0

SHA256
8414449235c808cf227711bcb8ab1163f619091e61cc9c3d5317d30b0430b10b

SHA512
fc591e140c7c7ac6e08fd851b8317841d80a0b2a7c5e37d9d4f26f38d371e816963db4eaff3522bc649e9df56dc47f70f323a924061355e74214e6b4a07c75e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcUEkoYw.bat
Filesize
4B

MD5
3d7ef36e3f650eba8f4950cbf4bb95bc

SHA1
3b4b9ec6b54d2b3bd0747c2194bb07586bbacfa2

SHA256
9e9432efc75ec1c2afdff91b7c5c865c227f3b812eb51e351b4795e92de4d9f3

SHA512
b051a5702f85b3ab4deb7bda2623898d7a4d691642ff3cf93c3482359140fe7b456c5958176f61c8ba06de330cac530b183676bf081c4d673dcfef448aab9619

Download Submit
C:\Users\Admin\AppData\Local\Temp\CssY.exe
Filesize
642KB

MD5
b4e1721eea61267623f08e2591c5cb2f

SHA1
a701a322b1cfdc59c20b3095726d089fe83fb01c

SHA256
20bfcb328045f00d9a184016a1452f8f6d27e1ee4967e0099286b529a04e437f

SHA512
f9d7561cc268832131020981314e0b79695d7e1f420566f513802939fbbbc12a62105fa69031e2302804b0c532b2eaebc7518ad8673fbcd7301eceb5d4a428e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUwQQYMk.bat
Filesize
4B

MD5
77e3296b9d64ab204c0cbac6c2bef743

SHA1
8e8df2517073561efa3eda1197807097287e8ac2

SHA256
832a639c6ec831f030df3cf6776ac3d9697c8f89021443d259a30214bee355ad

SHA512
ab97b756ecf09788fc4d2e2e36410fd9361a929808112ca8e1e284716b6f884de95821f7571936a2db3f8d3c8adca26815638f8e3f63315527e7edd7ac2d25ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DaYAIQwg.bat
Filesize
4B

MD5
a44bb28819d0e9dee07be888fc9c915b

SHA1
5e8a64467ca7fb4dda89c1220b4ae3d44b0ab3ef

SHA256
a9e027bd4408a254ce4b45644e621c2d23becbe30b01b045da9f089ff5840d1d

SHA512
88baa02ccdb8f024d7b8f453b8b804e77aa2c6e5911979bb034d627fb8415bdcac3a4be1e23a90634d6618599cb6fbfb0e3cd323a4c65c4d44e476b695bdd097

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAUU.exe
Filesize
206KB

MD5
906c139950ef99bf54dec905e56a7f63

SHA1
f73a4ae026a94c6a73c18b6a2c677a9aa060ef09

SHA256
80703e5d23367fd9393c2b3e9630ed5ae03ebd16064b581362e903e09203d2dd

SHA512
99ac2d8480e51ac115e70de1e4d75e09f8051c85452616a7cb821bd5951706f19015305cf9501477052d5f68e6c54f5aecfc16d0f25c5e390815cccd73694174

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMcK.exe
Filesize
515KB

MD5
a54b41c52609dc5289d976d26f2430cd

SHA1
1df914f021d6388d12a0c06774cc9e4db53dbf79

SHA256
f2c19a42192a7b7f1fdd33714b61a7967a17fdfc6de5cb201e81d53fe1a0a439

SHA512
5cb240411fdde14708c42cb9b7c1cc96a9254333a3e4175b113599aa76fb80dddd931871d5cd19b651ced48ae4461349fe96abc69f1a52a560f4e3412d800c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMsocMgM.bat
Filesize
4B

MD5
2e217a253467e97f8c709c05381ef9c6

SHA1
60289a7aa3435619767e7d2137e3e311eb8db277

SHA256
6e8c91dbef75478cb14013b21ede47c261954b60ca4732a6cea8e4b4115d318d

SHA512
6f27b70780e95b55afb3c3d28f4ca54b92852f79d7103564e2d5729107b3e6b330839008a72a2e217a5920fc1a9729803a57b7c36a756d74632460247fea2c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYEC.exe
Filesize
190KB

MD5
3e62beb85babc79de8986c486bd20370

SHA1
f623bc776eaf13e96b5d54c169da4099227ab601

SHA256
bc0f4f52bac07b06e72c68500606c290a73503a2030f59b963472fba0c4a02a4

SHA512
748e968ff85de9df6b72dac8e936ad012f74382c456fdc2044b3b1884e806ed5377a129f52f52349447108faf6c1b1209546a4ba9ee65dd45f8ed2b3c4c2f25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYEM.exe
Filesize
237KB

MD5
31206286d144adad4f79ec32ca4704bb

SHA1
ff6397f8e7b6e6036afe029e46848ee7b96c8e86

SHA256
08153dd3f4799e39587b9dac8d603a6d3cc35c7c7bbc226830ffd60fd5cba6fd

SHA512
73cabbfe96a5666de5e59e1674863a5da007556f6509f0af5c7bd5f854ba54ebe69e1bb30c94f9656eefd5f4e58b2b891dffe5826835ac2e98eb49a980745597

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQsYAksg.bat
Filesize
4B

MD5
c1ad94faf265789bade028e799ab490e

SHA1
76b45c011023c9b0b29a5552ea94790346aab1dc

SHA256
62d1221121830e0f3e3e681d53d4bf8dee53aa7d73bf2b08e69b573f273b62bf

SHA512
8d688ef2e278fbae9184c2bf757f3da6c0323bbb674374a98118bfa7d6c1dd8b043f5a1abb26df6dc4304a3f267f3c550120d0fb2caaa835c6a52f75d97292d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEEq.exe
Filesize
233KB

MD5
02356b85efdbf47492c52dec15bd7ba2

SHA1
0c45f44e4836e6da1a024cd2f016d521fecd1721

SHA256
f67c39611eeac1ac0556e827fed6fdb81624daf17c19e6d955d838e192f7da8c

SHA512
73acdf805078a17bef76f0c0fc5fea16608c0213c10578d444492ed14b24551863f693c6c90aabf6e5bd91cd328b856d77f8c27f3534b3509d0e79cbd27c96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEkA.exe
Filesize
243KB

MD5
04855803d8685f07c203b0de1e4506f2

SHA1
7ef7c203a9b883055a6ccc2f861972d41744da46

SHA256
ad4a139d4b14cb91d4d6f3a8ada8b81577d0408b429c8c699368e5c69b59a3b6

SHA512
c16608f6bfc7ca50e3ce9d391a5c53be1c177f4289ad571ec87223b8a3785953105b307d35ef8b5f99d7ce3fe50400c62ef0008358cdf6f55a0de1a09d48ae96

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGscgkwE.bat
Filesize
4B

MD5
3b8cdf806627370851ea15a90064f5e4

SHA1
a746921f495823cf0b1b4708e5273ec0b5a2c3b1

SHA256
b017c0353639bf85e6b600cb678ad28fa23deefe2d956a7ff5477de5b5368f33

SHA512
a4d105c7a2edaa86b4057b863c8b019448a60a2b3a4343ff22f5526028ee4677704eb378e094635c08e96140c8aa0973df9c0aee850641b35fe3a1311834bcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMYA.exe
Filesize
238KB

MD5
8630cb051ca61e77f78089608fb359f6

SHA1
7f7c628533e0f553d6fd7d271b40db26ff949ee7

SHA256
90674e43cb91d6fbc1ceb749ae0ce56659fd97ea1bce873d39270df23ef0ba47

SHA512
c758f814d4fc0bcc42b6522fdafcbf032f6d90ea804848761bf199a0ca373a5b0a058a61b006a0dece07f9d647eb5ad730dfbcef0ced56ebeb1b1ad85e24184e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQgK.exe
Filesize
227KB

MD5
36d3b21766cebfe9b23c40be9b81589a

SHA1
46b4aafb53f799fadd5adf43395c42ce75bf90a9

SHA256
f0faf1df5eb8226c11bbfc6f4bd8351a830c1f19e3181445921714a5e5269f9b

SHA512
b8505f43611cc5709fa6bae48c6745d85d4229d631e6923bf787e90a7f11bdb21452bf3a0f81cca3091360de7d68f4d27b4dbeec53450b3cd67b2dff7494d2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GckS.exe
Filesize
231KB

MD5
3b3e36ac8bf9084ba78a5facd96a3fe3

SHA1
c76ab67130df0f505fa79dbefe2043d54666fd26

SHA256
4af79abe8b5ef9417859d183f59c525a46f239af1b133ad560510277fcca1281

SHA512
a03cd77eef0d06f1ca66e96ccd56fc9fb2aa5ee8a882f19159df7e148d9024f48f3198a7dca8a05fa21dc2c8ffdb48cf0a539bcadf29dadad9152162d26ae39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkQk.exe
Filesize
1.2MB

MD5
85916ac16a2819e8340e0bfbd2b13100

SHA1
3fe2655d0dd02976b2cbbab792900a8199dc8e57

SHA256
5268f8313654672dea9dbe167551700aacf1b30ee89ef746b537c5dd3dd8139e

SHA512
6a5bc26110351e7c64aa691316c6d3675a793002d31c734c3344fdf22b34888fec3d4fa05f87553c422715bda9b3e3d7e0ff0bb9ccc089e23871f32cd2a46b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoUU.exe
Filesize
247KB

MD5
07c1eb9c6827fc9ee5b6498409da68f9

SHA1
ce6932b754ad6144199f1534965c4405e07de5fd

SHA256
b2441842150efe5ca18caa2e76860413c7fca9f865c0aa5376e41705523451a6

SHA512
257940a0e0bf9b6abda544621deeba518c0e20692b860fa3837928c4e6a0566b71dbc6a380ac79ab3a70765f386af25bd5c684c9bc5f41342a9850b4b4ecf2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoUc.exe
Filesize
232KB

MD5
269b39fef312e5cc594d994e001dd806

SHA1
2a0af54c80951ffd9c95a9c6a877c948ad8bdfe3

SHA256
8276bc592d8016fe140e4ed3c855a18046da34e7cfd4a26c6965173a77efa7ac

SHA512
d9638d1967312626ece153f347a2ecb4673ec4db0e304baf7ba7a5ff5d3fcb92b7fcd4fbf5bd16788121e2ba477ec92cf9837314943b7d61b3e6aab4da9772e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GowA.exe
Filesize
246KB

MD5
00c1b8a36b6234be4fe10d167758c686

SHA1
44666bfa8b5b8b6109c7647c0bd5715139c41bff

SHA256
90ea354125e6f4657e9d85e3f9b57e2bcbfbdfa625aec7846668abbfabf2728d

SHA512
0e0ee7030137be4a7eab0672bd16c5731112f9a8006b610f2c92f4de61e435ac0c180c45ed7682273966f70c2e89a6d5295628a33df70fca08818ef739c2d7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GyosUQMc.bat
Filesize
4B

MD5
e5e9386640d43cf0d38614a933e76276

SHA1
89a3e2f3e3994413f454db22a1f1921d32297908

SHA256
b419f7116a69a35bebd087a32d8c287bfc57449026df3fe7ea8611bc55a0b7c9

SHA512
20c3e0c721c5ed42d1a020268f6a370cfd6d2aee28e966ecbcb2405b267655dcd9a45fb7bf43d16f74f18aa4e78e00419edb4fbe60f8fd4966caa12dff89a5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQcIoUos.bat
Filesize
4B

MD5
4e7a8c2068e9eb784221e4701d5154c1

SHA1
8563609fb48ba21dd23a261c30c04a1872b66803

SHA256
0199574ec5be6c6d39e8bfb6be25e4de951d8ef530504aa284a9ba4e3d3b5115

SHA512
a3cb6114476e6ef069cdcdb5e4209efb7a2658c35255453f9ab579185204949f7c5ccac96f0e947535f023b07a36ef8f3a9f13e9fd2730d5caf50bd80d7d3a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiskMUUc.bat
Filesize
4B

MD5
e3eebd57fe40be275a9a4b8b31193aab

SHA1
5aca154621a5c05e7336f0cbb5e6d1248f185552

SHA256
9e5a4d5e3f543948d9f8a6a41458548faf22afffc1e7c5aa722d268dcee900c9

SHA512
9773366791b4d2a5f065e335a640c25532b3a784f73835bff4f59a99086598e7022ec0a6246f11fc2740cd346e8c993247a6ad50d3d6fc6ad97bb079340385e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkoMsgEc.bat
Filesize
4B

MD5
728b6e9eee7767f73abd225e91632631

SHA1
fa14aecbd26700ce60f51757dee8e3528eba7984

SHA256
12329fc0179581c80d92827f85eab002d27654de58122c72a98de2201026e6a3

SHA512
0c035b5bc0f802b8c7f0bde6816a0470f547d218a0127e135583bd1791026df4429c7b361ed8503d4d808466a606e63e672a934fbe92bb669190fb453f776c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAMwAcYc.bat
Filesize
4B

MD5
9576c3c975769e123d09ba486aefcc9a

SHA1
25f15908768c63a88da0b9972dd8bbd06e61cfd7

SHA256
121db2a14b008666b5df035e98b7b36ac4f749735838620da3cb5bd8980ec9fa

SHA512
a1bc5e786f2ef8bedeb8ae2a95e86e1587643a5d1dc03f4aa627e1c1872d7aca0276eab776654c1690149305a974a645a102f759a2a65de8875486d51fd6895c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEwk.exe
Filesize
244KB

MD5
26a9ac8f37f94ffabefd95829eaab449

SHA1
6aed1d4c94b3f85320e35134384bb795cd1c8400

SHA256
2a4ac4a1de7c56f68a0ef94a5e1e20383f7184dfa38b0c1ece263dc0114849e0

SHA512
1e64a59fdff988db65f06de52077c4124f8a73b44824f231512c463e4e4885365acac8d7dc38a6b88858b3ee08405b5c5e676dfae2ec59ca096a495db3496075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGoMUkYk.bat
Filesize
4B

MD5
4c155e5a5175e01afe4821497d77d9aa

SHA1
06f8b3ac0931c3373d1c54dcffe60593ae279572

SHA256
ed3302af16aac0a0571cd208fbd96409a47edf8427c1d24f88334b8daa7ad702

SHA512
6da75d13def0e20b53c61931a88480deeb2613bde3d6558f4f5ccaef37566e04c648f9642509003a8662292adb8e6af34427866569f912b26538fccef0daba80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIcI.exe
Filesize
239KB

MD5
07e8f51414b6b070ea52f8631af0e490

SHA1
a2adbbfab11267a236da3dd051311c2833246c19

SHA256
56b0e823fd041c3f3897ede6bcad45da0a97306b72fc065deea2e0b8c50fc881

SHA512
f5f8fa6494d06af1233bf3f2c073b5e23d033cdfa109baab2aefb0972da62e2fb72d0543aeaf9547b24d67addaa26fa53dab6051cf1f4d577f86de38e1432c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWIcUcwU.bat
Filesize
4B

MD5
5e4a4c4e0be10fb7f59ac01dcadf8c97

SHA1
26fc5795d3b7a233e26555eadf64d295452ed2b9

SHA256
1e23a2c114edb930fa60cd74bf42f1d65d79aad15a175a11bdf34c5d6c368847

SHA512
234991348f01e9219a38ad108f331ca9c721a69122f1b21176f1ebf0ca086391295e090817dae73ea4ff8478540bb0d262fb4297d896a92d4cb1ac162dcb47eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYMS.exe
Filesize
228KB

MD5
0318cdc049899957c100ca67cb04b2a3

SHA1
55be04a5d9c77a5cb9349e9cf1c3883b19fae79f

SHA256
65c286417fc9a868c0db9d3dc9e065f36070e602a3e061bb59c131124fb7530b

SHA512
9f5f2161b692226fe7f7049fcc31b1cb76e920d844fccc513d01f6028e4b8e91ab28d9bd1b05fcf34176853696ddf26349c65a300d358219360d941c9109357c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYMm.exe
Filesize
217KB

MD5
ebedd86f591c94baa6a5ceed8dc4c970

SHA1
244788d0d412ce873a58bb41ec84c557676fbcb8

SHA256
8ec7c5a0d2c4672dbb93a6c6e9ba66d12e0a21afc1b1db9fa9b66e8bc2e96981

SHA512
a7df1df4d82eceda293d9f548ba952d98a38ccc79648648fd6ab4847777d27c6cfc8e52a3a40ba0357f39f193d9f96aa558ea8274577efb1bb3676997e8be3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgAgQcAI.bat
Filesize
4B

MD5
bb5f1efb21f6f3fea1899a540e30ab5a

SHA1
7fc774fbefbc1662aba3ae4728201fffd2a0cf12

SHA256
6a0a227cf6ac6ca17ca3a70ece99981a37342b682c596fe4677f5aced1a443b8

SHA512
2cb435d6183a875909ab08044620abbddf92ebe7e845cf14a2757d81a1c1e1ecf82ecfac13d0c4b82242ca825f5a559176069f3378f9cd85bc3024fb79af8dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgwC.exe
Filesize
192KB

