b43b9a418b25a472db7bc40bd0393681931d1bf44bd29cacddfda8e447704e39

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
Size

192KB
MD5

c534263fb8f5357f570835ee30329566
SHA1

f60c52e34273fa9afb960feff46201c657c18b9a
SHA256

b43b9a418b25a472db7bc40bd0393681931d1bf44bd29cacddfda8e447704e39
SHA512

351cfb0d8a3f5359a99147ab0a7ad656f5f2f26eb5a8e237f19ccb35bbfc362a134ab436b3d62eb25dba03b71d65cdff839075f70cd5fb23277a8f964f02df7f
SSDEEP

6144:1HDk+dYQ+tsJzDJFwvDusfC5PtzH2X8vNObT:xDk+x+ts/FwLuPtCMvNS

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jgEYAgMw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	jgEYAgMw.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2104 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

YuUwUgIw.exejgEYAgMw.exe

pid process

3004 YuUwUgIw.exe
2712 jgEYAgMw.exe

pid	process
2104	cmd.exe

pid	process
3004	YuUwUgIw.exe
2712	jgEYAgMw.exe

Loads dropped DLL 20 IoCs

Processes:

2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exejgEYAgMw.exe

pid	process
2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exejgEYAgMw.exeYuUwUgIw.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jgEYAgMw.exe = "C:\\ProgramData\\SOMwAMkQ\\jgEYAgMw.exe"	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jgEYAgMw.exe = "C:\\ProgramData\\SOMwAMkQ\\jgEYAgMw.exe"	jgEYAgMw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\YuUwUgIw.exe = "C:\\Users\\Admin\\VGIskEwo\\YuUwUgIw.exe"	YuUwUgIw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\SsMsMEEs.exe = "C:\\Users\\Admin\\JCscUAcI\\SsMsMEEs.exe"	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rUwEksMo.exe = "C:\\ProgramData\\yOgwUQwY\\rUwEksMo.exe"	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\YuUwUgIw.exe = "C:\\Users\\Admin\\VGIskEwo\\YuUwUgIw.exe"	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe

Drops file in Windows directory 1 IoCs

Processes:

jgEYAgMw.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico jgEYAgMw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1932 2404 WerFault.exe SsMsMEEs.exe
1484 1300 WerFault.exe rUwEksMo.exe

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	jgEYAgMw.exe

pid	pid_target	process	target process
1932	2404	WerFault.exe	SsMsMEEs.exe
1484	1300	WerFault.exe	rUwEksMo.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1684	reg.exe
2956	reg.exe
2868	reg.exe
2772	reg.exe
2632	reg.exe
1052	reg.exe
2148	reg.exe
1508	reg.exe
2788	reg.exe
2868	reg.exe
1088	reg.exe
1148	reg.exe
2736	reg.exe
2376	reg.exe
1536	reg.exe
308	reg.exe
2504	reg.exe
2776	reg.exe
2056	reg.exe
2060	reg.exe
1992	reg.exe
1524	reg.exe
2676	reg.exe
1636	reg.exe
2744	reg.exe
2648	reg.exe
2864	reg.exe
1344	reg.exe
2632	reg.exe
2556	reg.exe
2132	reg.exe
1740	reg.exe
2908	reg.exe
2532	reg.exe
2828	reg.exe
2448	reg.exe
3068	reg.exe
2724	reg.exe
852	reg.exe
1940	reg.exe
2720	reg.exe
2552	reg.exe
1768	reg.exe
2824	reg.exe
2236	reg.exe
1532	reg.exe
624	reg.exe
2656	reg.exe
1852	reg.exe
1832	reg.exe
2872	reg.exe
300	reg.exe
1060	reg.exe
1312	reg.exe
2944	reg.exe
2720	reg.exe
2384	reg.exe
1180	reg.exe
912	reg.exe
632	reg.exe
1056	reg.exe
1052	reg.exe
2664	reg.exe
2160	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe

pid	process
2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2816	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2816	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1236	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1236	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1816	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1816	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1080	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1080	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1688	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1688	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1580	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1580	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1388	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1388	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2008	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2008	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2360	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2360	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1536	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1536	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2544	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2544	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2176	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2176	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1228	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1228	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1100	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1100	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1484	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1484	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2028	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2028	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2804	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2804	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2696	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2696	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2176	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2176	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2372	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2372	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
296	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
296	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1776	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1776	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1208	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1208	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2788	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2788	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
760	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
760	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1104	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
1104	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
964	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
964	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2948	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2948	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2756	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
2756	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jgEYAgMw.exe

pid process

2712 jgEYAgMw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

jgEYAgMw.exe

pid	process
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe
2712	jgEYAgMw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-26_c534263fb8f5357f570835ee30329566_virlock.execmd.execmd.exe2024-05-26_c534263fb8f5357f570835ee30329566_virlock.execmd.execmd.exe

description	pid	process	target process
PID 2380 wrote to memory of 3004	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	YuUwUgIw.exe
PID 2380 wrote to memory of 3004	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	YuUwUgIw.exe
PID 2380 wrote to memory of 3004	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	YuUwUgIw.exe
PID 2380 wrote to memory of 3004	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	YuUwUgIw.exe
PID 2380 wrote to memory of 2712	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	jgEYAgMw.exe
PID 2380 wrote to memory of 2712	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	jgEYAgMw.exe
PID 2380 wrote to memory of 2712	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	jgEYAgMw.exe
PID 2380 wrote to memory of 2712	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	jgEYAgMw.exe
PID 2380 wrote to memory of 2736	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2380 wrote to memory of 2736	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2380 wrote to memory of 2736	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2380 wrote to memory of 2736	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2736 wrote to memory of 2680	2736	cmd.exe	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
PID 2736 wrote to memory of 2680	2736	cmd.exe	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
PID 2736 wrote to memory of 2680	2736	cmd.exe	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
PID 2736 wrote to memory of 2680	2736	cmd.exe	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
PID 2380 wrote to memory of 2720	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2720	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2720	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2720	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2628	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2628	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2628	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2628	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2148	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2148	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2148	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2148	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2380 wrote to memory of 2920	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2380 wrote to memory of 2920	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2380 wrote to memory of 2920	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2380 wrote to memory of 2920	2380	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2920 wrote to memory of 2540	2920	cmd.exe	cscript.exe
PID 2920 wrote to memory of 2540	2920	cmd.exe	cscript.exe
PID 2920 wrote to memory of 2540	2920	cmd.exe	cscript.exe
PID 2920 wrote to memory of 2540	2920	cmd.exe	cscript.exe
PID 2680 wrote to memory of 2792	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2680 wrote to memory of 2792	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2680 wrote to memory of 2792	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2680 wrote to memory of 2792	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2792 wrote to memory of 2816	2792	cmd.exe	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
PID 2792 wrote to memory of 2816	2792	cmd.exe	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
PID 2792 wrote to memory of 2816	2792	cmd.exe	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
PID 2792 wrote to memory of 2816	2792	cmd.exe	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
PID 2680 wrote to memory of 2840	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2840	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2840	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2840	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2624	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2624	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2624	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2624	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2868	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2868	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2868	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2868	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	reg.exe
PID 2680 wrote to memory of 2896	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2680 wrote to memory of 2896	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2680 wrote to memory of 2896	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2680 wrote to memory of 2896	2680	2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe	cmd.exe
PID 2896 wrote to memory of 2164	2896	cmd.exe	cscript.exe
PID 2896 wrote to memory of 2164	2896	cmd.exe	cscript.exe
PID 2896 wrote to memory of 2164	2896	cmd.exe	cscript.exe
PID 2896 wrote to memory of 2164	2896	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\VGIskEwo\YuUwUgIw.exe
"C:\Users\Admin\VGIskEwo\YuUwUgIw.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3004

C:\ProgramData\SOMwAMkQ\jgEYAgMw.exe
"C:\ProgramData\SOMwAMkQ\jgEYAgMw.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
6⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
8⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
10⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
12⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
14⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
16⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
18⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
20⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
22⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
24⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
26⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
28⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
30⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
32⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
34⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
36⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
38⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
40⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
42⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
44⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
46⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
48⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
50⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
52⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
54⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
56⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
58⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
60⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
62⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
64⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
65⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
66⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
67⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
68⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
69⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
70⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
71⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
72⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
73⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
74⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
75⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
76⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
77⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
78⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
79⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
80⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
81⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
82⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
83⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
84⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
85⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
86⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
87⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
88⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
89⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
90⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
91⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
92⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
93⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
94⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
95⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
96⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
97⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
98⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
99⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
100⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
101⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
102⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
103⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
104⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
105⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
106⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
107⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
108⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
109⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
110⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
111⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
112⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
113⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
114⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
115⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
116⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
117⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
118⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
119⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
120⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
121⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
122⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
123⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
124⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
125⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
126⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
127⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
128⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
129⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
130⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
131⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
132⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
133⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
134⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
135⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
136⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
137⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
138⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
139⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
140⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
141⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
142⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
143⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
144⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
145⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
146⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
147⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
148⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
149⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
150⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
151⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
152⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
153⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
154⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
155⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
156⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
157⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
158⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
159⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
160⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
161⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
162⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
163⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
164⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
165⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
166⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
167⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
168⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
169⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
170⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
171⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
172⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
173⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
174⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
175⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
176⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
177⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
178⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
179⤵
- Adds Run key to start application
PID:1708

C:\Users\Admin\JCscUAcI\SsMsMEEs.exe
"C:\Users\Admin\JCscUAcI\SsMsMEEs.exe"
180⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 36
181⤵
- Program crash
PID:1932

C:\ProgramData\yOgwUQwY\rUwEksMo.exe
"C:\ProgramData\yOgwUQwY\rUwEksMo.exe"
180⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 36
181⤵
- Program crash
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
180⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
181⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
182⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
183⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
184⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
185⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
186⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
187⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
188⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
189⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
190⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
191⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
192⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
193⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
194⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
195⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
196⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
197⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
198⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
199⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
200⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
201⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
202⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
203⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
204⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
205⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
206⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
207⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
208⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
209⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
210⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
211⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
212⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
213⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
214⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
215⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
216⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
217⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
218⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
219⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
220⤵
PID:604

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
221⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
222⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
223⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
224⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
225⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
226⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
227⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
228⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
229⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
230⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
231⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
232⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
233⤵
PID:424

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
234⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
235⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock"
236⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
237⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
- Modifies registry key
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYkgAkgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
236⤵
- Deletes itself
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
- Modifies registry key
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmAAUcoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
234⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqMogkMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
232⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKowcogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
230⤵
PID:1744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CWooosAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
228⤵
PID:632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
- Modifies registry key
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMAoEYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
226⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
- Modifies registry key
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkYIEAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
224⤵
PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAokYkoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
222⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
- Modifies registry key
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hmggoowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
220⤵
PID:2856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcEAUMoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
218⤵
PID:2256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies registry key
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiIcsAcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
216⤵
PID:2928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eaMQwkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
214⤵
PID:1820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\awQIcosw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
212⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIMUgowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
210⤵
PID:2608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies registry key
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuAcUUcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
208⤵
PID:1236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAkscEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
206⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies registry key
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
- Modifies registry key
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rcIMYwYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
204⤵
PID:2332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- Modifies registry key
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCIEwAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
202⤵
PID:340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmcosQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
200⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUswEIoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
198⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmoAowkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
196⤵
PID:2120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
- Modifies registry key
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eEUgQkcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
194⤵
PID:1344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RsgQwUEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
192⤵
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- Modifies registry key
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQMsYsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
190⤵
PID:1980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies registry key
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bQswEAMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
188⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEskgYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
186⤵
PID:2000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CioIkAQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
184⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sCIwAckI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
182⤵
PID:2388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VkQgYwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
180⤵
PID:2836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zqkkgcAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
178⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwgkcgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
176⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgIoQUUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
174⤵
PID:912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiwkEoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
172⤵
PID:2076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMwYUEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
170⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIcEQgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
168⤵
PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCUQkQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
166⤵
PID:2964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
- Modifies registry key
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwckYkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
164⤵
PID:1532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
- Modifies registry key
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKIEoUUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
162⤵
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies registry key
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cysQswIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
160⤵
PID:348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WmcgYcYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
158⤵
PID:1928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\csUkoAkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
156⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NiwgosoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
154⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vssMkwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
152⤵
PID:2272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zakQYYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
150⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCoMEAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
148⤵
PID:1040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYooUEYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
146⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ySwEEocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
144⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OKcsUwIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
142⤵
PID:1696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EygAwIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
140⤵
PID:2760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- Modifies registry key
PID:852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmEgwUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
138⤵
PID:2608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- Modifies registry key
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jockgoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
136⤵
PID:340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NyoUgcwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
134⤵
PID:928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rWMcAwQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
132⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwAYwEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
130⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UygkIYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
128⤵
PID:1776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies registry key
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UEEIwMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
126⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aaUQAAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
124⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
- Modifies registry key
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oeMMMIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
122⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\diIAEwMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
120⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUAwIMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
118⤵
PID:900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VKsIAcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
116⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hUsooIwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
114⤵
PID:2900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCgwsYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
112⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- Modifies registry key
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ioEIAYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
110⤵
PID:748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eWQIAAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
108⤵
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
- Modifies registry key
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zqEosIEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
106⤵
PID:1080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwUQUkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
104⤵
PID:496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmUwAQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
102⤵
PID:1476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- Modifies registry key
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEoMIcco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
100⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIgsAEcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
98⤵
PID:1180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIUgAoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
96⤵
PID:1636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\siIoscQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
94⤵
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- Modifies registry key
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgsMIYIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
92⤵
PID:2092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
- Modifies registry key
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tkkAoAQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
90⤵
PID:2784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nOksIUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
88⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- Modifies registry key
PID:300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKoMcQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
86⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- Modifies registry key
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCcggwco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
84⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQQUEAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
82⤵
PID:2836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcQIQkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
80⤵
PID:1944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EiQMoogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
78⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOAIkYEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
76⤵
PID:1232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mGkkswss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
74⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQMQsMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
72⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyskwMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
70⤵
PID:320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYkEswMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
68⤵
PID:2840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies registry key
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FOowAkUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
66⤵
PID:2684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EwQYwIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
64⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UucgEUQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
62⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYsgUwkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
60⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QEcswQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
58⤵
PID:2068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWAwEQYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
56⤵
PID:484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGcIAYks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
54⤵
PID:2736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMoMYIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
52⤵
PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JYosYcog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
50⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CuUoIgsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
48⤵
PID:496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ICYIkcsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
46⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- Modifies registry key
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qsgAIoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
44⤵
PID:320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmIYMgYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
42⤵
PID:2964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XCIsEogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
40⤵
PID:1920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JYgMkwYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
38⤵
PID:2768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWUAgsgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
36⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SGQYUMcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
34⤵
PID:336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QioMwEoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
32⤵
PID:340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iiIYwwYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
30⤵
PID:2080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies registry key
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOUkcMEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
28⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWcQAEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
26⤵
PID:2160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\boUYwEAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
24⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\buYUwgAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
22⤵
PID:1292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEQoYcUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
20⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsAIsYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
18⤵
PID:852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\csgQYYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
16⤵
PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEgwQcsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
14⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWwYgkQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
12⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tGwEwsMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
10⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsYowYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
8⤵
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAoEsoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
6⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
- Modifies registry key
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAoMQgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EUswkkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12206771601957341094423709540-169709925617058006791434308202-1737759719-243798298"
1⤵
PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4923033961591051665-20332195581441440581224795237-104535303487646043283400633"
1⤵
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1652678481-468684609-1281517735-549596980-20492338361418362680639930119865068611"
1⤵
PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16249934791767704157-1591696761-1499285172120708776-616671672-1208672902-2077657907"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1912085384-227632099-208373905-1837831321-1304002213-1026446256-448227196709753885"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5102217791213134262282837702062128833-539762545-238900575687299980-1676396740"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "86866242-387570384659993474-370092359-15667024121147865329601288103684106544"
1⤵
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1940924435-1929213225-1776892782013800988929592211546974455-829723740-1851418598"
1⤵
PID:2684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1712965521-1434654708-817342278173011685915778886602119584034-1590253734-398351781"
1⤵
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "55630115255092583516014813651094545216-1735097842-241897584737925640-1663645730"
1⤵
PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "877917652-1200945325141600021355926619-2057490211-1794218989-284359728-1843562271"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "484916953-191798923488034031015675294512044686339-868582780-1818563904736722703"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-171924103414387448951097667668-183609185710559665144272411109242443381776913835"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12429808491164887833-2011869715-1855849016-334740784781815638-11423405931525369147"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2089530684-8425334691522851753-1311314172-11978159781394253557-14282767871932106759"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1996736518-18387385851647865799-975996356161946284-1396192337-988138620862146522"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1942547391-57690820-343450874-1939446341566124927-2003985150-626982582222488519"
1⤵
PID:760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1591697750-367795092-901779810-1145039851-206327919284175301326573887-1378689816"
1⤵
PID:1228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "582658371-18935338793899139741600878928538239351-1312942591-9029504491770626876"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1081428361167181618-457602984-2088485340-7133821141443038623928643013386790640"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2022994138-1369992272-13691692255974777951527213096-1711773881954558142-1534731160"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1232712144-639203731475957769-1907597721-8365781721097384610-13251705301734930113"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1097696709-595614864-1649567949-1804442061-1112224939-1980058315-634376514824485890"
1⤵
PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1087542212-11419589021039241021-1107692897-1083527674-1654176291-1585853994-883287856"
1⤵
PID:300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-84623389812721013491607424911-854344454-20529766962093600275179983402049327185"
1⤵
PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1432736920481903346-1664650497-1050127563-1350514952191114180-1811881944-259080631"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18601155485114328098123123821402688050623811401101245336-1350797320-513317454"
1⤵
PID:1940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5528358761458924469-144224537118416200911003673198-1005558280-2707779372014860609"
1⤵
PID:2432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1197483857391394641-1628839521-8618780301833821027194000768-19477126611293515493"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "30518519420383807101513969023-685532033105314402414513718801049053710584499057"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1437976808-2001568832-1202148832138334499-2964267421820107404-1512782654-147747687"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "647717700-525900477-83654665-1176941657-668336024-113463795610047435721680095310"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12400055484485367371590372642-857136857-10517193211582717407-1298898635-191968192"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18547980631205315204-454797039-769259200-1660835849860904630-9939267541611598696"
1⤵
PID:912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-67920797914436172781305170768-1872669600-1454180316-171028914307213055438190914"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15777973348579905701363471425-1901395526603882581673117322-877222390-2036388659"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "512475986-99107794430634286-610893741-18784548921838602490504731103-1806060494"
1⤵
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1447449177-7403353091205943920-1315328240142215993266539447-1955069032-749010923"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1794202219-148258978012624753376826785781564814901-772024287-646122272-586591268"
1⤵
PID:784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1871972509-1502215937-8402691856508486873766278531762557409-1609505156-808694146"
1⤵
PID:1784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6632736341272024485-1854196811707081148-360159067-587962841777899484454983610"
1⤵
PID:1236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2032533625-917220632-55878948411822512251078050238-20970500491987694939-1209098551"
1⤵
PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "613063358-453056013-1238044851118166413711488265517779463-1033761108-687002028"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6270107771196057395-1754960646811461375606983595-11215124357016484-2113221095"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "977972718-1380712300991678319-2042450793-1189285711-21092046021867344605-1413936199"
1⤵
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3217465062044641383205710123514956194771797970933-515622137-18864960601991458460"
1⤵
PID:308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "745132209-1284161655374395934820877354-465785604-1301894806-427142364-1157191729"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8106495759418420151598951460-1805955422-204764160221894097-1040962908-15541920"
1⤵
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1319580779134222917830121891004410969-454238905130819955813543863481029543431"
1⤵
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18020446996302113711353748501215398714-1875669915-1537968565590586757-231512165"
1⤵
PID:1088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1962662761994625234485046740455825605-242716364-2029002667-2061815071220792034"
1⤵
PID:2988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-965120940-969967199489930694-1454471776-56052743416068713951174840813354931139"
1⤵
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
224KB

