9514d108766f1afd9f48bad55acde065e566d02b0ce97ed5366aa1678e328fdb

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
Size

205KB
MD5

5ef48f63127987a1df52d23c840bea4a
SHA1

2d5073bf30bff3737ad6693fae369a52830e34d1
SHA256

9514d108766f1afd9f48bad55acde065e566d02b0ce97ed5366aa1678e328fdb
SHA512

a6684415e6b2322acddef1bb0f03c6829a29baff04fedf65ca83cd87521292d666e3969441fe57718fd2350ac1788ac611be67f9e7615bd2d9dbbb8040514985
SSDEEP

3072:8X9VAOolOJdYht/RoY64iQDy7cvL3TV06zi/q8ej1wN/jMo+As0164PttTs/wT:8X9CCIt/yl43y7i3TmeO4oI0EOWw

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (66) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HakUIUEI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	HakUIUEI.exe

Executes dropped EXE 2 IoCs

Processes:

HakUIUEI.exeqGIQYMQY.exe

pid process

2960 HakUIUEI.exe
2016 qGIQYMQY.exe

Loads dropped DLL 20 IoCs

Processes:

2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exeHakUIUEI.exe

pid	process
2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exeHakUIUEI.exeqGIQYMQY.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\SsMsMEEs.exe = "C:\\Users\\Admin\\JCscUAcI\\SsMsMEEs.exe"	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rUwEksMo.exe = "C:\\ProgramData\\yOgwUQwY\\rUwEksMo.exe"	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HakUIUEI.exe = "C:\\Users\\Admin\\nQkowAco\\HakUIUEI.exe"	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qGIQYMQY.exe = "C:\\ProgramData\\gOQgwYgw\\qGIQYMQY.exe"	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HakUIUEI.exe = "C:\\Users\\Admin\\nQkowAco\\HakUIUEI.exe"	HakUIUEI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qGIQYMQY.exe = "C:\\ProgramData\\gOQgwYgw\\qGIQYMQY.exe"	qGIQYMQY.exe

Drops file in Windows directory 1 IoCs

Processes:

HakUIUEI.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico HakUIUEI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1988 2156 WerFault.exe SsMsMEEs.exe
1628 1668 WerFault.exe rUwEksMo.exe

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	HakUIUEI.exe

pid	pid_target	process	target process
1988	2156	WerFault.exe	SsMsMEEs.exe
1628	1668	WerFault.exe	rUwEksMo.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2220	reg.exe
1660	reg.exe
3068	reg.exe
2856	reg.exe
1360	reg.exe
2840	reg.exe
684	reg.exe
988	reg.exe
908	reg.exe
2308	reg.exe
2200	reg.exe
2192	reg.exe
1624	reg.exe
2516	reg.exe
2868	reg.exe
2988	reg.exe
3032	reg.exe
888	reg.exe
2324	reg.exe
1612	reg.exe
2712	reg.exe
2216	reg.exe
928	reg.exe
2956	reg.exe
2852	reg.exe
2768	reg.exe
2236	reg.exe
1120	reg.exe
2196	reg.exe
2576	reg.exe
2816	reg.exe
836	reg.exe
2084	reg.exe
1908	reg.exe
2560	reg.exe
2132	reg.exe
1760	reg.exe
1632	reg.exe
2656	reg.exe
1648	reg.exe
2760	reg.exe
2340	reg.exe
892	reg.exe
1864	reg.exe
2040	reg.exe
576	reg.exe
1492	reg.exe
2856	reg.exe
852	reg.exe
2972	reg.exe
1436	reg.exe
2496	reg.exe
1740	reg.exe
2804	reg.exe
476	reg.exe
2116	reg.exe
1732	reg.exe
1324	reg.exe
1940	reg.exe
2388	reg.exe
2980	reg.exe
2684	reg.exe
1384	reg.exe
2360	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe

pid	process
2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2884	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2884	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2852	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2852	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
760	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
760	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
1536	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
1536	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2012	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2012	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2076	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2076	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2532	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2532	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
1304	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
1304	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2936	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2936	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2900	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2900	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2940	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2940	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2756	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2756	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2076	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2076	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2404	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2404	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2092	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2092	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
1820	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
1820	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
340	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
340	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2780	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2780	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2136	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2136	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2532	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2532	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2204	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2204	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
320	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
320	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
572	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
572	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2972	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2972	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2412	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2412	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
1284	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
1284	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2116	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2116	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
1864	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
1864	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2484	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
2484	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HakUIUEI.exe

pid process

2960 HakUIUEI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

HakUIUEI.exe

pid	process
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe
2960	HakUIUEI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.execmd.execmd.exe2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.execmd.execmd.exe

description	pid	process	target process
PID 2188 wrote to memory of 2960	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	HakUIUEI.exe
PID 2188 wrote to memory of 2960	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	HakUIUEI.exe
PID 2188 wrote to memory of 2960	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	HakUIUEI.exe
PID 2188 wrote to memory of 2960	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	HakUIUEI.exe
PID 2188 wrote to memory of 2016	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	qGIQYMQY.exe
PID 2188 wrote to memory of 2016	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	qGIQYMQY.exe
PID 2188 wrote to memory of 2016	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	qGIQYMQY.exe
PID 2188 wrote to memory of 2016	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	qGIQYMQY.exe
PID 2188 wrote to memory of 2768	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2188 wrote to memory of 2768	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2188 wrote to memory of 2768	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2188 wrote to memory of 2768	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2768 wrote to memory of 2676	2768	cmd.exe	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
PID 2768 wrote to memory of 2676	2768	cmd.exe	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
PID 2768 wrote to memory of 2676	2768	cmd.exe	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
PID 2768 wrote to memory of 2676	2768	cmd.exe	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
PID 2188 wrote to memory of 2920	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2920	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2920	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2920	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2652	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2652	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2652	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2652	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2040	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2040	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2040	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2040	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2188 wrote to memory of 2860	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2188 wrote to memory of 2860	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2188 wrote to memory of 2860	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2188 wrote to memory of 2860	2188	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2860 wrote to memory of 2772	2860	cmd.exe	cscript.exe
PID 2860 wrote to memory of 2772	2860	cmd.exe	cscript.exe
PID 2860 wrote to memory of 2772	2860	cmd.exe	cscript.exe
PID 2860 wrote to memory of 2772	2860	cmd.exe	cscript.exe
PID 2676 wrote to memory of 2604	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2676 wrote to memory of 2604	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2676 wrote to memory of 2604	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2676 wrote to memory of 2604	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2604 wrote to memory of 2884	2604	cmd.exe	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
PID 2604 wrote to memory of 2884	2604	cmd.exe	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
PID 2604 wrote to memory of 2884	2604	cmd.exe	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
PID 2604 wrote to memory of 2884	2604	cmd.exe	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
PID 2676 wrote to memory of 2984	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 2984	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 2984	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 2984	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 2992	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 2992	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 2992	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 2992	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 3032	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 3032	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 3032	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 3032	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	reg.exe
PID 2676 wrote to memory of 1540	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2676 wrote to memory of 1540	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2676 wrote to memory of 1540	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 2676 wrote to memory of 1540	2676	2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe	cmd.exe
PID 1540 wrote to memory of 652	1540	cmd.exe	cscript.exe
PID 1540 wrote to memory of 652	1540	cmd.exe	cscript.exe
PID 1540 wrote to memory of 652	1540	cmd.exe	cscript.exe
PID 1540 wrote to memory of 652	1540	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\nQkowAco\HakUIUEI.exe
"C:\Users\Admin\nQkowAco\HakUIUEI.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2960

C:\ProgramData\gOQgwYgw\qGIQYMQY.exe
"C:\ProgramData\gOQgwYgw\qGIQYMQY.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
6⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
8⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
10⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
12⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
14⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
16⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
18⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
20⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
22⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
24⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
26⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
28⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
30⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
32⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
34⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
36⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:340

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
38⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
40⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
42⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
44⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
46⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
48⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
50⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
52⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
54⤵
PID:288

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
56⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
58⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
60⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
62⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
64⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
65⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
66⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
67⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
68⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
69⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
70⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
71⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
72⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
73⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
74⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
75⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
76⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
77⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
78⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
79⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
80⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
81⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
82⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
83⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
84⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
85⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
86⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
87⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
88⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
89⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
90⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
91⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
92⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
93⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
94⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
95⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
96⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
97⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
98⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
99⤵
PID:600

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
100⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
101⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
102⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
103⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
104⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
105⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
106⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
107⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
108⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
109⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
110⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
111⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
112⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
113⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
114⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
115⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
116⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
117⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
118⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
119⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
120⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
121⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
122⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
123⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
124⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
125⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
126⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
127⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
128⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
129⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
130⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
131⤵
- Adds Run key to start application
PID:1980

C:\Users\Admin\JCscUAcI\SsMsMEEs.exe
"C:\Users\Admin\JCscUAcI\SsMsMEEs.exe"
132⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 36
133⤵
- Program crash
PID:1988

C:\ProgramData\yOgwUQwY\rUwEksMo.exe
"C:\ProgramData\yOgwUQwY\rUwEksMo.exe"
132⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 36
133⤵
- Program crash
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
132⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
133⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
134⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
135⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
136⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
137⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
138⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
139⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
140⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
141⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
142⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
143⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
144⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
145⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
146⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
147⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
148⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
149⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
150⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
151⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
152⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
153⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
154⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
155⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
156⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
157⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
158⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
159⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
160⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
161⤵
PID:272

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
162⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
163⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
164⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
165⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
166⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
167⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
168⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
169⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
170⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
171⤵
PID:800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
172⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
173⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
174⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
175⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
176⤵
PID:272

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
177⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
178⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
179⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
180⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
181⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
182⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
183⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
184⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
185⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
186⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
187⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
188⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
189⤵
PID:600

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
190⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
191⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
192⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
193⤵
PID:288

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
194⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
195⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
196⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
197⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
198⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
199⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
200⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
201⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
202⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
203⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
204⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
205⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
206⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
207⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
208⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
209⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
210⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
211⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
212⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
213⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
214⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
215⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
216⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
217⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
218⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
219⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
220⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
221⤵
PID:280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
222⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
223⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
224⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
225⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
226⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
227⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
228⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
229⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
230⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
231⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
232⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
233⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
234⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
235⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
236⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
237⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
238⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
239⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
240⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
241⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
242⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
243⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
244⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
245⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
246⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
247⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
248⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
249⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
250⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
251⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
252⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
253⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock"
254⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
255⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies visibility of file extensions in Explorer
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
- Modifies registry key
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCIckIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
254⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies visibility of file extensions in Explorer
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NScwIMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
252⤵
PID:2432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
- Modifies registry key
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYcAQcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
250⤵
PID:3004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
- Modifies registry key
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwAMYQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
248⤵
PID:2692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
- Modifies registry key
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uGkgcsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
246⤵
PID:576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GGAkIcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
244⤵
PID:2348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOYYcwMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
242⤵
PID:2828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
- Modifies registry key
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWoMUcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
240⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUUoYIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
238⤵
PID:1328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcUgwMgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
236⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOckEEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
234⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- Modifies registry key
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAEUIcYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
232⤵
PID:1640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:2980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ySEwEgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
230⤵
PID:1356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\asEoggAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
228⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIQksAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
226⤵
PID:1132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fEoIEUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
224⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dAocEIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
222⤵
PID:900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
- Modifies registry key
PID:2308

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwgAwsIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
220⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UMsocoEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
218⤵
PID:2916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUIwkkgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
216⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIMUoYQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
214⤵
PID:2388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ciYsokss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
212⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUYEwgUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
210⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwEUUEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
208⤵
PID:320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HScsogIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
206⤵
PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiokEMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
204⤵
PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies registry key
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WKUsYwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
202⤵
PID:2100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QiQkcQAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
200⤵
PID:1076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
- Modifies registry key
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XakUUcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
198⤵
PID:3068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwYAIogE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
196⤵
PID:2812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWUUEcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
194⤵
PID:548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
- Modifies registry key
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:2384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKgIwgos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
192⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyMoYcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
190⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- Modifies registry key
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yKEwsQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
188⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OocsEgcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
186⤵
PID:652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
- Modifies registry key
PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ukMQowIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
184⤵
PID:1044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
- Modifies registry key
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGwYsIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
182⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkEMgMoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
180⤵
PID:3056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\picwQgoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
178⤵
PID:2656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMAAgIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
176⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IacgIAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
174⤵
PID:2488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\acoIkUwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
172⤵
PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKEgYYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
170⤵
PID:2356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- Modifies registry key
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyMsEkQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
168⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqgoEgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
166⤵
PID:2808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies registry key
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
- Modifies registry key
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FeUoYEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
164⤵
PID:1240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
- Modifies registry key
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMwAsQsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
162⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWkcAIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
160⤵
PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wywAgkAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
158⤵
PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqEEIAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
156⤵
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\USYkskEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
154⤵
PID:1568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RyMQgIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
152⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwEwUQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
150⤵
PID:1688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TuckIoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
148⤵
PID:2052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYkMEUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
146⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rwEMEYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
144⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCsEkYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
142⤵
PID:676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KasoEAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
140⤵
PID:1324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\koQMcgEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
138⤵
PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEUYoggM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
136⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\huccwAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
134⤵
PID:2540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKcwoIkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
132⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGMMwwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
130⤵
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies registry key
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQYYoIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
128⤵
PID:1776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqIAgUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
126⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSEcUwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
124⤵
PID:532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
- Modifies registry key
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UaUAocgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
122⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGkMggcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
120⤵
PID:2432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fesAUsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
118⤵
PID:2576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIYYQcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
116⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
- Modifies registry key
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwoYIccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
114⤵
PID:3064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\neYIEckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
112⤵
PID:844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xioYYgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
110⤵
PID:340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- Modifies registry key
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uGosgEcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
108⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
- Modifies registry key
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YscgEcAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
106⤵
PID:2748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGsAEcgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
104⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies registry key
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyookUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
102⤵
PID:2656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
- Modifies registry key
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOYMAgME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
100⤵
PID:1744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCoUUEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
98⤵
PID:3048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jmsIwkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
96⤵
PID:1388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQAkUUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
94⤵
PID:308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\weYsEwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
92⤵
PID:2172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EikAoMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
90⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYcMEooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
88⤵
PID:2744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\auAwQQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
86⤵
PID:1468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:600

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGUEsUsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
84⤵
PID:280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQIsQoso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
82⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
- Modifies registry key
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUkYsIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
80⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies registry key
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\biIcMkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
78⤵
PID:1932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqsUskEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
76⤵
PID:2772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uGIYkMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
74⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies registry key
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- Modifies registry key
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\muQEoswE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
72⤵
PID:1148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUMUEwUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
70⤵
PID:2204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:2576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uQAYUQYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
68⤵
PID:1436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGcYgQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
66⤵
PID:2748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgwYYYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
64⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSgIEgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
62⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:2212

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEUgAIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
60⤵
PID:1372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:1076

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWUIcsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
58⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UewgcUog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
56⤵
PID:1868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OIcIcsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
54⤵
PID:2880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ssEcwMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
52⤵
PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcMsEUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
50⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dCkoYwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
48⤵
PID:900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dYEQgwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
46⤵
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqocwYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
44⤵
PID:2728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYkAUEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
42⤵
PID:840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOsMMwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
40⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AyAUUMkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
38⤵
PID:2188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\euosIcUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
36⤵
PID:2952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgswQksA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
34⤵
PID:2220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hIQYkQIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
32⤵
PID:576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYMMwokg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
30⤵
PID:2728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCoMUgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
28⤵
PID:1256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ticokAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
26⤵
PID:2804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AgEsUEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
24⤵
PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUQYUQEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
22⤵
PID:2916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GwgskokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
20⤵
PID:1372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\umMwIsoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
18⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HsookIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
16⤵
PID:2672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- Modifies registry key
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKwkwEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
14⤵
PID:2876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWEwwYsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
12⤵
PID:1292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
- Modifies registry key
PID:684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYEwoYck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
10⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lyUAwwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
8⤵
PID:1096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqwsQYsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
6⤵
PID:1436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EeEYEkwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKcAsoQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1910879489-189459354729359742176510678315305231651459410863-1273003401-1119168354"
1⤵
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1599653869-31707881117208052962125474232885221695-9852854305165835701330257500"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-982390212623338113-19709764841132541525-5591546881145291379-1199007890637877491"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-613735958-143813365317818277001888841648-134563371359961458-12149542741869222587"
1⤵
PID:2776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-79724156-8563548335830860207738864151996693651-180729977317669233561741431114"
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1871174337-202669661-1970236981-7974096621130447707-533971962-1078287526-894647735"
1⤵
PID:1740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-629989066-253710615-8152486321547895664-2142821631-816734348-4741761401951172259"
1⤵
PID:1308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1401442922-195368460012093032132093999311683766419-1524821359331901578809211193"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1514343636-1628234417-73187671-19216806191408719161537267885-16603152-733422958"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1072146912-32214634212224388365613917-171595009-2414992016158705931546503216"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16931061182120908124666616780-984624028-101754233388325244-1637863977-689005998"
1⤵
PID:2228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1489325289969292733-614786699-643964110-1300735047-43405788-1945709517469194327"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "108381721520500235011783187171097362094-18578077581195234356-1542190422-1866228502"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17428690471075029315-1917630972-17975761781787943496-58708202-12658160021982913099"
1⤵
PID:1828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe
Filesize
232KB

MD5
86fb22e25842b88cb82c247c6d668238

SHA1
7c8e8d4fa2e77153b2a73e0b5ee0fc0256fbbafe

SHA256
83b1a8966e2e390d19e1f4530ad01e417f1b1c4bd48fef838dc9529d6c4df8c9

SHA512
d48f521f72fb6095a2e5e3c4288d276d68d18d95ed8cf77a45d68f5f08351495846bce00c114f8f5a4384d2121e6a2389bafb186d24194c62ab7b0d19ca30143

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe
Filesize
244KB

MD5
bb5bbd4467221e079bc4298f323c72c0

SHA1
14eb70198f2bcbcb8efb1e4dec6f06f84a661dde

SHA256
0abfe76ef9b2ccbdbef79f68c9b4e8147b8f5e3140249f2bc05f9480dae054d7

SHA512
8de2cd74fdf7f2b8bff8821f0c110c98ab0d9ed6595768cf45d6e01651bebf8f7b1a084cc6c748c8a22066a848cc2281f39533dde0832edce5758668585237f1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe
Filesize
250KB

MD5
5070a696d5286798e32592c05560e35c

SHA1
595034b32a7b20495773757b5486551ba94d8e40

SHA256
b33749fbd9e62e71f778b9cfe441a05d2400bde13a04021e376f2dae5b955fc6

SHA512
2a196c68c3b99433f538668d55fafab3304fda5aadf7d440f9e0c4ecf22d5042b54bb7d963662cc13c270cc59145599b2efdfb3d13d18589e9901e1fdcf9fff1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe
Filesize
243KB

MD5
9169ea1288c42da145b6a5b2016e7135

SHA1
78df64a3592f5d1c0700223edd24921a8d296650

SHA256
d43c2012a219ef7dc65fd226003b4469b3465541e0ce1a33573abfced5c6f94a

SHA512
bf9eb4821be14ebace9f4566ac0793342c5c1d661c46e51c51916a80069477e2b74896e57adaeba15752a86e1252f18344484c64b229f7eb11a7d656d17ca8f6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe
Filesize
242KB

MD5
697203fb2fbd7a0251ebc927a5db6a07

SHA1
02e13976d274a6bac31a955a3d7cad4a6e53cfc8

SHA256
63d2b66d0b0031ba964708461ca6572bd002f52fcc39cdf79bc2e4ac606911d8

SHA512
52262bdc296a8b054a27ac35c30333aa39ef3d19fa4b36d162f0c091fb37a745535c8450a87a8c55848db64b75fff80e4dc490c9d30244d4d3a9ec60c05b0f22

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe
Filesize
233KB

MD5
e20445cfaa3f20ee59226fcb073e100b

SHA1
aa60fc3b345a41d9401420bf1031565b8ffde915

SHA256
67a225589a000f0d859e07e88d3a73af65e122aed1e5e988db8145aca993f8ab

SHA512
88e0ed597480376add5649e2cb3b03d671b9a179369843d62331502517f7c35d7545a240a35c99326203a774a88d813402ecc673313d14578026f865b843de84

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
Filesize
647KB

MD5
0ed420d858e418af51de4e8e2ac7042e

SHA1
efddf0cedfef3dd1a6e64670fee697ff433bc801

SHA256
0637c4fb6a4f97c59bac6bf1da88f3471aa105595f4a495495c211cce4ff85dc

SHA512
1d5d34c51f85a35f3ff19f68a2f2bccd282490c3c71733eed5ef549d239f75d6aa9444ed3cd51a2fdd55eb9c958af002ccfeee6609fbe80ed6a65a3c3d42c9ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe
Filesize
202KB