MD5
a4a9c14036776ffedbdeca371a78effa

SHA1
d225a2c335db6cc4c0f58698a379649382cfef37

SHA256
c874761996c3605bd305f84e205713fc87466b9d4f3495b7e1d40dc04e67ee72

SHA512
df4a5ad64fddb40f817a3b2d20f3e2dc5565d71db493be3fd17f36a36d3dfc7b6d42c4a435b30df174f24a52d54f001e27712650c6939ca72c0a14f32ce8a717

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIYMQgEA.bat
Filesize
4B

MD5
edf797e1176fce6b6495fd1e15f6a767

SHA1
cb561a48109f45e4e843e4e53052229257884824

SHA256
53be974b8a2c845a9707a757c1ea7253857ae12606ace6f50f9d731a2a366f92

SHA512
30de21251cf2e57c277c7117ba76fcdc595b9c27dc7696be722347cfc60333674b9cdfcc1f76109216a7ce50b6cb86dfff3b9508fae0fe3e4d9217f5cc0d3274

Download Submit
C:\Users\Admin\AppData\Local\Temp\JggYkYQQ.bat
Filesize
4B

MD5
e9831bea391fd771f7293a8f41413a9a

SHA1
b0216778c074f78183eed20383e8cc9d7428c5d2

SHA256
ef259e4a022c7f67e84afa51432901fc05f52c415b3ba3037b00f0b25ce2b989

SHA512
6df7329e7c9b961a16456001672647886e6aac7b4f0f75a60fabc4bfba85d5c0e3e0bd105f34d810eec0574df61af07b8b4df64b8ad13637e1fc2330ada3016f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQAcYEAw.bat
Filesize
4B

MD5
ec3175fcea7a4850127ab5727fb74836

SHA1
0b36b7fa6a5f546d9e37412ce3498574b9c89a2a

SHA256
eb8e8b27c0f8c7893b448ec4ead61a0852ba3bf1bc5198738d7c3c0929e98dfd

SHA512
dc8f7e69c03b81ff43045a131933c931d024190bca3341d20548cf2047d133a116b7f8e7811930645096c8ec72415187b994dad6a0df2cd1ea133d6b42e09e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KSkMUgsU.bat
Filesize
4B

MD5
b5395a82191a222d8fbc6101a948393e

SHA1
6942759d642b9ea5377967d233b0476e24f82c89

SHA256
5b62383b947004110e85b82dde3e7340bf42f3ee4062778a9db9536da5071bf5

SHA512
1e6ee84d6af86197dea1286f1c0d088417c19493fed4de32b74101a4203483cc33800987852fd0f27144649754b780a4b59dcf34670c356da77af50a737c2b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUMQ.exe
Filesize
210KB

MD5
77748038eee95123b88d0747b73f49dc

SHA1
3c27e1eb707b4b22044a57bf8f08b2cad93a97bf

SHA256
1eda270d387b8bac93ce306d6de7814fe06bdb061c093aa1bb60a6952d06d5bb

SHA512
cf43d48e8612c12ec64770c4c6da87ba7a51966c130b9ddcead287b889019d823f0f33fdc13e1de55ff262bb6d02cb1b40d2248434e80aa93d88c17a2284e3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsYK.exe
Filesize
4.1MB

MD5
c11f27c9abe6da743ebe24d75a2554af

SHA1
4d50b1d8b6879e07849553e81be963e3ffda110d

SHA256
a999ebf6dbd2fce86c60413f3dd5fb71b072ba5436d2adb7710a8b3fef888104

SHA512
297ab8c0b9f3b0b8fc041b55d3aef714fae54d0a696073a1925ef86af70e8659c69b77f409eae653b3ef66ef07f788835733b6707bedbc975429082be30ec3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAQgMQEY.bat
Filesize
4B

MD5
6752bc9fd93599a0b85da13ae1c0a8a2

SHA1
9d64af23b127cc3a691d1cc7ba0155488e97e8c5

SHA256
0a7d206f1c0b960f05645a40abf57393f3f341aeb5ec77080ee2fb086032fa57

SHA512
67d30136d2f5240d3985f6231873557c86d4e227a2a35d463598e4e22233483547acb2e07a40d7c5a6455c3775fa9b18eec22d43513b44339b3194ce866a6972

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCgcQwEQ.bat
Filesize
4B

MD5
5245f1c87370289eff81f4783a58e179

SHA1
655e839cf3bd212452b327079c0c0108488d77c5

SHA256
a9b6cbd7d5afe19ce449e204fa32041e15cd78da944520193c864c5f33b423ea

SHA512
0c8a2761f7a35fdae251a403b2198a5a46d6fcbf2d5826a2f4b05f221bfd0392a8008ac64ae4cb789d6a5f088bb0fd5c076ffe0d35a3474a64e3b111d660c758

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUIW.exe
Filesize
254KB

MD5
1d2a68df460ab409ffa79783b87fa1d3

SHA1
1080d111120b37fa0a684daeccbb30de8ca2d3f1

SHA256
e4b9672d992e3e0502f7a3d105aaf8b1e3537362ff754435936549ff5825c421

SHA512
649f2de5fb6ea3e477f50e50b9e4279761c2ce1fc3376d6be9bde47d28eedc1415453d9d155221a7e2b494ba3b2a63f881d7f0e4c5aba5184220eca878e6ee6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MWEMUAEM.bat
Filesize
4B

MD5
ea1954f173ddf09f4c244649c9868063

SHA1
a3af603366d9ffa0a2959fc3fb4130c4da03f318

SHA256
24d6d3e641694d1f07b8174358f9560d6d4f5fce456a655e1f7548b9ead3320f

SHA512
fe91bb242c7ee29abcb24fdd99976d7ccf14d75fd9ba898339e5e6af07e46ad95d007153ce90988e2ef1a32f0fe4b4ff74fe6dbd6ca1da2d061432f1e1f6ad3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYAIskgw.bat
Filesize
4B

MD5
7718f8e25bb42f877daa735bfa014b75

SHA1
f069cbbe6731359f5882c4d4eeab29abb250995e

SHA256
f1ae7694470c7f53b35131c65e1049462aed4ed0a4f644cc995f9e8eb247c167

SHA512
034cf749d95dae1310c1a741c5f0d0a1102ed3529b9461f8a1678e5b8df0f62194ae398c47f2975c218eb4d34059bd93908845be3a4558542e0098298601b195

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgIw.exe
Filesize
253KB

MD5
fb3212f42ac61613c69d825b2d6a0459

SHA1
e4de241822b1db0f8570bef59c27f4c2c61892e0

SHA256
2dc1c9674a41d2215ba32bede081ee220cc3b1c4a7c1d846fffd54bacecb0e62

SHA512
b1a2029ff0b3869d89ea7f13fee0ab2e9c5043a43ce065947a0c03ef6fbc15ee4ae7ba9884e6080165e66a1c1c2672f7c791296d5deb7b30db2fe62502ce0eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgMoAgQc.bat
Filesize
4B

MD5
7341123bf700750298fa256dbfc10b4d

SHA1
a17fa610bc48e79e3a7f99880cb0688a7c5449aa

SHA256
1a35b8052fa007717c373e81e2487607b9fbd1e0b7cdfb51f89e1be7a4fb500d

SHA512
4acd7b540d8f72da0aaa417c07699b408b32e628c0a5b55e38badce6012a6a9175a99c31da46f49615ec4635a2b33e538991af4f369e461d88cc5aaa292f968a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkIm.exe
Filesize
194KB

MD5
a313df7812de8f44318f1cced5f70fb4

SHA1
3857e7c93c4c12de5cd81c9387a531fd4a8d92db

SHA256
a51328a27d56e020037d60443440f807c42b9b8d0cb8a1f632262b15a8dee5c6

SHA512
b1d39f5bef95a2ea1128a7b93fee465acb6065f7200416f0d412758553f11ba938d672cd5a4bf17a1a596bd2e35fbbcc51cee96d22e626eb28d82facaac67634

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoEa.exe
Filesize
232KB

MD5
44247257260468cfcb026470f8f3a753

SHA1
297355fa784b5d64a1b2cf3689b36ea1496fdcd1

SHA256
05838840e31501c328e2421f0719752cfd9530bc20aef078619e2ce066140841

SHA512
498ce2d838c0da2a133052359b215a8e26dc1d93f90a8b7a7fdcc4b2d985ab86da51868dccd3ed19406f0c9f422795b62ebae84000d0e1ce436db1a9276862e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoQI.exe
Filesize
1.0MB

MD5
8d3c76ca32cee6d7719d00ee76edbcd3

SHA1
271a6f98b0e458ee7e1c4efb2d8745623fdc1cad

SHA256
cfbf4a6c38cc0df1cb968aac1520c423c9cd5445f80c40f98ecefac0d48506d4

SHA512
4c52c14cb03950dfd6705a97b935a38726926ff92d0d747e1e7c6d499c5a5e50df18ccfa090588dd886926c0af266207db5fbb526c8d880e40170f9e98cb8f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mwoi.exe
Filesize
235KB

MD5
21691f1387b62ce11f5637c5a761ca26

SHA1
aac5f80f90ef68851b9471d349db7c4d623115b1

SHA256
54fa6e593ed0a0452a1214c5ab55c8a558f8213836909fd048fa1891c1fc853b

SHA512
d9974ce2638d762931748f75a504172ea159d7b07c3d818762f5071414b2a1896ef9b16437687f63ef52d34831709bc1e5f018dbb13cd078fffc9fdcf38bd0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEMAQoYk.bat
Filesize
4B

MD5
ceacd15ddc5b4e12ef5506ce02eaf933

SHA1
631ba629e43fc3cd86383a6af1af602ac1b49fc2

SHA256
6c0678604a1faa9cb591050a9e99bba182d2df3c5da57ea3134da4ca4e74e9bc

SHA512
f28c74cd0acc740cb55cdca723eacc801b53cfe6ac784c3f6af9da24007a624e67d85e44a7a718bbe5df23bfa2d37c54989bf71be75a576002ee4b0868810f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAYc.exe
Filesize
207KB

MD5
11ead3638cfba4cbcd968a6bffd0561d

SHA1
e83f3f411bf888205b532bec5b8bc2f0ed06249d

SHA256
84df192c7e01cbedaf7aefdd7751d085ab12b15b4fdb52e448e73c0d3cd6fb53

SHA512
374d53594eb18dde863d0b8297bda4653e47bb8ee841ab0407f33389d1ebcbd53bdd7ddbb140310a805cd806fa7f6de386d737cdc3dc485c0e64beca3aa32f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAcI.exe
Filesize
228KB

MD5
ccba1f53555d33798275c0b0a44f3fb7

SHA1
ba821e72d2c641362b76a76198b24416477469cb

SHA256
42ebebf686482622e121c397c797c186f523d526d7b83c0991dd3018cd45c861

SHA512
552d2323e63578585e258341f7719103fa317c94ddb0ad461556f0fe37c8d7a4588020ee612fa4b66c9041615a58e4261cfc636cba118352909f2895db68852c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMsi.exe
Filesize
182KB

MD5
862920c4c3c0dd6d42a69d987320a390

SHA1
69d396985680d15e77dade5c675f956685e4157a

SHA256
d7f86b2673cbb2162f2fafa99b66cc2ffa12c531a823e87a039c7169c084f961

SHA512
c717ccfd71b79dc53ec1b7f99a1a4edea581bf4b44c6ebfb161569d9bd4cbd92fbd8fa801dc293ebf751813364ed7ac08d0294b744b3aea40d7671fbf8f56f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUUk.exe
Filesize
226KB

MD5
c888e6111a8a9913153bd44fcb7e91d5

SHA1
64824490e8e985da0ac72905d20a63a74dc00cc6

SHA256
b3da847b971266e7c3bbd3ec1dfd45df58dd1803a44bd32007112dca9768b4b1

SHA512
9e5fe89e0857ce4d4a7e35deb230138a6d0b49c9cd83f505a0228352da87ec21c775370628d55f9ca517eb8790030a9b9c7544c1c3ec43d10dfc212fcd9dd02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkAI.exe
Filesize
245KB

MD5
5eefaf337aff3705a8d64c6bdbb7e5e6

SHA1
b11f8c1bbf4a2a0f439a9bf96133d0af1078a828

SHA256
2abbb235c790c225c3860de26235f59719c3cf8cf9ee2f4e8b313331bd0ae4a5

SHA512
e0216f6f58c6ccff0499ea8bdb10ef8b7d11d33e6e3b126e40dfe96721666a385cf969aff03626cad7ec1c0ecd1d8d4a39b270b9a9b611f3751c2b2871b05907

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkkO.exe
Filesize
305KB

MD5
b077683b0bf29562b1c09c2bd2d70763

SHA1
74c71fac5e5b2f97651e03fad5b334f0a2bab6b0

SHA256
dd67bb603b09a0d685384a7614410e060e90fa6cb533a0ca09c1a644ee8786b0

SHA512
1c5ddc8ff0af3e1d4d947796c30cc0c34cefd0654d75e5f34c2f8ff0f4c41b99a5bdaa960d240694ae4c6a03f38718f77353cf31042957d730d1ed83f49510f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEIgsUM.bat
Filesize
4B

MD5
c6de3e54a72f0a0d0a2c35b42997604e

SHA1
f20c11d245db72dd6546ed0a129cd004a2b3fe82

SHA256
418966626e88ead7a7614023329b9f7aece14e1d4ca3bfceabf7bb14ebebfe7c

SHA512
36fa8d5562dea20ac74fff6cb30dfd43b9e752901b4d94ec78c766b33edd5ba5fb324bb20f3ceb95b439e939e0b71862a86545a80ea7936f4a308033b55f9b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsMi.exe
Filesize
1.1MB

MD5
a2288eb0f120781de2ce2eed3601d232

SHA1
502ffd00990fd96991b6b63199b75c7982493be5

SHA256
6aeabdb3c0dae1a2b80bcb1a26b0b65ccbd8c1e6546c5ddf28fc6c35254393c8

SHA512
363ab030f2461ff6267d21282f288ed42ee5f2b258949e1860bac00f03ff824ccb4aa643071be3f59cb626bbab199993c44a7fc039c3df5c454b771788b62429

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUcsooMw.bat
Filesize
4B

MD5
123a185cdfcc2343491eec2fa2e20227

SHA1
015966c2a95c768bc15738ca4762879ca0b0a02f

SHA256
17028f44bfd1c081c223523028c3f9cbc6c288474077a9914a0fcfcb5629094a

SHA512
52e0fabe12a1800f8b80318c4ded8a6a2f510ce983e566ed1468675176333f4abbbc7a2fc9eb7eaf781b861100c3cd9b4c9dd5dc27d179bb523487e739eea5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUggUgYU.bat
Filesize
4B

MD5
a5c8ec067f42aa97eb4b8b71066cf2c5

SHA1
bb791ff7b255b1be50456dfe0b51c7d81bbb781a

SHA256
58463efc3a76794b57f5154a0db5e4b3dc2a7aba0a1722bf5c5f93cf750918fd

SHA512
415102e3407e32e1457d07566c9984492c5bee38c56eb93ce27f749dc407c1310782fec16c7d6abf18fc80355a99b34c604393020619116cb2c09a408380f85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwwEAQAI.bat
Filesize
4B

MD5
2c8f90990045a2d468423f582dbfb71e

SHA1
18e0cb30ca5ca29d6ef0b95006ade01f995a08fd

SHA256
426d523e921930aad2393b5e9b3a6e482fc57af7e693df64f047505b1a3c5a54

SHA512
b9a964177a531c578285c018a0c168840c33fc67a5869f2010590274c03ec41f23284e4d88b96c1abaf164bd966f84336129dea4d7a2dd9eaa4b0f6351d7dcb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAgQ.exe
Filesize
743KB

MD5
fbffe6cdb97d43fe01b798f8ba85709a

SHA1
0b0ea1e7bb28d3288ad55a52f2fd6950f4bf1949

SHA256
ce3815915d91e706a198788516c0e6cae607d1565b34b6078960c088f7a6ea1c

SHA512
ee60c05467ca8f07160aec7d245ec3b0a857edb406d362d4a8219f6a80b7dffb17ab1d17db9625a18603008e16435f9a68201501bd5d4e67c4c0fa559ed6e994

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIIE.exe
Filesize
181KB

MD5
9878c5cb53544c562e617fed5671d810

SHA1
1e118e04384ca40ab38c99f4fe115eded0c29403

SHA256
8fe4f871a9339940aa62ca724589cab27db1a797cee0cc8affdee919248e2c93

SHA512
d2af16dc8c6d47970d7228dcf26c983f97ab2b0d57ad25532a49382db33d8888955d479d9ecdcd745ff2bbeff4ca151e8e4b9ef55d5d70dc6385e3604ad0d23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIki.exe
Filesize
182KB