MD5
89570844cdf612180b73b9d168ab08fb

SHA1
dad62b8c2dac4ffc4ba80d2e36840844e25c84b5

SHA256
686a51a6677a4ff3b3cf3022832fcacef35cb8d33d89f5c478cf405e5028ffad

SHA512
7b6c6bf3d12d4e954887bb2fc9d83723c7c040b3f6a8d945e45b79e45a2e2811d9ecf596316973fceb91b5700ff65c615cf703629664e0bd1bf3a7dbf62aba11

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
Filesize
247KB

MD5
6058c07891cd29aeb2a6f32eb8508643

SHA1
c373e3074d85fe9bba85ca4fab6d3cc348a25a70

SHA256
6dcdfeab694b4bbb3911df3c00cdd750f847702b91ad2a0c6df0632e78eac768

SHA512
afc8ca4504fbdb693ea7ea48c6c67dcb34c0c87f936d9aa6adae07dee601ac260f390e6c297d0171a58f3c4169de5f451d1ce42e0b40879a3bbd1934e4089f81

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
Filesize
252KB

MD5
d63fa37acf388a27af68e0359018c5cb

SHA1
a741e490ab4207647fb5df7fada9d6e1a958f9e8

SHA256
5d923177843c534dc71534568f033fff9f7877c9505115faf4477fcaa0c1b0b5

SHA512
c4e583daa3dbcf7a517f70b3bbd5c9afb5113b2c92579d96c5bce7473b5727e8ecf48874de2c2cd7bf4cbc236e84de8ecf123187fdc39678a5b236b778f76710

Download Submit
C:\ProgramData\SOMwAMkQ\jgEYAgMw.exe
Filesize
194KB

MD5
359c2e310dfdda67715f98660bd8b621

SHA1
db9f59f1ad36b856ff3a301ad6f2f4ccd07a8178

SHA256
aadac5ecb6d1ef5ec1d57a4bf74c224783a3ae881ac901cee7ff35fffdfbbe5c

SHA512
37463b215ea3fc1459ce4f1b2891fc0eef089374adb817abcfcd76858fb672cc156b6580b938424c2007bf429e018e7e83558eff930c6cb3785f97340d464d5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe
Filesize
191KB

MD5
2eae8c23829d858d231e14537eff60c7

SHA1
a0e23abbe0085960031d517146c01042a7e06aff

SHA256
8c2c84464424ff11347376dd01f8c4f29468a9d17ce9c3a210d16c2b9174a968

SHA512
60be022ce07b1c67d3a89febb69ebd8931cf9a9cfc446b996e1e0e8868b3f606123f23b92270d3c4fdcdccf243de82201af57af3572e0acb5c7eaf66945a7276

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-26_c534263fb8f5357f570835ee30329566_virlock
Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAcsAAcE.bat
Filesize
4B

MD5
48474f4d0bb07f8be3cbde6b81742264

SHA1
134b85807e2d903b9602ba6434daaa641c140c0b

SHA256
13a724f3a3a3ce763cbf87eac619824893d2b737a3f1ab4ac5c0854a4cb4b25c

SHA512
e33b5cce188970c77b8413593ad8ba50553af547e11852e71d178d9bc3855647d818c67e4704ad9f5b50c622eb1379076d7eadd28c30a8175944e54d2199249b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEsU.exe
Filesize
695KB

MD5
f3f0341292c5a0a5da05c3a75fee6964

SHA1
8924a7b6aacb42b86534c9622fc9f40cfad3d91a

SHA256
030052cdd8bf31fa0eb429f7943c34e7df3305073ddf675041517b08cbd16b99

SHA512
a0a6f5c5bacd69e8da573d5d2f19b830c1aba9f37d26d412b36a1d757f2ab06d74d0f352d3d24a8834c34d5807cc1cc7f3b2c0fd444c705fab3da3b70ca1fdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcQQ.exe
Filesize
1.0MB

MD5
370b95f863a5ded7e6d8babaa68ac2a7

SHA1
a5555c73f09951128a2c7e1b304d58b8a33100e6

SHA256
f40993a86634282b755f713e56a09545da7ae789d4931ce2f805b1e9fdaa7ae8

SHA512
5f6711b08d07cad8455e9f267b0d1f46daed9faa82a5763ff0e149b4e6bbaccf6969cb52bb176eadd113d8efef933ff71cf7126517c0d95a25c48ae62f72ac3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AewAcQwQ.bat
Filesize
4B

MD5
7545354225aacc4bc5f0bc639c4ba649

SHA1
00ece1c8ae5088540892bd640e2fa92fc1f4bfb4

SHA256
4e2ff5f4c3c6ba668a5205cc7b8c2c513624cb8d5ff428dd36703dfd77077390

SHA512
72f83c87d892557f5f912dcb2ef5b3832945f8e3f0ccd54b7aa34fe38091d69f89c04af5d43835263fcc2b57c0fe15920ceb9a06c9c8e82069c57cbaba27c65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsUwQYgc.bat
Filesize
4B

MD5
cfe6c9e648571449c55f1101a3a7ff7c

SHA1
5cf18b95830f5a812734fec91cd38b038a9e3931

SHA256
223e9ada5d1b7a3e951da93fdbff31d971159bc8f67129041676b349d9192585

SHA512
da678a5c5caba623eb8c2ac280d38f7e9ad982120244f2c2de345af358a6e799c7ac6e035374966cabe4bbeeef11d6629e268e770d436bef5c84b4a211bfdb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwcUoUMs.bat
Filesize
4B

MD5
72fc2caf25dea8a15d6f299cad8c3818

SHA1
48001238cd7ef1c3e718a1ee1e59c0a7c5b72a02

SHA256
56dd2468656dbeb173272db3d4875b3c3e355131fd12562540e9037f9c7b1b9a

SHA512
5e22928954b8c2f456ef5198b365d64ecebe427bc723135e9819da96cf3746fe99f97d1dafb5f9207d301a337837dbac7370d4e429c00ef927d31a95db9e622b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCIIkgsM.bat
Filesize
4B

MD5
50eab499918d59b6a120863bcb622e5a

SHA1
3c8089efbd88c1c579b39fc85d722611579698bf

SHA256
3a9b65b283fdb9885521f6090baa40ba952a06e1e5f6eb942e81f2721d6cbe09

SHA512
7716b2c8942e6e3cc9a61f8e0a82abf1a291ff51581248dc01c9e5611c497ddc89e5b21220e2f4cc77efe3b6d58cebd014e3a458967705c153f9b3ed370b4296

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEsm.exe
Filesize
239KB

MD5
72b3df1380379b88787e1d71a3f33dda

SHA1
fb92cecdfdb281ebc1009562da439fa4b59af2ba

SHA256
7f17efa9d96d188877523dac347a390bbb3b5054c43c48159c2667256648d6f4

SHA512
83e7834596480ca6a281b5ce98b9fffb88612d358947f48f37cf7bdd8e3c91c92d99586fe744e6ac3e4137d1fcbc0eec5ad67473f48ac9971359b74b3ef0bd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQEO.exe
Filesize
244KB

MD5
40bd22e22b9346606bb394df365d7a61

SHA1
bdbb53096dd75840acba9e5a57e853cf25784408

SHA256
a98bb4dd8b386319812d547769436974a9261698f7dbfa852764075020747bee

SHA512
9cbdbfca8b53c0d3fe2fc11fd99eab732039a62c8bf9cabe884ac9baa4d0bf9ad8aa6d64253efa7c8a322ae5ab86c9146484c623821f60ddbe46def7570a9ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQgo.exe
Filesize
227KB

MD5
0450fba28e9d48c1ca812653e745fc1b

SHA1
347c8b93dc33c31b55efb3559c145fd06e2529d9

SHA256
708722c04e2e6d1e64ef1cb619f1453ca668c0a0244973cb37cb9da1adb1106b

SHA512
2b51166e3aa253a135be4048904338eab63a4ccde9c385437913a5bad7a9a3c52f4451c68317f97ae9f2f9137cdc1316c38b89b427e3752e05e5d33c6c10c5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUAk.exe
Filesize
191KB

MD5
65552b0a718d0c6de43225986f61f2e2

SHA1
bae3bd23d57058ac3d0f6f25642dded53da277b6

SHA256
289fdeb21287a6ad33a5479b78ab7de772de1fedc77d7a0979899ddfd1d66117

SHA512
a92542fdb62b6132898b4f1808e72e88693ec69973471f7aa0afe797cafd4b8e76d093210d4a948092bef774f70b13cb08fb1e2b0da0c12803bd5a945da8306c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUcs.exe
Filesize
219KB

MD5
98df33747590bac0b37f980ef8a49458

SHA1
85a1648a1adfc7deda0db0fc19114bc1d00a4052

SHA256
6e6a278ac5cde0eb1a0e4cd532e61c16adf19e8d3055747dd38f9f7284c8f59c

SHA512
9fc2fafb302f03481215ca83fe7a1cbc0cb6de5a1b85e57d646ce14f1d36c84291d5dddeb55ae2a6a7c94c34b14bec233ea034541eb744d5ee8389333dd905ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CakooEco.bat
Filesize
4B

MD5
b23f567ba5a935124b32d521dd8943bb

SHA1
6b368b44f580998a9c920cddaac38ad0bb678534

SHA256
050def7949c04ece992bb2971178984dcd4e6fba0e596065427324c7e13a3c73

SHA512
2b167d380feacd6d76280ab4ce8c9657fbea8d3580f510f5933f30d17702d2f79664aa7d6c0f5c56222fa7dc15f6cc184da0f98829b75f7da3ee02b33e9972cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgYa.exe
Filesize
233KB

MD5
2c8137ec7cdf289980439c60f9071e2c

SHA1
e0671915f9f0a3a34d730ed297e60635ae933d2a

SHA256
6cd1bac202952fe41f76b86497da8ba8b555efd49ef8d244421cfaf9babcf70d

SHA512
f3c56387397b77b8d15396dde85ec0f67cc535998a564d63bfe614905b61744b415f2ed44fc6a66f46cbd4d2311007768e8d8475ba2b81a8c8d964fa03814299

Download Submit
C:\Users\Admin\AppData\Local\Temp\CiYkAsQg.bat
Filesize
4B

MD5
bf2e9a1fa099ae3f4c0cb255962bef20

SHA1
c372c1173d67c6cb55b041d2fedf1ed03e3e05ed

SHA256
f6b256ba056c64db3d22dad153f5d5a169da8f469870626b8b1a17c2cf057ec0

SHA512
7a856c4dae53c8db04aebeb7c65a6ec3126eaff24f1f903dcaaafa46dd44a1c3344d95bcb406deb30fef210b270f93ee797bce14a00ce03661e466d84a47b7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkMM.exe
Filesize
236KB

MD5
57ac2f6f17e0ae8995f21031599acb9f

SHA1
18934e86d727b4e5eed77fc74e2f49a6f502f32b

SHA256
cb62f6f8a44c9d37ea84c0e5001703f31120e1b68375589928e87f6b0d3851b0

SHA512
9c15ef627dee62bdd1bfe4b61c1838ee3cb5fd3085035e8c198428727fa2f2e8b0b81e8b51a2abd8482a446503d7be448cfc5e39ed3b2afbd446817ee3ad6865

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckgg.exe
Filesize
236KB

MD5
ae97bb2ee4a29c20b4e1c4156bb13111

SHA1
fe72de5ceae417822372ad1b66ba5f40d23f889e

SHA256
f63eb349a396477b1a29b3a349cfd80d7e1c12775240833a2b1e31924c3dd02b

SHA512
2c6b59c86339906bd313e27bc5a8af4d8c2cc06902e7c767e60f30fe8b09c75bf0082d7f084b836d3a818582148687808575d600382128e7e81deec1842575da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoAS.exe
Filesize
8.2MB

MD5
0d3c2073fed6d7ddc2775ada84a76910

SHA1
f07660b1ac5c117d2a9f6667c942644d47b7a3aa

SHA256
f29ee26d9be853b82ac54353caab238865f615004ccdb63f5da8dfe7ce00a2a3

SHA512
3ed0c1c369523d0a997faecf7e9727428d5dba6c7ee9f355e979d23a8459471cbabd54c3ae206f4d5d4d5268e6132e2210ad8a45d090ebe70df3eacb03d5a585

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMAcoIgE.bat
Filesize
4B

MD5
cf5512dcc06205bd17142e2b19da647e

SHA1
677897fbb9fdc80221ec6e3ab055f6bfa2f621ad

SHA256
6ab3ae693c472cabd41f4c53be819e2bb20f49f9b3c05bde6e5eb6e890d7d81a

SHA512
95a29d805c5144b1288525c8f6bfa6593dbaf00a1a3d28c338cd9a511b05c3aa84cdd4b717fe51745edc683591bfcae377c15825f7311f6c7c53a96fc1365cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAEW.exe
Filesize
243KB

MD5
40c91e573aa32fa37be65b17d6600ac9

SHA1
2f717344560f4e7b7bd558718c514996f81f188e

SHA256
428d2cb1ad262d573bd617dbe63dd542c9a869d1d622623c98a4074cd962f510

SHA512
9961b7cbf0fb6540f901c1851eccdb842e184df7f9bf78eddbc4d3a9d6c8801573d4a51ecf3f6b5cebe0e1cdc3efe862f8395957a21aa009cf34b36f96b773c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAgw.exe
Filesize
319KB

MD5
fb5acd85d4ef127733f97e548c5e2517

SHA1
7a299709c56f347131f6f885f5e3119edca4c29d

SHA256
15e25e286074c5e37a5d6c713ba122dd836e20bb7a10343ae14a070b6b166ede

SHA512
4c9923a60d17799b5fa90b1989cb80127c2c8a5ca73fdc8d3c008e5153d96c17a01acbe52cbe9eb04611ef65f8a3e4496694edde069e61e1b5c1468a155930af