MD5
f3f90da121accba845e96ff6272af1c9

SHA1
71dd30d8a0213e356673fcd4924ada544884c0f3

SHA256
e63f8d5edf5f51989966b9fbed5c3d2edead96c2b5cd01235e1e1a7ce62d62a9

SHA512
123b2b01abc7a4c436492a7ef46ccb611e359af055587dbf8d31170191f21d050f077b3391bd53741a79d034c2881e00c26a32997cff1690d43f75da0ca2c395

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe
Filesize
195KB

MD5
c12533880ead632d47edb828ff44e779

SHA1
8a3960d69b8855f5153c43c2e28229796e9f185b

SHA256
d4dc5df04337c6360b25be5556fec693a3e327fe515d48236c9f74a339a09938

SHA512
6daebff8811d1ec6e27dbe949ac302449cce53646a18d228c3a5abfe58411d5892a402e6db333fbb06d84d909b3b54da03aaac721a59318bce6bfb5b3f57465e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe
Filesize
184KB

MD5
f4bea3ff55b3783641151ebec28cc225

SHA1
5a09b9e3764f6950e77c8602db1eef927e883eff

SHA256
2b1c5171d41282a4407c2443f80df540a78bdd66de678599ccbe756d02123ff5

SHA512
120110220f9218dd25ce023dbe1530fade6c50982df3e15d9f1ffaea1ef75531ccff7c4cde1487f14683d101fd60c52b82734b7795098db594bbe5044f318ff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
Filesize
184KB

MD5
f2224d2b1ec83c0325c883adef255853

SHA1
37f2229819a4ec04d7ff17429453c586da2e12de

SHA256
3b0119473f157111c95d9e71c7a134ba64f3322c2493d678b42997157493e568

SHA512
0dfed1a8161095d45ba3479700666d29af54ff006067931eb19df3ac0e3dc4b79127dfc96e9e42ab08ab36e969fc19a6d0e1f11b9b53333017a1dfd5657e9159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe
Filesize
205KB

MD5
f14c4a8453eab33e7def753bc7c8c2d2

SHA1
c19dd002be344be797d2f4332e77647302b0fe18

SHA256
3896e06cf57c5e0fbf327a66d605818d396c3f71ecc88162ce5b38e31015c6cc

SHA512
2dea08cf7d530512c5f5ed37c73919a42398fe2257afac7d64774e8dd6d0ed36a3c801e942f0327eb52a28f50a468b43305b27b462fca74dcd7bed0ce4e12404

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe
Filesize
197KB

MD5
cfa6d905d8e77f2579349aa1aedca6a6

SHA1
688bb347aea9b22185ed3605696aff4e12dc88a4

SHA256
3cdde8b5e4d6a74beb4f46a5075844a0c5077974247cf73d9760bfe1de89fa5d

SHA512
3ff9c8fc99d2414d7f9468928015a38d036f0e1c5cbed07d45cf13f50f38bffef0f3343b13681f4ab66500da964d880977b4d4ca38fa2e0cf028f3aac0566aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-25_5ef48f63127987a1df52d23c840bea4a_virlock
Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIAa.exe
Filesize
234KB

MD5
c03978c8de3e0b4c0fa3b55c1dcd9fbc

SHA1
6b114574d5cc3227ec7661631164004120aa8809

SHA256
549dc6a9c7d6c6758a1302c5c899f85bac28e8c1537f20e1c2b13b34389c1618

SHA512
770ac3769042204958a5635ac2f1de0781f3c08c25a362500191accc61792342cddb2e90d50cdb2ad02af7f133644b04a08ee44170d52f0b658ddebfa72e6089

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUIg.exe
Filesize
239KB

MD5
3f38cbcfb80bdae12f063d0315f092b5

SHA1
9c3c6a807c16bee36e381fc568a3891f4945b455

SHA256
f312a78b530bcaa78acf0fa4134e2beac71acd5f46238717b723595e2946dd19

SHA512
865868dd17ca58a2320cce6b283aaf9a08f682915fd5d72f82afb207cfd4642b2bbc07bc0b3b0a678a68d4ef2857abb125a911054fee7d6b4f1b4d23f4965934

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYgo.exe
Filesize
241KB

MD5
03db5ba6459f495096e4c00cbee8f21c

SHA1
71068c52eced6fb5f13acd85e6ff5e259b5fbc2c

SHA256
59d38da315b5b1c320129181821cfa52a32af94e9be86416c65d8f0662e01b52

SHA512
6f3b7f417272bd7862442ec2b44ca784f03a90e8768f9e6912f2c9f27629c8891dbb2ac90b70cfd7d6a8c4c02bf5b0861dcfe7354eae2eaa4f5cd1322f0a26c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aggo.exe
Filesize
201KB

MD5
f48ec28e20daa5b045e0f4548503eb91

SHA1
aba7c2079c17521219c74eb4f7f99117e6497269

SHA256
ad90b81f350b9be79ae7b9a1215fea276b1bf067be35937a9c6a112b8fd28b84

SHA512
2ab9dfba1ec6e783506d2947cb308a91d9380d61b51f0bd8071bdc28d6166b0add062c7851af145680e72c6c189ac16ec9c597370d8fc84e19db0b172be38cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aksc.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoUM.exe
Filesize
209KB

MD5
4a2e2705eb226f0fa50709b6e580dc6f

SHA1
cf7af51838ab6ac1b8a1eca19d433ab3f74b07b4

SHA256
0378b44f178cce89023b22d3321d9c1fd8155a92ac5639b8a94da2010f0a7b2e

SHA512
86417699a0ce8125bb438dd9937c634422c89ac7798c0f30a94e209f9f3cda0beeb9de463fba1d1c49a761a3f357b316a45f000a9f7039e2e64210396b2f9fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AswEUEwY.bat
Filesize
4B

MD5
f1f4c80208e376a0a15fd10e300b464f

SHA1
6a5933e4de957b6cf84a021fbe851d2de2e1899e

SHA256
44deca4d0e962c296d4a8247dd95faeaebbb3a2769c48013d6ba5ba77a56bca6

SHA512
697c3b6d2fd8af5190d8735ce889a40cdbad7940d13dc096a3debe2c293f33c3f4d8b7aa41754e2347de4e8b098318f5c085129982fadf2fb3d93ac4b8c19365

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEAQQEwE.bat
Filesize
4B

MD5
0a4f91d468c9e2ba42294012016ba687

SHA1
fd0557b478668de26ca4060fcf2596889dc3ae00

SHA256
fe540562593dcf2bfed65b33d2841db741623782157b18b871bc4fc2438ef071

SHA512
331587551fc8ad3703bd5ad2ab0812c21ec12d17c6f1fb161155b86ee2336072f6518029ee3f86a8a80f50c745e9648dc7ff95e195faee1c601a5916e3ae47f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuUMYAco.bat
Filesize
4B

MD5
5e87e785f1d8dd05e394585dc09946db

SHA1
8d127cc1295c8b987112bdd9e71165ceef129d2c

SHA256
3ac1690d4cbe876f60ed4254bdea3fe08a86537ae6b766b6130277a05df8bb2e

SHA512
cf5216261419400885cd8bcbcfd621fbe3065116332b3cc9c45a0737f957f842997894f689ab5816b027e25d47f35ef457de7a35f576d6b6f70c0b41d023aa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAog.exe
Filesize
245KB

MD5
4f67d72ead8424587c8a9305a22b0a86

SHA1
6f2e3e7507bd97a87a1ff33c27f15448ebc8196d

SHA256
3ab3e0fb17c14c8caa66c41f5ee9ad7901b977c742338da0b78224b56bd07346

SHA512
9c0eb8fda569c71c06a5a7374985cdb433a79d300a0fe275ef679aafd65bb7ff4f520f2d115c04c595b1664feee7670ec6f2dbacba245b90867cdfd33cdeb507

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEsA.exe
Filesize
233KB

MD5
b5858e652f0f631d11f654dbd2245608

SHA1
30310aa7012a8a3c3d956f75395b7a03aa737d63

SHA256
531248dfab76c6536675c8c942c90c6aadf64a22b82865808a014daa76b71a72

SHA512
0536a79e50fcfd5c7885588c4ebf0fa54ab1b0594fd50700fac637fc609d279cbd717e27683c3cb462a785badb29c1d48a4a69aa8f6184497bda726dddfaf47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIIw.exe
Filesize
240KB

MD5
f6b8180bac0fd917f9bad5d38297ea0e

SHA1
06599aa9787a06cd8c67a91f6121014062c0e518

SHA256
9fae715b9b40f7e47cc94f66dee5b0acb9a97287d550a31eeabe13b957d8cefd

SHA512
1ba1a383e86e10bc05e2ec3e275ede5b0fdef2c0a88a9748174c1eadd313358c9575059a63fab07f8f24b26a0139d45a56aec4bd37466d651ccc673d2a6741b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIcu.exe
Filesize
227KB

MD5
888476226e69446106ad50fcc1d3be74

SHA1
68d1c7eb1fb81ee520fca8b6ea10505506320501

SHA256
d22d5192cbf52827ec7f153fd9e0a6a82d42437bcd4bad6b0ee07f410190d10e

SHA512
5e031e6894d079e9cf111addb269c3bebb15522e4c3e3cd332374ec6064620ce273ce2bbce0809baab5842e4eda915aa2925e0e4c605e460913543de96db5415

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUUEcUcA.bat
Filesize
4B

MD5
376a7da650f879e1939c9d04617a5946

SHA1
27d4ce95f21d680afc1ffcd4988017a30b50a44f

SHA256
5992ec3e5b64ff37c5cca2e6a1038c7ac13e5f8537663954385f2123c3fd5d1e

SHA512
6361946b6ad66116fe7f17aa9ed0f3b8532283e3838b7504306a0578760d7f76c16931d25b679b8a8dcc175cd6f4a8a087f02fae6d3127e46515fc0cf584c54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUUI.exe
Filesize
183KB

MD5
8ac489ac3d03f4ce9cf598be00d2cf66

SHA1
cfdf37e181ccf3e7133e09d6e7787106358aec52

SHA256
a354cd9c6eac7335801a1bbca92c417943c65b1aee4e5a34397f0ee438eca6e3

SHA512
0fe2fd8e4fb5a23be10d2ea9de7b5d96bfce267552990dfa6683792443135ecc862cfb07ad2c6be4c2fd3f0096e00aba540c6a077083d816679afebaf21fa7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CikwwYkQ.bat
Filesize
4B

MD5
659d404028a05249ea183359b168bee5

SHA1
029ee46db62678bc6ed82c6bca43e9e9dc7031eb

SHA256
acd5261acd8a1a666f2f7e70ccca24d1cf3da1e13f224a9b74997fee701114df

SHA512
0edfc2f1b74c1627347b2f6030ff0c98cf694dc5726cf13bb58dc02bbe0762f670fd6cbfa4bbc78d27340337516ce608825181fbd5f28d7626abfca5ed7f4474

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkQi.ico
Filesize
4KB

MD5
e1ef4ce9101a2d621605c1804fa500f0

SHA1
0cef22e54d5a2a576dd684c456ede63193dcb1dc

SHA256
8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0

SHA512
f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoYA.exe
Filesize
235KB

MD5
b542522ca248914765dbadc19044a067

SHA1
f83f98cda985bce2a6cdcf7c242e7c021e15a571

SHA256
5e04d5f32f7cd579159068c71300cf5ed6665badc33eb5e5b81d6821d915eb04

SHA512
056aed0afb83f27d6d075c12c6628ffbf7f65ec9739f6836055eea8794904eceed564017611aaa9a8ad9fc5865764332e4ce7022f74b6c5622ce416cd719e3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsUw.exe
Filesize
240KB

MD5
ad545bfebd54300d364e535591be2824

SHA1
1759e8ea2bb249e9bfa99d72d0883094acfd7b15

SHA256
c1af2f840da0e195b52ea0741faa10d34da50461924a852fc7c5b7010ea77207

SHA512
15f5cecb367c2a6437459eff80f04a9d1d61f9763d8cc0bea038cda740bfc63db5a35781bced5a59c5ce9fc3265ca6b1a8de90f9543e672ba5cd58efc8e127eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIMAYEoY.bat
Filesize
4B

MD5
30e232fe4a644b161819616f1ee7a80f

SHA1
14c8de2d98948aa733349ba6bdcb341f8b3a6608

SHA256
4d1bdf257357e626adc6aa513a7356f549ce49c607bb813a343dd601b79e2430

SHA512
da92c680c70e6972dc45dc178164015e49ea9a913aec6efa4ff54a0c9977712dcc26d8bf41c5cc0b634910326f700f3c71ed260a6ce720a7a59afc2dbd11208b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIwQsgQA.bat
Filesize
4B

MD5
4a00a8a7406000a8eba2f73c901e28be

SHA1
1c415cd8b0862adc8b05ae1b1a64b271a0b1531e

SHA256
83157c8579d05359bd5f10d1309da00903a9f2cf5eb05d13adc07a38e45e5487

SHA512
cadeed4efd23c4dd56bf7ff6fa2352b3ff02ad95387c053462574b1b4d6b3695d9bac7d991f847f056b38379a567dc615b5c05eac03aea9c5860f0febc4103e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DWAocIkM.bat
Filesize
4B

MD5
265de0e607f46626c8f2675ac00ca913

SHA1
031b66ac5c48f8aa04bd9d2d9d589cb1ebc05037

SHA256
cc138c4e5bdaa5c773c169ba09115e5c90ca11e78e48586fba7b0c9ac5300e59

SHA512
426e8ec81508ec1682e4e6ef65e2e218e232960a7a64260d89377a6a32780332f5c11a15869d27182ba9576aee19382250f8fee391c80967ab549e693add164d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQEK.exe
Filesize
235KB

MD5
88f48f133219a3a1ab6b2544398f7a43

SHA1
a13573eb306d5ec8b3109feadc83761998a4de85

SHA256
daa42c26dd1e42e2681a2c396a53406925f6e315753181040e15ea39231ef5af

SHA512
ecf82c046b83ff74aff8a34c564e2633a834780f0e61833ae55d478a092724322fedba67fd8dd0bfdf1eb2312ac09b88f655e56e8c829f4901d88bfd0de188f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQEu.exe
Filesize
940KB

MD5
9675437853fc6a818bc57a6eab9fc8fc

SHA1
b61cd8624403ee6e4f4816c47e94563c1b90f54b

SHA256
60fcf17e7964f75fe5c03eec6097ac2d79adb44b14b62bbe4f13d22ae12b64df

SHA512
dc0ecd26077c92d8d02075d56c12cc132006f9beec1e6932acf26271e8f600ffb47b8c5f5cf2709d7da6c3085189cafa2898304cfdc87d471ba4e129613665e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUQa.exe
Filesize
648KB

MD5
a40bd76b2a2d7ff89195df3884eb4681

SHA1
b68d46faa945d005434c17d4a15325049d3d258a

SHA256
68d95f2a81ded0494664328ce41d3ca387658cbf9620cf2aa433e85462889c53

SHA512
364f91aa1ad5bd3d01c979e48654a939fdd9979c1b9e1f8f6f701f241bd2ddc8ca90220684ab303d0cd496c6d6dc45d955d805d4e8be3715d53068d6bfcd28b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EaMgIQEA.bat
Filesize
4B

MD5
808407c79ada90a481b3ffc9e81bc714

SHA1
db771b04c2e25c5333824a01b8db102af3a89a4b

SHA256
91f50ab3f04ee2ca8b2f8e797f57e88a34e92229ef8158540eb9f30fd59d45aa

SHA512
1b802180ce6e91d79b4f4b2c9c9aba853d4301ce2c54ef237b57d46a8afe092c2b9a28032a7bbe4093f201ac28617880b26b1b5b5daf3fdd9d9b43f662aac4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EksMowUg.bat
Filesize
4B

MD5
5c4186e4142ad1e0670ea9de1f72d8c0

SHA1
6813fc27e4c3ba548bdf099a976badaea3e8b438

SHA256
bbf2209672b256b1f278ce1d4c153ec8197d16ee88750518ee0d1daa9c258031

SHA512
90f71ad0a5812cee14c966397254dbd083f27a433033e76971312e63758694731869b698c24ce767306fc2e49f682e51c7296498fb271a039873698f67d0cf73

Download Submit
C:\Users\Admin\AppData\Local\Temp\EogO.exe
Filesize
585KB

MD5
e45f55339529aa6bfa36b1393d072ae5

SHA1
498ab717bbeb974a47f88cb7cf481d328aba1a2b

SHA256
6d63a7d245f5a2678032e2291ddb90be8b9baf825f866b446c8778627b1a7268

SHA512
afcc14d24a671da2abc8ef95ce90e115ecf07658397c961a4865de42ff5d87ee57d21ba5f2c0ff5ede2c04dedf51bc0fc4fd6ffa2b19a3b30152f272db332939

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eoog.exe
Filesize
247KB

MD5
083ea0cf0e1dea15f6e4576cf6189c40

SHA1
486bfb7dbd5ed1d439161ca73b24a2d54efcd2e0

SHA256
a259763689692628bc55bc86ef7cfa1b539b173564724c9abae0bd290726f2e2

SHA512
b038bd16120f6a207d5688b4d384f560d5e7db7ce4d87609ca89e2dc478c8e699891d1a4d519d2d7ac5255cce31e84b5e7e2b1d63335ffb2ff448cb91bd26c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIoEIEgA.bat
Filesize
4B

MD5
602901743d2a5874fa1770e3ef1e0978

SHA1
2bbb4a40bf61378ae7da07341b51eb9c9543f75c

SHA256
79586017e7a340882ed2998d15d544af00c4d73ffcd649c309a812d2cd8f59f3

SHA512
3e4d51fcd341bcaabd517c985ca417253c6e5b2c22242612816eaf364deaa17673602c57c35022737e43482375d0f90fda464a67cdb37cbd94e1df3fa0c01be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FscscsYY.bat
Filesize
4B

MD5
29fd54d9f7d4aa3d7603c698ea544692

SHA1
082695c3dbfdbfbb0639ce261dafe9702405ee27

SHA256
4f1211756880fbafb82fe02289be7bab2f76a589b0cfad2bdb713637eb81857f

SHA512
e2107e5cc11d8a513e5d1d3ae5561e8d48eb4df224810874021e329c430fe6ec9c16c8b15ba2b696102c484675024afc258eec31bea01ff8c8ef940d63a6758b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwAoQows.bat
Filesize
4B

MD5
6cb1abc4b0bdc0ea0281a46050b31fce

SHA1
8b662da4f524a2dbe9676af92dcf5afd551fe838

SHA256
32c0f44d4ba3fec653bb156857bebbe0ed63f6137a229883ff52ba33c97468db

SHA512
769918577409d4e9ad4bbedc0489f7086c41a8fb8149d32d3656af22e5252428da7ab128daf138d72587410500a843a9bd24530798cc892336d966da63e8b7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gccs.exe
Filesize
251KB

MD5
cdcf45f18b04df8877562122fef9c3a0

SHA1
019199b59d29de86dc5466974569b46b1c40d9b6

SHA256
bcef7e1c671e07e79d0a68328c4ab6233556d8441329381ef970a03d3e62f226

SHA512
30da2aa9ce1b8fed885ff0b4dde48572cc4ce7b308d78042467a6a3fd4d957e86245ef60672b200f1979e79537225ac4387ae931c6f66c7923fa42b235895f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkYm.exe
Filesize
4.1MB

MD5
45c942a706945ea4c0db7bd663da1d06

SHA1
8b2caee92ef2e36069d1a42dfc8bf17331767109

SHA256
6b57b27137bd540c34d475bda606edc79d14a900b748acb753f9f253c75620b8

SHA512
d911763569d75372e7bde0d4cd85ca4935fd4f284f0ca630f821ac873cc059d0cfa3513dde3a8fbb86f4f23fed17851bb9078c9310bc1419c484dc45a00a804f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GmEkgQAE.bat
Filesize
4B

MD5
484fe115d20a1fda6ee5138742c06a6d

SHA1
30099ce56977a599f32bf30c7ee554215db04cb2

SHA256
a99c0132866bb26981f7973046dab4032da5698b88e4faecab12f44f89f59bdc

SHA512
499c0103345b389b374ddd8fdc1911f086a666cfb3e08c266689082995d4e94426153ac58eede2e486155b4182b63e1c4c5a5f5151659d3a3f95db1af8c3e4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoYI.exe
Filesize
238KB