MD5
cda319d234be725c2303826dc75533ef

SHA1
ad2699c3348b56a6a5161dc5a1e6d3daecd436b3

SHA256
954c7320c87a5a6a0a746868cda6260e6bdca044607cf183e99aa3fef44ced83

SHA512
2ee2349ce96ffc2f50727f04b267c0584d79ce623ad2aea6450344a74293711e7ff9a6c6edb99d01f13bedb4f585aef00bba1f55e840216b447d12f22a5160c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQwM.exe
Filesize
221KB

MD5
8858fa8678ee0e5f9a37dd1264bcb0a2

SHA1
9197924c04b045b5d24057a7e5e1cfa7dc953d48

SHA256
6f37decd109f9e1be737ee2dc856e38c449f450c68af9608468e96ed4a54188a

SHA512
184fc6337c569c9886e24c3ef5fd61272fd8b7ee659f01e358897af50f068544575d9eab081a60511bb5a8d55edbf2cba60d3c867f177147fdbe2c1a8c5c8301

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIe.exe
Filesize
228KB

MD5
fa097791959cc161869a6cafa7fb8435

SHA1
6d5b5fbcd37e7567882534198d95d44e106dfe82

SHA256
0eab7d21c7e84f3556dd0dd243fd0448d0367e8dc5a9aeacc5928fca824a7b1d

SHA512
426faed52b5c57f1697c4531a782436bb065bb6ffe20448804a9e45f65cc3602ee0800255e35c5100341449976fac78a5c866f8d2f44109fee81c9df294cb5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkUU.exe
Filesize
235KB

MD5
bba075a6ba1b84e8ddd0f3c13a8b9ad8

SHA1
ee6844973ac7478314316e3c61b8b88198f5007e

SHA256
30606256c1f1492fdccd2d3305eeeb71be9b573245270306ec3dba77548630d6

SHA512
b2c6ecfcec1dbfbbda07e8d25d49d3da00a354d5a27ef27f0e9ccb75e0bea2768fa8cfe2c4202f5b3903afd2272294c726d28c772addd3628396516187378c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkYu.exe
Filesize
230KB

MD5
6e0d79e380637fb2c45b57e4c24379e8

SHA1
322910cc569af91667e5116ecb3a22a3af8cd429

SHA256
5f940dec77abf9de59f2add35ec737fa66bab672ad3aae2c0775204d4799ff02

SHA512
25e8d315d98c135df165f2a9d6873d0aa58eade99b8af110009afca636779cec43961272b6722393063419e3aeedc1d8dcbe97ea890b3395a9f831b7b010fa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsss.exe
Filesize
234KB

MD5
e3e1ee8999a4b1be00404c08597b83dc

SHA1
f93eb3818c25e865c3f9668651d6fb587e9ae78f

SHA256
61d52afa4121e732a07e2785dc75bd6a4986d5a03ad9cc05ec88fbdcd4e0dc35

SHA512
9e0d41a3008b0899dffc591daf239bc0ed5a5ab916cd288db3c72e5b2afebd4b744f0a464950e31e0f9c77ce8d9f870e7a58beb34068514da59d0aebb43b281b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAYgIsog.bat
Filesize
4B

MD5
0104455be3b61d7a9c995315f6fab6b6

SHA1
bf57c56d6e185635a3d73611ba7e891d0df25a91

SHA256
12c62ec840762d7a608a3dd164c65e101cb08266f7df71405bc5754810d5c4e0

SHA512
c924f5cfa7b2bb0d3a6499224c5aa3a5f11d7f253f9d46e27b3b3d0fe36bb10b88f75d6a0a69bdf325b88ccfb2e711b1537d86bdd7289f0835696622f0b14970

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYQwgUMo.bat
Filesize
4B

MD5
7a0ad0bb6066a6f1d69199fe10e9f6e9

SHA1
c59f919baa701c2230b29bcd4224bd1d52708b17

SHA256
09c98e6e6498ea2bdb9928741a0df1eb8ef4a51afc079e20b30b5282d966b517

SHA512
ce1dabccf86211ddfdc53af2587171483940f2f4100c5bfcddde17443e820a1f6a0d5ff2e31bc0634aa7bddf7d9a0093b66383878c74a1ea4961f580aae16ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYYo.exe
Filesize
233KB

MD5
d5ac55c3b2fc55860e9223839bb564dc

SHA1
98ca2e4c8daf11fe5e019f09a59bfd3db0b52beb

SHA256
fc2a19dad3fa51fc5b393addb21c198a66af8cfe175ce19eb1b0bbd3d2c5df0f

SHA512
63fe6182f2491c1495ef09a3a0ca710335da833456d9d4f9c6719a45d43a7a7d509b85ccdb2911f45a5d28e063a21e07ce5b6d5ec774c53d9416694268cf2af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYcW.exe
Filesize
231KB

MD5
16fcfd0acdc34f08600ab54ed6cdca60

SHA1
2a98ca3bee96d2e8d838be055ded1c5ce77d358a

SHA256
7cf484393be2171b5bf4e8696265f25ec38fff6c83e4c7c41ad13323061aa46c

SHA512
da6e4bbadacdaaed79ba28c76c60dac871363a24eec3b39e2025fb331af74f62fbcf6377cc7b16d76c65c7557549b45e84f6bf02720e59b2ba5908e4b2621374

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgMu.exe
Filesize
202KB

MD5
04bbdec1837602f587eac8fa1a70c2a1

SHA1
516c6f2876909a7543669544ee1e1b6100f576a3

SHA256
59c450b569c0ca657e933c838d788e20ce25d0a1011a95591166fd177e0c7d25

SHA512
7ce58b287b41382d873896979706b00d3c4b2377ccefcf149a4ff71fd98547b0e08f5c4a141926ea117fcefecf40972db06936e1796645532380d24994ed55be

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkgQ.exe
Filesize
942KB

MD5
9c744a976764bf95fe5ed473da3f2c23

SHA1
a4e37e9614a9ab73809b6505055b4f467a60f0c4

SHA256
ff7c712ef69369fcf150160e061f20e6cc4e011b8d70acc0918bedc916449aec

SHA512
635be5f21f366448d83785d4460817e90e144b49638d0c8ef4ff68d7f2b57ad310e01b5229e75a5e9a331a29a7f203171f7a2c08cc0406d4115f708d6ba118d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoYm.exe
Filesize
242KB

MD5
bd6b4cdc8bcdb5c897e941fabd87bdc1

SHA1
35677e6f8e9f8ab7d839ad6a6d4f69a91765d03e

SHA256
119bc3524818635c92dc4bb6aafed9e090f49a93240f1c5d262e9523cd8cfb88

SHA512
5532c6e269b32fa84d1438dcdfac72e55fc8b048f8a0c73b419535ded7ec9cec8134bec33048b665c57ca0a786c779497a3999dc6d67e5c13d5ab5623be2fefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ssom.exe
Filesize
227KB

MD5
261ccc7003891d6efbedf27623b51c3d

SHA1
d2050ca38732932c10fa65852815920abc70a30b

SHA256
d3265263906797a735276f1d149f719fef113e11be1c51e739c94a28b6f6e9e7

SHA512
868418966eed3ce81957067ebe68864e0643cc2397561027b57b3a35ea00ff33133aa009730e063ca1051870ab239467a749b6e4ca6c93fb176b25e7a61a8cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAocUcos.bat
Filesize
4B

MD5
a21208b31526cffa0b8ed9823f15d4ec

SHA1
f7d6dd16e2afb4260200992c1eb0a372c299d6c0

SHA256
7097b244bbeea7d60e9b3e9d7fba5491cad3ecd9919c9f0951c8e1362b88d113

SHA512
3fff2ead6de3f3aeecbc06acca5bd55ba2718978e1bd9f14cba6220ef2dee7e41bf1fb8fc2301bae293290954537476ddce81f2f3083e4e44e1cbde777ff8439

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkQMsUcA.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TyYssckc.bat
Filesize
4B

MD5
a2d86a89e3a1636908e7ce3c4e893278

SHA1
4a4cf92b531e70357099fd64273793a08246206f

SHA256
7f74c3fc5e92d9213cfe7630c1a792cd293926845bc64dab2fee14b4e75df440

SHA512
e9ff3433413fc298b989d116cf6cf5d2e24aacfab38c664b4e8af4fb0baa2f2710b22b296686c2012d35ab466f87f789c2843508a15714eb40f66f0c3be4f820

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAIw.exe
Filesize
240KB

MD5
5ce84122f169f7770d6f6d3e8dfb3c52

SHA1
a2eaa2fd7a8ac13afd3e5a82077b0826912e5ae6

SHA256
1a7d513891b38eb9c05a8dd8a3808085a42a2cc6b07038cd2e1ccddf287d5345

SHA512
7410530935d0629010bf9a52b3909768a883724f4db82dde304cd89fab7a85246a9507964b1149a2d3fdc1ab177d7a79f575fcb26dc19f0f7fb35dbebc8532bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOkEAYUU.bat
Filesize
4B

MD5
1c1fbfdfb0cd26cfd8547f8aa74a9b80

SHA1
88f0109a2801a26a897c9290f16ae9a9a3b80aff

SHA256
11d2ec96043f14755499d93f71c35c1b348c70d6ba6ef27b7e28661df9124180

SHA512
bd7bed0fa679b7a186f95709cef4016333968dc0cf3ec216f3e867d3f1f96296139e28fa628285c4bf938c2959261f5d29214f6376b3dcdc978673e91e84c16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\USgQIgsE.bat
Filesize
4B

MD5
6519a2b05ed6c0604e9a10470b751591

SHA1
d4320043c1c891b9f651711a1ddbf67904bca350

SHA256
d6b0eda542011ca56ab8eb8fc17bc28e5c37ab5db8ceb6b749328a65f42e6bbb

SHA512
0c8301c0d0f086ed8822d8e5800601450ce81cc6ff26981c2b7bdf4ebd68c20dcf57b050f63d9f7239a4bb7ef19acb1c3ea113fc7521fd5db826eb54e417c6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcoK.exe
Filesize
185KB

MD5
75cfc83d12b048bdf6032d052a16724a

SHA1
150bc2ca2f70b410af3d8943d4374ea557a3a2d9

SHA256
3283f470242d446db836a224400e2ac40afcfc145df36783eaff1a3cd7a4f0c4

SHA512
70fbb598a947d4d67ba02b8008d6dda4a8f87f6111a393348d635f0dfd34e97396efba399ca04966d26ae739770cc503cac23a60c468440724d80203b5833cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgAq.exe
Filesize
185KB

MD5
672e149902d9e9d2cf460893ebc04c54

SHA1
a097f56fc45f0ec68a4a5befd7398a65747991ba

SHA256
7d277bf64d3faec0e0b4a602bcd075c3069f63f2994ce8d8e11469d07d7abaf0

SHA512
f6c3dcdbf0973a7e7488f929fcd381001f5d16de2f1aa860950a42c715e62291a5960f5d759e982deaf221952eae63dd07ed00bf7053b85cb042530d343b94cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgUAoEkc.bat
Filesize
4B

MD5
607ab1c8fda5a300b936e805ef82e61a

SHA1
37aa51b60a90186ce190f907bc3c88c14cee8ef5

SHA256
4375269fd672dc79bcfa0ebe1852be840fa794d5452df20c8885aec6bc37a4b4

SHA512
3203a8b31b437ab97234d1d32ff29a1ba068ba2f80e8f99932291367b9298d2660b58a2355a3cc63e96371da96e7b07d242d1baab9e2e91885e185e5af3a99dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UqssQsUY.bat
Filesize
4B

MD5
377af74310f7b543bf3b0925734e1e9a

SHA1
dfe7b77594d7ca151033986fc943e513f31889f6

SHA256
2e693e3db0c0924174b2b5984a3eb22f64e1461101a601357021fb10632331f7

SHA512
20b3e6744284e37387f6279b0c1b450d298820727a3077ded077faee9837bb3a484476b2b5c692a6f522d763452cd34f49d0bb7c31462be27430ed19d3bd0ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwEG.exe
Filesize
190KB

MD5
a1451a736be1a4cf7c330a2f587e1b19

SHA1
3a691281bf1b3ae76572b912cb04ae84de3c1980

SHA256
9a0cbd56287261afe7c2cee4c75936cdec6fa8efe6be2836e45e1b2871e294ec

SHA512
1a7c5b4a683e2afa72f78ae877a35c82276050a8b677d60afcc1d989a842fa8dc854c14f9fb1dbac4affe3ac1cc359bc94620611eb5e3e1f6ce0df23adb67cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WagMUAwQ.bat
Filesize
4B

MD5
31cda676561c0b7cbf5afa66d46a65ae

SHA1
92b9468d401d9e761cb30629fac6171d7d941abc

SHA256
9183276c9b3e3c4f83594113f2b5ba319e38170a69ab3f28b0a4e224cae09397

SHA512
74be1eb0af223eb65078476bd3f4548e40f88624e68fd0a66cf9ad0105d9516b63a16e77b653bcf7ef57dc8cb059a41fc6dd84d0e2c3a6460a112446e10d8612

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcoC.exe
Filesize
245KB

MD5
3ada90ab3829700a4aa638f4ce91a746

SHA1
a9f021eec3ebd48e5964e47f8a1e86a318d5a6bd

SHA256
c12d19a7c002868166e0171a1a8e6627177f11c0ad5bb034d5a8bef1541469d5

SHA512
b90873d6b7159c8a1005acc1e4fb0ae8ff96f0eb431cb1cd6715bf94f8af62dae3efa3c63f83ab5dd8ecc8cfbbde084e559c2ea42099adae073b7ce90da90cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WisUsgEk.bat
Filesize
4B

MD5
e95208db167392d3bc40c2cf4e5388ef

SHA1
a6cd987358f604e38bd6835a90306d1b63e2bfb2

SHA256
44d3afde16022c0ffaa1d0322649584bcdbd839e411be02a3c624026c9eadc91

SHA512
3b5dc7394a79bac41c8db62754029e45c9c9a77d141e8228ed81a6c0d514a7d8fe0d2839588ad9f66098b64bddbd2baa3290099a21de1a75fd5100a196abc831

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wkga.exe
Filesize
251KB

MD5
1c07f2abf50ddea151b5861e14486291

SHA1
7cc7372433059ef379d32c99613d314c856f24fe

SHA256
ca294592546954a46d616e01596d7a86bc888bbacddaaa02e16e59c0358279b5

SHA512
d7a04f56c0fed55e18a101602d7dfd2664f9028708492cf21ddd707b19b20ac00237676ee51eb959b1a508e0533cad3e08272cad8a5a4227dfb2fd37eb388962

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsoK.exe
Filesize
205KB

MD5
551b116d8d270d4d1e55f0f7ac2f19f6

SHA1
134b21e35d6f9da4adcd7d483d99a9efd700a284

SHA256
d4bea68b348a331ad50249233241925e5ac8fc96d525e629e5aed9e9b7582339

SHA512
4c2b50f2cd94e89470c69cce1720411af3de3cfc32947d735644499336e6047cf38a601582c2e6b490f742da2f6e064a365d92049d1777231c33bdf20da584dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwEE.exe
Filesize
208KB

MD5
35a1397c510c5ac9862446d246749edc

SHA1
b61d22322dedda0988c310b61c88a15725822764

SHA256
79abb808dcdd90d154b74ac6a9b6a59ce02abdc8becc21a55d08fff381dff2d6

SHA512
a7c00493e62e6cde1d57f3060befc64d279fb0d1a791b73e52cee604d9beb5e94db6180d4728d58c3f73ffbece9ccbc933bba8dfc0ab4a051a33326392627a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAwYgkcA.bat
Filesize
4B

MD5
da0e51c303eeb0a78d38472578706b4a

SHA1
51706cd860bca695cdf3efbe41309212ab291969

SHA256
96eae260b9d8aebab6abf61cb9434e5ecdd053ad0f70c5dc64f41385a189bcad

SHA512
5bbc2520abc897f2a50162b29e46598c21f628c3597e67b0b9207239e6ab77042912384467546a6fc27a556cdc6d5f41557018bb1f2bae2407865b315c61fbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCAwocUc.bat
Filesize
4B

MD5
48703ac51b33722839d35879e7084e3b

SHA1
391ef7d6c31d8ff58a9dd66c3eeb4a150c90a6d5

SHA256
a1b6cd24e7793010513cafda030238890da130f2a3dd9c7c808702c3f5701362

SHA512
a06ab0f614a278cad90de4b6769cb9ade3ca6efb21db7f76a88b394fef5a121a296f88ade9d3fb576fd84a49fa80445c23642b775cda67b570eb2122c0165fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSMoUckU.bat
Filesize
4B

MD5
c9cdcb97a7a6409b0f270a86e706fa5c

SHA1
7a8daa8bc5464d9b091243f1414c65c4f6fef550

SHA256
0eb153b3582377a3e66657d951449f3fc3ab650ac435e310cc002876ee423d0a

SHA512
a74a3e65f64d5831535cdb0f0f92c7d903eefcfb3dcfb9269464d94697a3bbd4cc41a5f2ea133b2c7ebd24f89697f1405c1d188837377e1781eaf14be2cb2b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuIwooEY.bat
Filesize
4B