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIUC.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIwU.exe
Filesize
235KB

MD5
fd6d2c36d1b2fe452597756efa20d053

SHA1
901f57dccff207c09db020326c346f2c131a7202

SHA256
8ff485697e984901863d245d52ed33c54fcb6bd7941fa598eb63255efdba7ca6

SHA512
abc476a09c6a662cef0ebfc85260cfede1dc3b52a8ac4b36c6b7b660947724e075de9c2c68a120fe559ce4751c70d0aee50eb1c292a2fbf622fac13aa4af74cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUswkkos.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYsO.exe
Filesize
210KB

MD5
efce57ce70db06138ff89292a33397e5

SHA1
24e33295ed39df2d960056abf0ca1454f3eb6cc3

SHA256
81d0e05bb1f56805c19d9ac0c5d43e815ba26ca7c344117de2a90ff5faf8d619

SHA512
8e0d423f7099bc8d32bf6b4adf0b52b7bdf113463ce1c8713ddb93455e2f6d78d92b513baaf6e1c57399eb28788715ddb87646c854a4a323461b36f0440f485a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcsMkEQs.bat
Filesize
4B

MD5
c6c9cc91b5286b44572af09680eb6c8f

SHA1
ca28cd8e5f04061fb7af1c9e6feb8443d8f80416

SHA256
273bfdabdfe11b3d4d9ef2e499a92fb56d9d7117f1645a047b845411c946e68b

SHA512
580dfcf7652a6daa5c3f2b900d877d1f1ecbd4a50c6dbae928796e7361dbe165a5ce6e4741fb65d16087928e6c3cfb3ded38c2f552b39609633d78d2000e9a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eggc.exe
Filesize
311KB

MD5
e5fc7837352afa77560a02069ad81d92

SHA1
9da9538a09c610a62536e82c60672e8ad539f607

SHA256
6a4fb516c15fed2395c5d7a45fe0049ea2565a5a98402946bd3ebb8b6b699cad

SHA512
2521e4d594bad0c2a4d230d7cf8875657f96f40445a1cccf6ce0884eef163e052e888b221beae2a2d761e100f1efc401d40971e7d0f9c9a28dc37ce46445e6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsAy.exe
Filesize
192KB

MD5
5072aed79ae027335fb3c8362050c9c1

SHA1
0b8d79d144e70a2b6ac841a704ee26a52455498e

SHA256
74573211543deef9f2cbf774e5ff8bb848608f18b1ae93c51c52fc27cac8964a

SHA512
750b27f3528198f327ef7bc54ecb94ef987dca124dc551be45a394b5af0e94c532e9bd0ae51c51a567028af646dd6feaba5f8555ce37ffe2b977489f38fd25fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwYM.exe
Filesize
634KB

MD5
bfac3d82adbe1cb68055cceb42ffabf7

SHA1
35600e81d49cfcd8eb457b1d6920f39fea9ed505

SHA256
2436135382b4eef61409cb5e423f86953d771f35c60289dda7698a2b3d16f5a1

SHA512
2eb935a3ad6eddeacae0573f03a0da07b085854ad81adea2b3eabacb6794350713e5419801edf978d549c89871f4c4225c49165b8067da66b8e08c5bded10279

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCkMoQIQ.bat
Filesize
4B

MD5
8e7d8cc50fb0a7aa34ba5713755e65d9

SHA1
6904475d5855b096a011c57cef0b63e68cdb9beb

SHA256
04ebdfed23bf57fcacdf6e38cb53bae137ff8014251f6698a14ba8355d275050

SHA512
9261679942848d3d3554a3d33d10de9e93b203f07db7b781cb13fea058e06984c9c1e8736c82e65f21523aa4a9630346edcdf44d25e7a5233e557826a92ca626

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaAYwgkk.bat
Filesize
4B

MD5
1f5f7d38ca6d23d342314ab16ccbdb59

SHA1
a3b414b4f81fddf8cbbb84a8adc476e85a5aad98

SHA256
6e33aa62926df9c76ce803898880af92b9975a235203a53a862f95de9e1d0c21

SHA512
ceb89f5962090df1d1cfcc7af474f7e033949d4429757bb7e24b00d21db50c41a12b754e79f990dba648549969dedca77ee69971d413ba0b3806d2435da6227d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgckQkQI.bat
Filesize
4B

MD5
a62865bafb4f5a5c6741266c6c63080d

SHA1
e625dc2d5d582cbeae899bcd47fe76bf0fb34d47

SHA256
572cbee2fbf484e315b441732c887465ec4d5b66e2aa071690b6f3489986e5a4

SHA512
9af12e590f58ff62e6fc8e6ef7b9010b94ce00b00dd1fe8e2b8d4df40037d13abc55ebd41702f89bc2048e1eaf193dee119ed69cd7100abe40ad6389d60ff42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgoAAYUk.bat
Filesize
4B

MD5
f930829b44e2ba534e4b7e2ed5605b8a

SHA1
8692fa9c32080c53b5598c9994aa1eea7fec2466

SHA256
c7596e0c3588a6c7b6a64ae39db9f93961069731e3868af819c0cb424459505d

SHA512
4986be35c677d219b63cfe93039be3559a4e28163e57fc4bff80954ddda00f1ec58bb65d5c3338a3a170bf163c97a151ccf9cec882fdc4ce4199f536f634f4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAsG.exe
Filesize
241KB

MD5
28ba222dceecc6f2b552bda392c44dfc

SHA1
5cb0088e58e47ee98d661888efafe5a62b42791e

SHA256
c770bd2332c2692b5ca3ee951eb30e04b31f8d12a68db936186b459712f7a126

SHA512
9c76213673dd9ee8fc9835424ad6e8ad4b8f9b0d2649ece2cfc2716de7eac11b454099cd7dffeb31754baae5f2fbb30a35d5e01982f3270685702697195b5f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMAcgMsY.bat
Filesize
4B

MD5
5730170bc4e02e5928eea339543303c8

SHA1
02fe481b19f41f6d10448b7ce62d5374fb5f4ee8

SHA256
444b8674c0c608932cb64063754038f58f4da3cd416b5be2e86fb561a74e4ec7

SHA512
5e0df9e40787b6def607d9dea286a95cf1f7724468c1d877d3c913586120b45358f9984a18ec3a55ff8d9c31aeef5aa3188f511fe62e7cf940aedda807a01cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQkS.exe
Filesize
228KB

MD5
bca0fa3b7082fffed1effe9354389084

SHA1
662d8e5ecef50c2aaec4347a675ed9eed6f00207

SHA256
22af7ce4109308a94d56aef47de8cd4eef430851341f391461ef8fb5a09455df

SHA512
15a3421917b60e6aeb979757b7a03b55d1abfc5f22f33359299017004d190dc8ed6a2695c2dd4d98babaaa0f96010f2cf782101b3db584b44bca5030b6503e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYAG.exe
Filesize
230KB

MD5
1c0896ad372ff18a124b2f1b96706396

SHA1
1dea0e2f935ae53068985eb6a6b31800b15619ec

SHA256
330f14265636fad0e18c1c1500ba1cbbf002adb0d839a4d7a301ad55cf40a1f2

SHA512
8bf32e509cfd7184a00c0f2c11d47af38ec857ca064c245f6dbe1125a4a1810d38eb9fee0560d40fb62316af9e44c9614903239cea056561d66a010ec361b122

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkUMEkow.bat
Filesize
4B

MD5
1eeb081b520a41ddd0d187c935f48c9b

SHA1
0f73fdebd93c9cddb857f5ec8b77e3a71c266679

SHA256
89b3fb211486357606c5744c9e9e88e8e47f304f1c281f3590f0217c657f5796

SHA512
7f74443e6f4e20dbeea3b1264d56798a41cf3042869bc4f508f8ee4ca7a834a422424d549a3e418386029942985f087f0207ba9ee60275ff866b2f9f4e54acb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gooo.exe
Filesize
1.0MB

MD5
7bdb28c5fdcf03c2131c1c06a96d8eba

SHA1
e38d079466d0d80e4727501dcfb29962fddb1f0f

SHA256
f33e7475b7f135ecf9d2a08987812110daf644c830972923bea79adc61bc7990

SHA512
89da17d15ce7b1b937238addd70a08673fed5b357cf3440b72ea92b1a134f0fb3bd7e3f8e0d358325063539e26caf5515bc40ae8bf92b661b5243c214e54bf36

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwUq.exe
Filesize
231KB

MD5
4647d7d0cfcae1514c09d226d6eaae68

SHA1
fed5ddb66dea7c60134d9c553d90155b5f6fb0aa

SHA256
d2bf8de07c51252ef70e2cb38153b5e89a9a109cf2d501011640fc12f6249f2b

SHA512
2e2ccbc0b6803eb32c722895f48a32cbf5603f6a883821df24a20ffa83832a301ae99cefb064003f83fac2847bb601216d6dd77b4c3cef907388d28c6acd64f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmsAUgwY.bat
Filesize
4B

MD5
186bc22d2565a5fb67e61ff8c3c1c5e2

SHA1
faec84325455d26f7e1796204a813a2510422346

SHA256
683d47ce8b45add872f30f869947f88a263c8f0e0254e3f454f846d76d13c171

SHA512
7eb2480d966819f6c83dd2cbe661fcbc5d14e12c8b2f8bed8ba9455822bd6f91d234e7b17a301b41c687787946140c738261ff6c40021c712328011b3dbd13ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMAUYIwk.bat
Filesize
4B

MD5
b9a74db8bb5c2b7d3d6073050fb6b0f2

SHA1
da42d14a94cc24b6b289aed52f25e1b59001558d

SHA256
466988cb1b10019573606a53451a16b36d7a6066ac51d262d1fea02a6f056f4a

SHA512
fc79aa89405a0bce56d7940eb5d0b57e1c1cf892d162d973be9e643fcd2602b9c5f045e4e3dbdfcdf80e6187c8f6616844965c31a8aca8bbd1dda8063e7c4988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQQosAMQ.bat
Filesize
4B

MD5
8307a8fcacb15fe986831e770e7b7de3

SHA1
4ba5aecced3742d0246869afb89b63392e15cd78

SHA256
e6edef19e3ecbcd8250f57d3f567057aa1b2346d4030bd87089759fad9f16e0c

SHA512
c0490627d7ba2d8dcf2d2cd0889eaf799c3456eee63b5cbcbf130b456034844a8bf4cb7c8fc0b5b8e716622bee390c2455b9c273307cc8d2238de2dd23a104fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQwA.exe
Filesize
826KB

MD5
c6b6f50ac92b8c4a83524ceb95da795c

SHA1
ccca601b6b91df175dd89cc6985a2686f834ebce

SHA256
ffad23f6f2ec667dfd7627aec9c2599ec9f56762235588d825a278afac49b764

SHA512
81968c546300b2fba26ba4f3318517588d807ce224b3430e5cc6d6b5d381ce8db437f8f7d38ec5f062af7295fa5a867d18c85a925e02c817224f03a22928b5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEA.exe
Filesize
232KB

MD5
308e34735953ab5a6492a421e5707fba

SHA1
3d1ce07f5e621d84fecd57bfc7d2cd593a1e7492

SHA256
9d48dad8fd89de212d0259a3e51e317993b5ec0c816983531b5b13996c219424

SHA512
d2069d09df60943ba4c27c11a294266471c418f33e150712d2d292a7ac752f532c8ec210c5049fecb8d00599ca498a6fa3de5d02500420909d4d8e67788994c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYkMUggg.bat
Filesize
4B

MD5
8e1654878869081db74483b70ceb918a

SHA1
88b11796504064c39cc1531079fa77fa5e33718a

SHA256
7e99820181ed8d68de8398c83d48fdae7705e181a7bc1af7cf1af70aa826f7ec

SHA512
21dbf1514be0bb69daf03dd32b3316c2e7b77a3d54fac6c968594afd05ad785827add8dc65cefb862792618a1cf1d3206a15e30cfe2381b8dca86c26da30288c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwoQgQkQ.bat
Filesize
4B

MD5
a49cccecd01be238032f7c561f033580

SHA1
7f423534a1f22ed87a30bab906ad9a68ac150d6d

SHA256
fecf463dfd88066fbf19fffc7e750f470bc954f1f20898db0edb77a1a5b45a51

SHA512
b838d7c3035beb43249ce2ac22b98ba3cdf5b901744f7db5ff6871f28b926f0ce647ee550869adec608f02d3943b7be8a9c44044cf9daaa9fd01aab3f48ef299

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaAkIcYU.bat
Filesize
4B

MD5
efb21d03cfd3c5acdfc636490e9a6d75

SHA1
d421c0877bb4d1ef83d7ea661d316e685658c3b5

SHA256
a82787e3678eb76b7fceed68d24c558c71ceede2ec532f2202aa32d2e4d3f933

SHA512
3df1b52dd38837aa1e0e69302747fb60e8737ecb1808d14665909b2bb1c8a9978fcceaac7bc2b2b26b146eee858a9f1fde461e002d4a5026f21819db6c2513cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JiEsggIk.bat
Filesize
4B

MD5
20d8890946520e25617994295cad3000

SHA1
b6379b8300f48042e113a5bcefee37a01ab8e9b5

SHA256
e2c5f4122ccc63a2226750c4f6f7f3ad58816d13a7b71d394d5a8c5fd2adf61f

SHA512
3a435d3343354a5d16c6aa9da3b51aa42b1cefa2f376356f9b614e7353e7963d7e87717d7d96c14ae0660df7d528366644c5e9650f5be673b8631cf2042fe708

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEAK.exe
Filesize
238KB

MD5
a0c2f56a0be0bd82cb828c0cb0b77514

SHA1
996f9ed36aa8ee5c6dfb2bb8c5ee8d2a54e4b4b8

SHA256
0bd27a8b0b9ec90bd0a46b3a8328a62f93e2b265004b8584bb91e7ac66c417d4

SHA512
af0ad2f6f5ceeb3826cfdee5e85167dff7ec0453dcbf4c175ea0baa3cca8a136c9c9647cd34e385d0038817e8f4ea794b925cc7a5f92d5b66234893ed81ac3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIMc.exe
Filesize
234KB

MD5
d42cd2544f7a147d1fccabae20f340e2

SHA1
e35b48d25bbee42b2fbfbe5079120c7e090db907

SHA256
4e198eae0ac7ab145c9f40da496472455367be94f64a8ab474e7da53d6ceccac

SHA512
ebbe2fa61f5519fb99e692e88176e182c841224599de6d620248d3d6a1cc360bdaeaff46775e1e9f3258085bced71665f413988885d849d2d0a88c8ef6931635

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMca.exe
Filesize
640KB

MD5
659374ebca50def4fe690feb96488f71

SHA1
fbb43ac514365eb60654ad879b261aa462df51fe

SHA256
58731dde9da508e3f2f3fb0e4654c170a06541b7bd7412285ce0f3237bdbef2c

SHA512
d90d360ad3c85b42106ba53fa6c820b7b746f5fcb36e168bd9b97e20b05a84b41ca9e5afdbc46a8b27f456e857ec9359b228d55cb2efba3df863598284b0d5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYIq.exe
Filesize
250KB

MD5
acede4ac2d64004f434bb830467eb431

SHA1
b6adc4c7fbbcc03f0bdbd0cb6c2d3c649dfcd2a3

SHA256
753d1b3ebd1fd0024e81bf7513ff381b2de5fd3a523ee7438de0125faa136060

SHA512
9e321d5bc6f25c182b31a2b8f52a2b02f42ddf94f3d99291d995610f79622d84066694974cf8fcb87c37d5d1211edfa7e2eea7337f1a00999f5e6b79f1c7f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcAc.exe
Filesize
250KB

MD5
40662180f57b3bd1d7530b43e16b0468

SHA1
bc4cb949bc9d83dfbe48869c782b497d75724a3b

SHA256
caace99a5918a6864fb4588d5706a08838c7ddd361912808b3f1fb0cb04cac2b

SHA512
da18f07b3102fee207828075b529a20b1a33797b9b9445240ed8f9f3161c49db64e0a08eb58c44ad1e757d4d02e0c0aff041609988c7df54de35808adbbc5331

Download Submit
C:\Users\Admin\AppData\Local\Temp\KckY.exe
Filesize
320KB

MD5
ed397f938090f7f97df76bc9b9106999

SHA1
6684fe61db50e5b24cf4884e303ccf5c648b8e80

SHA256
eca4bdefb18eb77dc2fd7aeb5ab9eff93c34b23103df2e70ba13642f56574d5e

SHA512
8dcc7cf4006eae6b345ec8eb0f2f4941840ab626d330eee818f78c81f6d08eb88eef419e739c93584dcaced7aebddb442bcf98437bcafa5d817bc98baeb5255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgsI.exe
Filesize
252KB