MD5
f1c9a061ac79354a061bca2cb3425d73

SHA1
02b9ee93a969971d9fc24970aebe4eaab6f51aee

SHA256
8215ed6ee7f384ac83a409cb508c65d52a6c19282e0bfed75c58f142c329d2e1

SHA512
6ebbf24014ef5c9206c8f4263644550cdb0d3d068bb24d98f1070d440e3132079b8545ccf07a9550e5d48f406f5030d0b570d56e93d62810b2be4fd1aed01770

Download Submit
C:\Users\Admin\AppData\Local\Temp\GooC.exe
Filesize
241KB

MD5
6bec8a40a4cd067751402f3bbb3bec7c

SHA1
c681c2f00dca69abecead91d09a7777c431aca07

SHA256
df232be7d2f980555faa2eabc7245474823ebc24b067bb6b5153976450c82599

SHA512
d9bb09faec631175bbf0aab1231f052584c12cc9192729e306db06a46af4c1122b9ce5c9a67526820ad3c637ee217f4260eeac43cd52ac453d68a542c5a49a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsYEAUwQ.bat
Filesize
4B

MD5
32843557ad437601da99f87f13a19026

SHA1
6456e7e5bc580b5266ecb635b2431a2d639643d5

SHA256
257eba0028c4f41d8e4af9c9fc770ffe15eafd3ce37032824f2b21bc9d00f50b

SHA512
6e67017c8962a4de0576e6036614edbe156bc83749d940cf63f2fa373594d57d36382aac2aa30a0efc27d7d31525c986955c4c56d91fbee04f5707b192261d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIQMYMAY.bat
Filesize
4B

MD5
b490ec71d28a4678e800147434d80537

SHA1
64f911e6f418101cd4d66f84704962611621305f

SHA256
c8d0757b6a4af333687ff23b6dea942d345ae56860576cd7e18efaf7324b3977

SHA512
fbe0f1d93e5b90a9768d85b731ac65ec3ccdb67b3292551521bc47d47105028541325f62c45b8ce7ec5042ba6dddf9a0b6801f31667f0f04c4c767b18cf55f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEku.exe
Filesize
183KB

MD5
e2b16caef2d6037c89ac8a4d19f62fe3

SHA1
138ab4ba90b34aab8a0ccda16ef10176cad81350

SHA256
5596e8d9107ae2941d05e5d5e8d14c97ba7e835dd52dd303e425aa8418a3ecf4

SHA512
3194a08a762a5eba69330a043b44d1b59fd7766e7af9d2539f853512b2b0c7fa12fd08650ef576ff58fc58cb1dbf207f80689e8d213fc66fa570d4bc564fdf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIAW.exe
Filesize
253KB

MD5
850222257d85fd6118832266711dac4d

SHA1
6e225ccdb29812d2ff1054bc5dfb79483331f8e9

SHA256
7536f22fa9ac68a2897dd8b102724e3cd35ee4d332224cc87dcfcb81a8790e94

SHA512
c873da80abfd84af713627df9fbd5f871589c9f4fc169c9866b5af227067d09ba26cc5bae7c9e0d226fcc072d39508e6ed24f227d3fd756e813e5c773332d689

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIwc.exe
Filesize
585KB

MD5
9d9b34c771f075cbe54a2ad74780e801

SHA1
f200591ca670ceb901fd5ff410cc3774551b8a00

SHA256
a2502b5a368cd63178fa1f7f01b28118a26df10a69b9918af4f3cb6971085a8c

SHA512
da13e46f1f8222d859e6f55e64f0e069168986f3e8026d29b7f2ebdeb3cd30e8d3c553d059e2978904af6330c34173a5b79b4fd2f04fe166f62faab713be8a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMgm.exe
Filesize
366KB

MD5
24115c0ef9d01df6f844eab663e9cea7

SHA1
de78d3d0d145255eeb50a4f68114267667e7358a

SHA256
06ecdc8845487db7620fc9a17fbad958e6dc2c9797312210551d04cc18a50d4b

SHA512
423e4035f4a9a9100221286ea598e6a37098cc4fc7bd27ed8ea6119403d8e1b3171f2b0bb976aeb61865e9748c6c58e0fb9c8b9625518619675b5cc83cf3b44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMoIEMsg.bat
Filesize
4B

MD5
45ea2cb9b5ef07831567e0153df8ba50

SHA1
f22d4e1308d30119ff4da43bcaf4884de35c361c

SHA256
56f8cfc84e8ddabbe4cf1c28cfe8cd4b8ce077d79e36606b3583da3387377ff9

SHA512
c73936738ce9de0a89b02c46e5f1ffdb5228ceaa76e33a0ed260da990bf7fa8def2d0512ec304a98edfe495708469825314ea0996cca19e1f8594d1f53f8cae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUAEQcUI.bat
Filesize
4B

MD5
df593fdf9ea37c0b1aab16c9536ca5d2

SHA1
1bceae270f57dc11f5a529cf911495652e0e9f09

SHA256
68cf42b9ec317e166435a368381d77a3d86ba565f42edb4a832638e078b99dff

SHA512
31fc40d71bfa3b7344b2374890c0f0497b8e358cfd6205ea22557166c00c5bcdc778d024ea68cb75aa16014f6617355557d9b443eb2af7870913cb86ef7d68ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IiYgcMII.bat
Filesize
4B

MD5
0a16da3b16244043d5be96def1da4c92

SHA1
931659b58cfb43bc0cbfbc302565c21f749c7f8e

SHA256
723752d679f69f2fbac021ffd08954726d2e264fa289493b9658910ab7986d8b

SHA512
41606c9b66d83e5b33089bf373efde7dd7ab7a046e3de08cdf1ac790ea7465595206bb502bd215cd8c75a548f0307ce44cd45ca9da603154eaeb471250577288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikws.exe
Filesize
198KB

MD5
8f41616e790490b76411ee9a5d49b7fb

SHA1
e638db3c8a4bff86c18ecd4d67a4ea645154ef8a

SHA256
66474270643a1ebc86b196e47cdd89b38ea7d0a014f3a6a66385193be790ed8f

SHA512
8d63c7536af42d73e54dbd65799e323412f904de01394c58ec5ac794195e5ce21e18d89dcaea54a0d3dde5b3bb98a70ee33e1ab5b43d1e824ceac9018aa3ba19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycYYkEo.bat
Filesize
4B

MD5
1594e63b88d708f42945cf5772387ce8

SHA1
bd0d05d35518ec6ec4f52b31faf839c29f063d71

SHA256
a1422b3422168b0b0cb2e678d70310ff67c7fb6fc2edd11f0b10fe29917060af

SHA512
b0460a37705058f1566163e29934769b40fb264ad6f4bff48572853ac4e0277ff425a55fbb911f9a835194c6f922da2335a3dc4cbad1d9056acbd4d47e43e73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgMIMgIA.bat
Filesize
4B

MD5
f03c9c3352596500b581b4c1643cdf94

SHA1
1651e455cc818d728025f64f5d5c5f8ddea8fff5

SHA256
66a4e4c5f568d95a0d35957058ad9e8d3e76b57b9675f92e9e87ea38c9eb50d8

SHA512
2b88965cda426adf0ca0a26f1390c67a9f78436f177da55d35e6460fc0041ff9baa36594f713892c82713618fb268785acf6a547a98e3df964f1cb3558fe4d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\JiIcAIwc.bat
Filesize
4B

MD5
7b0bb3104424ccd3ad1a3c6d2accc273

SHA1
7d8c18071522780d9c4c9c73568b19a79fc6ee6f

SHA256
77093ee92b9a0032fb3216ea1aa78004a10bed19f8433eb6e752a1eeaf540c1f

SHA512
d018af069278b708bdb07a83606d0f0c2ede6ade728e3cd48ccd0da11b2aa2176120392546affc04bfe0550734fae5d9d221aefb2438a218b9502bfa607952c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkAQkocY.bat
Filesize
4B

MD5
6a146838f0ecb4315dd8c353a3af5ae7

SHA1
cc3a67ba29cdabcaa2b9a6a3bc0ce0142d7888eb

SHA256
fd8a9d3081369e9566b023d0ad933f2fb4feb9db55073c6313ab7c58ced92f9b

SHA512
a5a64f0fd6df10919fe3f971fbd690407fc80e89841b8d94a741bc0ffe6b28451b6a4f45eb58f9091bca181c3e1f7f59074607d20e1b21736287f0f964920627

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIgwwQow.bat
Filesize
4B

MD5
c1cf18f38845df8ee58589b0f6d5ad8e

SHA1
7df483e8ec7a2607b830ee0f605722c6427027d5

SHA256
5152023932618eaabc62fa912d7c7aae92d7c515f836322846c65a55dc748509

SHA512
149c5f0eb6f484cf08d6832fb709da0b9b8c1964f68eb47ad6b1ad2f14184f097d213462420cc0fefa5ce20e2d364776f1125b3293cc73bb85ac31e6ddce4153

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMkQAccg.bat
Filesize
4B

MD5
34e0dca34c07d4705d019278326a431b

SHA1
595d494584bacdae1197bc2d970727ee47c617c0

SHA256
2751a19865a9eeafa9275c06443addde73bf420c65e9eba08b2f8b533c5fcc5d

SHA512
28e5e497cdf9456ffa1899f0848ba4ddc5589501814a526cc693cd1f767a23b8fabdabae89d2563dc531f4a2df2c45145f6970927de606dc2eea5b9b39d83cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMwwwMgU.bat
Filesize
4B

MD5
b486fa1872d726b9780cfe16ecea6a7b

SHA1
cdc8f743a53869884708cc6873d2b2bd0fabd608

SHA256
ab92504eef6a3422f336c641210a49ead3fb08234f76ff7ae7bdf69b962cb69b

SHA512
eee35659e246d028e56c7cd9a8c397fa4a8f440d6baa09908fe41eac94ce73a2e2ba402ba8f0d174765e946a1619f4eb706b376a833a5b946034f51021027945

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQkO.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQosEQYg.bat
Filesize
4B

MD5
8aaefb2272f6d343955f7f51fa4e9c75

SHA1
abdc07c30da29aa8f2663974c7baff21f55bcafd

SHA256
06b7623bae76eb860fc4812b86b05a396110b60d4e1af4fa0bb13a1963f0b591

SHA512
0a1458f5c796dc5b52630f78aaa2514034b1574c3f826a4ea904464e2182bb94144c15fb2c36dc0786d35c911c549e93f4c742a0fdc598b0b63fd50d402079a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUgU.exe
Filesize
313KB

MD5
fa6865dca990cbd758c887123e6c4ae2

SHA1
652afcfe47886022f8674a1ee3f7d6063a4cd5f5

SHA256
ac191b5d2bf9ed6c3c652325ea6490f1edfb5822639471184bfcf5feab3c40ff

SHA512
f14cde4a76a42aa34b145e5506c52864c3db51950b1e48eecfccb1faa89d03674f0c248957b094d847387f8d6b3749da4acfaaf4b31b2c0bbd7b0ff581153169

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcgY.exe
Filesize
187KB

MD5
6e8a5a066f9eeb8b64e97423c22de8ff

SHA1
8f26da9b0552395684f666e3dcf8ee5b20dd76fc

SHA256
4559d6ac797024693ae1c8a2a60e0dfd65344e5a8314d6973d77fa135194ab87

SHA512
d084409b3cc9fad7c0f77b1dfb097c19cd993a6182292a434a4db4e4ced0da8eb9011e162d111ebff02a648d2ef8d98c128fe744d79d84784f23aaad1755d0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgEC.exe
Filesize
206KB

MD5
f7841ff1546a98496aad11cb215e524c

SHA1
e2fce494eaab0934a83141c4f285bf96cc1839f6

SHA256
aa52c891d294b1308febd90f197d7796017cc812f507aeb66628ff4d5405d338

SHA512
7a2d70eb31d78e9486e3a7492014512a70d157a6fe4aaebd47eca320863856137a301300d32c2c2d6c3732d1f7363645edd956188e0f091e80f82b50c7f85cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkAW.exe
Filesize
236KB

MD5
648841b3d700df8126859f12d8b3f33a

SHA1
1f4219a68dbc97e35958180e07ceacc5d190cb73

SHA256
7b16e1f8f9d94b5dce978c5b6490fceb8128301c356ab7b40d6c649f783f6fb1

SHA512
57bff9d06664b7a0f0aea1f66e20d9eba736fded6aa8a86bad4eeb625c0003d883d9d73b41c0c6932db38eca4db8e306e33f5a701517ec95dff09b92682c4a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsMy.exe
Filesize
240KB

MD5
5ad0d7769f6762285ad39239e53ea6ad

SHA1
90d1e28a5b12e2f322fb0ef94e54483ce51a95a1

SHA256
131f086b3b26338e73ac0c9e63e1db4b92dbb85093293dbfcaa7c2aa8723cedd

SHA512
7b86029f9ce45235fd00cd88fac03915f74fc209a265ba7b69b952ebcb73a388fbae8d22271e1e016c672f69b779f5dfcbf958b191cb0566b7887a1d48052aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksog.exe
Filesize
195KB

MD5
4ee0f12594ae2a4951da1219ee4109fe

SHA1
f4bb10b05a6950003962b7ff817f8df2cb540118

SHA256
f183292c6a93ca64c6fb9cdffe901b4792bfdf91b38305500b378d5628872a18

SHA512
17feff4573d91cf7deda6589b3e36a92ad204e71ff16c5a5fa1cfefb951a12cc146c9095ee869d9959f18153fe86aa82cee9d29b69179c8653798cd4bb3d787f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuIMQQkk.bat
Filesize
4B

MD5
170e6709e7536c191ad97a15468e70fe

SHA1
5bd340f11c11ceb63a63397352a8f969a7ac19cb

SHA256
eb1408d5ae687c15cc80b8b3822710bf8a12485c8cfc384922697333b83affdb

SHA512
2c96818bb4c3fdd9a79dd45d3ec3d98ac0b51d1f9747701fef6415a7e0103e1f66c71b2638fbec70ebfb47742734c635fbcda69e1e992927cbb48453f4fa2bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMocsYEc.bat
Filesize
4B

MD5
4ca2eebec49d952d3beab81aa20561d9

SHA1
474ba790ac250e5bab6b5726289100d4488e70b1

SHA256
e8cb68e6fc064a53c9149e798c3415c2d75b68068651971fb872264d9fbfe70a

SHA512
a267a55af0cba40ceef73a5c77dc99159b1dff18016dc1e1e65647d54e3fa28c4dc73e647c6a9460119c34ee82a0997d6533fc891b1c1de5fa837092020c5e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwosYIIY.bat
Filesize
4B

MD5
0f10bf8802eb7b21a126d90b2c9d9e6a

SHA1
ab817fc7e84afddd0b0dcde7998f2e0af759061f

SHA256
4ed7bfe4dcc62316964f79f1f0ff00cc46957958bf20220385da69886a1bb27a

SHA512
3f9738d3b09df4f2a65ae0e3ee065cca87f966d1a5b7267b5d8706a0300e56569f390af40eeed4d3385ed6897ad25accb4986848389e591e3362568c7059f6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMkU.exe
Filesize
181KB

MD5
2e129d8a1aa6f27d049a16e27b52a7c3

SHA1
7159094968988190b3a98760ff8693a01e5109a4

SHA256
da4d62602b406af7ad8acfe7f62a5fc6d5478b0ae9fa2d1214d4e3809bfb6658

SHA512
f68e412b70f74ea94a05ba17492eedf8d83807641f402684bff03cb803abbab0fe69c591ac8675cd4da35fc92fa20ed9fb29a6e9cc96b02b99124b5204387a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYMa.exe
Filesize
239KB

MD5
0fd6dbfa64755367a86c6f2fe40e6f5b

SHA1
258f0da03964e1f6088e16e3ff2a7882c10e9043

SHA256
7baf51ceff20d24bbb9ea476d43b06624c934f47369f8203f63ded6ae6a0632a

SHA512
a25ee4de54187cd856d27d743634b49b685bd6c7e7654b0919537696c9f885461ad66ab687425df96a3bf86b0b44f1779bd269d48a1c966409d8a0588377f478

Download Submit
C:\Users\Admin\AppData\Local\Temp\MooO.exe
Filesize
769KB

MD5
142327f96297160fe3c500c6de6a7460

SHA1
29ceef80a80022f8639f519b498e8f62fb8ee4df

SHA256
acc9b4bcae0e011434908e449e9916d27977ec2cc711b0d34de6d4dc40c4587c

SHA512
e85f000b9273d322addf2c1d4adc52959b6f0d83b4048ea6e490daad3b68684e02eaf94718ee9f0680ed10273ce622824e3a412245c01bdca71b0cd13b64fbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MqIsAwwo.bat
Filesize
4B

MD5
85b4b6df0ff3dcd093cea42dc4d6cd6f

SHA1
0f87a6f967689545ce7c73b3d87760db0b81628e

SHA256
5e8e011a995968623481fd6baf00208850ec140e14c97d69d57eb2f14d0e8084

SHA512
005e2b8934cda5552ea105bf49c6754a2fb553f188b8c2accdecb7d294080e10a1d407d42da051364fa2bffae4ddb7299212fc50d418e62771f29707b7258d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwAQ.exe
Filesize
228KB

MD5
cc77f2df6ec499e7d59835d62f049e7e

SHA1
a673d65a5d884ded2297e820c31fb747b9233a8a

SHA256
af325b67316d6dc46c91508f4e277a703b75b551cedcd48fb3770ef8ff694e5b

SHA512
e5a25c3bde5f046ae3bb82cbda73b52b3d4abb25b65623db854906dafb685b9835c255d9f005eee209c75ce9a6974792cbe1d0def9385f48a60170c24af6edf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwkM.exe
Filesize
203KB

MD5
64b15979629f612faca0c9957cff6e14

SHA1
e3775b364dcec85dd849b4ce4491107356ce6e2d

SHA256
80e38be2622dc4ccf7b94a03b24fc3fa6ea1e4a40b9ea711d2b49d8fda2e16a7

SHA512
2ab11a4fecc5a376cf3d15e2551bd081ad2f237612aea0174114622345a31cb5333f78c01f2ada1f5bbe96825737846d07714b94d8bda27d6636029133c8f92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUAUUwgY.bat
Filesize
4B

MD5
85add148dbc5a76eebf51621a5e45f33

SHA1
3cce73ce5c27d6467f0605380c6a1400c673d90c

SHA256
36b917549747ff302b86ca2f3df327f8d2ac0fc4a925196789e60a70a8f142b5

SHA512
a4141c634632ec76d6c16756acb93c6636b03abf459b5d10082432ad4f6a5ae03151956546b4d59ab6f82cf5c9751623327eddf5c6e44105d188146f8f6df380

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkYMkYQM.bat
Filesize
4B

MD5
bf7b6544a7d72bc6f7169eca2ba15b00

SHA1
2608aa1e0131ce21f3b5a2d6f8d14bf99d338fe1

SHA256
1d3121da89ad8326181b8aaf38e2016a39ed0187e772bdb4adaede47a88e2997

SHA512
9ac70b944df0554046249d3c66405f84407b03f2916b2e4cb630167f0b606ddfbe47a89517fed8bb92693695461205497692527459bf07a34d133fd5b10511fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAMU.ico
Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEsW.exe
Filesize
1021KB

MD5
3c915bc6c79cf028f74861f6a4c94171

SHA1
5c4278f56e2cc022af76aa9cd4149cc211405dd1

SHA256
53253324c04e3aa43f88fa0abd93d265dc6904feb1d937c119eced740357837c

SHA512
18902f78174bba3527b1a59c424440306280d5bbb85fcb378c5440f8d4d6fd89da9eed436924f4fa411765dbc933cc162f8bc197cdb33855076ef8d3404a9f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQEk.exe
Filesize
323KB

MD5
caf5f62f172e1dbff3180ce4552656a0

SHA1
ffb3c36f4d79af7c06b3c32d7c9e9a813aa1f191

SHA256
ed64943765a4f677ee8e886b602b2769c56984740d7705acefc06e490c7568a7

SHA512
1ca16ffa407fe051dcb033359207dff8079cbd4c6be3db11dab2501a044e54da146182c7459373ff3118d718378085e448e60069db109253607fc405894ab353

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUYq.exe
Filesize
244KB

MD5
13ea760dcbefe56822292d7a04a18585

SHA1
128be8076d6580a8e5de20359b1ff53ee70d48ae

SHA256
c62d9aa36b904927c8cde4b9860f0f8ec30189d069a9321f29dc19a3f7c5c15b

SHA512
2ad3e7fa23cd1110493c9965bd2ce9159e67ebe76363d3e42b4f52d95bcac1b4ca14832f7cf91f8e9b2ce0595e6f23aaa6e61f984759190d309e5e255e7ec589