MD5
a13ffe079b593787dd5bad47504c6103

SHA1
b4f1ce28e1cf3dcfa9b3bc5c7aca7c695303a772

SHA256
6f1b04e9163492128310d943c5af5fac5bd0bf9889d26db98d1b9196e57fa672

SHA512
bfa91647bcb870c5dcb90861d97839bd3f88a219e2985ec4126811d32ffdc172fa16e19dd1052269e6b7dff3166e2caa68c9a71e750e5fdedfff013f79392a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGEoUssY.bat
Filesize
4B

MD5
6fd4e0cfccd050109f074073924a3ab4

SHA1
b7c04dc6e543f8a45951a15885c33a55d34854e0

SHA256
955f7f472ba899ff48945d053ae6682ffb33937dbbfb5361953769c6c6150afd

SHA512
ef7ed6010f8f3fd40a8899c2bcb1142e4d0ed2f7a1a33070bf2cfb1601bcf1d0dc51752d2aa0b4950e231ce3ea92aad40a6c6dc9d38b034861e386449c192369

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMow.exe
Filesize
251KB

MD5
10d52eccec99f2d1509543b630d6f71c

SHA1
72c9c3d36acce22443fd2047f666f5467b5d1edf

SHA256
d5cb0be158301e1096f9089934f5e4ac1911bd27b0cf35d38afca9234f41dc5b

SHA512
60634f553ad75bf014763decf3b54df6d5fb557bb07daae289dd5de7e3930cf50f2b1ea213878544aace89899599b6518dfa3f0b91e9cbb3111882e2b98b2f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YSgYoAAE.bat
Filesize
4B

MD5
04e09174ba63ff75b4fc703072176855

SHA1
bab72e2732dbc3783e41ff09729966498c678fb4

SHA256
6906bd0bf3fedb41fe511ce4df18db8bbfffaddc82219b72fa318c7de237c964

SHA512
066dc3291ec0e12ec006b2ca98d34233e882b4476d8ea610091534e348d99e750b41f62a6b70af1e4102e7a47bd98609052b92f810bfc37fd04aeea848a498f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYQM.exe
Filesize
200KB

MD5
f107f4d981e4fb297e3d8f3d247d98e5

SHA1
16b2d8384ee759667f915496f230d54826160ee8

SHA256
aa519fad13aaa5ca47a86d27c0ee4ca3f5caee55b3854098ef4f64911492f3f4

SHA512
33f27fdf4db83ef96a80519d166957dd1e060ab62b08430194ab7a79400a27d1a6000cb95ac5a877b0cb26e16e6bf4f18176c4d561d16ea659c6b9d381671092

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgUg.exe
Filesize
199KB

MD5
8cf093a959b2f783c81ae5594532764a

SHA1
bbe5ad6d17a9a6c0b3c2e76a00186e33882d618c

SHA256
427345f80ce0932097baab5d0624421af6a9ee31bcddc88c9a1635e021239e01

SHA512
086d81aa91b39821205eadd2a20d299ca11e77445c8efb62c43f5fc674c41ceb0e727cb1097478990d79c4dfc87949f8063ba88c2105fecda6d03d4a771b5e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykco.exe
Filesize
706KB

MD5
fdb7f02ea1082b6cea6b8cbba2feee26

SHA1
260ed35027a375aa0ce1aa317a3286e7ffbbbf4c

SHA256
fb6f22731e7dfb45b8438904e7e0dcb9bcb96e4342725ae5d90c4cb69e5db95a

SHA512
9a348abc5ae12ab070e7b2ba2593f16e340eb9470ab54e196ed90052225179a7b8d69512b8f23acf57fab58c4ce86d39def361b8ae428c6e0eddf62b68ab973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoEu.exe
Filesize
230KB

MD5
49e510189a182c23ef98eb8d9757fb80

SHA1
428b119ebe2c26885c41d1b1ad8d764c9fcf9a72

SHA256
2c4db333770c02fda812ab58bea421ce8cf27b41ce69b88c00a000f222c171be

SHA512
c2f9c5424d08dd94b27220ba342905da5bd5f723337be00e4b69bf11c12421416a98ccd8b26095ae9127f86915eef8314e663f41bf1d42690ac7a9f6fef1e422

Download Submit
C:\Users\Admin\AppData\Local\Temp\YowK.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsAA.exe
Filesize
230KB

MD5
125b2f2a7dfa0ba4d3d370ad7b34f153

SHA1
a4a2a8372c199dc54121c0df6df2231b5b22f6f9

SHA256
6f76535aaa123c1ae0b0cc8d1ea7d7171f4a8e7f97f83ea572f79d1945101635

SHA512
e70c56af6a2dd75409ecb25eb50884a1c15677936b4e15d33aca2fe4e7b564ab4ae75d606eda3d0008500ac51089e9dfc9c1c67ec9546f9dc802f20338e003d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEcUoEgs.bat
Filesize
4B

MD5
ad8e222c63cc428ba37492f512f40f0f

SHA1
fa8d756ed0ec60b6ec54dbbd5a958662d8501f2f

SHA256
ebe1bf2023a8af4e7cafa5e2d4dd6ee68f131a5ae29fbf795c87826a05e5f7af

SHA512
84cec9a60a555ae9e93e34c59725ca3a0dc5926c6916dc141fd09f47b773cd95ae166ce2a177952632f3d216098ce6c087e7360272446bc769f59912133a0a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIAsYQUM.bat
Filesize
4B

MD5
a44e33e0cd0d4a457608173c585d171d

SHA1
529dc81188f8907272946adc42613a5a316569ff

SHA256
8ee81aa9b97c9dbcc3d37674338fd3ce174672361a0dbcedff65befc8e286442

SHA512
f0112537e2227fc3deed646ac9fc730d5e711f90700f3597aacd4a1a2ef436355cda6be7ddd2d57f4ce35527dba4a1c58005ce9432b087e9d4e8b5618ad9dfd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZewwYQEo.bat
Filesize
4B

MD5
e0880323877326a88636fedea77c9e13

SHA1
e50b2009f3e9872b8a0b43863d956034a950540c

SHA256
73b249d591c94520656b70ec74453a90553c7ca369731a7d90b4ccbfc46f633f

SHA512
0d028b57a3f41313c078fccd6b46326fe870c94d41a998d3336d80be4ae2519a5a877c2af13c7709f665561f556f898d0613656ad786df056d05bb36f6a916b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmwckEEA.bat
Filesize
4B

MD5
96ff09c0c326116399c6bf6b67353fad

SHA1
936d0bac0bec5ca2cce34d378b00de7704444f82

SHA256
e5a0749163c7d6b8abe15caf1f1f4a79c3151e09d74a0c5d7f1c00b59380c008

SHA512
3dda047ceb64948e3c8c6ea375b29b6eeb4df8bd7b39e2dd09bcebdce1049a93fcbaf5ab265d7e1cb729fb8056dbf9bdad2d44c9a22daf2915e672bc47f57b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQAc.exe
Filesize
818KB

MD5
bd48998215f3c8f0221717b4b1ff5831

SHA1
480bd5c63dba6a7680e620756cbb8842ecf01499

SHA256
0ebd2369cb9e15ea521dcd34ae1cde9c022fb3c3bab4ba32213079c190a8daa4

SHA512
5949b4a985682c6f7f288d87ffb344947f6e31f4e10282c13056ad20c6a7ff010f0b90e9c048cbcf2d193fe6f9efe8c8eb42c6eeec58258ae67b7164b6c08c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acQI.exe
Filesize
229KB

MD5
39ae23ad5c68c23c18f51c4a3036a9e5

SHA1
b7b045809810f8bde1efca68b283365f34e43f84

SHA256
7e0c48f6b91866a3591af2d8bafdebea1c7c261bbd0eecdf3207b449500fa06d

SHA512
ebeb1c2b312572a84ec20bb9b2e5ad3b24c4d77ddad6c993cc6ae04a507d423f3a5434b9603e34f29bfe8ee9ba9815bf6fb290cc0e874f9d50daaebd80f58398

Download Submit
C:\Users\Admin\AppData\Local\Temp\aiYoYcUE.bat
Filesize
4B

MD5
63099c6fe5fbf8a168d47650e5f60dfc

SHA1
2f9a977bce580dd64b75a05b2025cd134903bc10

SHA256
a1c7ecc06f70bcd3923bac882b2faf27b631a18129eea782166efc432bd805ae

SHA512
829454b9f8fb1c3dd53b9deea4fe1c65e6b3cec4ecacfc7b8f9375c720135a92dfd984f40194f938c73e6a7639a4e97ae414f81d484d5a64b2e19fe6077356be

Download Submit
C:\Users\Admin\AppData\Local\Temp\akws.exe
Filesize
619KB

MD5
652b42d0187c86cfca7ef7c99da50196

SHA1
c7ba027554bb87ac865689ff049f9c9f636d7646

SHA256
58909fd5e1dec2db4d26cd93b366e90d6f3c68eef5816ed907fc96ff154b934f

SHA512
cd5c25054d192d6b07bc1c534a60ead2d2249b0d6b8d46734bb796e628e015860c3261587ef7661b4867a66e17e9092f5b0b4dd93e10d9068a87ff35a99177af

Download Submit
C:\Users\Admin\AppData\Local\Temp\bSAsUUcE.bat
Filesize
4B

MD5
8bc270eee7ca5bd599c53461b6da5872

SHA1
4fe8302651be41d4068f7cc7838e81821dbe5f3d

SHA256
df5013db498ee9d6b4ecf4ee417d813dd9ff340828862a15c3d2e97ccd6b6982

SHA512
f4aee2ffe72043e4fb3d39f17c292513019b7af8d98c7e168fd2e1f469f6d2328fa0458b05ed03498b23ad70d8eb1864b08bc439441fdc5d71130108de737335

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAoQYUMk.bat
Filesize
4B

MD5
e5ab23fcd2eb42fae0c033f6faf6c47f

SHA1
b5fb79ae3686364fdf42f96e75948d235ae49070

SHA256
b776bc72447af447c985519a83823993a0df70a2fe703a99698c0b21bac47f91

SHA512
b9bb1fff8cd0d03507d1ddcf60d69a4a4688e7b19075a35a846e24942c84fb5b0f12bed37a73246443b93ad75f034bcb0ddd5e61484749457e0b0d9b1c7e006f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEwG.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMwA.exe
Filesize
827KB

MD5
e5cfd8d4931915a58f4fa43faed25421

SHA1
6baab3a351d3197876f8faf696aa5a8327281dd3

SHA256
18999564571e4bae74cb9e1f9e4bffc08e75cee3c71638488595ae0bcbaeddee

SHA512
0bab8692641dcdabad28b725ae2e877b4a2ea7ebfe32e983081eabf094384e93180c90df1f9a7d58cfbc639007fa85a1afc62944c5cd53b7ef283b75dac98b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQMW.exe
Filesize
240KB

MD5
990639a7f5d85b0f8c6835a9ed86bedf

SHA1
130bf57d1e50fa3cb704493cc36b3c9012b69186

SHA256
d31d36c4d5f04a5614aae1426cea0a1c4c679f3cb0878eb0591e13b86be854f6

SHA512
20ec8b4bdef09c86b6d5d1f6b410501c04ad7862b151c28d0e0f7057176b1a71570ee8dfdd7ba498eb9cdfb900ad1c640700ee512e301d436505a89c8e97fe75

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQUw.exe
Filesize
766KB

MD5
f8cf51b2ede01bc996456a8e88006a95

SHA1
7b15f722486301021f0e8c31fabc6099d1ac489d

SHA256
41d6a5879c55f16c5ba29ac5ae1b4725184373b3c4727c8f62a4b7f43d1bf155

SHA512
2f1db4ee73509a54bc5ee06fec92ed1b9e27f167452daadaec33d4005fd10e4fb964fc310156a6186ece0ebdd6ee8b56554b048422239652b71925d26bbfd9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQYcoAQU.bat
Filesize
4B

MD5
9aeb18a819e3537d0d5efbc15f6f41e0

SHA1
5aed2635804e8139989d1107a0b906b2d25dbb7c

SHA256
ce279daa6af18928b489e90653b1f000233a52b9d420780b0c277fc59143006c

SHA512
2210d279f9384e193aee201e0c5feca49d87966c3569492b05b6364e0216bc2a0db918a8decb27453034fdd198e20171644e8d3fe6e4a76c99027472feaa11aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgYEwcoo.bat
Filesize
4B

MD5
8ef57b599d6ad71152d8c243ffb2f12f

SHA1
61ca9634a548cc5ac177ff8854ee2851ce049ea7

SHA256
68e03de8453ee4e1da79be90236632c62a4c6cfce03fb003575bfef5d4e6ae70

SHA512
e597a945ea2665ca6cee91d33548da06c41ef1dde8f3aedb1e26e9cdfdf77def0a83c7b8fc2f12fc6724d77b2a9813dd9e70a3242d93366fe382ec2df1ce908c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgco.exe
Filesize
238KB

MD5
edc1c5c37bef52873ea95e5483c7ea2b

SHA1
09e1eb8cb185ba43bfa263f936e8c6e240639702

SHA256
823faec59bc6d2322723ed27b61e667e6efd65d3e02beda61bb040cd94c06572

SHA512
f9a756fe63d033f06e86aa999b8f52536a3173c1a26a661b2cad5f68fa6caaa7658cac770ec6f482bc70cb13320ffd3f79a8877ae6c18e3a76af1ff73f0ec36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckwG.exe
Filesize
182KB

MD5
f458a95b53594038229a011c81236af3

SHA1
36a9d52bef2cd3c1bc52373f66e5713764dc4b09

SHA256
b07d2a08d7e1b619bddfef19cf03cddef0158d210a22e82a2ffe91f55b6f0135

SHA512
20fb58c442fbda84b89e5243fac4bfab85a6d98ae6e4dfd5d64d7894268e934f275d7f12c3e652f39905bf189b284dc3696ee3bfcd7e39f4822ed99d966fdf02

Download Submit
C:\Users\Admin\AppData\Local\Temp\coEksMUY.bat
Filesize
4B

MD5
4029e1f24a22d45d10201a57513806c0

SHA1
ea36384427e79e21d71f0e8a008d8f29391850f9

SHA256
cfacc973439525fb205be3e9609f71d34f056578595b2f1562203b1451deaf77

SHA512
57322ccab1db93b6b3b02f62de099df6194c54834a2cca02345de4079f63b64e84e295d58c6c5560a652b0f955c6b81691609e5f7743c7823921209e3b4e4d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqEYYcYM.bat
Filesize
4B

MD5
2568e8e15d6b76757bf624c2fdad74b1

SHA1
ef9059583c684467bf7d1d6e09a3ad649df9ff8d

SHA256
64817e3279045b4e3b910086475cd4b9fc2a95c0307b7d8becf73b306def1f68

SHA512
37593a40c1e89a30340b605d8a6cc052edb022472b0a118eda4062a24cbc6af8621d9f5f6611b7195ff0438e1427a7ca330bca4f13d4eea3084bfa11d7ebb78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQwkgYEs.bat
Filesize
4B

MD5
2e6334be51f69dd08feb50dc94f8a599

SHA1
e79a0f979895de767ebaf8fddc3bb1ef1a00662b

SHA256
f34bfc4d8380aa2465c2d156c0b0f67dbfbae7df46a87939d80f334dcc550f5a

SHA512
1c19cd4791f9d6cc83ff126acb61f68bf49e0994d1f3a32c8443bb4b0c46a57068407ab41f81c993d2e756ec968b236314703dcbb6f30d25db3dec30fe2809c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwwAYYME.bat
Filesize
4B

MD5
728da1a668988b521b8f7a79af23be0a

SHA1
ff597d1be86e5bfa49d6479ab9f00febfedd6b8d

SHA256
0eb34ff8010168acbc8d94bbd514d8921432fb7e969029216ca9165ccbed2bed

SHA512
bcc1bff9f99ca9687273a64017f2ae0788ad00df578a30770d91402e9ca6e6a2035af06b9328b9b545991f9f48cb42374aa793b978d85114f2eadde6c9c60b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAwu.exe
Filesize
1.0MB

MD5
533c18603ac6ce198839cdf310744c51

SHA1
a80529f033ac997d2d0ccf74ed38eddbaf2ed478

SHA256
094e2b55f5ef8469d18f3319169a72acb4e15d35c6259121eb74d58c3594f457

SHA512
c2525e746da69cdd39cf20741c0487d8c16e1ce7795a6b194e7f1b76f846a394a641a9226a8746ed7272aaf453a635f3a7aa6f166351c34db1066a1406f80cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEIW.exe
Filesize
4.8MB

MD5
38bf1c4d676baf82f317d77c1ab07075

SHA1
bbb33f80d507136981ef28f27512572e37001143

SHA256
1ec3e197070b29ca292b3245d4533fe2ac2f7c3609880aee23b29f4d8c620ec2

SHA512
30b67c607a62271746a2a39478933910ff95df83e35963b9b9d077f7dfe1c727996db84a5be73ca093013e2268774e69b5fa65f10d5b07bf3081ece3476c1491