MD5
1743204f408d134abfc1bdbedd86d52e

SHA1
3e446513373e21cfc0f5b546470050a61f954990

SHA256
e571655ec6961c2139d4ec228cd8baca85364d58a274a9d2bae1cf899883ca06

SHA512
2a4ffc16c846b0d73e9b9aff83743bd002c178419263e7866360c88037c47059c2720489050e2fc42423731ee9fa957137872bd3c975390fcd3ac4aec4c7c1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkMG.exe
Filesize
231KB

MD5
1f45d76adb46b6df6a950f38c964501c

SHA1
114a74bf54e5cc816281c0dbcaa436be1032a2f6

SHA256
3b2f0bf53e47197b1336d7a01608be0a8cced797892518c54bea331b1ecb19ea

SHA512
1fd508cdc1823579faa7c11d25c48d54a06c00d3bc6c1740f66e1baa7a5167f2d1d4e37d139b89225f3544cd4bef960d9a25386d1c47d51136a671efa3376b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkYK.exe
Filesize
888KB

MD5
346c8d3cf33793884d39516892655f8c

SHA1
2f81d8663d0cf4fe3cd4789511e2130f8842f738

SHA256
acacb419ceee83b955745afd611e77db721e424b71ddb6c6564ba806b9275df9

SHA512
f36c712445c819db8622f948d640e15f7009ac4c163c38d5d46dbbd9bbb16c5e2b34c92e95eddc6278e17c43b6e08f8c03b5cd93ff094d4b41e6d76719e1a24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwoo.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\LSQsQoww.bat
Filesize
4B

MD5
5a08a48e185a91e0bb6a1e89dad72058

SHA1
af1e010d38739d58469aa37cecd417a1cdf46204

SHA256
1f5ceaf3bef6a23af3d53f904798729f0a557d78c44538a8fa435093b6c19f25

SHA512
fd82cd01f13d7152786f2d320f25fe92ba54b0fa59e9c74fba94ec6e698955f7b00ba16991088833991b5bc5ecf8f111620d1d0bc394e1121e5999af0125a804

Download Submit
C:\Users\Admin\AppData\Local\Temp\LywkoEYk.bat
Filesize
4B

MD5
0c8d3ee73ee37f212d5a19740a7d4145

SHA1
b2d38e5fbc81cae2f003234b4ce2af0e945db3f8

SHA256
8cadf9c34c11e04f93461922db9cba3285f8e11e046daf4c63d18c6804f35f7a

SHA512
34cfbe5cb52ab9ca3e17b565e6d68659df5dbcc89b6e3fca6de0872e50bb748677b16e72aa9866746114cba7f1cc7f3b1de9c447473beb6816542926d80a22d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAkQ.exe
Filesize
184KB

MD5
bab250ec31faed5e8246eb734e519a4a

SHA1
451ea4d1b549fe097362c2c5ce33d1ce38e776a1

SHA256
7ca64602ac1ec08e49ace86dcb80a57f844b06bf849512c307ff057823e73662

SHA512
c2d7a3dec8be5e65598c8caa9981992b75b46af3dbfe91359d247e900ef90b533c3d6946a896990b8b37231506da2056d81e7d8553e39fb3c1e915c1ebb6ae3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQgm.exe
Filesize
244KB

MD5
d19120716b9753f591ae6f80312ffa2b

SHA1
a4dc2da86b19211666f951c13f760d4dbb0c0b1d

SHA256
85c285d28f8a4b4c7ebb90983979fed0dc4469ae40dd87a63d038e80f75fa95a

SHA512
1fe5d92bfcdc7c698b99b0048aa5a15acd18e142caacde86872f3d9a5a480b8e865ab3e8b7d56f1bf614d3bda61342151aab61c7ad64e422a18366102d0f282b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUoY.exe
Filesize
195KB

MD5
1ddd566579a806639f8d17d2f9ef7d0d

SHA1
0297524e1ea8540dfa84eb13e8ed656ae8ab096c

SHA256
92188e441e77e0909cc1f7dbb1c51e0fdf5e0b72500d1f7f6c7d89f3258f74f0

SHA512
8fecf03ce40c90186d4cf0b325574b720b608f4a44e5f5de2315d8fafa09b18602063ed06ef2e26552faa599c2a41e6134288ee73441b537c0d691a620521818

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgIMEsoE.bat
Filesize
4B

MD5
05f9b9e3b4e708a55aac159a68a333a9

SHA1
9ba9372c076c64fe58e3ffde369f6e349d483d80

SHA256
affabf6a49909a6476047a9b340655551aa70cd12a9dcb00c353ba58b3b88cfc

SHA512
41e6a3e3d059db73de8f8af6c2e1751026c7ec058ce189b3dada6ad8cdf5e72e33368856aba5abc69a3d4c7d0a8b47ff14d7feed0310f0ee6727953975e07e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgsK.exe
Filesize
242KB

MD5
982d6e76273df89cc525de50a94bb71e

SHA1
efcfd9d5d6e937df932a70799d6e1cf8f9cd7aa5

SHA256
0746a8564172e6e76060a7244518e5eb70dc24d50a6d60c8b8a44b08f42e3738

SHA512
b369c149a59fad7b9552c424ae4927de7d5aa54fccb2ccba6a86b1141714cfc904a154a6327063b5222616887d25f462ff8fad7b384f1cd7fcd0d106a7ad5e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkUa.exe
Filesize
241KB

MD5
18f50646dfa3528ffb64a0ccd5545936

SHA1
9e84e6a61e4088def41e10fe5d1eef817150ebca

SHA256
fbfe81350c41255ac0447dfb113eb3a3c39edb08171965716d08c79bef7148ad

SHA512
8066b9900f43dcf3debf7ebc7e403cd626bfa1b8c02b48ae1493beaffbb07bb5b759b9ac0f68e48b85ef6894a689486aca68eb54a4b133162b6b35d1744e6229

Download Submit
C:\Users\Admin\AppData\Local\Temp\MucMAUUA.bat
Filesize
4B

MD5
52057c19048a601c9e87eebd90d463f4

SHA1
575c2ae5ab66497b42bd843a262d3ed1a3c197d1

SHA256
805791f591f7d6bc89583e0009bd0b4dfdb277b4ecfddb0a52f7c423f6713db5

SHA512
f03f300addb9c351783272c2b0d55d2623ac90d59b27241cba93122ee81abbfdab7faccea56bf206cd0e516dfc6d9e0866567fb762b2e77b43c791799cd2e923

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAEUsgkU.bat
Filesize
4B

MD5
264e45bfe5154c3f88f098d18e0dbbda

SHA1
8a7548332259b25704622226c1274a5174eb7639

SHA256
02552a647f7cce5933d282d14ad07ef95aee40b67d52f6488264bb886bd09324

SHA512
663aa690deac9a329e5c3936c60f8fa6893cfd1884aadd80685d430414c8ffb399813b4a3ab1c1be2ca9155dd579c4ebb54e6d786f0d474ae0abc1bcb58ea5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKYoUMAc.bat
Filesize
4B

MD5
936427a8158022209b56f7a32a048597

SHA1
8c677bd5127d57ed7ee69fa2e7967ce521d61b31

SHA256
db09978f7104c777b16a19c2950c1af054bfb27b956ce134add0f5d86378021c

SHA512
9161de3dd47a3d9d8b10c6349c07da6952ddaf4f1066a9a107734eca462c7ca9bdd7905a42e7427a756659ce509e1a9bb058fe4ed6979ea9dd00ae6da212cd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSwsEQYs.bat
Filesize
4B

MD5
bb892b60180879bba1f7582c4fd08945

SHA1
697075135cf67d666aa32d943c892759f8d1f20f

SHA256
b8675fd91349a8dd82c5c68cf1adafb474147771617c1d4bd29abe36f9b128fe

SHA512
281d4a81ed97f150772027b88119cd6e1aa833f811f7226e1fac9c703dc01d2aa2bf51601b8db2ec3008de582273cf037ea443b8befdbdea3cfe0e7cbcb5a1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiAswgkY.bat
Filesize
4B

MD5
4b2852ac10a2d35672e8410578ef6b00

SHA1
e87e0262c5487f2af7967f076d46d4ca31c1a2fa

SHA256
4523d728feb0dff7faea03fdf40b52f87d61a47c48a084d29a76be7a7b61b331

SHA512
90bf598ce8deafd6c3e0adf0d85ccccab9346b2a619bace3bae335d79fdf0915e9d81253419ae5309ea4b45b27f64d0bb84186d81bed3a110848ee37f5868059

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuwUEUMQ.bat
Filesize
4B

MD5
302f15716a9b5024d77ce63f57db3df9

SHA1
5939e44139e51d32e71710c8f3c4ed4f7a7f0db1

SHA256
6e0040a228932afb2539c787bf7f3a58942ba4805146f6ed7fb6d9dcdbb49e20

SHA512
9b64c89051114a487b205aa39fddd1f90b4d969b0abb46a6ecf71cf35e4eb25f8e4c44be8c4accbb55a8430bc084e4ba3eb61366fbfc29f7df0d2ba9321c8083

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEQA.exe
Filesize
248KB

MD5
04ba92e32b9704c3684062a169fd8f80

SHA1
b58a68f4a8085fdeaec1403fb824b5580fd74502

SHA256
ec591d9a267c2e5aa520889f2898ac14e6a51f74ea5a315b385ecc50f6cccbcb

SHA512
9a4ddf7718eee33d26394844353552b98911e51104fc67ded352475d0cef878ab8b814ca41d90ab168e41b086b3482e9044f4fd46103ce5e6f105d3807bd653c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQYEQAMo.bat
Filesize
4B

MD5
9998a1f5316cf5cb17674c74a8669bc2

SHA1
bcb9e02e7ce553801c1792c7934af77f00a89b6e

SHA256
23b86318dad2151954972818d5aedbccab56d42f90bf55698e48c1be437e655a

SHA512
353f1d333834aae7d8094bf2a3ce0f79d027e96cdfa264ee1ab8269b038c700e318b406a548f70e5613f1b3d7352dfc0d0d7eb5b6ea57fb40c41026dba695ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcQW.exe
Filesize
221KB

MD5
1369d2d3c33da06b1974ce13db9253e0

SHA1
acf8858ec3d64f10b1a08aae5aeefedec474d250

SHA256
94654874ea70bc8b1e330c1dc9c8d333ef23cfe6614cc96689621b96de049929

SHA512
8bb65986487ad2b6e2b048aa227559d842eb62ad1cc69d9d68941a0670ba8bd569af215c70cba62c1b7416c2bf871f43f40f3a0604b8640bc82e0f62e82f55a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkAq.exe
Filesize
240KB

MD5
1977ac0a1bfa15bb6c8c8892590e9b70

SHA1
4513fb842461348d11a6b5f2a6cdb82b3d579564

SHA256
5a35a63dfd56af2c306dc9542278f540cd9686601dd2e4e1774fc5cbdb0035d1

SHA512
e4b6bc0c704b3b00ae76790d52ac0ca1aad5769310e877edce085d251425983d94d89790f17975c85a13435d8e525cc52a75aa79266ff9b15a9ec6e41ea2144a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoIs.exe
Filesize
1.2MB

MD5
6c9fd71fa18a035f2c5dfd2ad1379e80

SHA1
c4c677a63dc4cb1929e54d108aa760b038eed692

SHA256
d8b851b1886d96acaf42ef91cd66819e05f60fc03944bdfd55b998efd5ab1191

SHA512
65e6b86bd3713cbd0d632072a73c283dee69d5448dc0d5ab96afa8592f848b542f8485ffa8434bbc3fa21175b42378e7018b97730fe921e66744df901ee9c3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ookw.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaQUMYko.bat
Filesize
4B

MD5
b89dae8f25330eb7c65958be7fc13016

SHA1
7e0a3ffbe24dd94a8ac44fd0a388845760aeab4f

SHA256
8817db1abbf193110f949ac2796ccb47fe681c991d2d086ccdfe56d37fe8bc03

SHA512
936d42e8fe20a2b2a86fa7436673a1281a27ed6c6b5b0bc47d1b6668d8162f3dbcbf3782d89f39cac2b044aa446b5dfe816cb6ff6831d16c70374adadbb69a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\PawQYAAE.bat
Filesize
4B

MD5
f1679886e776c0a9faa840fbf8bb668f

SHA1
41be032be3f302efed90243f24c096c99fa755c5

SHA256
db118ba8a801839a9da40916a647b32726aebec4ba4e12a24b62dd26ac2812be

SHA512
cd49f7a19140d5083e94c65da53aaa9f057690850cb875a1f1b934c9a2cc223ca91cc7384fe8fb694e7c69c0f533da056052d98e95c07f02c95301c04194d75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgEMYUoQ.bat
Filesize
4B

MD5
a2f8d6efdefe756dbbac7c51f251f3fa

SHA1
21e8909e96491c550d2d9b33f4a3261dd11a1392

SHA256
966e65633f4e3f14ee0baff687f655a4ad226cc5f361afc02d59297f691fe3a1

SHA512
3c75fac57fbd82d13acb29e1873e652765af5a238c09a1f3ed3ed05e686e417c38e0f7d33be94ce9655c51c73023fda115c1f411606a0834859e6846f660c106

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAgy.exe
Filesize
228KB

MD5
b16d4c9d3829aa1cf44a206795f2f996

SHA1
71cd19bb856043689d4d312770cb918a57bc05d2

SHA256
eed6af9338da7d8ce302ea487b6ba5c52ca599a3474b5d44464f3e5d8684380e

SHA512
46a1cad8c45c2b7881fe8dba253fb5a878c05df1dafd7b9d7662d69dd47c6f857a622ac0e0084101f64f8846bb19e751b34d7829313b187fa5cc098e93d4ef0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYo.exe
Filesize
207KB

MD5
bdb931d536c523c4afc35750810b882f

SHA1
0031430b2347e5c02c8fc9422c7d5d456445a26b

SHA256
0e9a652a36971e025eb4cacc18c0f56f218e4d753d132c1e5e83f5cde3c9b9e1

SHA512
a444a694d45d18bff62cf7d662008ae0de79b54b3fb853e8d7fd00111fea7e969957f69442ea865ddf9f410cd2a4597e937c5d2f9dcfb55841ee612c09f4385c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQIg.exe
Filesize
227KB

MD5
e0932ddfaf50ba33205b8ed6ec377e3f

SHA1
d0322dcc868820a3302b45ef1ea1d7ff2de7c187

SHA256
1877e36092731782f825984071eb7aac8072576564c4cbd519e3866ae1a5a7d8

SHA512
643a8d5cbab8a6949e211c16a6687e9fb476405bb5faf992054385679eed24d01569dbfa382849f4c1d824c7f1e73cc53e03f712df8e2efc8882256b62e5d1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSgYMoMg.bat
Filesize
4B

MD5
49ad97e9992abf0dc4899be4c5b9e03d

SHA1
4c9c50932f97b7c9bef5789fe5a4e81f47449a4c

SHA256
3db9883ff1ef21e36a3e2446620a2282cad82f4e35e7f650f8aa968512836fba

SHA512
a0623d5bed84e189ba83e19caa35aac33ee2c9627c9d733afa8389a46abba950f34cb0f43bdf93ef9ad4f7b2c808b7caab96f3afbdc8f6030f51b9651c239946

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYQu.exe
Filesize
829KB

MD5
e07693bfb552e1a0fc01f5979ca9ca7f

SHA1
f8dddc783a25ec315b08f3f8553eaf18210504c7

SHA256
1b19c3e0d1b9e19c5d51cc2540784a143c55cb6f75396d1745178a244c0d2980

SHA512
2739c9ea4c63de0259faa0ed1d45ad59a725c669a71e6efa8f3a62ef380c45f7c7b416196d085ff268b0dcc5c5214fef4939e765c9883b92939c3335cb56ecdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIO.exe
Filesize
203KB

MD5
970e69bcd60fe9e20bb3ba621d437442

SHA1
7757aba767628bfb46129137ba3b7a937cd2d4ed

SHA256
45346e48f23c653f95c3d406540e3d7c13ad9f84850fc747580d37ff6a29da8c

SHA512
3b977937d1e44ebdd5217c88576a5bef77359eebbc61a720418c979d2a52484951a58f3e8ef8a9687eaf78471f855a333c7b579f0f49641571e43f8783c24dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QccYMQIY.bat
Filesize
4B

MD5
4b28ce7362a9f0a0c89ab14eb4ad649c

SHA1
6b182c4302eea1cf0b24de54cd6fab967fd79953

SHA256
802d05515bfb235aecc7638f8f404bd525f72d22bb7c3e5db72e3f9debbd27f3

SHA512
916736958ddb38a813eb05d9b6d89ca46205d3371868a4102229d1d9b48b7fb14461db113d89445223948cdb5dc075b04954fdd08d05f676d21f6497f99b80e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgoy.exe
Filesize
233KB