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYUc.exe
Filesize
4.8MB

MD5
4c39d97bce9e1655ba8d2ca358bf836c

SHA1
5a82d9db0bfd05bebb530817d30ad5d6b3d6d7dc

SHA256
ccf597083051aa75031589c601863e9628fcb494c4d91a4f8f9da6b0d9104b75

SHA512
dd8f8f02370cdf78f97262b5911e6857742476d8a739cfab9a1388aafc2a837eeea0373249d877f33ba2a615e417d710f2c0f094c511a2be269488ca4093a945

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYgA.exe
Filesize
191KB

MD5
7d8b8a75793f3bb20f1062cf3178d217

SHA1
f882bac9fa1090d9e380602d4591553eace026b7

SHA256
c43f45479c4cbb8c64aa90f5999f3f3ccd39b979d19db9ae0f5358442b6f8068

SHA512
5b2aa9e30b3cbe43ec0a037cd69e57d2dd31da17e6737cc1e00dff030289a5f5ebc72414ebd868b5c91762c576590324e63a98780319cf0701d2cb7655553889

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYoq.exe
Filesize
239KB

MD5
14fa8311660c1915d1c3fb02c73e83a1

SHA1
91fa173924366d7d280614eb22750c665031fd6d

SHA256
7be3280f024c653a40afe5e22ea2269ead255cf0b967df7180d006222e8fa84e

SHA512
ab30bd5ea47245346b93bda7ef6339c491ff6ac50a6ceabb59601d8888875f95744f26a27287956fb03b291cdef12e098f050c54c99e60db9b32b599b013e959

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYsy.exe
Filesize
1.0MB

MD5
8fd898cbee57352376b878427a217a4e

SHA1
78485f224cc562e8311d8ab936d8673e8ff8fc09

SHA256
918dd92df36939cafebf88bd40080bcb48e49f9ef4ad3af24e4bf98bc52cb172

SHA512
15f25d1296a6fe52c8d22b6efc26568f5c888b4cee587b9455c9c0af2ccd9bc0f808cf7cfc1f0eb668752d35cfde1413f9f915cd61328241e2b5da0e00380b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogsy.exe
Filesize
946KB

MD5
9bba2834a856c64a348ef2ff902d24b2

SHA1
ec0ce8a8684754b0ea9a67d15cf2475cf6c4b17f

SHA256
ead73dc4c4c59a34c91f9d45cfd8361b6c66813547e44de103223b985c3029a4

SHA512
daae0dfa18b1f767469c2458b51ae5429382786fbf2e2de91aa05374dd65c655963208fe704a1871b9402344f9695842c0d5bba35b17b2d5e4ef94c475498a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkYW.exe
Filesize
254KB

MD5
721989134c8c350c717cc234e5b5d370

SHA1
a54ac39770395100182739eef04b9dbca7379682

SHA256
0f0a728937883c8dfb9a003fbd21e4b1918c00def9650fd113030e9df414b558

SHA512
cebc34d32e4f53c101684d5217d06d314fead92650c8e2bb016c91e7b3f3de52ef81b047fbc40240e740f33537a3ed01b4f8a365065048b9c6fede9430edb9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEO.exe
Filesize
958KB

MD5
e48c2a60df0c939eef62fea75fe5170b

SHA1
9755ef68460bba429b46ea87839b25dfd325c283

SHA256
943f4439077c0a0c6f6eccd84800e5f616db9fb5d2f6cf955593a81a95ee7775

SHA512
93d9c73dc8c9700e7c23356ce487fa3abb1169d186b783d1c95576f6754b8f401e24ce0da7cebf093da5d8ce4014079e02429c6eef91e2c86d39ed22f708aadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsIC.exe
Filesize
242KB

MD5
47a09cb144d5829ea9522688f896d7ae

SHA1
68fad331f32d9ca74cdee0e2a4be826550054317

SHA256
05beb1510762665ba6272f0698d40fd07bb003dd6cdc2ef7f694dc136c48bb48

SHA512
2d9e42bd0623c014a14caf04828f1cc8c9a22bddb5f8225c720ab551d00eac5932fa244703785d3b3983e8faca9ad20f0f3ad0787f2da37c56436fcfe24f0cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwQckcIY.bat
Filesize
4B

MD5
48fcf9ce7ccdd61c462987b840d2135f

SHA1
a7c98614da7fa61ebc440b6a8c0960a968a8a6c5

SHA256
82a87600303f0819db9cad4eed6b0ed6716c09465795a55bc2f7ed0f44a9cca0

SHA512
4710d56198b52a58e5734d9b12495d7e57c1197eda6df379038edd70d2e9a4dd2cc43e1c25179de71544eca7b364d49a3baf339b2099125599bfe858a315bef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUMUUEUs.bat
Filesize
4B

MD5
061398c5f0b14b908ac857fc2f157692

SHA1
b1a859f2b2b126b37e83c1b45b455fb2db27b91a

SHA256
34ca3d7f4085f0c64121cb4a0c1b050f3d7ac676c299645dabac5abb2cc967b4

SHA512
eb55948f12872b69263c5d50350ad676ffec0f29e930a192ae0062dafcab6adb5a7436162af03096a3f9e1e7a68de888cd43c739f0aed407c712c015940b68c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaIsAQUE.bat
Filesize
4B

MD5
9d30c56552273840c966d3dfdd78ce55

SHA1
d9c3814f49b6093acff50bf1fdd4334001b4ea25

SHA256
edab2cfd38fbb25580d5b1d27405a5d3790fb66ea3ef2e872d78377d68ed2bd4

SHA512
3f79fb2753e3fe07904dd0570487140d23c67a1b6da2959e864cc41bcead8cb4fbc3d96b934a9778f1622e39add2dc12dc45553c6807430cccc354d7b2ae845d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PagcokUo.bat
Filesize
4B

MD5
fc310addc175d1adf9196e4c48657af8

SHA1
1d326f2918abad5505422ff375ce288fb1e50956

SHA256
29b71c2a8713b6bca4c11443222abf61c72f58f619b3589c892005ac63f2190c

SHA512
49e62f2b2258d90eae8a2c6ef29c6c20b7d6933e93dc5226ba16bc55581b145653a0f4b5563f36961280820594d3c163846fa90d9516346440ec8bea74c59824

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwQwooAE.bat
Filesize
4B

MD5
20a3038763a6cabdd7b1ce3f82a90c5a

SHA1
6736e8afc18e3b16fc239e735315fbce049587d5

SHA256
c66fbca0bce87f10d8ed5d3a5525a6a3177dfd5f69b5ce1edc9b035db741c4b7

SHA512
13a8ecf69dfffa171a6e4ee4421f2ce4ca3d937bec7e764dd73708358a0e41652b8ef241b362f1ec00757ffbe6f7786060a5656f8be162a9c6ceb822cbdcc673

Download Submit
C:\Users\Admin\AppData\Local\Temp\PyscUAco.bat
Filesize
4B

MD5
770b45d3b40efcd93619663d245c86c3

SHA1
77ac24a0b03d0af25443b15d215335e7e59c6ed5

SHA256
b7670239e78985f8fb41dd80c84c826c100907b8b66934570dbb5d2cde73a41f

SHA512
26207a587f3e52cb5d89274909254a8d108795163c68b44b4945415ae823ca7db548b91f62721e065d730a2715d5290ca2602b22392000bd81c1f84f2a0f8ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAYW.exe
Filesize
454KB

MD5
e17573f4fee7e5c544aa921d743d3e21

SHA1
9b04f3e468cc33d1ac7cb2408898ace0117fa60f

SHA256
02c0f3089a83bb02adc410edce5cdac85bbe97d776c1f427c361d2db9bda6139

SHA512
22116f95ada6adace5236d52e392b99df55ab164ab7eb7296870c98db38cf13639cac112e3b0259693549c5a067cccb17de2ae44c97032409e2cc87e294a92a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIgC.exe
Filesize
1.2MB

MD5
7c83314610f136876dcea6eecfe42b83

SHA1
1b6d434443764aae89ef55ea4428263d3d6acabb

SHA256
028d290e8fca0de02653faf4b36d0c5353d07ea34e421b1196845cb1e40760ff

SHA512
34d15a7a2eede41d86dc50b45918f27f2c663fe86444f208059df850f314c77d980c513a559779b88febaa1e426f11538fe183a07cca845971c0228281332ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIsA.exe
Filesize
959KB

MD5
d71efe2afa761b69f971398179cd59f8

SHA1
8fd62100fd8716e2f4f8239004f4fbb3f4c0045a

SHA256
860798dedbc64c1fde286bbb86c4a6da200b534deb8ba0fd96c84ff95bca6d12

SHA512
e1ec79b34e05a5fa44694b34dfce94bb1574c7c62e4371be4ac202080948ece1583433a67a5f8b0fc856f1f80441e069e3ba80d8c5596d9d1c4930bfa7c7d3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSkkkUsk.bat
Filesize
4B

MD5
ffd23a89fabffd08c82433888129a4fb

SHA1
d63c90eb7e7078f3d5b54deaa308b88e499942c0

SHA256
9823a8db2e9454c4f56f4bac77707bb88aac170cf0781e4e1f4204e2fdcf98f5

SHA512
a6ddcd0f11ba097360b6b2067578ac150d25a310d4174b0cc8d62cfd29b869b320325c7672e56c2a7d3796b40f9e4ad64a4455c044cc6de33a689cc122d6f350

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUIG.exe
Filesize
247KB

MD5
5278210050fe7f89547703abe3ec1baf

SHA1
218d09e43201b9a777482a49378564b35899a06a

SHA256
5084b083a75340013f14099332efd3a7512d7d27a0cf01c0ffd210394beab74f

SHA512
bcb8061e021592263d3e2d7a77e9f91070931b5a772a240d37a49b268ab5ecde1028adf9d38b7bff28d2177393db3bd4eb1667d191f688a86cf12d77c391c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QccY.exe
Filesize
239KB

MD5
3ca12fc6c779859e6d59bd4935739f35

SHA1
018eeea21ac7aec8b13bd0d951f50d4e05cca764

SHA256
bdd9d4ed1a08dea10f8065ccd9ff4ea87c9b73e3e728209d2c4f46ff718729a0

SHA512
52de010c2e9f3b9d6e08e9c4b1aa7213ba3e8582ac9f8f6b25483e00466f4b4cf4e5fc51a26881eb3bf1b15327c79f2da84efd0d94807e9ced6508e4e84825b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QowO.exe
Filesize
930KB

MD5
58461968ae5bbb58f0a496c8c6bc98bc

SHA1
74ba296f4148c86681f8a90a2c2594ce4b4d24ab

SHA256
2e2cee71841dc88506b44bc2aada52bc36d4cbfaf92d9c6afc72e8eeb5d36bfa

SHA512
749e6dd0ff7a847bb026476cc345f4129451d0720962e7a17c9ed342d3cd0307abcc7e0841230392c44d888d16fb5b7acd751193c8d9d00278d130fd9705863f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCkoYEsg.bat
Filesize
4B

MD5
e37b6414a4fc88c628bba9ac43cb015c

SHA1
34cebf564573417d3880a9bc7b65c56a8d2acea1

SHA256
3cb9ce979759a74fcec7d52960db8d620e092d847cbb52199740e842fc5ea5c0

SHA512
d0fd7b7195f9323635c4bf6d21f41ae22e50d4d2af6929772728a32a40e2d499ec78d12cbf33fae033d013cb00d0a709219f125fb03af68d1b4b82fac16b582e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RykwwowA.bat
Filesize
4B

MD5
311a05cfe4f1a2103aa438693f744d45

SHA1
486785af879de2f3113ed6b540fc466fad123e06

SHA256
c4025e5ff53928406d942090c1bea48e89627a38a9e51a8057cb71a0dd92f9a3

SHA512
c00e2172510931eee6657dec17786a1714cf78524121b9d7701e8bca93624dc162e65213dfbcec745a345e1026e947d00211591271362fc8d0c1075bdb01e817

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAII.exe
Filesize
245KB

MD5
cfd5d2413e8b49ddd5486c8e503213c1

SHA1
9603ce7b81238ac85831e521956e2806c6572ab8

SHA256
c1cba53454f199e6879ab2bc0e64a6139d8139cb777515a155bf6ea9ebcebb04

SHA512
fb9b29fd069d3a0aa098805051fe9f67b873ead6d0e1de11e8cf68aec576a196c96ce9122e2b27b8328d29600d410cfe0eca778ee88820c45cfd910107fef378

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIAm.exe
Filesize
705KB

MD5
ba4aaa417577e5bb21d747232885d83e

SHA1
8b9e045751daeac9e162dc4200c687c848270aa1

SHA256
e6730e9eec8f8cf475c26d9f5af6545ded40286ad380b3ed4e04d4b275c7644f

SHA512
3f013a663adbd5d587190ab1fb9766a22a372a40e9db9e6e231e704913c814cb7e8cc77b3f113925972f9342aebd9840c84c389cd801e310241fb7c7ff8f0155

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIso.exe
Filesize
746KB

MD5
d95b4b33cfc97b2b94cb7335cad66aa7

SHA1
b2cc940a609df18582c959d47e3e82247c426709

SHA256
7d901c4381db13a2c1cd76aa2bad4fe9207ecc84909d2b622c03428c334bc5cd

SHA512
72e10181a3374c03ad42556713c3f6afea02b8457dbe3cae4456c466a2c010bdb2fd73f5e02d05f7dbe1358301da7198046b7684befc9ac484b5902d952f8ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKcAsoQI.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUwa.exe
Filesize
241KB

MD5
6fad082cc09575e87a951150d07acf62

SHA1
def0566b7fe70f4793f4df6b770b60b1db2c8197

SHA256
f3e5f716c53c43cea93649c97914363186d956798eaa70dc206682434b83764d

SHA512
77607478e8149b967ffac7abed4352b82759fae00f875532c8187729022ddcd6feaafe02e94996f9f4dd2e0c36f8e0bf4c3ff2eeacd15599c540bcedc1ed1a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUwgQQEI.bat
Filesize
4B

MD5
08765154b79964f0f2c0a9159d751a14

SHA1
5170eed45c776d05a878c6cb73df2695248e07ab

SHA256
48e0c8337736df15e54b2e9c8ddbe2f22a671f6b062ad7a98337c45e5cbed196

SHA512
9697c51c235ace922779e2d74c8bbfb1127896535aead49459ac89237cfc81d5ca40891c9b9ca59d4ab424e02be622da7a6041a5b161d0b22acf511d38292b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYIYAAYA.bat
Filesize
4B

MD5
3926be9a7bda2e5ad13c143590ebece7

SHA1
5da7eeeae35119b6688e7cfe932aef07072ec5f3

SHA256
6eb6afd039ffdfa4009a4286cd165a019f0506fa799f01147f09fc5fe5cc8fd4

SHA512
32d9fa711f9f17256502ccaeddcb4b47d011bc585cc93aabf70bc88616844f3557ba74bbb55f426543cfdbc41113a49b9501925812b4eb33256ba55c6496d526

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeQAocAg.bat
Filesize
4B

MD5
626fc541bd8e48c7d61c52e720c93ee2

SHA1
f2f012652e4d3d26ec1e6be5e639fe54b61bbad1

SHA256
c082c985d9b67f414c5cc85e8bc93755b34baef536e6013993512d209544b743

SHA512
558324775a7de556c9608053d92ddeb81843e03a7fb51b6a66b3abd9a95bc372187313044cbe2448aa81b36dd772eb8ca51bb2f73a51fb4f91ac537061170116

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgsU.exe
Filesize
335KB

MD5
fc1dc089683e237879ac4e3765e99f1c

SHA1
f25600cd25484612e605b43115efbc524af1fd9c

SHA256
04bb9e920d0a88af9ddffc3f187b8ff308a2b561c34b88d0a6f9177b1d554894

SHA512
b68671663579707e3e789fda5c1f97f19f155b71b7495b7ebaba3646952e0a46ee3b795e4325b97a71cf39a027f8adc458129f95816f557a3218d3bad91c35e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIkwwQQE.bat
Filesize
4B

MD5
45f680bb6073c390843696d1cfc385fd

SHA1
f66ff8ec67008db0c896ad42b9496b6c1d557a93

SHA256
95411659b6212050eb001ecba5962007d5efbca1e555cbf336df15f490b72286

SHA512
4e3e28a08201f2ed666b6a779e6b7d95cbf69c038742f1698e514fe08930f3671fc82d076d10bf398421c0f2757ac718f526c46eee910cee5aa6d248023b24a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TccUoYQM.bat
Filesize
4B

MD5
c20b0da6dd9823d41924f45a1566fce1

SHA1
ddda4b753a7c2856b9445bb417066b9c1de02d56

SHA256
f074521156e280640652bddbcf98fe504822adfc03c0aacca80380acc521ee68

SHA512
ef83adcdfbf141fdbe22c3e98fb0a2249ff0002f5af0815bb9096bf67f42e631e96efc04896cccf5b115da0f628676805aa70717807678a77f97df397c701bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMEU.exe
Filesize
240KB

MD5
346da98bde17e62a6319e834f82a2e32

SHA1
0e05dd4d19749b79f55a13f9e17b54dc2b1c7771

SHA256
32c8bee0987f13286a7abb65e692238f632c835c75fd4611df1c51ad3ccb450a

SHA512
54c50fc636fd87ad7e62a2932f4e14c6f61134d7d4d9b18fbe5cbdac3a61a3867878b917179ebafdf8fcb362bd8ac506a8e7e8fcc17323a415d8039dcc3efe75

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQEoMoYw.bat
Filesize
4B

MD5
83cc1c842fe757a79cd785ecba1bb05f

SHA1
867406850f4d2c27adc9f57ca66bfe24f0b58431

SHA256
1bbd1ebd16baae0852032b8d6e262139832429dcf167f66175c88f1550f92168

SHA512
0c7200dff7ec3eac81ba1083c3c594f4325326a80375e075d629b0901d640d4cc6372513e2bba6250df7d8e49f09dd804359741ab3d36396b317a4186810cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgsK.exe
Filesize
236KB

MD5
a79f6a4153e3c7a6bf1a3aaa8552b22b

SHA1
2be87c346fad00efa8cedeaa505a3fbe013b9e15

SHA256
b263b4f8ef666e0380fa94b54ff7aa5ee2ad47145d76271af9af2e5304062ff4

SHA512
c2873db401072483efd9302859d2d24cff07ab393286defb2f5798ea7b229212d23ef85eafb9f917d7a9d2915ecfc41e72299ab2a8a462f1b57bf0bb247b6a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEosYgEM.bat
Filesize
4B

MD5
8df3375e3a74c79a11963a1142b4ec66

SHA1
6e0b43fc1953c332a538e4a4eb59e524a31d1d26

SHA256
d9e546dbb5607889d3db33fdf7a42dcbae34dcd12e1127fc039e4cbb9c03509c

SHA512
fca6d829e19f183a5ac68fe6bda62bd5a27658e52ffc37b05a196ac8b59af445a26c33819821bfc17c95e7bfc7e0f3aac2943c2ab285ac52f7836802e7b1d35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VKccYkMI.bat
Filesize
4B

MD5
e827c66e149c2c9c69ff42028a9268af

SHA1
a6b84d4959731f0d9b2bd08e6a736adabc5d1a99

SHA256
99461680d9b1d973fea33fdfb89dc5044bd6abf321d724d9ffbf29ba47f54deb

SHA512
b9b3765e555c736fac67d5e9085cbfca47fe7fbb63466554ed7ad4edb62cdaa51067ccd7c1dae8cc6a48ef1fbd06f3389444cfd62a5d9ed40ec71c666c9a8c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUkgYscA.bat
Filesize
4B

MD5
fcda39a49924044166159e5627c511be

SHA1
e37d0e8e38a8afe0710d5f174579b1f8a74d3656

SHA256
1a936bc698e1afdac239475df3d734bab5d588049fa4d04455fbdd1824e5ab02

SHA512
fba0983d1be16db9fdd1a7db8ceaf3e7274137c78f518aec211036943a2b38bc1fb7eb41a732f22e77d93d1f1482943a318e92add365ac4552ea8ae58ba90b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEcY.exe
Filesize
829KB

MD5
a6f5c1abd090bee12a8d65ad0e46424d

SHA1
39a348838c53bf1231001a1b8138a35e0138f2c0

SHA256
9891aee364958f4475df059b56d56ca56e3f03ca13d834dca1481b37e040770a

SHA512
7a685812530849382581c109b1df4486263735c9ff31320ef328519449960ef56d97daa9626044e96b718839660c5d8e77d16e22e33b23d5b390e8a05aaa6fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIIwAsAo.bat
Filesize
4B

MD5
279259cd032292383b3676431768e745

SHA1
99bc8e97f08044185e541c08837e7aed321bef54

SHA256
88fd631bf37d6b648ffe40768f9f5bad3f416b280443a63eda6b223db685edea

SHA512
dfdb1da11e0aa1ef5582afe8639c74fe643dc6a75a2b686631d6222adaad9ad18cb2374aa89f790ee9f9b069be45b1d4e654ec69e4d6c29e425626d88fc88fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIUe.exe
Filesize
236KB