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEgw.exe
Filesize
717KB

MD5
db4c220a21c8b685d682dd871b0e9d3c

SHA1
957fed3c31a8aa16427910e0524c5cd1fd7ce18c

SHA256
cb3ede429b155b8bc949898d26ad0760c6ecc902cb77adb692a904f46c0c1a45

SHA512
6c1ebaa488be4d3de23a6f1a65d32f9b3d6c85c221ff54316da5b9b4959281842d091ee1f2af6fb234e7e23a522a8792521bb77ab68de8ded0a2b311a4457d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEkY.exe
Filesize
401KB

MD5
4a600d3c94c8341006b9c8a6220a1d0b

SHA1
b091530c66fb61a33cfb058355862071d4dee583

SHA256
c28e55d39a68d9bf6cb2b595cccb7ce167f40fb8607ff964d6f18158be331ef6

SHA512
40decdc86c5b151388bb483130cc99375135f1cd79c7c6d7eb910a35c683be72428865c7adeb855458156a38292ebdd1bf076d925d77c475087ece0a8eda499c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIYG.exe
Filesize
227KB

MD5
3d5d73608bf651a946a0cc31fcd412f8

SHA1
0aa548fad40fc2b2f37662d7947d90d975d0a27d

SHA256
7b857e28d185106c0361adfbe4237284392750080ed9c2c5289566332e3243e7

SHA512
76a787127ccb2c4454e1c637fe5857cffd1599e0a4e6de6417f54c3bb865875ce18e3fd3e4a0ba5cc577d66f828d8f413f1fe5b6089d8dd65160847d36c41313

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKcUAIcM.bat
Filesize
4B

MD5
7e24b8dc9fbfca6b8adfc02a64f2f786

SHA1
c15370ae50e07a528c7293889e60225a3cf46cf2

SHA256
193f9458ed44311e7f78b1cd5cab7acc2a5d03d32d423fff93893c1bf7ddd411

SHA512
be9db4e28659f656d7408e41993cb4ea4371f21d51b1640c518f08620dcb8a709e39b19201c69c5e65538506ace5bd27490e43a2008796ff394b5f52783b42d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQII.exe
Filesize
233KB

MD5
0479d9d2cd659f35eb371a58b17a6bd5

SHA1
10443432477b15c95680fd6b0965b9457dca3071

SHA256
9fd46ae0061418abde039d763dfd4b3835b1f854f59be1938207cb5bd643b2d2

SHA512
4724cc7dcc70c675ccfdbeea8bedcae8ad11ce1befb0029943968a7e5abd6aec5570dee7a28bfc3ee68fa189e25ff821dc2ade80fc1ffe073bbadf07ebd6ae2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQgw.exe
Filesize
238KB

MD5
43f5ee60488f2e362b52c4412ace42cd

SHA1
01e49eba4fdfbc867458a38b9a26d6f437f92999

SHA256
d0d11ba7215a7222e33cc2adbafbc7fad7b7801cb004a393c202547fba908e4e

SHA512
2db60066b438dd97ee2d2feb1937b0db1e8d6416402aac7f6ea86bcac393bc1f33c5091674b4cb34e5fac0e3f9338e77719e7466d1f8885dacb1429e0f969089

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUEQAckU.bat
Filesize
4B

MD5
751559ff9e32bfe475046ae237c5400c

SHA1
7528ecac3d1d67fb34b3a031bf799f127cfc30c9

SHA256
36b8cf260d9e3bba7913e61c2432fd71e24af0bcb4a417e916ea8e3adbd57564

SHA512
0058e31c60a5b16d74269136667f8ae63b06f2e9ed276ab5bd2994c98bcbcdfb984a2090549f5a85df63e67158813513b5e8709eef7d9748e7192acb4f4102ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUQk.exe
Filesize
644KB

MD5
2c829f85f0225244a84750766cea0188

SHA1
c46886ded6275cda8eac2ee7d543ab659bcf0787

SHA256
d0ae8313fe525dcb7c951694c0a6edc304ac4383988922f5d4c3f751c9009c54

SHA512
f10ee22e84dc2427351fd72271ebe0ce18997ee9131378b7619220a02c6084ae3231718480a13ca6f0c9da25c8fec1f4817f1468c2fccc886d18689fa075bd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eWEckkEk.bat
Filesize
4B

MD5
f86820f19204c3bbd42dbcf7c59f2112

SHA1
84c6e969e163aee893e26c201ec11bb3b81a4470

SHA256
d3f57fc4f17db538bfe9714a4dd2aa0fe98652a18c4f6300e66cbcce4552f301

SHA512
760114501d4da73096a4147db0eaae58d3a398b1ecf29ae2bd2ebf0eaf4be25a74c5521b1ba657d6ff49814f2e704b092adcb1b8efdfc48236b7b9a5e4ce39a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYgW.exe
Filesize
250KB

MD5
b75b9e90e73eae1eb408e75f35cd3304

SHA1
c49b00deff36df29a15ce330c39a0239a966dff3

SHA256
a4dc7e873659155c31a4fa7a795e7d07da5ab827068246e790d533b323920f38

SHA512
cf19c61863712e92bb6f2c81034172135fe284e5c08ed57119a4fc795ea76864783b948ce3315918a65fe75da17f1b0a466277a704d7626b177f09892d83951d

Download Submit
C:\Users\Admin\AppData\Local\Temp\esUe.exe
Filesize
468KB

MD5
448853aca7fd8b7165fc5b8411282085

SHA1
ebdab664c840add6ffde39d86b20bcb55e5c4f81

SHA256
efd2502a173a5ba6a976f597e2c3dd4cfb78810982f0131d6e1ac19553aadd63

SHA512
242e57bf3d8abdb6cb13040fa706b94305dbbb80fde3a474032c51180e3fd6d7cf3ea1ebd87f3ee705ca3a72072b7d3e4346af9a3e48618fba653722ca7bbeeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUAEcQYw.bat
Filesize
4B

MD5
ab5ac6e34e729605f2f100ae1616ef07

SHA1
99dc986e11c499698cc63845b84e47579bc11d92

SHA256
f29483926d1c8b22293852d80faab964d2268b741e6fd3ad83de57b516667ce5

SHA512
0a7f7e4dd0991292eaea2991f7fcd036a14186cc50b1a7e3e1b0a921fb68d7b77aaa00eaf37c93d4b8e3c7aefcd02d974e8ac8ff05d5a7d585de2c8b88da89c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsMUYAkc.bat
Filesize
4B

MD5
a5785e405fcfda78de6d486bd208a2d8

SHA1
c68b1c668656f3e55ef1057a1d929332da1aea06

SHA256
edc52be2c12ecf45d46e89cf4ab5b4831792e71e6f7a13159056623ffb1c628f

SHA512
a2b5f2201fd2dde9acf59842669cc47f2fdbedc6585ac8785e8c3191efead4e6bc119b0842362bb4496d4d9082aa03cddc08455ca4cab711802f8f71741efbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUMS.exe
Filesize
232KB

MD5
e1e0dc2a84aa1cf2a9cb83e497dabb44

SHA1
df2dc0818a497f9ccbca29e50983fccefb3d8205

SHA256
b3273d9d8acfcb609365742af408b173ca1fd2fd371d52d511b37692c9b99788

SHA512
7213aeb81f95b20e9f1e9f7e4d43111f0a25292063ab30f35c3c51412f05ec767e768d03bc6367c06bece871ff782cad04ad0bdb43e5344a96ddd43d5c7c20ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWocMMYQ.bat
Filesize
4B

MD5
69fe6c3d7260a2e2c30fb383d578f352

SHA1
c11423f30cd5cae0bfa5d5b89d1458186e12a761

SHA256
d6489a3cfc4025d35a8cdc5f867d8c52369c410dc4ba8763dbcbe2de801fb6d7

SHA512
6cf2a5b8863d24a9eed26ca9c97d8c25562d966e2f99754382351bce98bd148603a7903e4916b0ce9be9d27f3cf40abb9d9a117040c8e62048e363235295b57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYMIgcgk.bat
Filesize
4B

MD5
f593c31c4ac5f7002911ffd00af5df38

SHA1
004cf9619b5cb8155d32dfa203c4923f23f47906

SHA256
4c6e99e7f76e637eba93f2f114436fdce6528b5586f3ed481f915cb82839492d

SHA512
e5cff9d3a25ca7bc41c14f3ee9885e9984bc3456397906c4c9a43c4b6a8d3265d46c2c1ac1e424d0bf5dde1d8d24b7c6563e512c4ad36f0e348f9274b3fe7ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYQO.exe
Filesize
522KB

MD5
b8e9cca5e6512011cd868e098370da8d

SHA1
8d260dfa98070e5ab8b1ec917b11f727df3af7ba

SHA256
f85a05793313095ead8718aea8ac2d172ea5755473d120181c934fc2256dece0

SHA512
3b3fd8a38c142326096015c60e11999abebd4e42b072ba99e9d0b91261d36cc2d45f28c4a453ba063309680460d99a74cf0da0ee931f65391545275f27098ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcsA.exe
Filesize
189KB

MD5
423e2a8e083cdf8012067dedc9de18ae

SHA1
feca9e40a6848bc9f373400b959f76fff14a5769

SHA256
3e13c98e737fc079ffef3aba2c04d86c337e567ff098934a1df93fc8f4875a5a

SHA512
0cbc5623b0f4df6c427aa49c46a94fa7559e7c233a41262e22700766338e28c0448bd5478ff868c1dbf54bfd6774a7a6758c8ec61f353a56718ddf62be69e4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\geQEQkcg.bat
Filesize
4B

MD5
675e75ea240f88419b9c37fd6c5272f4

SHA1
05fac58c391c15d2297f766328a7b1dae3b75d86

SHA256
877dca9a338ea7fca651c6120a6156a04f6092cc221c761d4dc5cda287b4712b

SHA512
fd26deba6ef0a6f0cdd440192c61a3b1805836a3174753f69e334acb92ed3de3bc414370b1ac3474e653edae44d47bdcdc2a288196fb865ce7dadfa9fb1ecf4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\geUgYwYc.bat
Filesize
4B

MD5
7d935e14a906bd208679bdbee382de8d

SHA1
8a6a8bd4051237a47410ab45ca4c8950c598b6bf

SHA256
288c6184c24179735838700793b960a5922314c7fb2ed65b42caee4870fe2d03

SHA512
ba2e11c3f0695b27d3aae7d457a2c8eb44ba93ed36e90c2c76d1d44af938055e801e9d360a7cb37d8c5a534fac079c27483ccb155b40dfc30766cd97af0702ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwgi.exe
Filesize
310KB

MD5
148d00834f48ed6c50076f4aec8db72f

SHA1
9f7074793c327b3678ba49905eabd6da857ce018

SHA256
e94c9713c64d22d0e4aaa349bec6fd207151a497a208f2f1c055bad96b49b745

SHA512
f17300facaba82387b02039370dc6b1444aaed0798ee7c241102e8f4b23c51c2c2a08589e055a178d4fcef62e132c2e159f38d843af81d3ff5dc1b315102083b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAsYAQQo.bat
Filesize
4B

MD5
cce4256e8335d39a28b8aefa569c1cc4

SHA1
3b192fe69f8e1e4b7b49a6fda22395e016533fc3

SHA256
81a901a5e0029b75a00bc80f10487c2c597bdd9c6c07ca97ec2639c6a40cf1a7

SHA512
868bf61022f2740bcf1ac6d7d1f98bc770974af4232936d0cf696856f4d8cc452361865fefb53e1ab88aa9d0909b8bdc1117dc8d540402f1317d2b28574560a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIsooIsY.bat
Filesize
4B

MD5
636d528d0664c8daaef03af3efb5219b

SHA1
8bfbd3f4128b6202b4d8527faf34dae388aa8f8e

SHA256
ba6c1d1db50c5905a495ae3b2d39a584770d4dea83d1f48a3976d96db07ec6ce

SHA512
aa82484da3148b1fdb5e8072f7ddb71bd42c8e051e138d7078c575481e3e3b019df3e9bf25e7637c9b6cdd02210e7708f3c22bc2c57e400c03d092f79b449d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUEUUwYQ.bat
Filesize
4B

MD5
d676c9f9ab4cd001d0e1d56565cbfa30

SHA1
6b0c65efe92a97640138e7c9aa5b0071d19de5ed

SHA256
3ce575f03626d6162037e64223d38ffab1de6134958d6a6b99c9891bd569c388

SHA512
540fcd5a1c07a386678e45adae4106f739ab06216b94775089f5c2533452ccbd179032029e750ab8db62dfdd58279488467d2a80c48dd490624a0594721ed5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\heMccQIk.bat
Filesize
4B

MD5
5ac20c6ff5011fb81c261b99b180407e

SHA1
0c1db33fdf395890ea89ab9731ab7eab2a83e1b3

SHA256
b745678c3fabcbf3e7b20c64ea1c8eb0d39bf22ebfd68c526ffacd8b59c0ee75

SHA512
a1ef31514b298765357abf24c255433e8fdd67754616056158839eb1066463a0928e1f6a6c9992d07e8f50a26b1229286eed340ba4e6e60c13fd455428589c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAko.exe
Filesize
251KB

MD5
9944bb0339519bfd736e19a3523d70b0

SHA1
80c70152e7f1b08e5bb1da4836deef91e1185852

SHA256
de6f3ace238bf9d17b0f76eb10fb0567fcd5d694068b9f2992d6c441bfc3de01

SHA512
81b3a7752adee306196554bd1da483f9ff6d2ec800a6a55293c7c892b69341c788956fad7458bd0737c60ee1c052f3832594591792b7c0c8b6c0e629aa621690

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEow.exe
Filesize
484KB

MD5
6ec4199c166af8e08598afa2962b0af4

SHA1
5b48a1f5334763473f650a3be2b663748858fb82

SHA256
5c98053e76903709bf52cb032b8e30f363bd33289fa3e2af0af28ec09c9ca54a

SHA512
fd6576634b3237fd80ce36fb1b65dc78fd2d74ed1a8c824c69038e921cd9e7af381f18068b164364e9b1f68c2fb71983d3ad3aab22ea36a4ee8ff3b70e0fe06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIocMwYY.bat
Filesize
4B

MD5
99149fa8ddc5860298a14299418c83f3

SHA1
da937120c60a733015e4e35f854ed7cc4047041c

SHA256
b75640ce3fbb369beeac96d1ecb26140b275a8a4b04aae93244c41283ba0b3d2

SHA512
8eb2a6934364ff9aae5f6fd1d3d5d7c6c4e21fc122938a6f5b8f4316fa1ccf127e5f24befe0eef2f6e87087b3350b73812763eefd33d9dd713990b0d56ee2b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQsO.exe
Filesize
869KB

MD5
5a06e064d8ca0323b7484fd33eca4a8d

SHA1
351267e05a5bf83714c81c0703abc200e465d2cd

SHA256
e2bf43bfcfa696ebd8206a5ec4efcb4c44bed30bdaac758d92fbf3e80fbef1c4

SHA512
b18c13fd713a8acfb78be9a1ea4898c87844d389c45936f96249ac748036d31ac90a06f60250710740291cb8de8f49aa9dd0d58e1c573812b9895e1fb578777f

Download Submit
C:\Users\Admin\AppData\Local\Temp\icwk.exe
Filesize
191KB

MD5
aa6d50ddced3b742ee1bce9ce5327eb4

SHA1
75c4fea64d39237769cc51b8a06fcad01d9c498e

SHA256
30c10e7b20441a6b491c2d46d15c63f5d7e12292243294b4bfe90a311836dec1

SHA512
585a8ce35fa8671c17bb84b546ca627745f59f552a68878095348e1ded20dafb8bc12b1b7f3d1b9f0af319892caea20c61268fa7f2ae3c68e679dd8d9d95b2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikUQQMEc.bat
Filesize
4B

MD5
385aab3bde712a9dd058d2ca01670137

SHA1
69bc7348df53e69c95ccb937e6658fc052185727

SHA256
316941830b5232419b76090caf34889ba4ce7724383a358df9d1320e832daf47

SHA512
7fde5e42bad6353805ab0d1a00066ee934a59843782f67acc3585f1ca243488114ba11a9c037b06118937b959b1c16efb237e6efee61787c014883911efa718c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikgc.exe
Filesize
242KB

MD5
c8f07edd4fdb2574b978ec2ae7b1abc3

SHA1
275411b8337a40ce1be1f54197a65f0a30fc4c03

SHA256
1b86e2184af53a402eb62efa54386fa0298c4499f3d492a89551998225f90658

SHA512
c1c9195a3059e64b0d10edfaa85cb2f285fbbf49a18eca66f16635ffd28ee758cd0253aaf266b7d3b01a8ec1f8b0a2ea188df4f54252c2157a1aa82199954cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioscUMYc.bat
Filesize
4B