MD5
5a1632f64b4a9a8f2059ce313203f712

SHA1
91d4fcaa6743777c44f5c1e8d1c023f62c2bef96

SHA256
348a536c659f3b30d777ca23e62cf89269089ad628249b6db199c5bf0ee2eba2

SHA512
ec0f2eab11f34729ec7298e595535568926825ea75b5f616271c075c4bb4e4bbb99abc0fa8ac6fa1728e8a4e63178ece8463e476c7aedf0ad1ed01d184348050

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgwK.exe
Filesize
639KB

MD5
d79a2867ed3799adeaadf97b38a9d451

SHA1
b0c89e7a8202c990e27f4287e5af9298c71436a3

SHA256
ffa254ba2ed027ea5761b701fa48660830aca3ff423ef8ea3182b049de47c6be

SHA512
3abea4d7e3e41aefdb84e7f428b0c3daf60dd4ff40ae0d0d42717f8d94f127a7f6f0ea59be2151c04ebf4c2b02023f39ad17471e2a6438b1175117f4b02f39d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAu.exe
Filesize
4.8MB

MD5
e5f3debdea913a4fcbf2ebbc2b4dcee9

SHA1
8fd3bf5371ec27d67f78137a4b37e7e491641b1b

SHA256
2279b67402e82958804d25a6b0d543d7f1f65f98055a17705f0ffe7244594606

SHA512
7bfdd428c8037fcd63256e902229e9937e2640da992efbcbe2906d2a518e42a8ec9c703fb8e46e0a50adab602034cfb3e7a2c673c545b27c8336139997553572

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkoS.exe
Filesize
188KB

MD5
3c8a29585bcee8085aeb085330bcb068

SHA1
eca01e05dfebb8ebdcb4bd41b608214c52d6ffca

SHA256
14ca670d97ba35ce87a891d0d3b657320d050900b98ae5e15a5fe79ce4de5dba

SHA512
3aee63522c51fbd3531d3c27f4e10e2995c0704bd1036bd890887d031311ac7eb1b240fb68b2e31c04f704204d136d6623e22566c7b14e39499abaa9fadf7202

Download Submit
C:\Users\Admin\AppData\Local\Temp\QokO.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QokwUooI.bat
Filesize
4B

MD5
ed74ae6b9610eb2797b5c174564cf197

SHA1
c77fd63bf532696ccb25f4c2f9103d420e4b7e9b

SHA256
16cbb91ec94af73a651ea8bface4da929d99765ebde1b3cccc94a0608b86ac5f

SHA512
e273edccf5af8722dfd67742efdddc4e870a295eec61d5a702ad480f60f365c6cd091766792c5e6e2a4184934f13eee5acae97483c9f283a8fbfdd71d29d9dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsYo.exe
Filesize
227KB

MD5
9e798fdc2dd99f31895922dabe1503f7

SHA1
e0da8546ab55d30bb39362b25191483d3a73bf46

SHA256
c6fd3afdd8a677212c44bea07bae9ab0787b7fffde2acc7e6b1519e305aeee68

SHA512
b61647a8763770f5ee1a5b6fe9e551118fc4c37a36cdf8b3da2055c16a3b16941cdee7755e34c1780dcffbc4be28a1ac90df3525059a72d9c6314388bd83ed2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qswgcokc.bat
Filesize
4B

MD5
264cc6be6b6afb14a91deb0c32dfbf8c

SHA1
a3a7f6f6d906d2979d120d81c334eb8db078f6ac

SHA256
65ddff03a4561778375cbee17eaf877296edee63314f11fe3fbbded60b5beaf0

SHA512
8c136e3b9c144f4a88c4f52e1df9cf8ffb81c23e96f04764c6770be7c5c0050dcf16aa84c5af36fbc823b6202e5cf25f8de61f386b9aaae3875f645892426d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qswu.exe
Filesize
602KB

MD5
541e91069ad5e74948b9fdc4ac5ca5a3

SHA1
767ecf44262786fbb9c52bb549176d36ee4e21c9

SHA256
5f782a63bc350dc41ab9da302a30d814c1098a5dedcdda01ce6d57adc72ece94

SHA512
61b91c38b5d6c222d6975d99cd3306a5f305664ddbbca49d10ff9a42886dc742d1ae9edb1f469b454e21b210d866f24bb10642c0a889d0123b5db9dd01219fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwcU.exe
Filesize
793KB

MD5
3e7f5f6e166d319982f0c4019e8c2cdb

SHA1
c704ee43428b6f4374c6c807608b60b8aa32b699

SHA256
22ef12471aca2e6638840ccbb243c9411e723518ee684cd5f22b1ce748d660c3

SHA512
f33f9afb9041466965e7a20d79849f3fc7c0b51df3ba32d02a296dcdb273132a7e9af9dc2e72bffb6c435e92cf92cca7df07e3768847b33010b7f846a1949e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGAggckI.bat
Filesize
4B

MD5
d04911a13936ed6942d4fb3702163132

SHA1
0fdca9694a4d26ce20f7207b2698ba58e0c8caae

SHA256
f779f4911bd6404a6de614a4876008756b014824c27626828afc0de46489d94d

SHA512
25b5e29d126d3b6c87702381e2ad2259b4a77e71bb4308677478f7060ca53bd4ccd5a5ed6a258555894d92080d6c5f34eafa7da1195f34eea3cb4942c1267f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAom.exe
Filesize
635KB

MD5
331444212a03e077a4861894c9fce69c

SHA1
549a90e950b78098631c9e7380a0a45acf023c9f

SHA256
b8448474cb1cdc048324ac8a0b9874ba3aa7b2c7d264c2008452534e281735d6

SHA512
5bfe7c1ac7f035ccccd375f7bd4a564e8ff6661da6b5ab52e9dd6bcb0def9a22cd843b380f6e7579ac31d57956f1edc723caf3b894c5f3d7b0b83d860729931a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQQEYoAU.bat
Filesize
4B

MD5
04f226af293ed139f32945a7053683b3

SHA1
916543a1bf41632454a7c9c99be0e934c91b2f21

SHA256
2bb6119e90bc492fefcf29789a832ae4a200ccacc7b34c8055266cf480c32ddc

SHA512
e86e92d540177d20c3f0a77b4bc66d7acc551c9c2754e99f0d8e99b5b79f11a62fcecd04b76a9272cf38bd9ddd2203082c8e71415731e527055c683e02f7fa42

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSQQIgwI.bat
Filesize
4B

MD5
994e9d810a40a46ccb5df4fe6c1587b7

SHA1
c7175cb62ca55ef6625c7ea268f9a8a9de0a5c22

SHA256
7d1d9d15fdbbcac0d2a33c6c8895df699defd862b39df11e2378343b12cbfff8

SHA512
08a0f5d3354b455b3252d8f0389c50002ffc4010ab67d4be68007a1633e78400ddbb144f5b4987f0f4f2b7ba99ded7829e152729df3cd55797b5c03a16c6d078

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUQw.exe
Filesize
909KB

MD5
4b95f8271346348fce78b82f1fbf0993

SHA1
ab6d01e526bff75b0a4703b6e6a2eed596640884

SHA256
bf5733b8356b80904dd70357f85de8c396362c6ba5118e4a88c0b9c0ce8cf633

SHA512
61ec698e7638280783a243f447b58956d0d63cfdbe2e9f727edb790ce89936c0310556f9af7c82036e162d4e52ea678fa093072a9be9c8c896fb767616f58b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScoC.exe
Filesize
245KB

MD5
cb9600fb9fab0d2fea783473943422c8

SHA1
64aa3881ec0e2380e0de05cf438f14ec40e3c24a

SHA256
1d8c862378e6e42bbebb0edf27f55b56af257a17484a0bd115a865952f954e59

SHA512
47bdf2c71e0104b9eada7f7773fbd7ddc2c6409f33ce53ea87cfe88df231467bf520c0c68b0a92755978042a469af27e5a09df6ca9e3b647bf6bfc0e85ebf9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skcu.exe
Filesize
238KB

MD5
1a6f3e7ca400973e9121160d625e9d91

SHA1
ac1251140130916acc011c1ca4f648d19b51d16c

SHA256
da38cb6d9e62cecf6d5cea7b4cbeb59019005ee6ef59daf674523d3fd3b86114

SHA512
30f52d12a2e74211d968de48d5c4610a68930cadc79c6ce6cf6ee211c3d97357da18bdf46a491c645f0e4977aa20a490d55edd5d3697b98e4f8f58a0b2d1004a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sowq.exe
Filesize
936KB

MD5
2d1bf962a0efd40395b211243c0c30ac

SHA1
ac28d1f52d8ba3712617e7de803f460881f16ab8

SHA256
f9fb39a8271c66010383a47efa4f33b6ffd330a190e9d02986f30e365a91275e

SHA512
c42fee7b2bda8afd53051c35cf2f2e4b6c3ea5baa0dc6b5b4b2d1ce6cbd8affc71456d0eb0c505e3c4e7944dd98def56a14e358a85d761a50b985a8995331945

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuoEMwgg.bat
Filesize
4B

MD5
a7c51768f39e0435d7ec9df3984c7e10

SHA1
463a21afe917883d042689b7408ed519fa0968a4

SHA256
c92e4dff06e76041d8a3e09f214a6f5087f3244e45d65589a41b7de0c44ddb2a

SHA512
c9b888bfc72f0714fcba8b966a7fd66f9c9c883c8bf76193f1470f5832aef5dd6c40a820e31eeb26a555bd8725f728c0ce294c779eea7930650d9312aba3b4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEoG.exe
Filesize
206KB

MD5
ae24909ff2ec3a7137ed87a6a518b5e1

SHA1
9b3c35227b4aa17af2cc2ca3ae04a9d35ad0d9cd

SHA256
166d169008ccc84b3558ec811d2a8531571a5145debd934d4bfa8269d71cfa41

SHA512
6944973a40284808cd5bfc54cdcd9ae4034a84f788a8cad3645e071b61e07ddd3fc0208e7986fbf2d3983fa35d0eebcfb88a7169e6fc6471c290447d635d7294

Download Submit
C:\Users\Admin\AppData\Local\Temp\UKogcEsU.bat
Filesize
4B

MD5
f4d6d96eabc1b6d122737ad4d3089a32

SHA1
854819027507949727564bde2b421a3ffb000d7b

SHA256
1b8fc16f1618bbe8ed5707411aec1b1a2b7ebe81bea2d8cef45360c2849e40a6

SHA512
dc87203b454cd22dccd0237b5a36989c9d00a1e34f3d707a9d9106f3a81ff42291d7d220af1d3706ca89366441d8bcce0ec82864c96a317d87844bce8fffa63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMYA.exe
Filesize
295KB

MD5
c744edce690c0963c5eb1368d0751a1c

SHA1
7d2de058c65daa8e11f3a4e2819c61699a77a93e

SHA256
90713998d64bb04ddf6088abb6004aeb18f446744673e566580acd27e7c88716

SHA512
4b9896182ca169563ce92ffc4ce7724a0008cea43e9252551ddd87c377a97731b8ecc082526b3ad6979749225338169495aae98f6e2bd33a6652796bb4fca2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQMY.exe
Filesize
250KB

MD5
4053fa4c30844b4276c9e05b653454e6

SHA1
8090b56d1eb690fd1954fdf9eeea7fc7b85d015c

SHA256
decb2e28c6ed87cfbc9dca12d82bd54f68b58fd00148a625eb920a2165db1cc6

SHA512
cc1877f99c36b8697e1a6650de268f2326b01836213d379e6c5fcfaa4893a7c4948e17a9618a8146243f5c835b2719e1f3c0ce01feb5e681e11ed03152d665ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcIYsEQM.bat
Filesize
4B

MD5
2b5a87a48c7c6d43b61c5982d6fb6189

SHA1
24996751ff7d439ae7fad72e4fc1796b8662591d

SHA256
050ffd589467c9b38cbf9134ac29333e2f56a3beb9d65fbf933b7340550415e9

SHA512
c142ad4bf41fb9f6c054860ee3fd7dd9834d14e1e4f560db14c16d42a1ec4b99e4b21aaf7c625c8c9eca7e6f2b4d3bc3edabfe065517fc7e2f43da3f8ccdab3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgcK.exe
Filesize
237KB

MD5
e58ef85eaa860f07432725740a557fa6

SHA1
d721fa21c58bb546d6d363c5378600aa6ba1ec45

SHA256
abcfb69198a26064ad3d73d35de188622b465db0b4abcac3de625f9f3b91f0c6

SHA512
c47c4567cede7f2cb0d88606c6aab6642aa3811fa835ad565f03f10e0cb57bd4efe93fc7acc6a3ff87e0b198c76386734e0338377e139defdd6958429f93b669

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuEcAwcI.bat
Filesize
4B

MD5
3d1eb19d19e95fd18bfc728c7ef0e1b8

SHA1
fbb0c613d5a281bc467f43694da135c46eb900fb

SHA256
3d38f7b0be5777ba68380012ff3c87f16382c343b75e8ca6907ca82ca52bb511

SHA512
bc829c24429e6f54fa62017dd0d59301b0814565650016dbfc592992f1644fc7f48d7ac8b3536bc17b23d86fd9be084405f219702d85b70a7dfec84c6e8f0dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwgAkMYI.bat
Filesize
4B

MD5
e84fcff78881238baf70e7f2420f5591

SHA1
44aeb27d0a795b8a247c4d6fa67504c815b86d4e

SHA256
f984fe84613d8170da2f60a208e8db1b036810eafe0c7344ab436270315aca08

SHA512
1d5be34ee114fcb5cfa06816481340896fe5f24fa6ae5c49960329b0ffeed3177e64fa58950d18b2ce923f3532b510f1c5ba6ffcd68e60963c8536a3d7e5402d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyUAAIEk.bat
Filesize
4B

MD5
4b25160894ad873590d5b3614a5a9b6e

SHA1
d4f88d17981cecfdcefba413020a3c3368641f50

SHA256
b664c86bd1d942a5e2994433bf5e11c49a3769fce21e1c13e4c4858f3f017b99

SHA512
fd68524f38d96bc529c26be8f73f54fbf32f44e028cca157f2bef0d6b8a38754e36140c27038cc1f037567fdcd8720ae1a7a43df594faf281c6b10f07270e1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwAMgQMQ.bat
Filesize
4B

MD5
b982e580b98d2502030a7367eb059b50

SHA1
c83998620dee703b77c40165ce277ade542dee76

SHA256
2e9a1ae0206ec8686f6c11771ccac7c01a3c518b69fa0bdfd43a79e4be735394

SHA512
b91217cc5045913d57342b0146f56a987980f549bbedd614ff7ed8329ae902b150307c8c2e84bdf18c2f7baf6fbeeb51e80de010163968a9d931d6f8289182a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMAcwUkA.bat
Filesize
4B

MD5
e1ed6c86a1894ad870d160b217293fb9

SHA1
966de0d0de985a18fd7b1c38f16e5d8344d58ba9

SHA256
97c439a893d8ee5b78d341eee7677c0c4a30edc79695ea7bf82de2cf3b36c1d9

SHA512
490aeb3f9fc729eb8a2a50e41f4129835b63a825edf213d583c6ca23bc164b7380493c75f0f591c7a7c0b69bb7e9302f8242923176bc80992675eea9f4e1cfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYm.exe
Filesize
229KB

MD5
2e716277afa2b2b2b092e04aea495479

SHA1
fdfb7da996c73c231da74adee1329d5f98aa99c2

SHA256
5fd990970493243803ea3e31dcdeffc7abc57ae2829a7836080c18ce59332abe

SHA512
77d49e63e346413d492810cb27d7dd1482e4ac3a64c9df5da50d8efab73af1c00d31870e5d06dd0c5449d72841f9a5e84beadfc2d4a21aa62a82add6d7b46f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\WogI.exe
Filesize
196KB

MD5
8466a7687c70b691697f9139fb8b2452

SHA1
a99d3b6927e415a96280aa3798ca56548dd69369

SHA256
1ccf200318138648bb6b32a11f2498cab0233dc39fb41b479f991e4354824a7f

SHA512
2547f93cf85c8be900996ed26f2a6d3131a4a50c7d354c584585be4dc7c9363fc875b0ad40f9a814c952fd1edeea363a37a86898fef843d8f756adac75799991

Download Submit
C:\Users\Admin\AppData\Local\Temp\XccoYwYo.bat
Filesize
4B

MD5
29a7e3d77989e91ada4cd6c6b5c40dab

SHA1
5152a2981c78d0c3feb55057199565a10f6f2722

SHA256
82d3bb1665ba946bc7a2b764ab3e15c8f55c1b0281cfa3f9931fefbeea7d6621

SHA512
5306ac2bc315abc7f81161465badeb30574c049a8890245707582646fa0f92c0033bfa479cce1eda0b428bcdba35bbc9b4ee48c24cc98b286cdc035f79709380