MD5
e4f1871f4a200bbfe2d2e42710344106

SHA1
2b67a6986921f11c254ae312cdc4d7a8158ceeb4

SHA256
a2dcdca0c35b66dfed1be684753c215e123150c2c538d6004aa0980c388c3049

SHA512
eeedc100fba8dbdad4de1b4a8b38b0fb82f0689709bf6b5296587ca74f075e5241e73f8887e712ae6f4ffa0346d36823ba504d6e2a53c2985a736a12ccf895aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUYO.exe
Filesize
194KB

MD5
f4b517b915dcb215069524c70b9ee8f1

SHA1
288073868a552883bf49ccdf0ca7ba6d03ab573c

SHA256
19f2645402f056187bb8bdb41435ef8ec8bec5f55350872ab170f9c4f9a24e92

SHA512
fc3d4d508e06b70ffa7de6721b6fcf680e73e9eaefb75b0998f86bc29029fc224bad5982c84fa4bc38cf025a041802f881c698cd3359ad6426240ea0201576e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgQM.exe
Filesize
252KB

MD5
bac1729d678b5f0aedd64fb20c3d804b

SHA1
901361cc45d904fa38623e153332ff8da1dbb8ab

SHA256
7540aeea4a317d319b7db5e85fdbb477169717f3536637c86679127651c936ff

SHA512
931270ce3fd6763c2235e938876f02b22184258ebf151415634c8fdb9acc03d9e8bd3e9e38daeace51fcda4b08b92234befdc2ba28146687936f2d664dc2b50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMoEMUMw.bat
Filesize
4B

MD5
5add02796bf728977711d72c61d79d51

SHA1
94d9b8d592845a0bcc148b86f21d86ae6af26554

SHA256
e44649ae06085f1ca6ffa280cf7814ecde0c71cd57b9b156b98f4d37daf33951

SHA512
bf075788d994c19a4fea4bf25109087084ef5914083071f893b2f605e0ab00d9ad16f32920761742746de557f895992d09adc32bbba64dd502b682de6cbcc084

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkgMgwkQ.bat
Filesize
4B

MD5
b35d2b1a14d7e725c4ddca8f0e9d8e1b

SHA1
78dbe6ba19c7aa24428f165527559959cbbe9f08

SHA256
3248a2e8b054e20e24db7407f75a8bbb43deaf49f6a3c89be11855848b83a123

SHA512
0f9003d6af50c3d2441cd67e47b6de7ef3105321a0586bb11c540ded56121c0b09f5205b1324239c736cbaaecf635a59ad849abaa38d1bf1bb8d0a1a96bd4911

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQcm.exe
Filesize
242KB

MD5
a9a2bf6566016c10e289c5c16a43d6e2

SHA1
2509af9cf6adcced51478a4d1f5bd088d8e59820

SHA256
45bee9ba04dd1f4bf5e507c97caccb8650fd0a0a2728006bb1f8107f2a4dacba

SHA512
8e26ea0fc3c78bf76e8dd9ec292ec4dd241b86392fae6e3c3456cc7cff3c3a764fb21e0fcab34a8e00e42f21d9e2c9f31e347490d684b0a01bc086af98c7bbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUUcUIEY.bat
Filesize
4B

MD5
0235f6aff8567d9c2bf7b7b5b172cbcd

SHA1
fb4ea0197446c159bb91af4ff56b1b8628c417ff

SHA256
a7c60b9fd0a59caf35d817c6ac3eae6d75b18635e158c7c2bf967ba0aaf68b3f

SHA512
fab82d185a4e89925bc662ce3e2c0d30e5296a1d5b433671cb51692badd8c75c974284361463df62cbb722c950a0d2be359d1a3d3216415083eda5dcb9994b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgUMAoYc.bat
Filesize
4B

MD5
60a06a641f45cf40e969b2fb4dadb9ec

SHA1
77028a77b130ed04e055b4476b7d38098ac66450

SHA256
fea5aedcde14a699d5752fc2ce8d673388c04c729d9653a481697e11553fed1a

SHA512
327c9541d15e552e8100a1dd7adc3d64e36f945f8853afe5ed78c514a7a278edfb4d624da30a47fa930e926566a7e00da872e8d60cf7ea229f608340afb19510

Download Submit
C:\Users\Admin\AppData\Local\Temp\YiMIgUAg.bat
Filesize
4B

MD5
2da59d2ec96df6b39115253962d87533

SHA1
2056675fac67ccfaf222300e8114f535859ce794

SHA256
c03f7c5850102124493fddd58aa956dff4d250389f1e47dd39b6104f8f4d33cf

SHA512
5b81f331e50c5526e00a303fea4788b3018df553acf43d94f16731c63e7daf4ca18852e1672377cb834c15117e194c347892ac4e04cb2c00b51cbee32ea35ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkEo.exe
Filesize
214KB

MD5
844e07049326314fb624453440d985d3

SHA1
1c1142c4924ff74ed00cea88d883235e5ddd9076

SHA256
0b0d6811c5544cb58b640ecdb2729a32ea7a53a01b437c332239848f9d09693c

SHA512
f9ae219e41a0542bd8003fc25478268d0d524be6a71f17b7be4ba2043c7c259c745d73aeb1c34151e07076d82e62cef1ae9882f479a83f91982e03459f382fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkQG.exe
Filesize
244KB

MD5
91a1647fb64000aabf432f3f3f3c5bc2

SHA1
27876e48449588ab73c475796c88b49b297d7b13

SHA256
81a34a000ef83af893625aeb930cbc8b31ae062378e825937eb64f2b90c1ebeb

SHA512
32ccc03caaa7638aa7155c141ad5c85bcc561545ab8ba8f6f3e2c2a7f22366055f69b2b1f97de8f0ee018a04aa30106fea29218dd0076da9de4470c41d4d97f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuwIEIAk.bat
Filesize
4B

MD5
3ab8b7f2aeab07124746969458e3b246

SHA1
dadad5612836969422bbaf810825c97d3acb3d3e

SHA256
86fdd3585b0f9104d6f1dbc07426ba0e302d0747eb625743a6cc9ec951b3e442

SHA512
ce2faa33bd98a14cb916b8fb118d4361898c89c2965fa88446364d83af16e0a144ec66e0ff777ac007832e4f87ba36846c09b2a48dc1afc3461ded00de091f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwUe.exe
Filesize
198KB

MD5
cca60682164bb9286cd9be039a368f8a

SHA1
0550fc96bd6d465bfe1eaeeabcdbb9a9bd643829

SHA256
2658554feddc4d6680d9977a6581f9c53df124543128af129d4c03d7527ffc7b

SHA512
ce5140e45dc8b3c445754f2e91bbe4b77f3c43f17f5eb30c033723c80f72cd5205dd7297ca155cff17650f21666544aa3d8da6971dc7bb9afb01de237547a148

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEgM.exe
Filesize
200KB

MD5
129773bf516e98c0489228489495bb6e

SHA1
7ba10c06efb694e7588d09012cb8f2626eb60102

SHA256
7c350253d655ea48e6d74bda345635a0731c53993a1e0c8f5a4cc57a586283bf

SHA512
3a5342b6778af8c6d293f30877da9f5b0399459fcca8cc753ef4b92f14d6c8f60d7863826502da64c862fc4d944568480138574bb4e16574760474c558c1e1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIEA.exe
Filesize
239KB

MD5
8d22b2e61133b3e8e4e3cf0e020c2b91

SHA1
8da43ee10c8d3202d3689111bc1f16621d10914b

SHA256
aee110db9b09b3c3310cc063cd282e7454c13a7c3f5a8c9933d39ee78d09988e

SHA512
a3457b8ca9792059c782ffeb5ba5b0146aa13814ce3984b022f4b5ae60ea72d12f10d8c648b42aedeae0a92c0751b8623c4b48fa9007ecfe1b95b9797f68407e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIoi.exe
Filesize
1020KB

MD5
0e751ba8776089cb8813e3bd42183de1

SHA1
4e3d535e7f20c075b43fce0e64b2574080127421

SHA256
f07a0682f71c15f312bddc0d2fcf7f984d3eb3f6c22507a4d7a62bd858182d53

SHA512
1b310cb066422cedf20186d61f75854f8473e434f84dbfef410a23a864a86d8acd19faf76ce4b9731370935e6a9f4ccaecfdfa981ac989fc90fbf5880fbb85cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQUm.exe
Filesize
234KB

MD5
4f77d736918a61ff5250cbcb429fde90

SHA1
0fabfc90cc79c9f10c6718c20481c7d80d42601e

SHA256
3bda935f2a002e5e0c0bc9cbd33328d6e26529fa0607315e8763f40cd36e7a32

SHA512
276a52bf0bd577f6f93d27dababf19f85c05d0377a6974cb1347425aa6aeff93e3eaf629fbc25af1346cbd5fadf39cd253792d034093bb1fd5fa7c27fe953823

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoUEYIYU.bat
Filesize
4B

MD5
881b4222893c6815848246f5662044ff

SHA1
1cf7627128417421d247c8393b1f6addf8578de2

SHA256
38f4f5792cf3176fc991081b490f2e3157b335da9ff6a07f7fcdf7859ce45264

SHA512
9c90961435284166ce79168825baca56936bb86b00a14bc044c46ff3a83b54e4d0bc3eb138c271a1d3ae6bdebfcff6363c28a7eff45876b5a058447179bf74e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqUowwgs.bat
Filesize
4B

MD5
5cbc440828074a0be0ab83b5b487ea6c

SHA1
be6b12c08a6f9ad5d0f8801a56cf3126daec28f4

SHA256
0971d665f2f55774def17a672fa602df7522f6e98119afe3828e7ed2b9bd1169

SHA512
fec9c0d8ae0da2b6432fab23e6b4cdc2a683dfe74e2bbb94027f62c1a9081f75d4bd409fc5bbe0747b396700f95bf3cb752496d253477c9df5caf799e61691b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqwcoUoI.bat
Filesize
4B

MD5
2f250e8e71095fa5edb3efa5fe815dab

SHA1
e2a215d84b149cb42574bd01144f08301746e466

SHA256
ece7cdf86d406b95277164f991223548f81f05f23e06f6a306e6643902e17755

SHA512
76d57157a49bf6a69bdad524da421b654c9712a146cf3ad66e700918dbcb7d62fa9884ebe712b981b0ded71ba2989e6ff87c34ae58cf19b7ca286b6c7511ed50

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIkK.exe
Filesize
227KB

MD5
50954c4cd70f3560a996a80fde4b26e8

SHA1
60ef3130d6dc36f84f65f5faac12455e790d219a

SHA256
5981a6bb7d93491340a932d3e28ca9937167c73b78093cde7e454bd8c3949619

SHA512
b939b480e5009805fca1e91351459666c8c2400ce4ada8448669d2b55873eeaa9bd1103ce912e3a12babd3ad0512763d276c594aad4a9e0c029e9725acd29a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQQc.exe
Filesize
235KB

MD5
8919c56e2e34418d146f26b0629ce813

SHA1
7cd714acf8ea99f4bf1fdae4ad9e340d43425153

SHA256
32d371e5820cf5dce9217df2b555f360031735c2672fb4f900e78b631e3f46ea

SHA512
e351457a679606ece10a2c88c16f9e647e0c9bd0e4066cf5c3837deb02da920fa5b07eafc8dfec7cc4129ce0562bd4b6c240357429d5e2dd0adc436218a42db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQkk.exe
Filesize
325KB

MD5
aa8b89880cb8a98f1f944bef34c01335

SHA1
8a8c51b0b533a793a560c4600d8255cd4c49acc6

SHA256
5e3982acfbe42d0d7593662867b45c786a15f9aed49349646295b6f9ba44ad8f

SHA512
afae7121692c681f855fbf7e8e9d7be79c16a2b10bbd31b510206ad473e0056243f82fff3df8c60b468712db638e76b2d4a2dd28d0c3ae8312f88d37a3ce82d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmEcAYYw.bat
Filesize
4B

MD5
5e0f7ab0e9716d6e85de45d37a7ca537

SHA1
de7278a5e9062467189b5e533e95906fd8d17616

SHA256
54405736407ad8c667b13d437cc1c4a68d1fb671b8b75914425fb0d1dde10d1f

SHA512
5db759283c549293e2734c3d681bdc5a585c43711786f7e8a8aeddffd874c8c6343de7c17bab37d6f1e31f2e29800a35c8f30e365af682a3de3785f203874242

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCQookws.bat
Filesize
4B

MD5
9b2352d044a4d91ce856ad98540a72e9

SHA1
04d6eaa7a28db5ab9dab3a0e699c71ac982e5c4e

SHA256
a5c35958425338b61b09a56c6c51a8b6a6d5d65133c70c2cfa173fffcbb3d74b

SHA512
7bf7dbcdfeafcef6a1e0dea27b74bb0501e468d9213f0b4ac31dbfd4056eb227ee7cb8c106ca9eb95057dde542e7af795eba8a949798cb9672ad5c9c55b62d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQQMIcYo.bat
Filesize
4B

MD5
d5a189d8afc0a8eedcae4e3d8811cea9

SHA1
c3c128bb564d823be6c04fa4541d820f0940613c

SHA256
bac45ecee7424fc3777426ce577cb027cf3ccc87c500ec2135d9cb9e366f02d8

SHA512
68f9e75fe50564e9727d56ead48288575eca20f600b4764ced2bf923fe06d7e4b71f4b39b954ab638e6864f7b7e6286c7f90b88ad6b9171a3fba792f2bd37af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSkQwooQ.bat
Filesize
4B

MD5
783c75b4e2273b32a0b7960dd12de994

SHA1
2a57297a524355b36c5de73162f0978abdd06a68

SHA256
f9c5c7bb07e9023134f7495118dc1acd5eeaf2ee92efe3d04412a84874574c52

SHA512
5a987bcb659a94c828bd1079376dd385c275fd605e2f33b64829eafbd38dca529be1e1d786a84956b1a8eaa75a5b838db1bbb502821b111c829883023c7b319d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSogQsMY.bat
Filesize
4B

MD5
6332dd102863e1d58963007584214f8b

SHA1
b59351f628752c000ec79af5a716126b1ef435bb

SHA256
fa25e62e1c892dfd072656ece21072328b7a69cb127801d576cebe4e810eebac

SHA512
acada5f0d0ccf81c9cc730fa58777860261fdad41ae0a482678cc766d3e5410c0de1404302018b09146004696b52a116be55ec4e26c76b208ac3f26ac0d93e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYgEQUoo.bat
Filesize
4B

MD5
1d06a25e97de06f24b7fe7e80e586568

SHA1
f8812fa60efb4ee1f4cfd79e36068c43c94bc39d

SHA256
947fd762ccb9cbdd2cba24fc3d966e7aa09006acb000f3a08dcd67841e89791e

SHA512
52df80db86f1de801b1eed40c75b78d672aeb3a1f1aafac2be41cbd5241338e190d3e810994bf9a7bed5ed9ffd5c74557d2a99f7edd5d2539ec329ff93973b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\dawIEAAs.bat
Filesize
4B

MD5
37d20fdb5955b57534061d0172997add

SHA1
cfb0b81a278f64465ea23ae37c464298ae4c64d7

SHA256
60f9fe8e4c1a67424c2713fb962a5cf73bd998d8f858d2f8f2a8d466ed72c4dc

SHA512
302183a47dbc4373351d58888eccb469667160cf0b76116aaca81a6d31c91446515dd319d6a69695ffc530378d666884e46192ed66930e0c13defd335e8a7d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\doMsswkc.bat
Filesize
4B

MD5
10eedb61b9b647564e648e09680c4788

SHA1
993047a69293b5098dc209969b42a6e8250f2f35

SHA256
b2e2276bcbf3c4e88495c142ac781c819d1e021310ce3697203098361cf7791c

SHA512
7cdd931f3427e450094aeb0a06253088cac0728e3eec2018316745db9ef93a010abad01b562ce0a74e0af3a39e34f379c180f8ff710317e46f149defb18c7c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEYQ.exe
Filesize
1.0MB

MD5
4b5945c5defabf3ea7954c3d8748b063

SHA1
6e0b819a68d63c1e8594714a7241b6d81e6a1016

SHA256
51b0613ca47f047477ce18c9485519631c41195e9ba98ead6bdcd09695cd506d

SHA512
b2ee1cde44e9ca1d27d1b51092a195cb07cd66c3fbab34195155077d49f6ffb893a63cb1114cb4a460674db226cb3f6591ca4534561a2dfdc91320469747b0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIwS.exe
Filesize
230KB

MD5
7ad0be8cfff9d372d35175c647cbbed7

SHA1
51bc27f31bccd309dd2e5833ac95fb6aad98038e

SHA256
cca15e5cf8727778ac7afb5e825561c34507205e2b91158f60e1b1d994538af7

SHA512
5641402c46414c184b1f8bb8e7f126732d3096923749c5cddd3112e5da8149f3cc04fa30c6b87518b8cdd4fe41f41390b9b466b670f5bdb57556a4edf09c9be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMYsMAEo.bat
Filesize
4B

MD5
5e8efa485e509a3e8edca165f78a52e8

SHA1
01d04d6f17204c6858f5033f2de9bbede192426a

SHA256
506d06330a97da700dd497c1c8fcb97349d5b6e04a99c23f74fc5fef46e0ecf2

SHA512
dc49db84b7d367b0513ad2730d904a8cfce56b86c59499855e824be7e404d49906f0fdf652fbee93c430f53bfb11786742d9166a707ae46e8cef6f92efa6cc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaQkYsEg.bat
Filesize
4B

MD5
09ca966c464c9967a9096afe6f5956a8

SHA1
491e6c6f8c076e21a6b3894ffda4a8b5f12562e3

SHA256
9017db171c6c455f37fb69e1762548baf5269fbd92c148b76a0e0597b65df27a

SHA512
08e4b074792b6d72e92834b8d0d494daf93839ef681a1037ed79de5558228fab3c0a9c0101e051d35b1a5eb0501e4aa6beb430d05fe86cea33582ca18971de98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecUC.exe
Filesize
486KB

MD5
b157eda4efcc1d47c12dd5ba6c3b7e11

SHA1
b9f03c274af6278e52dae4dbb1160841e907ed32

SHA256
368363d0d1919f5b17deb9852430cc4b16009041da085fd121d4526f66c5b267

SHA512
0318fe7d6201769dbbed87bde620f830711384711059d0024cad52557ed4c663e5ef668593d2f0a30fcec0a17a4f127fcc235d16e8ae6f9bd717fade86247c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewgK.exe
Filesize
229KB

MD5
4074df1c2514ad0b5e4cebc625826b18

SHA1
63791547769dee3d39df3224f40bef0d1c853c2b

SHA256
ec8a4954b769db44acc5e9ce4593157802c77ad6cf1d562d92bb6e4dd769847a

SHA512
785ac83b83e0812a2c1d4b5ec0daea364d8b2ffe1a50172b6aaa632b4653aa83f14a46bde627d0c0026e1b17dd050a10e7ab6915cc5e14c2d228a2989d1c1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAUQUQUk.bat
Filesize
4B

MD5
2665b5d0d9527527ce957c428d8b4765

SHA1
a5339827102f0ccc64fbaf61198cade09e30cbc4

SHA256
0273991c44c023de3dea71d3eacfbb0d3abe40c11952f14b8fd3bb6606ecec9e

SHA512
bae48fd677c828249a7eda312002496abd821678925db1bc0bd96c179294f17bd0289332decbfd16c45c00ed49ef677c59c0c920e4e1c5698d8e2a67dcce4008

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGkQccck.bat
Filesize
4B

MD5
f5b4d5ec48846b4aa372aef25370dd63

SHA1
9a034a6d0fbadad144c08567cbca187cfe19616b

SHA256
13dac9cbdd1d38c95ed6950e04d18273a1402ee7282d041c88c5c3edd78e2ab4

SHA512
6a8d970c1f29d1ee5c1f64208850c9ed2d2902bd165bc2470c79ac4557f1a21c363b0150d53cdd64fe3de9c5e77c8a170ae94ad54f88d7484a5c9ed4526ad229

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAok.exe
Filesize
227KB

MD5
d13b8e8d5683df57bbdfca3e984785e5

SHA1
eef8e34820c6125b27099e972d09a6d5d9de0e44

SHA256
cb4fc61deb23dc4df72a43481f00a5b6c59858434b4402fff05b9202fbd75bf2

SHA512
4666262b82689c37687c0fab82fd9db32da0561b08f65ca10eafcb11c87e3806e4d1ac737ef899aa07b3aef01ed17704514df6d8ea8a5160e04e693f5e98c365