MD5
a96098d755e1074029711b1419577933

SHA1
34af7031ab0323c54f83298b879262d66b6a016c

SHA256
1cf3f59a39cbbaa9fe73af9f46f455747617cacfb5510e9952d57cf73ea6a941

SHA512
6f2e6d14e24f6cd023f29848c03bf77b7ebcdb0d9af7d020953f7261e3748e5f3c50a4dcb502241dd0cf2d0890a9b4d16fbe9545cad0213144490ab9c046367d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jCkkocME.bat
Filesize
4B

MD5
b7a1eb7d4bd373b6a9b10dcb7cc0c190

SHA1
99b85af5f682381bc15dcc1e0eb05a4820587a53

SHA256
8d930b3cbe3563ee2634250e6978a455d9a5077e88a5dfdabeba1b905d3e9be2

SHA512
34ca34a39037eb1ce2c23dde51c3fe36b33df892897dcedf8bc3e8f06d35e8ed5b9d7d227bee948491622972d23c0c00f286bbd6eef5595ec718b2ab81ecb236

Download Submit
C:\Users\Admin\AppData\Local\Temp\jagQwAAA.bat
Filesize
4B

MD5
a18d543a809844ddb320ce9f15397c8f

SHA1
7935e8592f3a873197931fb9a88590d8f9fc253a

SHA256
9866116f6c595b9a4c62a24a65ce513725226f0d874c0b80195d303d93957c42

SHA512
839db85ceb241360b3882938d58e0d887808603c8daa1bd60804a35dcb60d0139a9fc0f4dea46c57bf0462f93c5d3ef33ab9563fcd18f9021b4d666c53b6d497

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcMccMUE.bat
Filesize
4B

MD5
1fd4732006ff7dff1a66e34d08e0cd32

SHA1
0382aa57a7ec7d449f36f3c9abac17fb7b76aef8

SHA256
2ed7fc35a2d808559bc1c4e8be3462eb925bd3fca247b479f6fddf6980d13637

SHA512
05ba8bdecaf3ab44089523c8a3a006f900d99b1a6f520756c30e2001ed5588c8dde1656ec9cb719581f2f619cab1526954bce7218360ed2506cbe386f680f3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgowcUIA.bat
Filesize
4B

MD5
2666c4285ddea8d325f319ad7a6a6a6a

SHA1
bf7745fba8870c576eee9d3629968bcc3403c3c1

SHA256
40896c90cdc1493897dc3ca5251183175b061cc80fc2480463aa049560357b19

SHA512
43961525eeaef5f42c1324fa94cf215628777717fd3dd16183176cff8b86d2861b38d4aaa281c585cdbb4757b5d226f02ab12df2b5b4145f7f95fbbc85c4866d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAAM.exe
Filesize
460KB

MD5
57edf0715544fc9ae8e065027d0eb3ae

SHA1
72ff7d661951804fda93ab5be8d301eb2edd988d

SHA256
668a06f722363782c852e5c2912a823be2dc2f3bbcf02c0b582d22d8a07b9510

SHA512
45f1e90e66efe5bd93ba454ffabedfc6779799b695436e9a142496b6d305eb42939de793c7fe4c412e344adcbf227ad351f2cce251e4ad8664ee4726c736b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGQAUcUg.bat
Filesize
4B

MD5
a7a94b5de9da612a477e2fd0b738bf1f

SHA1
114f83e5b021fa22123813dec7cf7cd5ce4a6862

SHA256
9d95132c01ea58ae7552e3844722fce90cc293bafc663e0113b5f6dffd2b8d01

SHA512
9b86e3a4412cdee5438da6b772328e9344a1a9bd7617f2f78a4cdf8f72a68e5c6904425acc99159ce77aade0acb10b448614045eec2ac7385d8c4faef89a3909

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIIM.exe
Filesize
240KB

MD5
42573a411dd9239885cc8ad61b5b6c0a

SHA1
6bcfc9d166cf6c04d0940226f6fd77d515beae58

SHA256
d877f2050e229a842d668956781dfc12bfe36897bc602ef489e2668448e2d335

SHA512
a039df0a4d9b8173b480ddccaae5ee8a6fecaeaa5dd747c53c0104cfaf70e17ad5cca09772e66374b565d3b2f90f3089752bd3b51a083ff0ff2d1383d718ba34

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKEoYEEM.bat
Filesize
4B

MD5
10e8884305289938f9360022b328aa37

SHA1
d88fbf235c9bf760dee4ada5e8c1c570c607feed

SHA256
701fa60a1cd0d7a3a81c8accd6359c42d6656996d4d4c11092f2e2c40cf5ca72

SHA512
6126bc62b43f73f1ea961d83548fef0fa1fbbb8fe63282620e1e5f9e34affbce2f4a5a366e553a8c547625d8bbb876e5aace67e56c79138bc2e6ccd2ae132314

Download Submit
C:\Users\Admin\AppData\Local\Temp\kccK.exe
Filesize
248KB

MD5
7215dc348d1c2c79bd6fd2e9143f3b33

SHA1
ac7f43390228788ec16898a6fb5dabaf00524cd1

SHA256
fb40731f87e6f22181aa937f648585e15c7f9d30f3ae0dc68f4d0b34609252b5

SHA512
d245cc9dfca3715067f29ae0f0eedbbac6d0e109b3a3d49cea4f24c3a1f8fa190d9f24ada3c55e5d34f008b12e0b046b1df43e450baf9cdc1af40e51a87ea115

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkMQ.exe
Filesize
246KB

MD5
13da641103c992296e7d9f34c7cd24c7

SHA1
7a378faa9c9f1ae1e1473f7872810bfb7955197c

SHA256
61205cf8a8f52070397a626392779eda82b10882af494a1daf0168c4cec43cb6

SHA512
647d099f965225f68fea55236cf33bf64cbd30f1abfb4c04679ed6daa533d1a64721e587f2d6735140f12032d7bab1322b6a82622f68b364e948fd47e439f2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwQA.exe
Filesize
646KB

MD5
b0bd683c24837b385a7128a4c266a09e

SHA1
21d246c32e36e2a7509335e1f839ab9077bd16ee

SHA256
d98427c783e1724ff9b389f16197b63e299d24e517b61e4e84c951270a3d82e7

SHA512
3ec829842c0e70a7924ab2f80bbdeebcc023419785171d4c94687bfe3b41b174bb26aa621d57f08164b8ceba0d65ad449da0678c2516a6a0b968c31695249868

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQAwUYws.bat
Filesize
4B

MD5
0c2b43c7ad80316dbecf7b23de23bb0a

SHA1
8fa512244aeeecd232cca3d9493fd4405a2c5bef

SHA256
11367a7a7173a3859596b00eb0d9647a5d332cf59b386f9d1f6fb4f1ae0509af

SHA512
fc44b784f7a0196c0f3dcd427684b7d8cac7aeb22215ce7f2df6222f5171b900fdec64e4146e181181f5873019a7c6f30414ce8824dbdbc1a5686fec32d5d6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\laQEokUA.bat
Filesize
4B

MD5
1d1d2436cfa2af070eaeb3561e9a7747

SHA1
05ae444a1a73dd2c27a8abc5e89894ecfda06eb2

SHA256
7289ab1d64d60a17fbff8af28e8f18805801f37a01652bdc567ce991181b26bd

SHA512
940a2c056896bd9b85d312498ba50cecf26e808a0471a002fa3faafd5939e09c2a5644fd1fc84b0852f9ac6834ada855b3613270871a23d4d052476336cf7046

Download Submit
C:\Users\Admin\AppData\Local\Temp\lowIcYgY.bat
Filesize
4B

MD5
db70287731ce9bc4c83983446901e5b4

SHA1
011d3e92a40832e824971e44a7c31418f51ca571

SHA256
dc37e4cbe4b6a8d013b1ce09211e3aba8a7b19a0c500a44934f157925b50a87a

SHA512
c1766254d71d000199a7d3a3d333f626043df9fcc7e6e0ec7ff5f106164f1c239eea568bd999844b6dec20b17d1797bb48dfcd27d0d86b84451166b5b6eb520f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAAq.exe
Filesize
330KB

MD5
a361d7b4a3a8e8586985935963e91866

SHA1
7baa27b1c26f714b3d4893e66d0b1a62fc2dd18d

SHA256
56ae7a6fe97d372d6233631b79f13a0d441e68a7b867f39834b0ae19bf224f0a

SHA512
66ce44aa32beda3b6123c62c626b726e769a65011c419efbbfb5a6a887da12288ded3e2fb3d11462ff46c8932156bbaf36cc7b5efd38520b1f911aaddabc708a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAYe.exe
Filesize
639KB

MD5
12e4908759c0c4462cb5e077d49c29f9

SHA1
f0fbaf221c46f280dc05f078025f85f676c34619

SHA256
61cf34ab8d9836c7af5ded73607f21e4d77929c62d14791860a978cfc683e6a5

SHA512
b20fba049caac7146b4e544a06bb1298ce891f9d1d824ee47d165cd21f4bf7ce61bcd7b72fc6d44274f14d3935ef9481619de1072c5a76fb5d9d55d4d6615202

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEEY.ico
Filesize
4KB

MD5
0e6408f4ba9fb33f0506d55e083428c7

SHA1
48f17bb29dcd3b6855bf37e946ffad862ee39053

SHA256
fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67

SHA512
e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIYy.exe
Filesize
205KB

MD5
24f1609eba26d9dc56e0c14ed6005fc7

SHA1
f98c6d227028bafc0a824bd36fe9b65f10f26f8b

SHA256
b384489d3f622c9d39cf7b0f460d25e848d306a4e83066a38023f59f617039fb

SHA512
ae2f45a73997885a7ea369c0ec6e12063a3e67d95d91c97dbbeeb74f56ef6eab6c00fa350843bfc3b99f36d623bde7fc6cc586e17daf05ca52bca550a7de5af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSAsMMog.bat
Filesize
4B

MD5
c16db32521839338a5914d849edcbf9a

SHA1
10252132cc65dcbc964582f235a7bb8ea47f1c51

SHA256
b4978b4b2e25bfcc5399d1632135d342a4fdf23017f15053c389bf8371420fe1

SHA512
a1ef48e68ea2df60272bc5bdc70bff4b6b904f0651232bb2fdef65ef8cc215aa910a89487e4ae49d2e7f0c07925100afa5bb22854cd1db7c77d58b2cfb1d3467

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUIw.exe
Filesize
250KB

MD5
b61f8b2a349789442a4f0d2617198113

SHA1
c235f82baf375f480e039825bc4a4d844d3764d2

SHA256
6b738d4d789553afacd61b955844b4bdcab56cc83e8a73b92436bc1dc3ce2460

SHA512
4c2acd1cfa39978a4f29c398b80467b4e1c8d0f0a94049e49de7f317368bad375c9d482f6c9dddc402d1025189f4b5b07a9e809ed6872fe487025c9e8d7193d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYgs.exe
Filesize
228KB

MD5
5eca7004a25741e821746aa78b05c08b

SHA1
55c477ddc65edbbac076f7833a9414bfd4f36ded

SHA256
3a2ffac77575945b22cd8a7ce20ff010b3d027bb32e1fecab2f5125f7b59c09f

SHA512
5e18b69acec6fec73e4c011a14e694f719700b3639e9a1974ba72ccf73c5d04943c3c355f6b13439b41fc8572ad3b03d413a6cfa66cdee8e63c21865b04acf4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcsO.exe
Filesize
946KB

MD5
aa06de5701fc3d82df57df44f00061a0

SHA1
edc3771bca1881a70d63f7ff1040f76a0b20528b

SHA256
a6c49f5a87e874055de32da48e0380f927d56343e27a9e494a995e84b7697bc0

SHA512
0e72b404d1322c3cbe324a20f7137fedb0c02f61ecb247a86fd66b54445fb9683560dfe1ba96cddae5fd3454c00a43ef4f6be5ee36b7eb87a62453d526474276

Download Submit
C:\Users\Admin\AppData\Local\Temp\mekgMskA.bat
Filesize
4B

MD5
9120211fdc4a3a2ea872d40bdef27a7a

SHA1
758a926bad0bbcd20880800c83c71eeba0f6754e

SHA256
657021cb9af5080c667fa73c13fd134d42a043353dbcbb752224f0dce3b633c2

SHA512
17216f4a9a7a23fe63c2eed543e1395770927b48b989357ef4f263e6d646a11db66b1618bd0b4e3dc4d2c7192be43f725aa52e0463c9ea6bad20b1c11a1f3fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\miIUcgkw.bat
Filesize
4B

MD5
8f51837d96266eb2516b1eb9d79f3310

SHA1
098d1394cb913d66c660b363f5d6f5bf1f57b2a3

SHA256
13cff147469be19db3479012e5acea6fdc332dc53ff014aaaf0011a0ac985cb7

SHA512
73f3ab55430a2a9f731df8b6a6fc59b4fdf049329db55268e91f8d3ef92da79e4e8dbd3305cdf1563521d2dd6e1b67ae62869e9b703eb810df67f2a9f80c19c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwQa.exe
Filesize
234KB

MD5
f4742df1593571cf9a1994731ed05e25

SHA1
706a3a5127f142fda212da0d224c4be8a2798395

SHA256
6132c66bedc15f3c6d3c842e30e27545ea936b70afc879cd1f8f026662c0e67a

SHA512
b841f793223ee2142daaa564011f82dd065df15b1f854d34bc0c547ccccf5c63edd9fcbe77d84e7163f5a3db29a4144240f567912d75660541ee5d45e368ea56

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwUw.exe
Filesize
231KB

MD5
7a268f70c5e765fb1c7a08080b65134b

SHA1
fb9b6ca5262470e6a8efce7fccaee2f866416cbc

SHA256
9eb25aea58751c5c32126c1e88aa3df61482290db7426cdba81ee38824f26e9a

SHA512
be2481ff4b00b6e64ff7a734e10ae5725705847e1da7f72a73d9101a4e5c3a11d6477c5eb37108844221eb87db0ec91e95a7216ab91c9a3b0566b00f79731fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGIQcsEY.bat
Filesize
4B

MD5
ab21052edfdf5c20f1e4415b8bc19bbf

SHA1
66501386dd65a522cfedf8ae10e9ca6bd5581295

SHA256
75629d629f92d3324d563558714d3d954919b91628172142de4561f6baf8b04f

SHA512
ca501ecf0c33757adedf399532fe2c6f0cf1064e6094e0717a0171a1d57776fc8178010108409a05d74675b4410567f697a76302dd257e421ab7c71406f74ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncsMYkAs.bat
Filesize
4B

MD5
7e30b0c9b5cc9c0ca3ca35197dfb643a

SHA1
157862e06956aa6093bd183bf52cd3662636751c

SHA256
61e9cabc4ab82a93c7c6af81a6e8cf0f3edc78377a8dd0b912c3f5bff3845be7

SHA512
37fcd670937612c07d0097d22f01574f24954740e5a2a2002a665fd5c971267406860d61eeae5d2a765fbc121206841ed67094aa6450ad48e35d3503e903a437

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngQQUgAY.bat
Filesize
4B

MD5
606a63e8a703439cd166760d4d713d33

SHA1
056a944fa4479cfec042654b3a95940204717bdd

SHA256
4982473c5760d08b9ee9d87b78a66ae5e8e44ec46340ef1d8ba47f432f16fac9

SHA512
939de3bd2db9f390e49467daa0cccdabc37a6dbef060c73a2039e5b0d26b9d5ce54800e95180d0188fa67e657e569aa6f388c1cad6ac6ca67b8c3326eb77e46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqUEkMsQ.bat
Filesize
4B

MD5
16717d204c9191b2527192ffd7a8f5ce

SHA1
548991e5c821dcc4e898ef9debf65de082d6649a

SHA256
c588085b29ea415df2fd5c453a4789ff7aecc7d068f3bf69c7021d0aef55daf3

SHA512
5a84c6edbb79e35866fde8978a7be81544b6b4203f2f6f29e9a42f0bb4cfd0eddaa13d0dc0ee922a093e8778ce7231d0c3c5e77701bdfb7c52e2d61c0f21b983

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEAw.exe
Filesize
244KB

MD5
220e446025bfebb7f184d81854e03f62

SHA1
1c608a76c742dc3794da9b7f023dfe6037f4fd1b

SHA256
52b7552b196726351d8f5014acba6bfeef561b9e8fc1b7ef019cb45afb442486

SHA512
ffc5f40ab6c99af1c0fed6593a732eaffb56a56f6e2f8bcdb74409d9e5aa9358984125e090e865bbcfd464957781bdcc8d9aee95b77bba5c1fbe8edbef0e524c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEYc.exe
Filesize
250KB

MD5
70c032fbeb58d82c74817fbd86490055

SHA1
11f8f2342fade0ac15dd7f394212f050d2bc57ce

SHA256
1636810a68a1b256a4169fe921a9b92f9613a6f95e0d5411b8a80f5a1ab037ce

SHA512
350b33a8426fc4f96a7ac9dddfbf7ae2249e97ce523fe96ec9d112e128b760477702cf3bc7e5b0dcac3941c480fc99db411fac3015d6d4cf07fd2f060686d44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMMg.exe
Filesize
184KB