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyIcwQMQ.bat
Filesize
4B

MD5
6215ec842341680162966a61a9c564f1

SHA1
dcb26ac6dee5f5c9c34b2e3742c652df107b3473

SHA256
26e0d5bacc1088f86a8d57a0ddacfc8285918be762a2dd6c187733a4ae0d32b2

SHA512
5efcb882cb595f7c40eed80b0452562e2863976f7767b022a0bdc639f8dec1c8023f8e4322a7e6aac670bfb5a3daeb101b52a6788c747697a662eb03844e7569

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMYC.exe
Filesize
246KB

MD5
8d3a6ee8f254912b650b6b8e5f115e93

SHA1
06798f2eeb88cf9a27428339baf02f014e776e7f

SHA256
5da8bf70aaef91b34f7c524a20b94cfe76f1eb9166685e670f827305437ecb33

SHA512
32cf75cfa952b2f6727a0c12f5766fd0a52db5b38400c19294f2472e23bf411247686a35a7b8f075aabaf0b44567b9028813cbca4a0c35ba673f3d0ac6b17026

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMYsUUcI.bat
Filesize
4B

MD5
f965dc3d7b96219d970a62762f35646f

SHA1
7a11c778b63d220e98296c7daeb829aeb104692d

SHA256
30a5c282b98c66356bee892d2b7289d0bf31b44691826dac116d83abb8e6b57a

SHA512
6663efde24d66a1de9e033d3f672bfc72e4997b16259d70d5106a4cafc368b12ef6e350b7058358bde94bb9e0ef906491178c431c6d5b10ad02be563fae6fa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMoW.exe
Filesize
248KB

MD5
e24e46fb9f155ee513ee210055856c30

SHA1
ff016788e6fd465da5a3968f9de0f543eaeb7db2

SHA256
d2d22874619f36403a9f45589b1ba57eec17964f18aed2e0245997e5a752664a

SHA512
0b47615f190d9ff4d147b8078b7626b5fd133fb80b3d4778cdbd0003faab61fdeb97b5f254e4e0a7f83b92c8c063abec51312ac6a44c36229530b197189ebb9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YqAgEAwU.bat
Filesize
4B

MD5
bb00c182a9bcb87e9fb88115c2d528f0

SHA1
02b4dab3ef9d5a9d57dcff7b7d36e2875e01900f

SHA256
762c355a03bf05b02ae66a959e4f5f168b977665c4b58193a2142945ccfb076e

SHA512
029dffa2fdf2ae2452dc2d5e367e9281d40ac05d1427b83884450b8aae723b1849d092118366c2782c22e8cdbe19eb54a80cd853058241763454f3e22ef0e8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywgi.exe
Filesize
244KB

MD5
72bf150cc369eb7137fad50728faf5c9

SHA1
0e62f05f162b9880bb2168464a4044eaa1dc09c2

SHA256
bb2c5a6359fc562e2ba93cf85e26a289e023230cbebbacdf964ca79e59c75b66

SHA512
9ce32774e471489bc7b6dccdfe3662b09f47b4c137cd0e583ae38edb143158f9297bbabe96ebd90a02ed604be2537483c51e43422a5b3b7384711a5da5aa1d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aCIUoIoc.bat
Filesize
4B

MD5
d8b82519285a2e12b3f7c76a470e9d33

SHA1
8c429d4b9059e28c8b0f139ef9d73b5ff0898ebb

SHA256
158710a2d06a10eb32046be37314c76767aa9e34db8800f55b2b583147ea3c9e

SHA512
4a7f58f293833d1d70b29a18e35b8f2ecde9a77f3391ff6ca1609f5e34fb94e599cc46407ddaf833ed2b9c3e4265c44ea4bebb7f9491144479872ccf13d6cc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEsS.exe
Filesize
241KB

MD5
d26dd7a4aee37528875940c4774e53b9

SHA1
f86be17539e232a772b529e88454cdce3c495b0f

SHA256
7f1fa4030ecae18f9f4df843eef9e71dbc1792b38425e3df0c50b50d091a611a

SHA512
4850dbec2d18b6e8f406c735032de30fceeb6727456807e59f70c7c8ffc7574176c94e6ac5142581aa4bc0056ce8e34d3c0db9976968baf10bec8638dbe284ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMAu.exe
Filesize
238KB

MD5
311332af5711703f8a13eaa8d8ab91ab

SHA1
d21a0f3b0c443241cbcad1f6404928ead5f4598e

SHA256
407c01800ba17f17693cb94f51f1e76fe442163be6a1dc3a95207720e63d911c

SHA512
e9432249f5e88846e807e145f6113c2c144d9a2410bce0ae6cf317da7982f5a3aa24395f2f7853443e756bc105e4d42f12d2b271ca0deaacfc0bc120a8ca6345

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUcU.exe
Filesize
1009KB

MD5
45ff725aa3f27d8b9ea96770ce8d46ec

SHA1
72599d3137d35e80d3052760728ea338ffddd3fe

SHA256
19be8e2d8fad9b97635e3ef7597d75c0c73cf71602fc7d770e2ebeca854485f8

SHA512
592449ff646f59e59f889c17f56fb9ae0339de778112d5a9b05b6ef7584c94918dd917c93f72be96607798bc938de9e5b0cc85164d2cf18df8a1cd0ec8916013

Download Submit
C:\Users\Admin\AppData\Local\Temp\agke.exe
Filesize
224KB

MD5
ec489d42c8f1a28634e9415dc069dfb0

SHA1
3ae0ac34f3c9e6ea2c743adf66465b3b0680e11a

SHA256
d9ee6fdd2c86089579cbc4227990556c6c31088278b0cd9d185a7dcea313bae0

SHA512
6629749f10c92b249832093b1c442c6212970a4f8daff54a8d0ea8a69c917d44e47bbd30733bf46ba53a3af1349cf87ff20872315ca6c3ec16d9807ecbed7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqMsgsQA.bat
Filesize
4B

MD5
0ed0af5e50e799bfc40d9740c3e599b4

SHA1
c094aed672e953cc7daa09895256de34fc049e4a

SHA256
ced2c01fdcd0ef7cff61e7638dc70bd499095f2c74d4b9bc142aa27f37055776

SHA512
f98e4274701ef05405493a48c2d5d405704dfb122304a3fd4613b97217b4f5294e75020752a998b1e4c18a0154977253e7289855bb63de3976f6a061df1c6fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\asce.exe
Filesize
239KB

MD5
0a6e7b733954c061cf97c203744fd951

SHA1
decaf9eefb73cb64e8e2c0a226749fc22865ab93

SHA256
83fd59dee08d293b9456407efa58dcc91df4d68f7f1a9ce8fe60f970ebf201f4

SHA512
02cf9ede9df1abf6db92d434a8dd6443c5499f005786c922b27073300f10ff4c54b008a45eddba32417bfb0dba43b2e22733904a48df2d6a995a82bee788e092

Download Submit
C:\Users\Admin\AppData\Local\Temp\auAwEwQs.bat
Filesize
4B

MD5
3c36333415eb9be926d41c2b23c07089

SHA1
6e7792e98d7770a32387900abd4afa6489b20f0d

SHA256
d6a5f198f4f5daecb1d19c206eb7d32ce4b7a8a683d90d570d19f5338782da6a

SHA512
a6f9625a2a3e4af90591e68ffa0253938b01b635dd74459fb06c3f9132a8bfc025c0bd897acc2bd04c32e2526576b92b84f01debeeb5c9c9a2df10eeb2ea614d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIQwoMIg.bat
Filesize
4B

MD5
d2cf0c7dd844fd8342cd7970ee347013

SHA1
d848898da6c6040b9125896029693240106e5b86

SHA256
a3796d67f470a0c3aaf4a93585bdd55522fc6da80c41afc699318890a69e8515

SHA512
9bb3403ccc1493794fbb14a1daa5fa4a6fe63583e9fee20b665ec0641364d82acf301c805f9df1da464c99bb1f889342dfd31abef259bf3f1a20e79b0dd7ad91

Download Submit
C:\Users\Admin\AppData\Local\Temp\bWIAQIgs.bat
Filesize
4B

MD5
829992c9086cd95a07d0ac29994bc298

SHA1
a091772da624c533c6a2d51f238d049dcade0272

SHA256
f43fdf81a8d5e4ac9c70b98322d8d2e375227e78c7c098cd5620e05c918e63d5

SHA512
47c5ac14343a388f49382eb24691249e260f1723d8b0b0a7741ebfdf0d44947b13f9809ca6c254e9a1763ea5fa709841449a04c7829471f719ca4f97ee98ec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcgsYAEs.bat
Filesize
4B

MD5
58665f5b6f0651078075e3dca2a489eb

SHA1
f4f6c4499df66dfbdbaeef5b195fc3d20e92ded6

SHA256
e7dc062e13c9dd6d5c85afe996f79ed375b4e224a65c6e2cbb33ad112e0fbd8c

SHA512
6c08bde415d351464a94e6d066664a35af299a8197affea0e8129486ed0ef6e4ac094c176d5eea18b526fbd22dbc9761dfea5034ba770ac0577bb1e821f8db65

Download Submit
C:\Users\Admin\AppData\Local\Temp\begYkQsg.bat
Filesize
4B

MD5
4cf2342a7e56aa524369daf034efa949

SHA1
d79c923ba57a7ef952a2badef464f6f8f85275b0

SHA256
008c08c90074e4a5e2b59355cb091e9174f563a131b4fe3cad950ecb20e96fc2

SHA512
326d7ce86a0ebb43e78f5029cd2d9b4ae963158c831e1e9ef495c217598e8b62d9f9b9c7c7172f2d3eea963b59bd660d2db5f811dc6fbf1da15db8afbf5ff192

Download Submit
C:\Users\Admin\AppData\Local\Temp\bogQAAkQ.bat
Filesize
4B

MD5
eed81682423076e2f6af8e76a86864e9

SHA1
b4826fcdc48d424655f2f5417822e85411d3bff9

SHA256
c2a14910368ac81526a35c1bf8420ad7e8aef35534b88adef6ed6230983337ca

SHA512
dc6f6935e03879bf85e0ce629befa27b41a0dc6800825398afb4f6794e92832d92af5b1f42bbda001d5065db0a5c45d57bc135751cdcce6d377b04cd107cf285

Download Submit
C:\Users\Admin\AppData\Local\Temp\bswgwAYY.bat
Filesize
4B

MD5
71828ac5f17ec8d59976bbb330653969

SHA1
942a3b1d811a3a25acd31433fc6f9d17af5dafb6

SHA256
5ddae38260c1be7d8f1a734a3495b7a20bf811048c036f5caef150c67c7c8564

SHA512
e15116dee220c12fcd79c218ce5b5216dd0654de76e203ecaacd0b65ad41a60398042cdcc9bbd398fc7edb00308106294c0ba5f38fabf6685e1090ca77e4506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAwO.exe
Filesize
201KB

MD5
8d78f82ccaff937dc2d002f72fc36cd6

SHA1
9adf549bd523138cedf1db59e78ca478c6fe7afa

SHA256
8b4f494324653406ff1d17a698330d0b0728220490448aef219aa0d4e07a8fc6

SHA512
17a7a66c541d2d86f334e7d43ab26f551dd3550a5c0217a5ff197ec2fcd2ad872c5473022c20823b27481458e726747392c2134471c64dd7d1084c8182497ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cGEYUsEk.bat
Filesize
4B

MD5
438c0aa61e126be85a7b9ca6aa14189b

SHA1
1374a4f65d07ae4806fc8181127c154b84384576

SHA256
47b2fbb9cdb25f04cff3b6437ddde48d7802b5ae53865ef0d5452d7dc45ecad2

SHA512
328b8bdc329ac51d3bfeb60495fe62b215cdd2a53105342fb849263ea7a6551580f1865bc95cf0f800b1f824ff7b1b6bb14faf78f9cd55732a2d0d574e750ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMEg.exe
Filesize
251KB

MD5
9025bcaa9af64b3396a4a0e883a9e4cb

SHA1
aae5d2eb2a42bea0e407abf78366107bc9e9513b

SHA256
f35faf5fa7b1f6c970d1503ef5e41f4c22363a748d966d5a8eb1d670a81caf0f

SHA512
863f10a06de359f46f332d98da8536be2c318e4dbb451b09643e346831e1601027db194b55fc69b5164ee073f76bc0566a8afdceb3a4ab05d4959d92668b345c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQQC.exe
Filesize
314KB

MD5
8bf1f6e0c4bb3617ef31c95e75938942

SHA1
ca506761b7a8466c457d684872263b00986c49bc

SHA256
26ad7053bae5221bdbd05fa52165dc4c5824b598fc0892d036491bf40282a8bb

SHA512
16e4755beb2e91a1b80865efd76b043e6f0cbd321c0d565ff7ed3efa69b0889e2cd84f02301c7f6042ae1cae5d018d33957360dc0c894f6e4cc4089526529742

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQwooYsY.bat
Filesize
4B

MD5
43004ca754e3d2e1e354074de5d3796f

SHA1
648473565d379f49ab1e7a0ed11590c7f644e90f

SHA256
c9b31dc16d94f234378dae62d8d0b2bb61a8e694f9cc8218a7f6b27b848c74d8

SHA512
1d4e3e839709e768f18101f08df565cea82ffa343d58ae308f4046ab2a32227f7662922d92c8319bdc00e6770340b76d7372fa556dcaa55ade7b5e1099d0170f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccka.exe
Filesize
245KB

MD5
b8b1bc7241faec603720384a13d0c905

SHA1
2900fff10d12c4b79933743204b53c5bab6e5411

SHA256
0e5893d781160a61c1eb3433d8be065cea04bfcfeca03d3b7cb9399427e80de9

SHA512
59f5c1271d05dbeae72e084259b052e706726761f8087b5fdb26672297ce72f394fa332a8b6c729021e59a5cfa93a52472b05d7e2ba1e91e8a17e91295d4a998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccksEsEs.bat
Filesize
4B

MD5
037f02587eed2b6ee2532bc321e56245

SHA1
06445f046a4269ba424e2b3cee22d07180a642d2

SHA256
e0b0f73053ede20e22cd7828ca772f36c9bf139c289b669ac70055805a5edb6d

SHA512
ecd120c89b8f504704966bc5936ad21fbf6f1037236c6b8238177bfef7345ecad2ab5a485f9c4d9214dd246fb432d79b792e4606030c9cdd1201f5bd56812882

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgwE.exe
Filesize
231KB

MD5
b7c78a35c0a6723c0a3c2c8d669ca46b

SHA1
0b2adaf29302c6171752257f0eab5077c35b1e2a

SHA256
b43dbe87b769c2a8379b7cb597e0d6440a30287290b7a6a314a1b6b88541d293

SHA512
b7fb044b71032df4e5b073f2bf257c26ffd822bace2e82b472a4ad2f86a5ad1a01cfd921ad4253e48965ba6d646c739cda46b364a5df460b369a27191d1595f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmwEcIYA.bat
Filesize
4B

MD5
9139ff071db42102de31fe584fda5966

SHA1
ee5a550136c799c029815c12208a5ff14eb04b98

SHA256
7f306618d7c35b2f3476190d0f4777465f9e401701e592a42eb2c2b4a079faaa

SHA512
aab80e4e374a4c695b5ec7fe6f6b61cffc65074fb3f0a923052c8abca266911fd936b00a0acf2ea6b8c652568f674a74daf24195a8a81f0e5ea5a5744ac1ea42

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyMAEUoY.bat
Filesize
4B

MD5
f90b3ae90a13e7b101b32245bc0c3f88

SHA1
f5597e7ba27d342207cec42eb2c46149d0532b83

SHA256
05b8cb97f38ccf8aa7655f342e6b82b0314cad260eba04b410e500774d68af5b

SHA512
6707ac2e2b9391c78efadd43a000fc1b9304d8a1fda5bd64a4a461a8f7f7fd7a20e5a0593dfed346b0f07b15a3361492b8bd215899af6da6c297e0a2a1edbda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyYMUUkQ.bat
Filesize
4B

MD5
bd9fd9aa593a41287b56a1124a18cef4

SHA1
ca15f8d715d304488883d2bb032e68323c7a28a8

SHA256
5a8714dcd96d209eb3dc4aa0fc420e6a137c4c3aa2c5999ff049d0321990f138

SHA512
c822b2aeb28cab1b249b2da352e0b3665f6f355aef9856b79c161236352606fbb89e79c9686c813d299d40b6f22349177cd89fe072c817f010fa3132c5186d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dGwwsgkE.bat
Filesize
4B

MD5
de7283aed687a6ed2bc93052dc75eaaf

SHA1
f2d42afc0c4ec5446cc5aa051fbc053881ab933c

SHA256
d81ba87cec362830fd0cf278272a61433ed34d89f98efb77f5cab68bd4a44c9e

SHA512
05539c294c06a1e75520e8d887855d1970dc65de8e134011e99bde37dbfe444a7165aaa05107bc6ab50845e539dcc4ddef3bc9a0310f6621010a44eee427891d