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIAY.exe
Filesize
227KB

MD5
81a6fa029192c7b155f4798506de8fd4

SHA1
721f873a1611a4873c67de7056d183d637412c74

SHA256
25e2ed8048d1f1822e42f3700de8b73fd85cdb1ac7eee91dacae5ab9aa82e8a2

SHA512
26fe47eba73fc35cc979fbedb6eaa443f0805081288e887df06a2c1678ae6c657729f971eb43df95de6030ad2c372a99d3a1353279b888092084a0f716e44838

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIEIUUgM.bat
Filesize
4B

MD5
f617c30e3abff0939388066be0eeedcd

SHA1
33de4dc0a005088e6179247f8ade1390dfb7381e

SHA256
1d4cf9e0978c92de0e6400b5397269584e7c63ad9d53e163652ec25095c96564

SHA512
80f5962d96e55552db3776cff4844c0c1616ba96e0b9007fd40c3ca551413c10e19e1b197ef2ec0c2b432244b70c33a81efef1511e33f6eaffb52f2535730788

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIEg.exe
Filesize
236KB

MD5
a4aabdd6d029765ee806b495950a8967

SHA1
3cabb64e90585de9b06c9c520db0696ca10b76eb

SHA256
729a50d7999cda54917c8ede502b474175b8fdd721acf09683e915298b8910f0

SHA512
37ce4077bffb516fb0b871852c865cda1f5c16707826aba221b891be2604095556ca89f5f2bfb297a876b4f1d9b1a86612abde0fc495970998e3489df272bcd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMUEUkQo.bat
Filesize
4B

MD5
5d725774acbe1455e03fc37d20d3a464

SHA1
a91a793479af54f1595d046f9372a776ffd5ba3d

SHA256
4130b4f97dfc1569cf4fa43b0a3e73952e9f3c68635d86e74749ae206d531979

SHA512
8531eb9807f7d19f093c7ac473a0a307b30b084e050763bcdc49621e15756a54a9dde70269606a1a6554be245b6e968e830356b84679dc3b731247347551b356

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQQe.exe
Filesize
244KB

MD5
dfb8cb4144bc9a25734cc215a5526e81

SHA1
eb2f1ca1bdf23f2a9d3a6faa245d7da56a9a6bce

SHA256
c7dc22ecb7193036667397e2fbae3f72a3e1a93c854c828a0eca69dbf5cff48f

SHA512
10f3048bb1226d8e0dba342cbafec49e57e8f97ff001435503c45c15f0bfd292a801133495ca89b05e48fd0e64d4de8848a555d9dce711ec801e1c182ea9555a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkgs.exe
Filesize
632KB

MD5
c9477d53cc974b3804dbc73931b3e397

SHA1
bbbc59b48d52731c2b35f6a4c977ee23a96fecaa

SHA256
77dfde14cedd28f9e0e643a92c7b6d98de85692989b51c551861f89e2a53e1e6

SHA512
1f871b214d5eafb14fd88ee77346491587f2b296181c3b0838eb688c6b1eb40acad4c708da5b90137e5b016e11e0a350e85a69153319b82e0ac39c3c218341f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwAUckgs.bat
Filesize
4B

MD5
617c5144548f93c42e727002cb6fc9bc

SHA1
6ebcdc9c284813b4907feb8e44d1b3af2eec10d2

SHA256
96a33bfa55289c17137f9b8a4dce54829969b0f5ebcf08074c2e6a5c02d2998f

SHA512
0351f9a572f4b817f64e942f869f67becbac380be90facf63f41cba883be9ae70aebb7d69cdf508587d40b8d9d5aeb51b3a8865f488ccd38b3c4c2c60ec67848

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGMMwQgE.bat
Filesize
4B

MD5
193f1900b9b5ef7d68fd77a3b93cb25a

SHA1
6e0df0819df4b1f87ad83c02d5b1f27c1e66055a

SHA256
70d917adcf94e50788a6b11dfa8b3bb96321bbff5f88961c5ce2292e1d20a181

SHA512
0350c09fd8d8b176abe06ccc7163b54d19386145c6ad29e2adecf4e7cad4e54a5c6cf19253cd63a0bc039a4184137b3165e77a321b5792070dc5396f27e97122

Download Submit
C:\Users\Admin\AppData\Local\Temp\hosokYoA.bat
Filesize
4B

MD5
0042ada5ccd5dcd98296b41fcb07fd7d

SHA1
38955906c17d604d6921fc936b3a11036e900214

SHA256
f05a910740d28be1c1ae6a395db3a4fd27786e27d47985627a1e2230849fcbf8

SHA512
15973bfb1ed998dba77fbda63f75bbce21142096aaa7f30a5404c3310c719ed2c8eef92b3f238c39e06825410a642ee229d39e162da6b4b376c1aae75ea7ee95

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAMG.exe
Filesize
230KB

MD5
3d0d5d8600420b7b48cafc865c4ef236

SHA1
1d02d566431d682105c994a35be2d6c2ee33ecc7

SHA256
2cd8842524ddbb74067b639181a8a1ff0b770d2c49c15a2ea2c5dd0139c041bb

SHA512
8724326fcf3ea4660ff1cca98a9bc96fe8acab58d6ee9e3de58b6266d82fee070f975b68b4c6b9ca12d0d366527353bdac9a133ef49933041ca26c750638f224

Download Submit
C:\Users\Admin\AppData\Local\Temp\iCswUkcA.bat
Filesize
4B

MD5
3aaf106bf6adee121c06237bc879fce5

SHA1
46b9d4dafebb072de76f0d02a6b1e41e5864055c

SHA256
92de483884649b102631c4859760d3b81bb46573ced96df0d87587a0597eead2

SHA512
2e0369f8e3aa287382ac66728050f751fb72de4070339924f55d54d54cfffbea8e1f11ae289b01e8952da61a773e6ae0626f11fbcfbe4d178a844b4e27b142bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEke.exe
Filesize
237KB

MD5
39e7de1b9436f3f2b65720aedb0c3e29

SHA1
cdb6eff97be6ed73cecc2a8465b9d1230614ccaf

SHA256
f8380ec8faef6902251e5466b811f393f8e730ed2583a0e117573b3394e45287

SHA512
ed6afc40b4e03c5761ed5c9f048b9cd08dc11d13de5634fb3fd824e8638196ee733e351a6eca1e681e637137a0c8d19d65a45b8e898868a0e3dc4df10d0c27ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGMgUsgI.bat
Filesize
4B

MD5
53c768bee40f44e21cef0df1bcc6ca4f

SHA1
5123b69c8088d77d67c19a302fc1e86696ba2a80

SHA256
a8a70e8250b565fc8ce5707dc518e677928c39019c4516feb611e888a5cb1447

SHA512
9e7fb941adc3565ad9996fd89e94d6d2bd01edc4bd925774bbc4d0e7a6f30b05a13eabb73c5c48bd2c3fbd2d918505adf473856530fd24063df21aacf2f4df00

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUko.exe
Filesize
236KB

MD5
63f350e2d8d8b5a4fbc806aef6408052

SHA1
d842269bb3e77424525184f02510f221e49f63da

SHA256
38f1e446a5d1d0ad95f761c1f5aeb54914fa1a54a8ca3595d5412cc6a8e63f69

SHA512
e8a6ee4748ddfe4ec252e440906967afc13163bdf1967545ed918305650644b027d78e64d81a94aaef5a851446e82c9904392916607453c6150046d09fbc7ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYEk.exe
Filesize
223KB

MD5
ad0d6ef2df74bc64cac26b57fadd7369

SHA1
3ab001e602283e61620e0bc32ee75fa7a5ebb23f

SHA256
59738093e05f5429a14667608017e75d5c03e45a2eb2d16783a4e57b5f734a09

SHA512
06e4193ac556dae5f61ec7ea3cf2e80224232d0e1323f9bbf6d57b6452f25e321238acf736afd137cc5cebeab432686079fed5b9c11bf2bee4a3b162b39c905f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieIUEoYI.bat
Filesize
4B

MD5
c6d9e37002cbe64e6805689ab5c8c7b8

SHA1
32e23ec8731a084dafa96eb73f82a3ecb1e10aef

SHA256
718444e38262f5cab4af9663b9373737d0083507bc491e680724cb2b3286a337

SHA512
efba67f52d6d5688e8b36f6c2a0ec13606e7d620512023aca6898485a0584c7f208b2f0bb4e9c69ede620dcc8f91e9c993689aae01109ef483630053a29cf568

Download Submit
C:\Users\Admin\AppData\Local\Temp\iessIgcA.bat
Filesize
4B

MD5
b4549a8a4f2e654c4cbbb14d4ec698c0

SHA1
c35fb3ca057974d7450047cd84732ae7a1d697b7

SHA256
367eef28be0f913767f19f90f3984d420d3f2306d5d861fa3c21f535167b668b

SHA512
374437e7994e3bd77b280126d1b85e4239401fa4e9103ff1207389c5449da5dd2f58d16136149894e0a5140238de1bee57c5e6b0fc9b340b2a50f7729917d3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\igAW.exe
Filesize
1.1MB

MD5
5035520642ace7dc27025c49c3dee5dd

SHA1
08c3788bbd95cdc57de089b8e049ec81ee5e512b

SHA256
622e2cd2e2ca332f1e63e4168d57b12d4e177b35f8cdb1c384a3fd9f7df48361

SHA512
f397d4da9b621102a6fe8051fa1671bdf9c6285aac2218f3d2d7d93c3f40f209cd6cfe5f795cb8a774b6f3780b80989809bbbe6a91bda6eeddbb3314b50dd38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\igMU.exe
Filesize
248KB

MD5
5fe823cba8504f4d9b2b2fed47c72864

SHA1
79e720c39bf93d736b99ae5e5a0fb6f638072411

SHA256
f46572323f9f0d7fb7fb34fb7e3ff8a95f1616dc59656f34588efeea13614388

SHA512
b558caab54da52b62d4f9adcce25395ce0076eb6312cdb67378b4e1087071131ccfe9a7873b36e35b8abe6d546e8bba6e5ff5fa236e3a297f144ad1f13e22aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\imkwccAM.bat
Filesize
4B

MD5
8a80c000a3187d44f748ab4eeadcfe07

SHA1
6446af3e9f14c6e512e330880bae4a8fe1dbf010

SHA256
7379b06d73018aa19722b78dd19330323a01c96c7c9092025d38bb9e00475714

SHA512
f047e661d9a7c3e5287e5de448a720fb6bee62fd3654a36894b2bd372617062f4c12c42a688803854acacb5c78235f669a9af45112f727209b789b224609750b

Download Submit
C:\Users\Admin\AppData\Local\Temp\isEgUgMQ.bat
Filesize
4B

MD5
f00c049d125aa28a64a090a8609d187a

SHA1
f1eeca0d746e10a89c1e1d0ff3847fb15805180f

SHA256
0fd45cc2ddfdfdb811c12f38ff5b38c4590e728ee57910597d6914c6114d09b0

SHA512
bb4560a8f786d0a0f959172cba212e3144e072a550701fc2c963977722f65f50ac99ee4a2eeb13d32697df1b52265b2f7e32762a700f9e230093b88274cbcb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\isYa.exe
Filesize
468KB

MD5
e24c002ef9df88e6b1a6ebd0058ca862

SHA1
9ee2021f75249dac54362ff045df5c29da4fba18

SHA256
a642a5637aaf2ffd8d59be886dc7de28c71e3ff1fa11f1dd13c3e6f39de2206d

SHA512
233d7b5a3f8592ae4f6a179234440c1b78abb8e1eb047ced159004b43a42de2abbe2a46aa13f8895f692e8e19a3d66c03b07075c4c4c6d5c607d181e65961b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwUy.exe
Filesize
827KB

MD5
2e79451723872381461de1824e94d2e1

SHA1
a488b5a5129331caf7926252217dc01507f5a578

SHA256
3acced97b154f99d8b3d5cdfb2b10a669064742a55808826d03317adc1674955

SHA512
9ab3775e322898660172a9694f4cfbe7d0960d40643cb3a6ed02a57b15d051bc997dcd1ea6486cb22d72dce062d7bb76c0ea0a2f23a851f74995fa4cf33cd5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWYQUIEI.bat
Filesize
4B

MD5
528f297c258f6804ea324cf0be807a69

SHA1
4c10db1fd3534963be8ec3126cbb5a66e98b6ab4

SHA256
9dc5d5ed8c36142e6b863dbad86c290119be41089060389ad1358f7fe99abfee

SHA512
1640c005eae464c9038f3034b0b6c7f87b4ed155b4eaa9437989b3b68e593219ff068c572711c8a69896b37a7b9cb5e55ed4919101d33f75cc5547b548af5a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkkkMwcc.bat
Filesize
4B

MD5
89c4c0970934350784e8885cafec8a57

SHA1
7f011bc218a759b4ba1b6b635e2a36565b86115f

SHA256
c9e05710a58f92fa0405cf93f3d4951ddf4208ea68dddbbf36720f4af6380f8e

SHA512
4fd72feb313e911ada9f7ad9a19c88a24d4c275b1e7e3415187b6a28c5f81924db2f2b13032144a5d8880af7a60b3f890ac0aaf4925588a90b7e159f0aa5a182

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEgc.exe
Filesize
982KB

MD5
a14143190625f0ef1ee610f33439399b

SHA1
12577894f9ce387497298b4ff8b94e26d36e58f9

SHA256
7a12c32b134146c735e299eab6983cde8fa15201f4cc49c61bf2a5788c708756

SHA512
32cdf021be624425f3aee5a0a1d24568964a0563fc32d36316e8307f061c5e75e2158194af8a2d321ef41c308ba210f5a211fedee3fce31d1f746435d0581d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIwK.exe
Filesize
238KB

MD5
1d9118cc023d133d6978e72bef4bebab

SHA1
b5f5a600965364b3c13e04d742dc2de2329aa8f9

SHA256
ebb96faefbf3ffb67ad219b28c198150075af76d3a987d9268b9872ad5d1b4f8

SHA512
ffac060047b31a110ce317fd0b7d225cf62b1c5c7bb34ed1cf7f94797f61f621dca773fc6107e19d86cb8c2302fb8523672c69aa019cc137bd393376661388a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUEc.exe
Filesize
237KB

MD5
b6d2d7841439dc3eb4f782273224ccbb

SHA1
74c291044f6bb1cd742fe90c85bcf98f49831e8d

SHA256
908757bd66b7c0321236dffb2d40ee768c7d2dc7c93a2fdd679681b4fa69e9cf

SHA512
2f22daffd671cf80e654d170d7e5365ddbda475ae7edab68882ac67d915fcae20cfa9bc30ec661ef1c2c3340c3a739b46a10950966bd6bb99b592e3fc6dd24a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUMw.exe
Filesize
345KB

MD5
098f3b868e714f6c9ca4ec34ead74dbc

SHA1
792bc7819731b59bb7e4ff2fad1590b1deb517d1

SHA256
a8e9e899d42ce9f6ae458027913d5a2dcaa604ff86ef58bfcf16bc63fb8248d3

SHA512
8ab79889771cc79389ffc17415457a1491f8cc1f916c55960793c572ef5f627823cbfecec97c92fc4368f87d5816af59c75a986fd9f93ecf10256d354ba1915a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUsG.exe
Filesize
220KB

MD5
b0a8e8e9fc601b543c335e1a75e6b2de

SHA1
ae9e2ee9c105524db03fc476bbfffbce9d67af3c

SHA256
2304b62b4ae6a90208f0f33af831e8c0c6cabfc5fe6ae6540a9bbafb7d5e9513

SHA512
a4a80b94bbfe44f6e3900c700fd6e17ed69234db8fbec612149e3bfb5708621da3a3282b6ba57429a3d8225dfacdf3dc4ebd82ecc2c9bd15292c357779ddf55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\keQgAsIo.bat
Filesize
4B

MD5
dd2328b625f4313896a59a99ae4058c8

SHA1
a922559073181a51cb8b499673280672ca885685

SHA256
3c1556396cc9bfbb0fe397098b6ccea3014dbb5d19fa3d455ce90eeb5d49333a

SHA512
f41c6e34fcd377f445983dbca64abc1d88f9aad84a6199ecebee158030dc392851da9769add4fa09c925beb7bc25a7d44c8d6902b207869ad0c54cf0cd182650

Download Submit
C:\Users\Admin\AppData\Local\Temp\kesMcYUs.bat
Filesize
4B

MD5
6f72db4286aa77d013016e26aac3afa7

SHA1
5a91823fc285b2e49914253dde7e8da09a6f05fe

SHA256
8072deaa8202afca1156f7bbb95572a7fb2d68753b9e232a653009ac220b8908

SHA512
872c88921c2e0de1b99a37fff6220ed8e3359bd196337c0d4b15b52c9bf841ed9c37ec4d274005f8566887c8a68cc489953d85a69ff2eff9964fc859fa5c4926

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkcssEQU.bat
Filesize
4B

MD5
006562f0b370e00bfe2806e790e3d108

SHA1
5e2d6cfa9ebd6cbb4488cdb6a4c40db0cd4a8003

SHA256
f971f996241a1d058d3641648f4614eafbfd87787f6c45bef9c45a4ad6498bbc

SHA512
fdf271026ba1caefdea4c61da6411c402ed062df10c5624dbe1b0124e680030e1261dcc5039c8366081f8f3a2740cb9b4a462eda369f00ac2322019f45375fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kowy.exe
Filesize
227KB

MD5
36c61dfa1ef49fc42d9f121a3958d7ae

SHA1
869f310692a06efdaa65ca0a925ffa0a1b1152bc

SHA256
c373ba507bf0ec35c0cdde211b1eece354fe2fce125edbb7f2320dc0892cb45e

SHA512
e9d35a8629fb2875afbb9b2abf037a918edbf8e4f2f03599493ed6e017bd93059a07adcdb0bce588273e4c5337b38ee173147b8d9b550b5c267c9e381944e9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwES.exe
Filesize
365KB

MD5
0931fbe4954d0c370ff587a7f95572d7

SHA1
36cfa22821f4a5082f2b53a72caf82d77b701101

SHA256
73333c31b92427c06bcddec782d94b5bac1f5bfa07349de8255ca5fc4f850588

SHA512
d621b9818431eba0b90cf96070964ee49dabad1ba714b65889a8480596979ac90a132015bfa17962eab1afb6796e5e7aecffddf7a0a2a417c5c8e827f2959ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkQkYwwI.bat
Filesize
4B

MD5
a186a403944fdeab2c58fafe806b6a01

SHA1
0fdd50b730cfd7d71db5e9cff9f78a770e3d4ff5

SHA256
c83a8928ff7b43288e8c74e363099e25b2ef98f582082c81aeba5d307e721196

SHA512
b8d492f3ffdd83467b10f693db9fb1ff9527c9c0686048aece20e0e7eb44ddcc78e19244f7883c5e318bf03de148f26e86141afea7c2bfdc6841b02720e04d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEsO.exe
Filesize
317KB

MD5
1b77964e141725e53cb8ed5d10ce368c

SHA1
c7dad65de261cd68ccbe9dea57ed56823624c498

SHA256
453c2f061084715e074877a8fa2eb4239096cd2a653dcd2ffebce5257496f3a1

SHA512
6df3edcaf0943d3700a74a54ae44b45b3a626d240537590e496a03e78c4e034d3ff5f4456848c07e920e7b9fcefbed6acfa7f949b0bedc5efd3d6904a150cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIMs.exe
Filesize
282KB

MD5
e4cd98e0956c6277c397a97d850df179

SHA1
4a5914f8fad4a67544470b4d27970e890f8c1f47

SHA256
d996975bdaa95ed9285ddc3032247c14cc8ddee914ce79da3ed7e0151b4dda39

SHA512
4c29032e17ff706c4bf6d371f2f9c5810913266c61ec8b71f0a7bfa3cf0a43617cbc0a00a3ae2a6006dac9ee3c287d00776e41c60f09c58f457b4ce5e2c7f005

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIgu.exe
Filesize
247KB

MD5
3d89c8835380f91510970e2163f84be8

SHA1
6ec771c56e5cb25e5e7d70e3e5982396cefe5af6

SHA256
b91a871e79cb5cb570fe319fc39c93bd4e099e3887c9bdf131bf1af4b5a5f550

SHA512
6bedf55ab24678a38fa1aef727a48d26412194601a8d43666d2ee6efd13d899b58e2a47483da513a08590242950f4675a76e8ffe4cee6ab29e00d516829a7796

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMEwwwcc.bat
Filesize
4B

MD5
721225639be4133e117deda394458776

SHA1
7e82a6e2bd74b918a7c43f588f2597414109be3a

SHA256
d9ee761b144547d1eb41fd0276a921c3449cdfde973378306205fb6d1812ec9d

SHA512
cd6ccdef5302d9f4d52076922daff999665644d2072d66670ba672377eaf9593487ec57fc214dd8f5e7a1eac734bef80cf39a73b76df28246a5c3eefa830403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMEy.exe
Filesize
237KB