MD5
827b41064a535753a03f6fcdc4c620e9

SHA1
360234e5a44ccb0f70a3268d7137ad7f6be13f36

SHA256
bae65557b6cd9bb4a025e3dfd35bc45b3f752ee784084e37916c3fe32dfaecdb

SHA512
4345a2aebc93c085de0b5be0d617c93fc34deef00dd4d0a1ebb4d9169cea5cca2d32bfdc517672ab2b191fae4f4b98cda4129161c21d9b69778221e5a543cbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUga.exe
Filesize
204KB

MD5
7088d834103e9bd73b0e42204bc36c18

SHA1
fe2b10c4ecddd77ef9e46bcc76c418086c0696ab

SHA256
fe98349405a2584f21c3ee2b5330f74c2fa3a2a3f66ec0daff0be79895f09e3f

SHA512
c9b7f0ab436378165712cb35236b84d5a9eb0d5fc4a60ddf9481f49338c75b79a9758bf34bb6b866665f6c82625bff7522ab6aa963e200c03f76d0f36332d2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUwI.exe
Filesize
250KB

MD5
f57aae3c424991bdc7c75f4576c448ad

SHA1
a8fb040e9cf6c8768eb9823ac79c2b4957f5cde9

SHA256
1f7006c027c98b1867faa70acd6af5afa821e9f704bec3e517bf58ed4df31a98

SHA512
68bc5d5574801cb8d533dc461840a5eca5cdcb8f9f8b9de41ca575ff22b657c965660a210bbbab055d58df1229c4d3f05d78e205a8f3dc07723a984704016bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYcg.exe
Filesize
252KB

MD5
2eb4414b3a30f3cc1265b8dfb2df9717

SHA1
d78253fb72c7992c50415424b2208933aa383d8e

SHA256
e609bb6921bdd927851df8ab7f5da072ab968b421c11a1d71239598a328e0835

SHA512
2599d2c8eb41d14c29c85f37520524413a68b012ab22d12438eb0220ca3ce9d9f05b6d61be80decae94135c7dea742c18e9a88f2cf2ccc95bf0eddf3a8332a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\oeMMAEow.bat
Filesize
4B

MD5
a071ce7d6e7c6fb6733e051ee8d551e2

SHA1
8afd1f19492c6d30cf5f8b02fd7c2f3f555319a7

SHA256
2d4dc9685ef9effe844769bb07fe67c514d2a833f7f4b50f0a6e552b282e7e14

SHA512
43fefe0801c26a307e3db334e06f5a7e53a005abf1f3810ae1fb492790e56156d8ec94499f234cc54a934af7b0ace4bd39d7fb50cdbc9426afbee72975ed799c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooko.exe
Filesize
232KB

MD5
1f2f02f54e83c2ce079c30caacee6661

SHA1
93a9b1455171b77530bb1792b3ecb36525c46238

SHA256
2665e58510972dc9ed1a766a619e21b6fae945d6e373b82f46ff4eca04b67e46

SHA512
52797267ee40f5f7c0b171c3d9366744548630fe76bbb98e11919d7f5b8f33f981982b0ee52ce9894b4286b8037f2104758b61c4ad745a3861a0ce4f01e7de5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCMEcYAY.bat
Filesize
4B

MD5
ffed9387ad7f833b26f28ae769860040

SHA1
edf232d6d46ee3310c049efc9771bd061c47d762

SHA256
c824a9784e54a4fbd18282740503ee6af3edd84698c65d799ef03d8e84c049d2

SHA512
0ab144b249b781c1a58471c251943d02b5609fbbdb75da1e51e3626c58f2e0324b6a827d9baf93f7345f0b06c78d20082df0cf1aaa469a14878b0516c1ff217f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcIgsQco.bat
Filesize
4B

MD5
b9328ae1914ddc5e9f2e90fe6d4b2322

SHA1
5c2043a4664c28d4ecf381e92fc9a2ae42c3728c

SHA256
c825f7ac8c7c441e8676462bb651c66664477acc28e6358f81a8048c2f971e37

SHA512
9d91776eaa69266ffedebf340ea0422b3207151db5ad6a686bbeec3b2be0fe7f56b9b352d5438865b4e8421e6a64eeaca58bfaf68acb1697cab42a0a60085d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\peYoQAYA.bat
Filesize
4B

MD5
df6fffeabe0736d480cb45f0854b7224

SHA1
e107dcc3328a6bca383676bcddbb51ac7af68b92

SHA256
b85320257fb45556cec91f255f69789a6c5b0d84d62c13c7258a99afff3dc5b7

SHA512
01c720bd81c5874ba2502bc4c89e78b279dd99660ae74669858d352193ac538f48401af19bc8c0a985bb403b6ebe2a1addcca947b0b1265a116bb7e933773899

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCwQcAMI.bat
Filesize
4B

MD5
41fc498302905f23966f22212bb26538

SHA1
b8e18e4f99fdbcfe28a4fb9cf864c819dc86e1f0

SHA256
3a57d01aab3de7cfc7d625e6aa6240922290d3438af1b168b49666725b5acc1c

SHA512
5b0b8eb8cafa9a349b6d3f530c215e5a9abaa4cc1bb28a2bb61c1b36c078f22e964ce968d6bdfbf441ae1aa312fd06c15a4d7029b301cee60ca2174fbe43383c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMos.exe
Filesize
599KB

MD5
3381dc68cc07d42c9706660b15c653f0

SHA1
d8c1d8f756fa5b1d9e38b98b2560dc49a04a624b

SHA256
17b0a3a610bb7261843514550d45eb5ed9b447aec1442a9be3b36c762a402c5f

SHA512
356de5dc70ba3857c5d2c78d10346945efb8152b9f35e7fb19b88950ac41c5223b783cbcb2fb600ec6ab74028d2b83904685eda7130146c40f05a63aaffeebb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMwkUMwE.bat
Filesize
4B

MD5
c5183ab54f701b532346665bf576b2d6

SHA1
f4efc758364d5b4af6e2b73032ca305199988353

SHA256
b71e8f442c09520d9a33f8b808c0b72b76d2354408fbd6eadde8eec724ac93f7

SHA512
bb0b1fef14f759a61bccdeeec1079f958f8b915fc4045e0093c11e7b45b50da3ea5125ac3d99231f59d3e6dd02bc2814ad6d71746c121f634c7e45e8b1e23a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYou.exe
Filesize
570KB

MD5
c8b42512f2ab61be81a48c51f721146b

SHA1
48a7fdfc27369bfc2f8ef3d59682998baefe5a0d

SHA256
b4a29ca82eb2ba85d06243e7d0dafce152f73cbfb8381f28cfb19d3b36123ad4

SHA512
f73ba0c73d65d8112ad84ddfa866933b9f08f0627d6026282cfedf5d60aeb277bc6bdfeb9cc11c258590f4f5bcca3084e11c22c86f5fc86edcecd8179026c7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsQckoAY.bat
Filesize
4B

MD5
64d57a47f14d057ae1772f552a9a835b

SHA1
2b1333fc93e4b5f43fd068073680c1682cb2405e

SHA256
d02ff3087b9973a9e80292d9a7603991d1e36f5504060e25d2392729355b3183

SHA512
a1e2893b3e9f4879c1213855ddffbd3bed1bd2266ac0cb9c0efc0f24b0857e6f51e7cc5df76901541348733e30bd9f678c8789e41b0b9e3e745c6abd7b90422d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqcYUAQE.bat
Filesize
4B

MD5
6d5fd7a94e3ad53ae22a58f8da6aa6aa

SHA1
41349072bf4fe96df6a9ad7db4309f80a34954df

SHA256
2da2d7e7cbe3d2e1ead4a8da32423e8c4cfc886c0e151e0650362a0f07545172

SHA512
b32d68a5a445bc18dc010bd4fd498938a76fcf55fa292f7f88900dc55808e6787639662f24ddfd7b0c6a4282ccbe9a26eee8f1e2f1dafe07c03523402942601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsEIowkM.bat
Filesize
4B

MD5
a7a54b5b2d072141b62989b20a1d9481

SHA1
bfdb6c41c9c87e81871d5b7a80ad015d8443da26

SHA256
f9bac72a0e805370598bc99fef93945593fb67f39becc49a12bcb57abc7589b2

SHA512
034e65fa74ad7be33c336cb4eb4b96b9defc1c9a7a6729860896acc67055cf08c67d7b2f0819de7855bf3172dc556f0b0cb6d384318e9b33b25201d65a8d9860

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsQgkscU.bat
Filesize
4B

MD5
a5bd84724029fd9ab26527e8a7e8d449

SHA1
dc4fe5c5c0ac748f1e129a742d921281b1805594

SHA256
ded8a488d7a96e6b0151b65eee141eb41622276cff77a4d648b84f3fca8e7245

SHA512
d53e3e6a407e714c6b37c234b5279054e21051f6b299f3865e25fffd1c52cf47fc6514f8ea52226564836c64899ac92e819ffe87f22aaeca3b1777d89ea63e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIAa.exe
Filesize
247KB

MD5
a0e5af6256894bfa40fc26e523158d10

SHA1
dae72fcdebd26d269110f507ba9722ffe7774f51

SHA256
3dd5f4f5de59a0cae304c4bb7df59889ca68cece0fceb70242106ac2caacd91e

SHA512
0e2ab96edfb5255e0bc4be9c836354a37731b27bfb4bb01eff72cd7dd0e5efa322a1526ea30cf343c6f380f0267e5f43bd625a8ec9347ba5273f3e52b3427016

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMka.ico
Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scgoYcUU.bat
Filesize
4B

MD5
05801c1bad8d458a5dbe234d72d50b72

SHA1
6f8b331fe335a09db41e96fac4b848ce1156edd0

SHA256
98e9b20cb0fbec9214f957be99c8cbacbcfaed666626640edf3bc3e4d1fae243

SHA512
e8898108c8b913b270f0c7c201e7a1581c374e5573ccca0ebbe7f428913052e34533a8c996b6235b1a8c7549b081e07e8bcf7b4b57b42dc0e4c234fd07ec0f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\scky.exe
Filesize
184KB

MD5
7c2db05e01b47c4c54a0374d6f8a9d93

SHA1
40570df5dd4c6d193b690dda861dd9c525fc020b

SHA256
f60c4df9cba54119fa863f97d84a8f21585784b98ff39eb1f0ccd181ff8b3323

SHA512
eefaa642854eb76675097a6b55b281a97aff5b073b9520887c16193cc720f78e2d75981990730cc03988b7ec55bd1dc7fe846f9c91e1eae6a2373697f7660da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssQq.exe
Filesize
246KB

MD5
73b16faa6ae52395805e1b1eb55643a9

SHA1
e972f3ca99872d8588e081f0398772acd2b92fb1

SHA256
2dd421ef406505acafcbdd68d97479d447353879b5debe6fe3860949084bacb6

SHA512
61ce3bd224824c2f6f69c73358c71172a93248a959187db281a92e2e9609a0744dd1b846138d14bd613832c8da560f8e6b8812ae447f41ba8735c995d3e78f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssgo.exe
Filesize
237KB

MD5
fd9f0211ce232f7a999b526d8eade1a1

SHA1
64b687d32f8c810191a894a0ed590ffc17f1769a

SHA256
2aaac79580c041a8e3955ff20675500d41767c8536123fea2f580547a469770d

SHA512
7ff7008d9356e251a9df60486b6e53a7f0a0f0d4e03b44bd16df647f92562ba93648ed21bc891809fd80c06570668aa17644cae058a552900cb106e9bd2b362b

Download Submit
C:\Users\Admin\AppData\Local\Temp\swIa.exe
Filesize
243KB

MD5
7fbe8e89cf1bbfaac2068b7c64fbdef8

SHA1
a6640fa541286996ed5b2a1eb957eb1b77f84656

SHA256
4b2bfa5bcfc377ebe3f2d6739fb214e395db5e412c3f15b47641644bfbc539ca

SHA512
8be561a6ddd070e4b8eab0c3bd8730f947e82c8e69188af4338b084bac6dfb9512999308962504d366e026884f3ff0483cd753b73f15ba66b64b028b0f899cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmcowwQA.bat
Filesize
4B

MD5
4322d124878e7d55e914d3e3a091a2a1

SHA1
5dc921b7818ee84ccc873c720ee145ba1c2ebfcb

SHA256
66cd354a44c2a61c2c9eb6c7cf416f2e85a247fc165687e5faa4915b5b91e99c

SHA512
1baf1f94a0e4c3d70e638bb40338e6cb485344ce758dd918b075bd20ea969a946492e64ef78a6e82e5103fb72d4f172ac1ccc8fd0422b9c2d5f774dcf4f5f7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEQQAgwI.bat
Filesize
4B

MD5
07d0877406096c1845e0ca50f497b900

SHA1
6d1e312ddc44f75d5066c76da905f09ca03319cc

SHA256
ea7f9a0d871f8cb8ba2293d9f408c4e05af5d082965597d0e262fd070e634b06

SHA512
546f0f4b9e5a459d03dafa22cfa102133e832caa6ae81b367836a45b229b7bde53674e739c09bf7e4710cf1e161874c3999009cfc5078c064c883586f4be4a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEcm.exe
Filesize
247KB

MD5
95aa0ea40153ec8a9052b338c1c4e159

SHA1
0b85411aca5512611f650c080509a2db0be9766e

SHA256
84c31677866fb0f71e44a5f4960119e64e455e80071e2c714e0c08a0c2417131

SHA512
ee1d9c11d71df941ea14aa370dbdfa9a2a5bf0f6c99d32dc100c70c65d4968a1e8603b87d775569ca03fa70d8221d909791be91e8c84e8ed7e8efc2b39d190a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQAQAgAM.bat
Filesize
4B

MD5
835f1a28d89ab4b22adb950a5891a525

SHA1
d65d44b08fe7d22410cabcb66fe16cccd45b4e25

SHA256
c3f61526814fb094a8828da9390f225d9e8b0e58b1d335bdc067b3cd708fa53d

SHA512
a31fad1d400d5812458417fbb882f3acfcb69c2f670b8a0aaa099b889e3da11011831aae682a2f8866dd6932e724d92ac923339774ee6f1ae889a492ea9e42ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQUS.exe
Filesize
212KB

MD5
a2dcbae8e1f6280605785618c454f490

SHA1
940e8aee066357ac76d69c4b21df3420c452cc1c

SHA256
ccb61b7edee3b89945c50ac8206897cc2662704e74705589c586d2005a84c1f0

SHA512
991d147a118855972f1e45b58d3e04c9fe947a30e5b6133e660279119245a221e42cb82cc3d7c76bebea6fe935d6313cc686a7823de116823165ba4c1c3c6269

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUkg.exe
Filesize
248KB

MD5
4c7103c75fa87722398f5ec396247781

SHA1
4bd4c754e0287db12f311f0b2238911a41f93286

SHA256
3cc4a65db872c4e3de9ec9a87a4d84e58dc33c969be658d303ef4d80f6392c34

SHA512
d6f0f076825f8bc8bcb37513d84f84373033419b658b1069cfd4a8835ff55cac4a6b8bef4aa7a3040809087f85ca8dee138d2be45ee155c8cc9741b1d8b94ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugko.exe
Filesize
810KB

MD5
2b60483bbd6f8e47cf35e9a2894336af

SHA1
8ab992fde8c180fca05bef7e1057a6019a25fb6d

SHA256
b6d8dac83b5e464a68a354a0cc734c345658f764c230751ac209104192ef02b4

SHA512
8e06dde6e7eba6e7f61d411f82557ba68d3cb5b64192d6a1e858afb434b73f24f6eee6b5fc6876b159ae31e15bb52113869f1e4c594d551017abfa4fe82877c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uogcEAEg.bat
Filesize
4B

MD5
5c779c7eefb6155f0bb81ce59b8be48d

SHA1
5b655840c45e6a6822d86e1eb402018491d4bb8b

SHA256
c3e6d12cbc1acbbf5706f242cc5002c11b8eead0472d6eb15bf2de7a88e7c666

SHA512
05b54205e7740ac439893e249d6753a8c984b8fd7cedcff3dbc02a1ff0c2a245d8b1edd351d013820097419dbbbd0bd617561d5e5ad9ea9b620bef21a2295c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\uscMIoMg.bat
Filesize
4B

MD5
999fd7713096d27710a0b4eed7fec470

SHA1
74bebe25a5d6dc5897f87876a8e40ca55ae6c626

SHA256
43a9469a0cf2503dffa1e24fdfb0ddc5a32f366418f8b17a5e892bc838f48f40

SHA512
76a1e26607713a6b676f3671839891972c96a53122873c32af34b1b186f789e390719dc11d8316508e3a485bd2ac25972e4c342c7d5e921d7fe86188cede2aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\usws.exe
Filesize
240KB

MD5
59b3b9c6a61a928cfa889f89ed6415ac

SHA1
efd095f6d9532c7be664b317fe9c4e04d83fd406

SHA256
4dd0b5aeb80fb92f9cc57bc1ab0293464ce16b015351bbe5de63af9f28dd98de

SHA512
4633dc79d3b9cf852d24710cea679c338f1a0eb92aff693b97742de0d492302de4aae22204866050e54d2cd1ef074577e20eff4ad8d117510a0181083aedb527