Download Submit
C:\Users\Admin\AppData\Local\Temp\daYcgocw.bat
Filesize
4B

MD5
781352aa2f5d854b2d7f93fdcd4499a8

SHA1
ebf4a46660027d995c4e83ad33b961f61285962c

SHA256
eac71f8b035e06a333c717e19fb31e126afd445d01d7d2c3e04e5710b2e5766d

SHA512
00e5e5326f6bdbccec6b51372824378e75dc75c67f515b35f216b671b2bf27960b446afcb0b133cc75050bcc1b96a5d06b5a77ccc0490b3f1846fc04ad156941

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmUAIIUI.bat
Filesize
4B

MD5
bd260fb48996f12fb684912d205e9d45

SHA1
925e7b372955d749f223f39bdb444076ec12c5c0

SHA256
ba32f18fa22dd73addfc7171354d4398f97bb8ee39ca638d42b37652db246bb1

SHA512
75e815eb412534402deb1d32a89b756d9ab012be1817571c8449609490bf1a6fc8c42f96ee7e2907d3fa06c682e1797a4bdc14d0dcb474475825896c0985c815

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAMI.exe
Filesize
250KB

MD5
05c3e6777a14a8c7456fb6d9f92d2f3d

SHA1
7ec97bfbdfc83a4f403b7946969f766745f886a9

SHA256
326c7ddccb9d8e5104c5849f0e9b963f4f26d5c9dce5dae6e35008249cd13eb4

SHA512
8c18e29c76dce151614edc53d7a718b34e2c749505f48b43836c18cc1d60d0a6954e07ffb7b3cb380283a4e5e9ef1e72c5b03cd7aa1092e23bab2597c9851b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAsK.exe
Filesize
235KB

MD5
32e195d950767361229390213d7050ba

SHA1
f65bdb7202d0165825468987cad018d43fe1d9e5

SHA256
5a115bbbeca7a59d96651a0777d98c7ef2a3338271fa33f0457ad5468cbd89fb

SHA512
9a4f3602494b9a321d879e13b1012ae9ad44960b38ecc165cc05c137b2890d1b23283b99fb70461323739abe1b4331b8a79dcc76971f59f9290eb651f5c54f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIMI.exe
Filesize
238KB

MD5
4ff54a5f63ad43c6e129dbfb87445f7b

SHA1
976eec26cb8d7dee8cdb1add9e826c09c7c69b27

SHA256
9bdb5dee8618e05264d494df2bd89479ff45538eace45abc83e99e14d81c9dee

SHA512
61e3bd4f9244df20a0b8ed0ffe9db539b6df1ee06c92304e6fe2a5ce98bdfaefe57f9470228d26237a8ef56d5312852ec45edbe954f61ae9ec47dc05290c64a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIQE.exe
Filesize
190KB

MD5
f4a75a145da8451b255a584d44d71a2a

SHA1
a22fa0fe2c01098ce3be5aa3b0acb9bfe85a93d7

SHA256
b50cfa70a6fe7d769f42b9ed4176045c7d5a633e5a125cf276bb63cbdc64501b

SHA512
04c4a79dac59527e2ba147b5367413ceafeb9691dfedd773cb20653e88b9618eba72894963d445190bbe3b2183c967b121fd6be6e86cebf0e755d4ee7d483d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQIQ.exe
Filesize
245KB

MD5
4d82e2f025fba3615e7199a60fb2167a

SHA1
756161821e45eb778b34a99931a4a98f58b0e94e

SHA256
18c8c1464954d7f5746f4cffc532fb82a0514c1c3313a570e447c5a3183ad959

SHA512
4f586d220bd47ac7c48fdd10f17046ff627d4b1d478b3d3c21423ba167b7df984efc79affb8eaf87002ddc1b002ba15e4b39587889b2e937a5c4fd6a5ea454d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSMEsQQY.bat
Filesize
4B

MD5
49a63efc68ba5659d825ee8fc4d72cff

SHA1
01c6f52763775f015d624c4287dead91d6370d22

SHA256
3d027dfa6048277bda479d7ce26cdafffa1e63e8cbabe5eda840eeeabd5c49eb

SHA512
8a0b15606d88a592ea91ba375c73cfaef04d82155779a87bfe2cd79e18428b844d3111e832e5aaae46b6520f9fab6da5b38b12e1b51efdc209841c951e4a47fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYsYMYQg.bat
Filesize
4B

MD5
7e4b0484deb7756faa1acd27e243b387

SHA1
7891c56c515d990dd726490a3181d99e8a93689f

SHA256
dfbf613b304d142dd276cc55d8c234488fe0ce8355307eb3e532e5312313d170

SHA512
f9fcdf3f0a738e1dceaa03af34184190d7c1ad7abd18ce8e4e68ba3a043999c7e0dd7657c4b2f26703f90e44312283785aeb0dbda68e8f35846ef5b7fc0516c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\egsS.exe
Filesize
245KB

MD5
d7f702464db7314724da250fc91dcdde

SHA1
d134c38555eb9a7b85bc7a590caeb492c941bfbb

SHA256
a809767e3e9105e2dc0d660864daca021b9dbad63a36508f4c33e4f46152731f

SHA512
859097dd6b5dff6fc114b500d341cd71cd66f293a0a83070a31d1cf2b03f7cee9f757569b339e715b262578eb92fd5ac9a85d9526f5b316b1771ab5cb84dac87

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewkK.exe
Filesize
194KB

MD5
810813ad0f6f4193f870edb03997eec1

SHA1
927223d47f7b4a9c2085cab00119437df85fba1a

SHA256
b0c32e15d217fbeebfa1c5310f211a1a6457ec7b82d9942d12efd380f9fba7e5

SHA512
8f0867c6efdeddc6bc621ea7be44c1bd4f36bf95390a6acaef1ebcc888e39eb8d93ef60c7d00b92ef4e101c9d412da8da7a65e3ac2d77e38263805efd10a31f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewwU.exe
Filesize
381KB

MD5
0e5b7433f04cae13adb5387819890509

SHA1
7eacd14bc97d6d76bc483a8c6fbda6c1a50f7c88

SHA256
f7ba31ee1010e611c12b2131db92b1a4ff352954f4ed65e550e122befb29a8d1

SHA512
a496a7ed94bf08427cd638898bae9c3e8708f3ea8c5d2a8ac1ed17162a10ecef6e5e75323644547cc9b9a170465d3c58b609b088ea4aa06ea1d5f07f8772eb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYwwMwEU.bat
Filesize
4B

MD5
a1cb59ad2b2fb7d496c15df80f22aa65

SHA1
5f830a99bf996d7380d405f12762b3f0739d16f0

SHA256
0f2f29eb2205f548706a9ae9e8417f37c0be0585f4f6e7385c80d7429979c71a

SHA512
fa7d2bd5e82e389979d9681b94d3450a27e2a2112478d342f297308f6732d99bf98d253ff9965f2c41b40f934a110971a6bd3e58681deaf87e8e997a9f4b2e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwAMcAgw.bat
Filesize
4B

MD5
43b9cf09484edda378fd348d8275a43e

SHA1
048d70158cb65fbfe1afc58c6a40afa847f800c3

SHA256
c2f977b420d73753ed0656b5113cd8dabfa67341a98beddf776dda552d8228e3

SHA512
7d06b11383b8fdb670234b727c7845dec263a71d9d63ebbb7f66145300db5b0a6672be231ffdd1805cdb897fbb8671a7e6b6ff7b9c1213e8632176ac11585942

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEka.exe
Filesize
200KB

MD5
5460b383daf08da952678f35ff011123

SHA1
8af89f168612f48b86623588651108094c73c00f

SHA256
4eaa7c59262651c564b24c41ae64d481e21caa23448083992ecb18b5ee2e7d7c

SHA512
2715b00437d4e4bd93bd9a3f3ef83597034f501905c70e2288e516a4fb94b7d8163ef1c6f02ab8371b2d8ddebd8d3dcaef72c479cde7af6260eef37cb76fcb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUgW.exe
Filesize
913KB

MD5
ce903633b074a62352aa526412924932

SHA1
20fdf5c8fb5d2e7adc864f0a5d484dad96ab2c62

SHA256
c5f3b25f4148d9339222444dcd0b0f3024517a18c657967a86beb58dcdf820e9

SHA512
3f8dbf4e6d8754dd139a3fff76f94570a0ebe0dd5a025807042b8ae4b200316544e56619182d923776893a198ac8895e9e559a15ecc7b68630d748fa478bad53

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaEIkosg.bat
Filesize
4B

MD5
6a5073cd8a1a3315f82835b8c85f9c19

SHA1
e5699fd3501f28a6fb7ad755cd1bbb85290a2065

SHA256
cd78cb648a99c3d6946861e454a77c9267a4e7a40c1bc3acb135815f497b65cc

SHA512
d52d7ae7d0b197ac5760c0e9d2d74f1a6494298533cc74596100ded2f343a4989097954820a168366b1da74165f95d92d34a5480b842f31bed009a2808f092d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcUY.exe
Filesize
201KB

MD5
f67247115a2f36f98099f40d4c4afb88

SHA1
91bab2bed2783694decf4b2f36d32356e60a7b1a

SHA256
daf982ea324f76e12da01d41d749c0a89c8c19de553678a7f158c79a30986180

SHA512
c07b8e16fadf4cb1ead5e72cb9e29d5d702dc253f15f3fcba38978e109ee05b25b7d8350d611ea562ffe6cac1602899b179485010a0d698b78d1df25fce1cf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkgK.exe
Filesize
189KB

MD5
e656de50d9ce2d3475e24f6fd839e624

SHA1
b5bc169df4a04584d17cfc6eb2d3c3df21b9370b

SHA256
a370ba91289f14912cda5cb223fda69fee7f6e713dd9b4e3a986a0b4fe467393

SHA512
69730bdb92ae97a38e7710d8353e9edecd79a90eee18dbe1dd6ab66dfb6e41fc110fcbd6b9c3fcbe6963b827a44bc4eb8c9cba5cda9c8d95e81fe850b70c14ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwYq.exe
Filesize
815KB

MD5
d59614bb2f81c2457a9d891c2cb357dd

SHA1
6e2fcbb3059ab1131cc0fd1abe4d15f7a5de7b7c

SHA256
a380d4144e25f6dd96ed34621d9ba785f81eaa1ed6adf180ce9ec596cb4bf9e8

SHA512
4d80b85402e6efb60032372665e301ab50482315a53f3ffad77045e5b0b643f21db43b569f7fe3fe072a42bdf695bfcbef37724e30153647edc631ed3800d91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEEQAQYQ.bat
Filesize
4B

MD5
4474b728c098c7a56124fc3c2753bbb0

SHA1
eb392732dcadbfefff30a8695ea873433316f37e

SHA256
ff68c5b4f36d7f26f566d84b0a770cd3825bf6e8acda4e2ea83505c55efe8fab

SHA512
362afc85d9bbc2ad02df843339913fd03ece468e4876b1bae9d5a1b916eb5d515a366102dd24937188095b7bcae770db2aa3d69a0c235ba0e6152d9758269aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQYQQwok.bat
Filesize
4B

MD5
c9a6700ed482ce0b0e1cd11702f73389

SHA1
a6b5c9185cd98b8946e2ca4cddce561f3ba89945

SHA256
577a7bd1c985632845f78061f016703b561f125e8b8037e9e4e6b9576de021e8

SHA512
af0d974978ff0d6dd51e5200939ae4f2ea1e327b8acecb1c46315562f0163b98d2debb42901a92beacc108699ce585f01af21d6d1be3dccfca579b082e7de827

Download Submit
C:\Users\Admin\AppData\Local\Temp\hScgwcoQ.bat
Filesize
4B

MD5
33ea16a5711df5439a17065fb2ca6444

SHA1
ed152a6eeff8baf18ad612ef5b111e40fe4ec0d5

SHA256
301110b8c47af0a70355369299b70c097247675a80558bf68faee7e8c6f2178e

SHA512
e3852a885fa2b1d8f9138e7002fb47bc96801a4f2090bda9bff443b27c8fb75d06fccf46e64c10d476b24c98effd1c428e98e6062de5a3eae597db2a6ffdd574

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkkIsMEM.bat
Filesize
4B

MD5
ed998d03bb186afb0b48cfe1df7c0cc1

SHA1
ee5cf7a8510c33b0f8566ddde5b0ecb626ba0122

SHA256
81840394df00565a4fe30ba3dad4850c195a865a8e230c1c7f2d6b495356a9b8

SHA512
bc0f31fed3d748c99fa1eac93c0373f70b1afab06e17cf045dece249c09846a9a6d9d7f73a2bc80e1b10f36f8d48ae2212baeee750689bb30540e0fa140c99cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmEUYEwQ.bat
Filesize
4B

MD5
ea64d74f3d552dcee6514f68d9c9d959

SHA1
d59e31b0fc8e3232e1fd581fbacd0461531610c1

SHA256
b0b640cb9684c7efc50a6cb7144c89c05643c4915300ccefd366392dd71edf87

SHA512
5f8e70a9baff4aeee012ae6421711b89f0f85b48dc64a3e6613f508a208d1e8de927b2b94bba76bfa35d90b6394751062a6c06c49f91006ada797f7d9269f211

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEEMokgM.bat
Filesize
4B

MD5
90f1a8c123d15d42379a17d356635bf1

SHA1
2b3dc36895178097866f2ac9bee8d2ebe510d0a4

SHA256
b8692c7a4d3afe8016b0621e898b41c4938215fca51a0700347f62b75f90eef8

SHA512
fd29cc6e43c708ce860abd806179b4b16bd4a0176764c10e1f775b7ed3db9cfee7ead97a0d5b481daf6de1a11af78ef13e44ebf22d6d3f9d221fecb936a04eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEwS.exe
Filesize
244KB

MD5
bb53bfea4451db592d7e20ff744bec60

SHA1
27daab3a23a5a3f6f5ffab18e9f1e070bb7c5cc3

SHA256
957e9813808df153b90fc53a8eea2090b3c12b5d90e5885faf7394d1bca56152

SHA512
65cc3819cdbcc89b89c43d747fb4622a0d5a6ca4d8f1ce0ed04b4a1f71c612031db74923fa56f46085b78f4efb00c4c346cea2a97811a926a380ca92b61fec83

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMEe.exe
Filesize
194KB

MD5
4ec8cd75da00e3988ec36bcefbbc6f9f

SHA1
64b7ca73ed600ee1f8956ab0f799189ba9be4380

SHA256
2e9f435ef9c61a36f60f4501ba28d2bfb0eccc7b79d5bdc0a5d638098b6091d2

SHA512
3e3e6b98f942b241a8133581c0e4db46c337e8724f0f0a6d32c40b67dd14e7701a78557714ba2a5468d6696629fc54f380fc48f0d10d67079592cbd61363fcb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQQq.exe
Filesize
239KB

MD5
4d5579e3e7f5d815d3424905486fb610

SHA1
3d3ca81b8efc04db573d16414095a62cc15232f3

SHA256
0f2ba17b2062f319868065e6801df06cd2b63bd2629677f6e305c71310b760ea

SHA512
1784f0bd147f81fddd980c127b924bbc835d75c0e487015694d997c9664815af7b3b1099464e51dda527da63122b84bbb01e615101b77035713ef3171629ebd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\icoa.exe
Filesize
240KB

MD5
98939c9cfc2e18f9e419735aece08d6b

SHA1
8129e7bdbc1c0c90f4cfee7401f2c873589c9f01

SHA256
99f84e49b903faa8337ef42c510c5a6db544173c71c63a8d77c51b4e24836f17

SHA512
78c13be42f3fed3eaff22e5fd395b77e171b1b2bf9b00cc1acd35e097d552d4635ca0dee0173623db8410ae9a80117829ea3af67b78078915a7bfe6dcd444189

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikso.exe
Filesize
184KB

MD5
0fc6a8fd3e555b26cefd65a6b1e75642

SHA1
e5eda99832fc2ce3c80a942aec4c11179a167c8f

SHA256
e3231c8b65021c68dd01fc02e3888ecf9c9e07d9582882e1af7f5ecb13f0962b

SHA512
b3f8378a78671325ff1306dabd50eea49ee136a9e6325f43c3ba0854ecb180825c1950f33559dbf6ddf2ccee265033548edddb7715bd7e2d6b99bb1561291e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuEcwQUQ.bat
Filesize
4B

MD5
2b27da7171218968a46dafe5c58df365

SHA1
e7fc55198638470fd4802308192ab575f5352427

SHA256
c67c0bde6583bc73d39207cdab3f597cbca26091cf4eff5c140d2f11faadc0db

SHA512
4c69e3339c2f5e88bd611f271ac1570030854e346556fe6e439f09b9d04603dd6783182ce93e65c6e39191520b3221434eb4c54e25045e3f01410ccc29d3506b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEMgocEg.bat
Filesize
4B