MD5
768298a5faa7fdf3cb415b5be64581f3

SHA1
0ba88e363b8f5ca75850a17544b7e8fecb96b69c

SHA256
c28ea3656d384742365ec0ec1dbaeae930674d837fec6dcd2bd781de40a704a9

SHA512
5ddbdc0d8ebb019baa3724995411a4b0fd95039976e1bb1ff2a62a21169da7cd6f929aaa73f294e74c4e5bf17ec09f917e703f4c7f166a6258b27ffe8103fd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUwe.exe
Filesize
327KB

MD5
3ad831a632367519514f78e5d3022984

SHA1
904230cf5a284d4dc339644e77f06dcdf5310c92

SHA256
7a2a416d00b200a7be3c8a9b29b134dfd3d3e05295361ca7055eba9c7a78975b

SHA512
6ab0db40040df0839a80b6bea90dfb99e7d1377227aab855b9c29254b813d77bf67235709eadb6aae8037b70af0b1d54887530a8b8550c0bf306fdbb9797cffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcEY.exe
Filesize
243KB

MD5
5e57d9c24ab6c9f84a242176f5ffb366

SHA1
21533bb1da4d43700ee9711491cc0af8374db132

SHA256
f58faf7129a12f203a351d552978eb80d4dc51d42e1a650050b065b174438199

SHA512
eb4ea8f305c5219951feb9f2aa35f2017709345327d06b4e05871b7446ec7c8443b2055e4f55b101e1a383bf91bb09f12d2a0f13a9401ba1e46a4d73b9a3cd2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcgI.exe
Filesize
803KB

MD5
b28c9bc33ab0e243331adf30c84c25ee

SHA1
e8d6dbbaae92ccecc180afd5be497744d51a11cf

SHA256
bc81ab93a9e7eea3afeaedc1b848c80fd7f1a475be6471baa8f3211c438aef48

SHA512
176af1ab1d5e85e6cda1a986b4d7cc147a7ba5eb5b12ccc056ccca7f29df1024e375fa017111c8f34a8f816df7406ac5367163ae5b445dffc744ba56ca02d094

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcoAQYkQ.bat
Filesize
4B

MD5
12bbc9ff3117596071661534d192c332

SHA1
383b23def72e6f1a803d8d18e5cdb0319146f6c5

SHA256
8629b470ae8cc4b66a5e86d9734abadcbec43d67fe07a990bdcd6321bd5038ed

SHA512
c7c4a819f1ba7f45e314658fda77ae8e2d8e469474b07736a1044a6b5a6774e998feb71dde4bb04c9f281f340fd71fe05b7cc8c1c8f2290d7e82a9c0d760f12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgwQQwcI.bat
Filesize
4B

MD5
cc0cb8e83eec9fbb49e38d991024eab1

SHA1
89c47c96c2d3181312e8d38e218064a44dee76bc

SHA256
6ed356a6fca8004b024c15ad975aa36513549e082dd0b197c57904174b01bae4

SHA512
b2244bf5c915af3b33bf425c4c827faa56401de37ac18ae61091ebfac4e4ff9ae3a54c387e9aa383a21895d28922dd613b0482e3337d1a53b589a8cde9583583

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkgoUUMM.bat
Filesize
4B

MD5
0e9f6cc24e899342da33277897ff7a99

SHA1
bae75ea0594b0659dbaf041b568933d7d0bff480

SHA256
61a67b934f0d5203474e571856a344e66fb1398f3accc195641419f4114af998

SHA512
09847b4d97700549c0be0fc102230cb98ec8dc4f17db2a328dcfe7cc9aaa974da1759f8c13268f146f6ddb96c885501d7199bb916ee2d5ef028fe36abd1f7e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAg.exe
Filesize
243KB

MD5
497ecc07e7552b10ef40975c14927826

SHA1
d2d2c77f9eb549afdca7a5b781132ed7ff0471af

SHA256
415ccab0ff80c2212764a19983c48641dcd8912e45278680cf1042e58e7466aa

SHA512
d0e2833d3377a97853ef22c6b6847109f0778edbd9fcd3122803d4b2fcb5976de5c580b8b66b2bda62b3c994408e43a2329ba4da078d9cbc00a7b99149a28842

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwksAsQM.bat
Filesize
4B

MD5
66812546d341d59be6e04b81ac948e5e

SHA1
819db6ed29609c915abe254a3b87edf1b4973a50

SHA256
822b77b8332ac55436af8805c3d79e83cee076b272fa5db457a503f2e34e578a

SHA512
3096ff5845d9ad02698fa4baa9caa53dab015703b3792cf5b32a0ebb9672c5d37489f970b7f96ad152c7bf07165e06fa850ca17dc3325485dc42cedbafd5bade

Download Submit
C:\Users\Admin\AppData\Local\Temp\nCowQYkI.bat
Filesize
4B

MD5
b53c62c6c9323cd02203347749c6f659

SHA1
905f45234ef359dfc1f7f7dde954e086fd8f6f9e

SHA256
bd5cebc0fccf85e779d52681b0e9e50cc350f417ccbf5e01b4d08e041310858b

SHA512
a7206f189e73949b053dd698092194ed616b8acfaf428a1bcce76f904be5a780551c533b6ed16ddcd0c26846ac3273298bfacc9bb1eefed6616571eb7f4e7a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQIkkkMQ.bat
Filesize
4B

MD5
fc73de06273a4384ec20b6e182a12ca3

SHA1
ae0d440d4d4fe154b2e0846b08837e6d5e31a59e

SHA256
72cd72f18bda0c356f6fc1ab331073adba3edc857c64d8b761e7f0ceacab1e7c

SHA512
a1baa224d14abdad6d1628aa927e19f8b7f8577d17b0f2a29ec125f3b23bca1b2b0e510b184b68098615927876fd7b2ee1463bda88e8a6a4f85e15fbb50b802c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncYckQAI.bat
Filesize
4B

MD5
8495203a8092c1f133fce90137697719

SHA1
661f91c3f06a5c08ec4b5738547fe00df2067286

SHA256
03a6ae6b8e647a8f769ffaf4fba4525d6a3c9a361fb38b032b77b69c620b9f34

SHA512
774feaf4306049809839571f5bdabf6f9462cf54fbf9e36e5938692ca5e507802284f39dae6136caa625d445f4a48cbc2da8f0260c7bc1626795e79f76b1216a

Download Submit
C:\Users\Admin\AppData\Local\Temp\neAcoUcY.bat
Filesize
4B

MD5
deacce3a90dfb9062f11ffa505c74e5b

SHA1
7e2c11f8882a9c88d14a26617765ed0ab7210982

SHA256
d683f42d9302cfb949128135bd1ba68ce64c877ff291c5ee219c1ac97c772711

SHA512
7fcf681a1e1eae2cef1cb49e9be1e3d990d293b3510d8cb61dc34207313ab4afe2fd89981e97e32e779e6c0b60928af78542414036547fbae930d13d38288570

Download Submit
C:\Users\Admin\AppData\Local\Temp\nksYUQsw.bat
Filesize
4B

MD5
0e44a15a281839e78e7d9cb04e4f72d5

SHA1
19f1530763b6319d973185491a717d59fba3aed8

SHA256
093080523ef441f7c914b7d9078a8b50939e06b987d858b65116bb1145d453f7

SHA512
c11a6626c1ce09b26f44e4182f3dd8687e342f971460013dd9706f1165864041e5ac83ec12bfc50dd867ef13a409475361a3764bc61166bbeb61df15a49e6f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqIoowIo.bat
Filesize
4B

MD5
26da31e2862380b762e8b8973753c14e

SHA1
3bebb823d431ad7b2b8fae579aad112a78f139e0

SHA256
28ed723d374ec95847bff54a8b2c5a6463c84ce173b8c6d842eaa5b6eb11dc36

SHA512
81b6d3558820eb3076ac932bd48e71b4716302b998ea03114d40ed94aaa35812bfe97f01089bf9237d588805ddd2031b7fcfd2cdf4e5ade4083016c74957f90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskQYcYA.bat
Filesize
4B

MD5
2f71b87c0fa5940ed95d0ad1fdd40371

SHA1
7baab5803cee79e5731f8e814f84562f8f1c2214

SHA256
e7d01385fc9d6b64c4cbc7907bff26b4f90295cb4ad08e51ea39c97bb65fc2d0

SHA512
937ea8a7f2cafdeed53537067945121c373e576c32dbfcdfe73a665e853a521120991e70aa28efcefbd3f860fb7279820bbb84f0dac1d9f4e312c3afa35304f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIUk.exe
Filesize
236KB

MD5
3775828b087ee2be7280933971fa9968

SHA1
bf56caa6ce749898edb476c3f61b17c5e62025c7

SHA256
a8bacea2344fad0ae798975c3e8cf7b4e21f8d50e95ee18b39bfa12588c207da

SHA512
7a2a35e0dc9e6958d447d359090f8685ff6b3fafd943bc1daa54af46664e4d96b308e550fbc8a658e7eadf06609acb2432c82d31e126520e55900d1c8d376b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMEkAMIs.bat
Filesize
4B

MD5
d82d352c26077e8e5a5bc51554d79e90

SHA1
834eff2d4f468c31b1a676bf2731c467f49d7544

SHA256
1ac4f77204323b6f0f4188599076397aca37a337843cc8106ee5245f18810443

SHA512
ecb261357656cf2295d57058b348c0cfaf738d0a8a709611f87a88037fe6343881c951476ae5b65993cb599f6d87111cab87798cf127733a43b50833e6e58038

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQIC.exe
Filesize
638KB

MD5
1319dbc9d1aee8905e5957122d79c632

SHA1
bd925bbfe92c6f0b26acf17bde24e73438fcfdce

SHA256
821456f894d6bd40d35b3d2125ff8de111f7f6210fc6f047f842db067305cde6

SHA512
3ea42c3b7fdcc6e18ecfba47b6eeabe0d504ce21cf9ef2ed7de07f205980659e03d1c8007d552d3e9fff789511d540fe1cad8414297fcef689a8a2e2b38c0ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUsi.exe
Filesize
790KB

MD5
1d28da5a6707766eace76d09eb701729

SHA1
bd3249004155348e7f526610933e99c3ba7ddf1a

SHA256
0d5c365832803b91f45dea9680616563aeb8aecba6eb764b47e99cd99b15d237

SHA512
39ac771e09bdefd7a82894157c70229d4b3bbfc013a2eb872f22fc3d1469ee9a4de28bc280f09f32d7f4163626774b7267b0576dad9fee4c463fa1c1c3182aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooQU.exe
Filesize
204KB

MD5
f117fb1461abeb50569f2f87e4de4292

SHA1
cd1586423357e838d73e405a2b4979678ef2d824

SHA256
98088f60c4e04c563a9db43b85b1041e9abfbb1e6684a2232877222deb6c9f16

SHA512
5c9ae79db469123bd30d9ff1972a44fb95484aec6805e78a47a47cfa7ea6afde80721f6515a90b6a90ad33cedcfd642016430e60d8f6527eea5aa7d287a50cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\osQm.exe
Filesize
819KB

MD5
f899c9738c544add8b315f3f3f671570

SHA1
9716305fa4f54db3e9ba391bf902a0b75762fc31

SHA256
b5482c77ff040bff899d28312dc3f810b06af877a4de4c6543671cf222a26e91

SHA512
da803846cb27f85bb0d60e32d9c007bc8d6a07d914a1e1ef1a06ae3855d9f04e69052db4462f98083a20e360828a317f4cebd91e3992f0569b2848e0735fa668

Download Submit
C:\Users\Admin\AppData\Local\Temp\oswQkwko.bat
Filesize
4B

MD5
6438508a36b19299530e869e4de94acf

SHA1
9e2c9993485b9b794f89f357130eb91e00b7083a

SHA256
4a267dbabc5374cf9b47e8a9cc50d426494840536a46554c4c48dda8d5a49437

SHA512
1d1a002ffdeb0d2c8d0816b641e10eacd31912061c690ef4785507c6ed6a26a4239dc689f3ec52701a8aced3c3c1420b6254ade20107f435a2dd11c7313d18e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqUYgMMc.bat
Filesize
4B

MD5
9cded7d3e52ea5daf3c8bf32936d5953

SHA1
16223caf18fdfdb0e859bf6b289e648588fd8452

SHA256
87ca2d7812ce4f7579b1631faaa63ebc04aa80a26bd321a2b1dbf1b27f435ac3

SHA512
8fab14d1b5d42423c17aa553f26410ebcd089590b33e540feaddc7f440a33f3dae0bf274385ffe4dc9baf438cce4c492ef38d99f93b89bbaebb4c9ebc1745412

Download Submit
C:\Users\Admin\AppData\Local\Temp\psgsAksE.bat
Filesize
4B

MD5
2c76b418184d269e008c891065ed6046

SHA1
f5ad3be26e124a257a71ce7c33d3330ab2970656

SHA256
d63b8f65c0837fa6ddcf8748e482abd88445093f18e4a7e06d95f5a1cd0702c4

SHA512
80e607dbd38702af7ba95423abcab6d4f445062c83348558634664724b8a0cb8d4ebd47c3180a08e1cc0f6470b6f61691b7affc6cdb2e28eb10560153555af78

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMgA.exe
Filesize
223KB

MD5
373d58871252d081103f10a27ea4b658

SHA1
b4c5db87cbdec547117bd6d491edd96424ece8b1

SHA256
2781c1d6485fb6afaa2db1a0de28924a678872f6275ff9172b8392a948450b6b

SHA512
f92005927e12a5bb1bb6a1935b872ac61d9250f706006273f5cb571e1b60a1cc89cf95270715881cb07e4b49ace16d5db97a9b75f3db36b66977550e7b39c77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQkG.exe
Filesize
231KB

MD5
91321bb47804abaff420a659c1eca8a3

SHA1
50ed083d9eae8ecb5d0d3d4c3ffad8cecfe71799

SHA256
f80f4d654a687d703862b2f8fef56727b3d3734a2a581527bc8a1e2cde3eb097

SHA512
848b00a3f98ef71073d78542e5448eab6c72c0975071864e784b2f0244d07d4037cc2d1f3702041e4d04c3883a2e55b8c9b53d5dd8b1a32fecf824d96ef224fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcIK.exe
Filesize
246KB

MD5
ed24fb0ee3d90a7f7004575cc41ca2f1

SHA1
8f16a3091a1b0fdc4827cea4bf295452f1c45650

SHA256
cf831c38c4f5cb000c851ccdd0ffef9cc714642cb567481d7e5b6a4a20e4d23c

SHA512
795f4c76b23eac670a4c5faa55e7142c22ce851d3ece2c17dcb1425b4e8202e28b679af4050ea8382ddf5b08ae6519ad735cfea0fefc18a007d4ae0bc8bc0dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcgy.exe
Filesize
237KB

MD5
208b83aaa5f1909a0aa68dd2354072ba

SHA1
963c8cef6f3d82e7e937c357e3cd99df9d2a1ade

SHA256
535966448fb6d9a13ba5bf0d32162f0d40b450d91cdfd499a16c18d3c13c9c9e

SHA512
91bb12c94b1f8b5e4efd83e24abfd9b152e126755699191a3572d2ae474adaa8203b6d39948981a1f67ee9c03171f16d632982db4e2f0530b887b1e24ab06136

Download Submit
C:\Users\Admin\AppData\Local\Temp\qssi.exe
Filesize
233KB

MD5
0b0679a4c619528af89a95b250f06a11

SHA1
10de72b99c3afa393ff92570373e5cd8f18f95c8

SHA256
895520d999f2b1b459c1b9c0459e39ffcec659c9cb86b6ace09c7553cf827ef1

SHA512
85b4c76ff735ee1d21408502200733f058c512344da336cf40dcb97af08faa83268f094b4e78a47b6743dd374997aafb686418652dcb3abc56af2efda4810126

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcIQYQwE.bat
Filesize
4B

MD5
467c71c2c39d587b105ae34bb81b9b6c

SHA1
e72c8ecc4ce262e4a6286c0a42ad1fd5a7f0680a

SHA256
da152401aafdb5b2cd17a8efe55c142cfc61d3865afade9486432bbc8aea8e5b

SHA512
7b6fa1cd7364ff287ac16169119e82a540f82ca5d9e873a38b9d9fbce632cacfddfdd62a2f0c4e0d8773709d9001f5df041e4f70046620ee1e2aa797ec507aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsIkQAgY.bat
Filesize
4B

MD5
30cbc02ad7ab19351dac42e668819753

SHA1
9e41bb72b789991fd31451359cea78a610a6055f

SHA256
4f953d92e62df76fe590f56794840009d730bdf643401de9072ffe722bacd396

SHA512
cbf656919de25131ac8b74c8a8fa5b15bcb15b91c11dc25ad7d33aa5a00b968a6ac6f7edea6566b4acd242d4fc5403f3813bea1b46ffe319fb3656e9269e63d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIcw.exe
Filesize
240KB

MD5
93127f3d4d56fc4261262408a0078e66

SHA1
be33b74e23a8b7ed9a0e9451130e444871173742

SHA256
3500d37500635e2f829e2fec7bfac9a10b5385560a1492502c24444f1400c761

SHA512
bb7641439ddb1be96698fa162afc0c73745050c5e67e82132dcba300344ad4b83bdf95e06e421fdade9078798b5d0959fefa668da2e6679c603338a4a7ca21cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQAk.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQgQ.exe
Filesize
192KB

MD5
28b476834baa2fe5a738e839c902183f

SHA1
e61129d1d5397571cfef14510496e0b4340db6a0

SHA256
3722c24523cb71a6f3184bbae5c6b2296a4031a96c330a35683fc25a0146b80b

SHA512
5e92a2041200e696e0eda30c0f00fefca8c9d4415d084688a0675d0e22f89431d06af2241673c073786265402e917dc559ed9feec8d40cd6bc1e1571b9eb0a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQwQ.exe
Filesize
221KB

MD5
c5cf8804cc69b3eadcf685dd8d3b0bc8

SHA1
82b0ad07e3939d4f61e6194d6a3d64f4a6408635

SHA256
de1b1f848482055f206ef3e1ac70b04351c5b276d65124d85738e4fc14157001

SHA512
249a80ef68e37fc43cd283fe6a3aae441818061714334073ec8fb4036503b1ea475da3795819bd34213c7705ca5fcb2e38e6c46e90ecb45171a305957308ccb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scgIUIcU.bat
Filesize
4B

MD5
32348fd6fd479ef252c23b849ce57b93

SHA1
3068394c7c85125ec6b2d220627091aa85cfa965

SHA256
c22ee624c8bd8313a1c4c29d2c65b25fb31e9a784dcbca9b88f712e0daa41072

SHA512
04228363f13bff3bd5721e929f61f6081940774f79351dbf54bbca18e0110b62624fcbdc454ab09ee8a0873ed3fe1606efe2beefb4213ee45402e2c45cde8eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\seYAckAw.bat
Filesize
4B

MD5
b903520c6cbf7479fcd380df998dde0e

SHA1
498c9c1f0b3596a47924363826a0f11a8773caa6

SHA256
9d8f14580d5187cd81a8f3465dc3bbdd28193be4eb08bd4e37bc62a5b89ec93a

SHA512
1500bf3b650d00987447fd3be14885c7ec6d1861f9111434195556b727071aebea50a1ef25c00f4671be363996017373b5f166f27db325c5965f9828bcf0e112

Download Submit
C:\Users\Admin\AppData\Local\Temp\soMq.exe
Filesize
205KB

MD5
a6699bde799136c1059b6dca253fa8f3

SHA1
775addbeb8bbfee2a65b299d487f950382ed181a

SHA256
22cd6774557c6ec4b104dc734f45f77d608dbe125c0947872c7185debe241d7f

SHA512
10aaf3a174dc3f9dd947228e020e783d7992178152b046cfd15839cf3aa5b6ea21ae90852d6c48c1a9caf2ccb5ed62e514d1651f0b0c101d6b111b81a9754ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssUi.exe
Filesize
231KB

MD5
fd307d083f8fc20b5e7bc06ef2dc23d2

SHA1
c647aff1bcfafceed4951ec7464764a4625b4e32

SHA256
e36bd82182993c9fa07de216c3e8168309295346c31d36f23f74cdb58f82cef1

SHA512
b2a4adca1ef5dc217c871819902c4f12402910b5202efaf9292d5d36626beabd724f6be14e1f8ff75dbb4b9b19eee7d9490db999662e98304091627f86eb61be