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwQQ.exe
Filesize
689KB

MD5
1290385e4a073ef35aada65dd5cf827d

SHA1
b9b25b26b1004282679489e53f3b72b2a3769921

SHA256
4884bc444dccd154c6bec05c35b1c5fb88f897e3b71fabc9eb526e491fc15f2f

SHA512
a3de63187af3ffa7bb642a0f3c1d95c7f92dc05937edfb3491049abed7399928680607809d561daab8388d0367f0c1ca148701077c1569023081b92e2fd1d71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwoS.exe
Filesize
207KB

MD5
964cfcf64e599dd404c207788245c4bf

SHA1
be8d8595327f3aa1244b56f90cd292a4600f7814

SHA256
63f18e6f411d883730d846b91e65c68de4f991c3d8a51bbd53daa244581e5417

SHA512
8d5e4031dbe181c4051a90e12a3f013c88b3532dcd00714cf81b72803ba868f332b829f7a5221d8f0a2b75dd98d6b7457b2d93069669e9355a9b3cdc0e855e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOMUMoIw.bat
Filesize
4B

MD5
66fef6f85a1606e4e669c23a904439c3

SHA1
a36e8fecd02764c1967944ce56cdf0929e62c22b

SHA256
34ad0ffa52c34ea1cdce1c78ff2d9414baaca1fb3959e28d14efe1cb724856cb

SHA512
df215dcb8dcfad71d4054dee441357cc97ca9de69c2d0c2bfc70ef623e085860f6dda90d1b9875e808f7e07da7cd4f44bf4016b102950556c8b240434e4a5684

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmQIYkcc.bat
Filesize
4B

MD5
7999f9793d6325fb5d326007a543b2ed

SHA1
ed4fd326d36732832e2f8b306e90178ec38d9b2c

SHA256
677b41fcb99ac020538cc87836a1d34a869e19fbae6080569e2ea16698ff7966

SHA512
8e405e7d1aaba82da11e6b4a07af1d95c18194b9200b68978010bf5d3dd8719d59f95342d2d45b25efafafc3933ee6311f073473ba0960a5efe3055f062c9619

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKgoYUYU.bat
Filesize
4B

MD5
a1100e0eb846ecccb274779fe0e56d09

SHA1
cda4460cfc07da8532ffa3340bec8716d615698f

SHA256
858662e135aa5cfa539b483ec2d9c3b5c3e55ed3738250b55a4b29628d9766a5

SHA512
9c1fd5eb6d14dc9b542c15f8784772965f6ac66316a728ab5c14e2d688cebe3a485c12382defc009715078fd10bd51263f23d325d31beba09c3d118b8f94668c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYIW.exe
Filesize
188KB

MD5
c66369a6c0738b8b3dedb54aedbb030e

SHA1
e9221ebd194eadc2b8035fbd82c2374dd384962e

SHA256
cdfaa215806856c7d11a35e221c3ac3c43000df92767aba9b9553a6f820d6dc3

SHA512
ba3ec4bbc8f22a0ace5a2b331fd314c48bb618883ddc724bb5af6601c6de6bcb3b476f21a2248c0f4080ab1f91b35c55d1fda580bd1a064eda29c12086ce4203

Download Submit
C:\Users\Admin\AppData\Local\Temp\weEUEsks.bat
Filesize
4B

MD5
2438592a48a95cb88c4c901755e15f90

SHA1
93ffd9eb75f429271a604e2bbb86f206392bb663

SHA256
6f2646f5ee347f88a7a6485217ae344bbc5cb9676b8cae14c0a4c07792825441

SHA512
acea20126ba0a3f5da7eb3249fc3dd129c1640a148f0dc906310b5180f95152bc18577a52b48d0d3ccf9ac0e2ef03dd421c4c72386d2a156f7ab19e16266f1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wksE.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\wksK.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkww.exe
Filesize
219KB

MD5
0cc2b8d591db88b6fd526fe6de1b730c

SHA1
f2e6c709216d79e53044f419bedd306306ed2032

SHA256
36aad06e2fb086d9eda671b4d9bd2b4294ebd5e508c6bccf40bb10311f35b282

SHA512
878e481439fb2149331515e4af2cca980fe18fc39981adc03a13905d769eab2130c47956d5423891241be40cc4952614a5952932be212c137aefbaa0fe16b7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wscu.exe
Filesize
226KB

MD5
7dc4d5834b95cfd34ab7cb9951d9da5b

SHA1
97fc822b88d916441c7e9c56b8114cc9cc8987cd

SHA256
737e9ae5186cb21bc1f580e2364dea15d88a7ea6ef3eb28ef17eb65ba1bfd35d

SHA512
ae76585737d7e586167c8779d9fd7b79a4d9623301b66009976257d13d675aaebe58a2c669d6d90ea98775cd344a192c0f23ab4f08b86579b2542f7f6634eebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEAIAcUc.bat
Filesize
4B

MD5
dbb950a6ccf953339065b7355df740fd

SHA1
dff47e385eefa46f08925251d6d068fc1e7c23c1

SHA256
679809b881e3f996afe2b34d60ce6cca3ce5e74f859347dd50e65fbd83fa076a

SHA512
cf1b0a323871fe3dc6c916f2c2b736401db06e25826681115570165b16649935b9b3a371a1592c7f920c9532c19dfcb9a9576c80e2d6d9e064a1e0f7e0434659

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMkMIwYM.bat
Filesize
4B

MD5
d189c71c94c80177ffb77c5188e403c3

SHA1
c0cf8bed3828eeed2b3478ff731da0f33b609099

SHA256
871a1ad3319344dcdc14fd02b79e17471c6176d587f1b18d4393140bd9316853

SHA512
683cffe46f96c05eb71c387b2282eb35da8164d96324337c50d14b3ad36927d5c08e7e836dfa57489215c8039d291e59090355387e0f44341f96077e9ca24d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoooQgwg.bat
Filesize
4B

MD5
3113fdbe9c0eefb7ce7c6098920f89cd

SHA1
f7a910732d54489687f5442eae2e5f2dbfd9b288

SHA256
804430d0700df50f91f23cf6f9116ac38bfb50c74d6afe1d63f69be2fadf6435

SHA512
d259aee55a75a7c859813197b9a07381b34e7fe1c0df3b199d3906da3e867c9ff08297ba9e6db28ca6c43f8286af76d0fc5c923fb19e3bcc3bd0f5d888d0db54

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwsQwwIo.bat
Filesize
4B

MD5
5c12775186f15e8bfd46721c74ed578b

SHA1
7e0c22f13c427c75d0103b573dc04609ea5ed57a

SHA256
10e06fb266cdc56da1752ae535c97ccbc0c2e46906dd389b3fad6dff5a067e56

SHA512
708366703e0ff29fd79fa52750a0c1fcb7c33ac04eb18b1ef8a2be9e7408ca934fc9f9fbc58d6d0852c1bc11ef95f8e846cd23640dc20a5b910f6c6c5cec1d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEwE.exe
Filesize
8.2MB

MD5
4fd8439b021441d1b4a89a1863e3c837

SHA1
cae7982c07323c152f6fab0f2cf92d3784756308

SHA256
167990b567dc1c0f27f2a8148d292af2ce4ffec200a53aa92e9104163419d3b4

SHA512
299d6e62dd8d41750f3bd235d315767a0c578eac53124208d5f7b2e990361ec89655b62c4b81a37277465a0e4aa96c6bf26e8cba17fcb4c6fae459bd945d0811

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIUU.ico
Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yOwwsYcw.bat
Filesize
4B

MD5
0f65fabec471c8688dacf5b07c8fbe73

SHA1
510ee2c6736ca8565b4bc21987bcb97aabdec0e2

SHA256
559dab7d11e2b84787e1666d9c3827f56e4b2738ae5ba088dea5c32ebb720fc3

SHA512
d72676697ef9360a448c0d9effa4ef57398f2a0bdbf4cdfbf0c60a48ea5ea21379fcb5de18bf9c4ac60a66174013e88f54174fb6c2308d8c7c1834506b07568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYIa.exe
Filesize
252KB

MD5
8556d98e00214b2795edad075028b2c6

SHA1
90b7c21f2c348ddcc67f17ba88bfce438a83d408

SHA256
d3a4684d49497edb138e7fc9c369689213f467e70cc1d890ceb8d1edd085ed4f

SHA512
b6378be26c86cd83a72b6274786bb90ff11a09b3ed89284da555fe939d9ce5c0ae3f419fcabbcacd45d16b7316c6820aa2786eda2d813d22be61337379449e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYkm.exe
Filesize
240KB

MD5
4316a5991846a18e765ca42242cfa2ef

SHA1
11262e6c637544387475cba1bdd0c130ebf9d705

SHA256
035ce67ccd34d9a2b30ca1052dfcb331ab3f1e1444d09532939d9a778dfbf63d

SHA512
d18b958dd72ae09331e6c7c6f7aeab8aaaa75c0f4dfef3c12a5fee600e73565fef20ea050ababcbf8668f93164d02a03e2873a97df97e03bd19bed99777bc57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycsM.exe
Filesize
239KB

MD5
d89ef7b677bd06f8b3da595bb654b8e8

SHA1
ac1e01311e26df27f0afae4404680eea566ae799

SHA256
2549ea728e9eb595990f3cfa0590d99782713272132d5f88e76a2a2529821c8f

SHA512
460fde3c7e9efd5270af2221e417d419c563ffbfa97854a8e0b40fd0fcca91630ff1da75b754037af7ec4b21ea7e78cb49319395a7d9c71117d0d2a1daa060b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygEE.exe
Filesize
246KB

MD5
1c9d520af3d4843919c9f478ffbacea6

SHA1
f5c0fbf91195d3dbce97592dae67db9da4c6dccd

SHA256
87b3c14e2b99a2043e4984fb89b646483c133ac8335f5b3a5af54818f7a70f18

SHA512
a750abb4eab461d8df46233c46459c4a48d5a304110d6839f7d57c3c4619a9644e1d42c6f45450839150300c782a620fae6afcd37adf46aeda972e08acb1fee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoEM.exe
Filesize
233KB

MD5
b5149f10925b67b81d873e7c3b5c4d06

SHA1
0cdc6e67622523448bebab4c0e3bb71ac30411e0

SHA256
e4f6b1ca8bbcd52f04a73bda88d78c88283a5de4ee75d7cb46d6b399bd35d137

SHA512
c51bf30a7290510a2cbf802d9a9cc07475dd05982cdfaf0ad00620f7e2d1c81676a2762ab2b55d282be1a4252e46aa527389a61e0473410855fdb89c0d94c451

Download Submit
C:\Users\Admin\AppData\Local\Temp\yowg.exe
Filesize
649KB

MD5
0622d6417a4e6a9d3807a3aa67eb0e5b

SHA1
85da3cef6f67b45a248c6c3a281fa112cd96007e

SHA256
0bb190d8da519142f29e737f2a4680b2bb38f8d992e4dca89ec6212729386cec

SHA512
d54d868ffdcfb5173a5cd7713b77615e3dfeb36d1da685fdf1d1d918661929950fc7074f6af018166f4afd5c0ca5f2c8ad1d77bbf5349424062f55194098ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywYUgEgM.bat
Filesize
4B

MD5
2ca270a415a66597feacf7b9ce6810e4

SHA1
0cc5480865eba2856208f7847d0885beb5e004b5

SHA256
f13c632411dc700064fb0085f9f977d873bcb670de2495c0f9f79dae8c574401

SHA512
e979167cbea1fec90f496e2f5c10a98c3cf0d1c4178fbd971a8d8af3d13351ad68529d989e40982be088725733804c009586e5d3bb392e0f044bf4e0321b5ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\zWQAcgwc.bat
Filesize
4B

MD5
f6dae9f11eea233c7d721ca4073ef9ad

SHA1
5c2e53a89f3440d8ec3d8a3ccba143e1a74958b6

SHA256
ce497a5383094f5da7d203814b5375c4c34a90caeea0dfe610d366b42972e77d

SHA512
637eeabb63a209a56b6b027ead0124b456e907fe00dbeb4a55e61bb8c7325a2062b466b21724778e6bf34b4d4527a3527e8c8e591bc4bdf687073f8d1ff62932

Download Submit
C:\Users\Admin\AppData\Local\Temp\zagAoUEs.bat
Filesize
4B

MD5
ff835735325b140f574732b3817924e6

SHA1
53c88482f74a2159b8954260031d8763845e8264

SHA256
b5016c5947a0b6295e772868b55ff25097196a43f09ecd1a5c3eb1b67336d15b

SHA512
2459f45049358b282466ecbccd5d95a9f681a50e81a87afd905a0721b47b525cbc8dba43cc154cc8e5da398236a5a667809d91c217a91e5bbff256adcac029ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsQgEYkQ.bat
Filesize
4B

MD5
ca742ee3910ccbf626d3c2f077cb8903

SHA1
9ddb751c605b9ca2c5e9cffd4aaf08b96be38dba

SHA256
9265bd81084587c55de625d9208e593a3fcb498ad74128c11a930c526cc40f6e

SHA512
23b3a8ef45e406911f0c176c7647ab3f93370add25eb0f5ff903ae750b1289179b00b25654e39a173f738df246eef6a1745bfe09b453cd0fc04ebeed54953159

Download Submit
C:\Users\Admin\AppData\Roaming\CompressGrant.png.exe
Filesize
1021KB

MD5
8bc81ba670050c2d4b31d50014563832

SHA1
e8bd4a58293cf6e4df852a9fceb72d74ff157320

SHA256
104368a8a32676247e448bd7d2fb04f45dbe05d7d68c1488c933fa7ac6925f17

SHA512
6797f97809ceec9901e75b11fdd58e24c4314a3e04b1dc6b587cdca3aac4ef28694273f0387d7dcdca27022b15529e6dcc8c0ed831d006c1c00e6f65a378ff11

Download Submit
\Users\Admin\EwUMYccY\CYkcEoIA.exe
Filesize
183KB

MD5
73b9d606ee885f2683f24cf02027adb4

SHA1
6a882f0a23696f152fbaebec6f376fc5adf2c4e4

SHA256
84f0ad12cef27ed8360a3a29d6d05f9c3e8f5ec0e3ea478cd6f1c1e0c3181585

SHA512
79fe84188473fea4f62e87c86c87057bff30242f26b67ef4f2fce82944ba3ed8646ac93dcd7ed4969e234709af7ebfa53beb5868e14581779333f038f0b04913

Download Submit
memory/308-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/308-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/336-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/596-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/596-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-441-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/624-440-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/668-544-0x00000000005B0000-0x00000000005E4000-memory.dmp

Filesize
208KB

Download
memory/668-543-0x00000000005B0000-0x00000000005E4000-memory.dmp

Filesize
208KB

Download
memory/712-604-0x0000000000830000-0x0000000000864000-memory.dmp

Filesize
208KB

Download
memory/856-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/856-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-521-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1276-175-0x0000000000110000-0x0000000000144000-memory.dmp

Filesize
208KB

Download
memory/1348-267-0x0000000002270000-0x00000000022A4000-memory.dmp

Filesize
208KB

Download
memory/1396-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-313-0x00000000001A0000-0x00000000001D4000-memory.dmp

Filesize
208KB

Download
memory/1544-314-0x00000000001A0000-0x00000000001D4000-memory.dmp

Filesize
208KB

Download
memory/1568-674-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-290-0x0000000000160000-0x0000000000194000-memory.dmp

Filesize
208KB

Download
memory/1664-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-583-0x0000000000160000-0x0000000000194000-memory.dmp

Filesize
208KB

Download
memory/1764-83-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1792-29-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1792-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-26-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1792-14-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1792-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-128-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/1808-129-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/1876-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-635-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-625-0x0000000000160000-0x0000000000194000-memory.dmp

Filesize
208KB

Download
memory/2036-626-0x0000000000160000-0x0000000000194000-memory.dmp

Filesize
208KB

Download
memory/2056-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2080-243-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/2092-105-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2136-386-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download
memory/2136-385-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download
memory/2224-656-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-647-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-675-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-3488-0x00000000773C0000-0x00000000774DF000-memory.dmp

Filesize
1.1MB

Download
memory/2428-3489-0x00000000772C0000-0x00000000773BA000-memory.dmp

Filesize
1000KB

Download
memory/2456-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-688-0x0000000000160000-0x0000000000194000-memory.dmp

Filesize
208KB

Download
memory/2468-687-0x0000000000160000-0x0000000000194000-memory.dmp

Filesize
208KB

Download
memory/2624-58-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/2624-59-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/2632-501-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2632-500-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2640-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-457-0x0000000000370000-0x00000000003A4000-memory.dmp

Filesize
208KB

Download
memory/2656-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-34-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2780-33-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2780-339-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/2824-362-0x0000000000120000-0x0000000000154000-memory.dmp

Filesize
208KB

Download
memory/2836-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-646-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2868-645-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2888-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-564-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/3028-614-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download