Download Submit
C:\Users\Admin\AppData\Local\Temp\swwQ.exe
Filesize
207KB

MD5
58e7ac8f4dac713362cfa533550d1378

SHA1
09a8c36619e122cc3ee795ce3a47261d68909e12

SHA256
60bb33c79e3b1bf50b14fb695230c0477ea8f52d6c7e83a2d7157a6f3c7d9e0f

SHA512
3bd3586c05d34978f93f6c6758026206ad759bc64185f3b0c98deaab4e7608a2d4698629813c747a163617d5557bc49e58387cf74485e4795e1278a7ae1cbf84

Download Submit
C:\Users\Admin\AppData\Local\Temp\syEooQMI.bat
Filesize
4B

MD5
e3df4a30f6399b53de1bff8d37e233cd

SHA1
7f8ada2f3626af56c92374100310b5f145988127

SHA256
2de318586b1194a17808be0dcc50a23c3c87435fcd4072b7251db9a26eaba449

SHA512
64d5e7353769fab744b643912e78ade1baeb6ce4057ed19cb6361436d2f7c142eaf1865be07408c21a010c217753bdc3b066b322784ff3cfc0b7cc64927b94df

Download Submit
C:\Users\Admin\AppData\Local\Temp\syUMoYYs.bat
Filesize
4B

MD5
982ce1cff9af90e5de8732e4be24a338

SHA1
c1ad05f04df1ab7b681994e30fb3d410ce78e635

SHA256
51300fdb984f4a36862939af141e57fb3545ec8a33fc932553b49d9005530047

SHA512
a2876fc0b542b3c12fcde6ac5d8a80de8b3f10b108b3ba89e727f5906b2dbdb76ea8ce003caf7ec9b7ed28046c52139070fc6567dd8c8023750a5de232f7d60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sykMYoEg.bat
Filesize
4B

MD5
e7e167efd6dde72aabe0a05439e0ab12

SHA1
383a104962370745abd2bcdf315d36eb4f656cd5

SHA256
ca11ae6236bccaeb59590b244308772f025af1a6c41426f9d667caaa0046cad7

SHA512
c59042d69a91a1c5f8f8d67f2f6bd5b619458e9568cddb37bba3f076898229f80398766e320813180cc8e78cf9dcadfc5059ee118b4213a562f1e7b2e9610133

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkAoIQIg.bat
Filesize
4B

MD5
906910b1b80bf2c20692bacb08fb4a0d

SHA1
571ab0d0c3ec30b6f1768f93fb89688575aefed7

SHA256
d2b444e2f4758ef8b8215c7803c61bd0c5cb916df81d4e5bc7ba8001b3319cf5

SHA512
11d4166c3e0a9b2a63457bc02bedf7484edac467d584308071390753ba10467110f3e3b6818f14f48839f028793ccde6699e8ee4e0344aa3993c0dffbc64fef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsEYMMUE.bat
Filesize
4B

MD5
b44d21a3873a66de241b4ceede30cbf1

SHA1
35df18644ea8d254912e98dd9076012c046d1b51

SHA256
debba128c08446540d54cc33557ddb9c22be5da0e9aff23a1ca22c967eccf131

SHA512
d3638538c35aa39d9e3b6fc665a1b46f4013fd420dd2cb239fbaad079fe45bcdda6f5d44719d68379d6e9c53eb1c9218e0f7d1465de6bb6d8c487c30f104cbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAgc.exe
Filesize
1.0MB

MD5
0db297ecfc51af2864677c36ba413d64

SHA1
7a6af4a777b48e6cb4f5246e5d1fb9a4da865a3f

SHA256
1d0fa54b823305d21527dbe51ac069013bbd62af9ef8c7e2a2fa98baea97aa29

SHA512
becb97713b9117c33f8ee2e917de04860275461d049884f7b034cebaec7896218732f3274747ed381970385ea184ab1f261118c4538772605a294fb6e8c4e328

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIYS.exe
Filesize
227KB

MD5
52564cf510d33e1a915db2eb798e8469

SHA1
6f705c549bf42b833bc1d0e0fa8b2402ef201041

SHA256
5e80e32cb16ee88cfcb8761b127acad555b34538ec8b8ed9da737e0e74263689

SHA512
b0a5c8c1e011eaf36c079c62d2fb5578eb94c5ab527e2638c5093c912bf22e68e5b508a132768f35a3346a04709d195c8b1411214e16995b5a2c6dc0bad10742

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQcU.exe
Filesize
240KB

MD5
7715241dbea377df85d5fd78c378fb48

SHA1
4e96a28d1e44336428948fd761297a8b63f50846

SHA256
f90d49971b371028828c6fea2926ddc6cd9395534d11e88f0da0c3cb7d20ce35

SHA512
2feaf35b7509b825c003dd9585f3e2cefc4a056308f7a50ce32c003e0ae3c723f2675190e433bd64b900c3442876cb6fdd3ccf83200852c98911409790f2dd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQse.exe
Filesize
826KB

MD5
5b135af664424c0c0a0eeb7f37a4f9b7

SHA1
b2cff7ff0d9f62b59946a8cfc12c271e9a4a16fe

SHA256
51a22fd8dca056f8acf974d8b2ec3578125caba88d7fe86f2a07ae9fada22627

SHA512
b36d8918fd49f287c6943f769395d5d904892480ff33e95cae9265f2c4bb0593e8f468118ed47d1d79bea7cded27290ad1979679e88513eefb4a1bdddfead3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUIA.exe
Filesize
8.2MB

MD5
c2fb96c61a057e7d63b3ba37115d2355

SHA1
99d4f8b80d9e94eb5808a547310fb2479f69d4c3

SHA256
8b33272b572bed25498a0cfa2a740df0335539491a20d803d5a7d8f2991a8f19

SHA512
16f2e4e8227aa32ec7f18b3a75629130fde99ef86b2c0a5215604525106db209c281d16e3e7cb0a1efb2c997393dc03a671ec067cdaad9da06b37a24816ca164

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUsG.exe
Filesize
240KB

MD5
371f05cd5dd403dcd2fa663ea93557f0

SHA1
669702e2cef7cd8b674dad34eb24da407d5ccd81

SHA256
4f795ffe173f43f4be3e95bd9085fb1ca31ed36858ca1fc6fbcd3f0d6deb3720

SHA512
9fa6913789289f96865bd364b36a03188089540e93a16d0e1d5adad765e0fc119327ee9ec01596aad5a8410d657fb5c2d336c1e00709e1d0ef21f5b85420ca10

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYce.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukwsEAEc.bat
Filesize
4B

MD5
797e3d02af07b1ed55b52c0a397252c3

SHA1
bc22920c4ca05547a4f1cdcf69bca674178439f5

SHA256
077490f978ce9f6c1bb2faba0a4c68bf28cbfb6c67faa3af139aacd70988c74e

SHA512
dbc0e9de2d97df01cbcf57a1f69f0d60060840ccad21e3f30b04f5b8a38435c2f8d43755d10cdfa7128f2fa6950174ae2a1a90ab07147bc491bc36b3c40282d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaEoYIYw.bat
Filesize
4B

MD5
32448aa29e9c2000f060297821b0d717

SHA1
6c863c58a08dc157c59502589c3f8d5d55c59b73

SHA256
91139021c232e99fcc6a7b5137270127fbab4f1e826acac66607d3e260100912

SHA512
ce946409676c7b6dcbf1bbaec2231417823d903d22dbfaf91d2395615051e82456972a7fbf37ee0486be313ee0a207145c901b2d783d37063996c16c8aff9db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMQS.exe
Filesize
240KB

MD5
352f1d48a9b08da31212038b92d584e0

SHA1
bb22fcc88299763728508ab65b3b6fb30b41382a

SHA256
16dc843208ae503a8e0e1a6beda383ed120efaab63888930e1d2b9e27a351f8e

SHA512
d1364dd11caeeb253911d75a18cdf35a9d836ab7c312857ce461b0fa950e4e4b267f9b24b92b56b18aa590ebbb81c7a41105c69c96dd1bb02e328fb136ad3001

Download Submit
C:\Users\Admin\AppData\Local\Temp\woUK.exe
Filesize
241KB

MD5
4d0a6f1862acff0bb45ecd2224e3fce0

SHA1
178fa35da12e2137c9de0ded8dbbcee1b120019d

SHA256
2feaaf025062806853ac5f643cbed2fdf7652d1b5513eece2953dfd1c4fea75a

SHA512
9434e8987fd232c1d4f368af0d678d86bc91cc97a9decf38080c27d44a52822d10d34a8e0adf57c1c19b03cb79df1a36310dd35791ddb510d6bcfc30488b192e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wowc.exe
Filesize
210KB

MD5
5c97d1a31f6b9d56bfd083add44f0dc0

SHA1
fa9dc1c413e12da9239878af6430bac3f2213613

SHA256
4f97cef745e635610632c609c03e82bb508281e7812c2ce36132450958fec3e9

SHA512
73d13e64e1a9149bbd56ccf39cf784193d566c542ee748abd3c4d7dd3b804a9842f4415c80ebef65c4a0b22011570a932abc6fb9fb91e9b5d3ee3f57800d7e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQG.exe
Filesize
953KB

MD5
fce53b518f0fdea577ed9bc6d554afa0

SHA1
1cae94d848de72f02798e3d656459265844829d5

SHA256
40db338218d122d95ea60d687c0c27aacbd664db7b3fd33653f4b4f5c0b19cc1

SHA512
52de349c7c0e36e9fdaab3051df1d7ea1fea72b956a6df700f1f638de82f64c040d0d623cba05236dcb7aa524a51a566b1647be17fb35ec4c5769b8fd47d541d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEEAEgwc.bat
Filesize
4B

MD5
ed1fa7406fc22b33f6c6b6e5b98eca7f

SHA1
52f9d3c36fb933af753187bc4d9d667ded3ea643

SHA256
f99287de00d448e21d454472cf81bcd3f8ae06f896e6bdd795e6283b17871152

SHA512
aa14a25b54a91d00bf05eb53a99bce7f641f4cfd7bc83306bde91d1e43885710658bd157ae461a6088c1f83924ac7f4fe778ef0ebf9b011718a1ca6b40bc6b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQEwggAg.bat
Filesize
4B

MD5
e34a4026849feeb1ca8bbbf2a2816623

SHA1
6b9f2586d75202b31b4504371677c955de95d925

SHA256
059ddfcd3a504a5b147de0065fbc5c61a90480747727481d8a1fc0827b8c574e

SHA512
ffc1c0587588ed8a5e4385c48d898701f1be40fa215b324cacce2f18956a50ae818bcdd77ab34c450042a73ed6371f635cec642ade3a0424ce8d5c66c4a0346d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcAscYgY.bat
Filesize
4B

MD5
f03650574fdcb081cdb01b1abb67aa5d

SHA1
f7b0fbb9cfe15865ad12287abfe9c6ca9c25366e

SHA256
0a30ef26b428c5775606aa770a13307bad0052c88db72b9fbd75e1e7460f0e29

SHA512
e36cf6aa237e4d80bbd2b928868bc16bd8a4340a6f928258ed91d226ecb941f27fb59d2f968ef6e2fd7cd0465f62bb46a8989335e203635c48a1783cd9a7f818

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsoAQUgA.bat
Filesize
4B

MD5
82ce2a79107d616491e23754867fbd16

SHA1
1933ee140d4ca935c3f37f3e4bcde0cff56142b1

SHA256
905a3230de1fcd8f3d5b4490356cf9e71bce47e29436b35116c096c379062de6

SHA512
1c19c128ba5d5c069ba7810983401ed5ddb823ca85fb779ed67c20b0a062a6afd8f542dad40689f4112d479b61233095b9eb503905f0ee3098065d81e20dbd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAQcUsgg.bat
Filesize
4B

MD5
60829b4391be5bdca7521bfa108ddbb5

SHA1
783bc3231319d201069645ba4ab9d76de273483c

SHA256
3b80a0353e67fb62b58a532afc7d6498581c705ffba4a92cfb7512f26ea516e9

SHA512
d43a07c94bd56b2591567ba251e0bbd5f8a20808f861f16095d0b30875e7381103328a4d451c275aff45ef632baca58aed4b78bc1c92027b9567c1a9aae0f23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEssMAAY.bat
Filesize
4B

MD5
0ab1b8ff019b89a0c8c789ea67959028

SHA1
d4270381246a94db8341886e2ba2ce844e305f46

SHA256
cf35247bd50aed2b002b381f9c7dee064a20ddb20aad70ef392c9d2477c8d5d1

SHA512
478ac3cb047ef99731b50ad08edfacd5c87934c10929047b5eba55b7e4a3d62fad65eb053de0476dbd81530d6eeb2c2ca55417a19da5c4de113abbfa0911cc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEsw.exe
Filesize
229KB

MD5
6108066034d3c45ac33f864a1b49ea63

SHA1
1c004c64701e759557256f1d2d2b47f7bffbcd42

SHA256
c4f7094924fc56e1170853c4b91c76b681a4abd3b3cf8fe65aa429fa14d574d4

SHA512
351962d5da3ed73ff615405a356d09c695c5a0007c1c507538b9563995752284989f31ad050216812b0d3ce2144d7ac8e75f2325ec3c6171ff89aa8544b79841

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIgm.exe
Filesize
234KB

MD5
edae4896c677427da2df7231ecd1aae8

SHA1
bf250aded9791357b618c76148a19c8bf8824af0

SHA256
8f2d4922cfdc02b6cb20c458cd26bf61c1ccaeaf4b8a7986dae73d144c82f864

SHA512
a38a928114ed38f3b2600f5b8b2b1b342cd0f233638cde2549c32022b0a60f900cc501438379bcd7ff3a57db47d1f6ac9a3fb1b0cd145420373f473f279125fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQIC.exe
Filesize
1.2MB

MD5
798da0f6642640f10a60c6e3157bc33f

SHA1
0395972ad3163e3e05f2245092d0c77c593fd0b3

SHA256
2913eef73160bb094dd4d30ab70d752787cd05def33221d83223898d26db313d

SHA512
d204705a3b537e7768ed7245e7c7229b69f567ce4fdd5d3ae9237dc1735ddf31da671f220b8e8a832df669fce6b9110e442ea4da00c02e2747f5cc5937f2cb00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygUW.exe
Filesize
242KB

MD5
5e7685837385b7fd41f6833817bb5370

SHA1
f2ebddf61712c7362d133cd8d9b6145358b4600e

SHA256
7b86f2325f1b91e5895d4ad8952506fd2b12e743d4ef66e2706415e9621f1408

SHA512
4c369a7f5d24d90f3f63e10e59351cbd98ad060dc4ded67e951b18c6ef636856d0d7cd1145dbf9a7dbf5e1d90734ce0e776ebb949a465dadf3b6c36a343269e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiYoIgMw.bat
Filesize
4B

MD5
0216479ee10fcdc97e74656587724b79

SHA1
349bf166a330afffbb8b81213c9b2065ef6c2b77

SHA256
750a399f8830510804fccf432316b709be7bc7f1044df6627283d1a37f973984

SHA512
dffa3bc0e6ebd0d5e37bc0aca8db59135627e4e4f05c919e30e15878a325304cd7b91ef0ff912190ebf4f428b9d3533158ef1dd9b72aec85bb9d5e2c15858466

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCskswss.bat
Filesize
4B

MD5
c068a29c9c7e8203f21e0c09ead15ce8

SHA1
136984bde790560b85b46d58166b1c0097e9db93

SHA256
f592e961353df38b1c774b562677b5b248fbb05e54d5e8ecca2e0bc9d0b51f04

SHA512
271078b813a7737e26e95cf71d8486cd91ce1fb4437ae6b50846e69a60e2b7f7ef6035020b0d248203ff43d2fa2a8bf5743c09b2dbc42d280410a9ee4b26bf36

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYIwgAUw.bat
Filesize
4B

MD5
00a01120defbe3538af8c1c9ed2a737a

SHA1
583fe8b612b471702ff665f5afd79e14151674bb

SHA256
f52c266b423127ba71ee16b47c1b7d2367535aa557f73c6a30879725fc311d3d

SHA512
4b57853631af0f4b31e549045fc244e28469e1c1dfdf01614d33e76a2fc6f9f0b7c4530074de9916d86d81fcd7ec8a610c88f594cae2fea06e7be99d5e9ede46

Download Submit
C:\Users\Admin\Downloads\EnterInitialize.zip.exe
Filesize
1.3MB

MD5
41286b287fdf4bdb771319a312883db7

SHA1
d838c2725ada11805f59f074606d298e678bcd22

SHA256
21e3a08dde1485ea26ee4718fc38cb89cb15e0027e0350ff311d022172fa173a

SHA512
3ea813957d20ed1d977c617b5f345e1dea7e085722255c27c6e63c5c92ae6658c7036c682ffa63d036e2554d008fc642742b0551472ccd2784fd53e65a6b033d

Download Submit
\ProgramData\gOQgwYgw\qGIQYMQY.exe
Filesize
193KB

MD5
8cd3d8d04fc1a447ad07cfa3353b014b

SHA1
b38fa85d27f5c35362c8bcb29bd301e9970cd06d

SHA256
782b8981579fd4ccc25e5e85f831a5d3aad87a62f2e26f0bcc697942dc052efb

SHA512
725ba3a79e8d50c82188853df140b34ac5f6d8447ee5b7e23881575a70556c8e49bca4f92f6eea70681bcd935280b8c174e920f77fadf50c2e71e512f0aad41b

Download Submit
\Users\Admin\nQkowAco\HakUIUEI.exe
Filesize
189KB

MD5
4744ba86829738959a7d7210641d553b

SHA1
3224e4678a966fcab1a0a973725e511323c42e30

SHA256
888abba6e5fe783a30cdf4300d30068c2b571a709df8f91c81efaaa9d80fb0d9

SHA512
74ee6217bd0d473c062e2af3a0333176faef7503d377c7c4b1d7d248e04240f5543e199a11bcc5ea578f9afce6fc181f2ac5e95d97c5736ce04105d8b55ab234

Download Submit
memory/320-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/320-584-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/340-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/340-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/572-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/572-605-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/760-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/760-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1052-594-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1052-595-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1148-270-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/1304-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1304-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1352-127-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/1352-128-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/1372-550-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1372-551-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1492-529-0x00000000001F0000-0x0000000000225000-memory.dmp

Filesize
212KB

Download
memory/1492-530-0x00000000001F0000-0x0000000000225000-memory.dmp

Filesize
212KB

Download
memory/1536-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1536-163-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-461-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1568-462-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1680-222-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-199-0x0000000000190000-0x00000000001C5000-memory.dmp

Filesize
212KB

Download
memory/1820-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1820-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-390-0x00000000022B0000-0x00000000022E5000-memory.dmp

Filesize
212KB

Download
memory/1860-389-0x00000000022B0000-0x00000000022E5000-memory.dmp

Filesize
212KB

Download
memory/1980-2118-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1980-2119-0x00000000004B0000-0x0000000000502000-memory.dmp

Filesize
328KB

Download
memory/1980-2117-0x0000000000470000-0x00000000004A1000-memory.dmp

Filesize
196KB

Download
memory/1980-4384-0x00000000772B0000-0x00000000773CF000-memory.dmp

Filesize
1.1MB

Download
memory/1980-2115-0x00000000772B0000-0x00000000773CF000-memory.dmp

Filesize
1.1MB

Download
memory/1980-4385-0x00000000773D0000-0x00000000774CA000-memory.dmp

Filesize
1000KB

Download
memory/1980-2116-0x00000000773D0000-0x00000000774CA000-memory.dmp

Filesize
1000KB

Download
memory/2012-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2028-509-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/2028-508-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/2068-293-0x00000000001E0000-0x0000000000215000-memory.dmp

Filesize
212KB

Download
memory/2076-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2076-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2076-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2076-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-488-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2152-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-5-0x0000000003DA0000-0x0000000003DD1000-memory.dmp

Filesize
196KB

Download
memory/2188-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-616-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-21-0x0000000003DA0000-0x0000000003DD2000-memory.dmp

Filesize
200KB

Download
memory/2204-531-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-562-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-245-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2276-342-0x0000000000190000-0x00000000001C5000-memory.dmp

Filesize
212KB

Download
memory/2276-341-0x0000000000190000-0x00000000001C5000-memory.dmp

Filesize
212KB

Download
memory/2308-413-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2348-436-0x0000000000360000-0x0000000000395000-memory.dmp

Filesize
212KB

Download
memory/2348-437-0x0000000000360000-0x0000000000395000-memory.dmp

Filesize
212KB

Download
memory/2404-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-81-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2532-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2532-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2532-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2532-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-317-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/2628-316-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/2676-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-32-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2768-33-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2780-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-486-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2872-487-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2884-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-176-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/2900-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2900-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-105-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2936-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-13-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2972-596-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-366-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/3068-615-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download