MD5
de8ed082ce2835089160a3ef69b2f90f

SHA1
5bdb0256e49c04ac0548ab2cb60cff6890f642d2

SHA256
cb60c8ea70289096d46900e5b1f6f3eaae8a3b36039750ec3a2e510ae0e44b86

SHA512
6ccbe7ff7f83707f104991a1e5f01fc6155e8c80a7386c7c895d85571269e5ab14b7684af6b2f8b4862c923ffe7f7b78ace1f3e801015a8fcef5a1ad95b2a949

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEUu.exe
Filesize
235KB

MD5
8542918ccbcd330a8b08a870795db68d

SHA1
bdff89521893ed0c0f431108d19456fdad8a0976

SHA256
9f94eac45a8183dab9ad69898198f709d6e44e170fa027302964ac92222a723d

SHA512
bce8d250a3c3a1ea830a11b68c2b1a31b74f6d976b835b19c53962cc886ac7a845eac2bac22572a89ced8ec3cd206e2b78886155d27103f03a9157ce82b34541

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQoe.exe
Filesize
247KB

MD5
ab395b7effabbdf9adccc837d8f4576c

SHA1
5833a784b0d9781c7a5f0d358d4f90f26c98bc01

SHA256
7e4500d4d143a38e1f752bc7afde907b7b89b9b12b753e0794cc219c1c1d8665

SHA512
c1f7c8df5913d2c75e9bbda39d98ca20b7235ef825e6c7a85fb268049157adf945271d7e18980fe158e13532eab6f8ccdf8631db1195bee4c4c96e0c7f2f5200

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUUG.exe
Filesize
243KB

MD5
3327a668dcfe51248ba304e091127d4d

SHA1
a67db498aaa7029d697e9983140822c2e39bd6a8

SHA256
74fd2baa1e532cf6aa25892e768ddcb383933323d61d6a86aeb102a5088d36d5

SHA512
bde58d04f6d89cb9b977bdaf3b4ac409aaad0810cbe277f96e438500b3d85fdade7475e64ba37754dcc41c5624063f734ac6f5b3ac7cadabf37fceb7f7463752

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcQi.exe
Filesize
729KB

MD5
753b7a92465483fb24360c16dde9a1e3

SHA1
dc60414c0e98c4223c588be7d4464d57e781b368

SHA256
0c57dc6097955b3b75caa5ac607344562601cfd6d63ce71520ab7cad360418a5

SHA512
3bba4cf06f07529017b2e1e13f47d0a48c21ed2c3ba04cc1e18a8f572b9eed307fee6f9926b1ead727a3b4906af142251ecd05ab5b53abbe9e179b2cda13b788

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgMe.exe
Filesize
1014KB

MD5
91b9c45271ace84f20a1577d137aa8f8

SHA1
13a43b8c55a206da236b7129ba743ee0e0403f31

SHA256
0e7ae8c9097863576a048bdeccb52fd1578138767b0bedcb732f665e99433fa4

SHA512
d86e6dbed43480fb010e0154dad275a23f71966e5f5ec70a8d12331e047aa4fd3af4c1e72b450ea4702cccc48568a10a4c5bc206088f6cd09091bcc98905b28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgUU.exe
Filesize
189KB

MD5
ee44d8dad249a9e6bc12027423c2b678

SHA1
ea7306d92d53c8bf23471277ef306188df24dae7

SHA256
636c90d5c53b1dd624e754548e2c67a4ff7b8e108316d5143eae40618b8874c2

SHA512
1e667f27374c8f2774785de80e735a9ec1c488931c391ed8b304a984d8050861b25856f2d41cc1826ab66ec9c654f0bdaa6e2c1d19c546a9c36b03e3a701f7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmAAkcgE.bat
Filesize
4B

MD5
02614a1ad71441b253f5772084444223

SHA1
8fc9ac5777ece233042431f9c7c6a6c2c880e8cb

SHA256
0b7ce75a4a5cad1305b7ec508e1dd6395a944021ff6458620a478ed823c959c5

SHA512
4e4c077b9ba07457eff2e2dca9b553974361a466331025f38aa5201f3fb086859c57ff742e585cf87fc13ef2f3073073cbe148e0ae7f6048be958f1573975ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwAE.exe
Filesize
241KB

MD5
ebe4addae1498c548dc340e78cb092ca

SHA1
dbe9bd5f165934f203a25764aadf00360bebcb4c

SHA256
536f67fd9915909afc77413ae831bcaf9c052fa4b91bae175e91bd019a1f85c1

SHA512
3f15f22518b054d709c3b80cbf1346b113158d07dd9b0b8b77cd2d301bea3cc4cdbe323ca17c7b4cf2c0f535503a3013af9dbd85df46665434085d4ff29a364e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgkAEUYc.bat
Filesize
4B

MD5
4052f628b3116e88c15467a18ed8401b

SHA1
3d9a776d71e46afad7aa1c0c2ec0fd5103f667ce

SHA256
9507bd5aa6a4904ca243acd2579e1bb84329c1ca6cfe04d6ec38dd73d6f41042

SHA512
cc4cae3878310f1306ad98ec2b0216592ad47d3acea7aee8a8ae57c9ffacdffeb083f74f3ccba4cb98d7d7a1656ea24f23c73c3f54391cab04d7e032755c7edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmgsMUQo.bat
Filesize
4B

MD5
6e88977058d234383f3a0ee723150359

SHA1
7aa1f8b269a33b6acd9bfce9455a5a2dfa5a01f2

SHA256
babf8384c3ccea19f7f0f0a1797ed3a0aeb25743ae6924c56b59809605c261f3

SHA512
86aa8da3584afb612d973cedef91215a741cc34e7eb619eb40e4ea89be223c602428400ea654359773f976c7807faec1e023972e45646779cf84a54c9b7c04d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mccq.exe
Filesize
204KB

MD5
75b088b7c081567b870eea989237c362

SHA1
1e7481e11ab3a198db90bd12b0f300a2bbbe78d2

SHA256
7110865027e888e3207672640805ba06068ed43ff01486765d11be3ce4c0c2b8

SHA512
bbb7e67289ca20cee9ef15c231d66504991f359de9dce7e87e87f854b91c6a204790a4e4a2be91faf14488919d759d79788a06bb5c10309b26be03768cdf6dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mckA.exe
Filesize
244KB

MD5
3ce90d4d382f3ae16781621493ea1f7c

SHA1
613a1834c9a44f7bc709f1335e30bd5dbb9a002d

SHA256
f2383e3d3aa151963758cb7694340d6fcc68b7fa2760e7148add0688f7c4a670

SHA512
ac1090b16d4fb56eed780b857254f56e3e3edbcdf12b6e7d369be0f68e6abb96fd19067d9b43d27deee86e3a4ec3549a7638b0ec3495aec0e297f9ef985f1377

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgkQMkQI.bat
Filesize
4B

MD5
6235cf686cd7cb07065253acaf4c2e1e

SHA1
2e0f2112675e61a42726aeb0e27b999f2def7186

SHA256
4bb7bdc5932f2d06eb120d638a52da810be77e7638c4cfbb418215b138b13876

SHA512
1579a44850628febe403aa4cb84bb701ad415f4a938ede3cfcaffbfac9c70fc0ce61b0b1307938213aafc3b4b3ac3b21768fb1b500cf809eec0eded19440d6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msQgcIgY.bat
Filesize
4B

MD5
ef62a19ec41214cc29608c110842ce8d

SHA1
e5c0b750bbf716d4b447c5c2106bb3e4e206f20d

SHA256
2ae8e354a05568168b9f6b18b5d26d27f95d863c9a2d8493ba242bd5c4124445

SHA512
bb9a6a427679e859f86b5406601190a2f1bacfdd02194e7eaa720f3a0748a30330b3b1f35956ff8c2981b0bfeade849c28a93b43fea8f36e6e3370300e0762f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwYE.exe
Filesize
246KB

MD5
cc19c2eaac4b623fd3c40f98cd7246f8

SHA1
cc7956e167c1a1496c0e8304c5960829e99c51d8

SHA256
3ac62275ab21eb20aa2b8c599c474b6a1e7288ae0abe594b8016ff7ea7319076

SHA512
e3f672e51b76405faf2bcc2ea1ab98b0384a3efe5fb1ccb233dcca1195adc8dc6ccf3cc3db62d14ed485a82d8172019c88c7f1b5dfa03695a97e4ece5314e6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nScQAcMk.bat
Filesize
4B

MD5
47431fcf2d034fae39a4306ab3fe3f72

SHA1
0dec6559491e52beb11212963f296b61d8c483f2

SHA256
d89a3d86638153c6e17773d8f2bd9cbe33fd360ae4fb2b225d7f6a558b32fad4

SHA512
9c3706d775c7f3ac47a02818304126aa4bb9eb66266559a5cb57ca94a5eb6abce34df76dca03be52f47a147ac4b07c897fcffe1d296c311f17d7bd13234d4008

Download Submit
C:\Users\Admin\AppData\Local\Temp\nugMEYoE.bat
Filesize
4B

MD5
9e4f05a4e6730a9efa82d04fb24ec8aa

SHA1
b910db00251b92d72c6e1668df94df77c9940ab8

SHA256
3f617c6b756d4465231929fa99b0f42dc7f5745a94704c0666c828d1813e5d81

SHA512
ea554d5a9dc2ef65b92197575c8fe18cd8f71236cab8aafa1ea1b1968051631f4851af5a4e3769692aed7775c384df56fdfbaa37f8580577536a12e43d4e1bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEgYYEgE.bat
Filesize
4B

MD5
0e391330f76598620fd9de47c40820af

SHA1
99fe7dd4b9a79de7b1e4834b8010fa71b412079d

SHA256
c35f56517bd115d5355d88a6869ca1fc9f9345ab2b7b7a466ddce6201f6f7f0a

SHA512
9157c81acadb6a0690c0876afb66f4acd892d62758fa8cf00aeb8fcb5b56c8fcea1b78c15209ed1e94787acc7af9be79c19d43d2754b0f69f9a37260316523db

Download Submit
C:\Users\Admin\AppData\Local\Temp\oKQgQIcA.bat
Filesize
4B

MD5
eb1a1ff21e6cce680fcdb6214dae13c1

SHA1
f7d3d8d46ed2309eb69970540fb4f0cdad5e6d80

SHA256
c0fb123e2a7b6c81023e03b0bbb4d364571347f1dfca6b80a731a39f1451dfa4

SHA512
844889ffa7bc8f8dcbbab7b8082d541ffc2ad181c5975dc13df7cbef3ebce124828ad62b4476d31f7b8890395a965cc542369050501219d4f5aeaf39bd95b6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMIY.exe
Filesize
186KB

MD5
830a0c5f697dc7761fc5a17264c68ff3

SHA1
f8563a07c878c4f8ab96b4d021b987062be87b86

SHA256
8488eb73f2c072598f36bf535d8cbbe478f77ae325102413e11a3292920f243d

SHA512
ec57b4092579510f6c81dcbdcba2efc20e8bf461f9e7e4d91089824ca9bec8e3e102da616952f32c8d85d842ba508f9ea7c91dc65a48ab095e97bda452c767f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQMG.exe
Filesize
234KB

MD5
a9dae7c0296bb2f89dbb90700857a610

SHA1
44ca42990b5ade02ec565563a581f2c25af6a95e

SHA256
70ba0064f8858e5c27e16e1c8938f00ac898cc19f174bbb9a7d475e48cceedf4

SHA512
b9874b34588e8cc4159bd977b482e523747056f4bbb5ba6c9bd7226cbd99eae022803afd0c8ba5f408b2f149e90a459e768959af91c1cc75bc2e837ae634b64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYcy.exe
Filesize
243KB

MD5
8e6f50044f46ecc0204110d429c61333

SHA1
48d0df21425599db95bafbc26e973006b183879a

SHA256
67f8c8b0804c9dd8672957a553500017406c3ffe6fea1c289a49a93ba62ff844

SHA512
808333f170d5ec2d0f233c2e8fa53d187ab6b192f1f03187dee809513e7b54322994c99029432cd3053ca80c2ed8cf2b1ff956d9abe5d76d83615fc323da2362

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocEC.exe
Filesize
185KB

MD5
1ff882ca78f103366d9ab66159e595a1

SHA1
1b03ef649d372596f4d0da01fa6b0520075c23c6

SHA256
30a8727b2e75048720bee6d4563d3dbb0cc38506bc40e426c2cb338f7e35c6e9

SHA512
d3fadc214d9393edbf474bea20470173d30127637fd49cbb5f3af86e00b701304a801cb391d8d405a90fee958d71f560e240230afeed219cb404331b59275db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiAYoYMU.bat
Filesize
4B

MD5
c327fdf34d1f46df9260597ed4357db3

SHA1
b988d87deff37268dc1cd3cfc8d5691092d41649

SHA256
a211ec85f52c5c8ec7823d2c76634f4f4283f0d9b279c0f54b7a6c98a819cee3

SHA512
adbd9c505bd1fa0400592e5cb11e4b466f6e43caf910e534e3a57e112e9e6376500ea0137831634cca9a1719704aa997a32d5e7de22401905eb64949bb00b448

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCwQAAos.bat
Filesize
4B

MD5
d354456657dc2852968f3e3df37a7925

SHA1
dda29ce94f382ee4f692f427873e8bad70b96567

SHA256
6988ac7527c6ba8b93bf65773e8381055427d20020391d85680a4178e684d20e

SHA512
ef4fccb67ce1604682b9e06126423df5e0ecb70984eabf17d8c13993b45ab517acfd10335b9120bb82116c0c91aaf0f2bce537fb762d8ab6b75a5363c6ca65b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\psUkogQQ.bat
Filesize
4B

MD5
a964eb18448065f342c7f65c38b3f912

SHA1
9d14280393ca8966aa04c0546eabe93b08ad283a

SHA256
58405c70e954c2980a86cdfd359f75ef78e00d88a7e9d7e3f0c0222265223903

SHA512
496a20b2176dfc5ac0d3c92d2e73eb33fbdd7761d523d490f5ed178b3a22ea77f357724d866fe61a31ad3c9cdc4282f3c14da27cecdcdb9d6a9fd5452ac75585

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAYo.exe
Filesize
207KB

MD5
3061f130644fae795ceddf26d9bf31fd

SHA1
bdabbaf3148030552936d588c790ad74028d6ded

SHA256
80ee4cbb33541d0061aab4e112ebb91443c48a75ba38584408843af09753e850

SHA512
eaa8ac6d190a85f2f64f878fbcdbcd100dc3850811f47f6cfa24c7d84a9592b8021dca06dd03567e7d8585cb5e786a274d93b6df8fd2cd1a24ae0014fcf5b00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIkO.exe
Filesize
222KB

MD5
d8c46c5f6ff4d37ab3a62b42db689d46

SHA1
fee884f54b00d3a957e35c4263ed44c5b7ba5593

SHA256
c4d8da0162aa3fa89d577502ee5b7cb930580d129b82ef12e95d7585760211c9

SHA512
b686d73a69206600f7d983ae5040720fea0e9db8fa73b08cc7dff9dab7eb2b13ec7ca741b01fa0ddbd6ad4aa1643d54b008ecf637c7d4ec19afa04b5162e33ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUoIgAQc.bat
Filesize
4B

MD5
af3bb3eca675b5d4e116d9b40d139620

SHA1
d109c830eb91b73864ffcd3b1741e335fd284b06

SHA256
879acccd5a03dabdf8202590acc6048cc929b746d19eba7d53d1f5a0f4e72353

SHA512
0f5d01788e6c2516e262fbdbc26d7f8e89f5725e8c5791af5c94d1a38c3e398abee2b8449ef265cc9b7ec55ecf76549c27c746e0d3989f5eeee9c119ad4eb3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qosW.exe
Filesize
247KB

MD5
b9e4e566d3a745d76886fe4b65457ad6

SHA1
4bf0163fc1dde03c45c17e63422673e35a3aa1ca

SHA256
024bc8a57a74f43491563a276aa1e248e94c9fc472049afa0bcab8fa72f16cd6

SHA512
8bbfb7dcb28b644831b3c155cd4854a9b1ecdc5ebb2e022ac75a917cb1b10bc99f0f680808aee10f9283b4100b7dc8ea538518f4fbce6d724c6df3715f1662e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsoy.exe
Filesize
240KB

MD5
daf5246d697d61616447c3bb4df08c3c

SHA1
dd6cc0fb9811061616ae2dbb20f2ebe713ef542b

SHA256
7cb1588ff98be31855474bc6dbc28c55ef8c2677a9bf90aed8fe351b67e467e7

SHA512
cb24c0e8c3c4a348a09f7a38d9e1ddf318c435ceafcff7c5e0b392704b44e3d3abbdc4be94d0a79ebcacfd6182bb8e73d58256d4c72e3109c326e391b449b058

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIkUIUwk.bat
Filesize
4B

MD5
6d4e5719de8eb2a0aad958aefecd673f

SHA1
5cf7beea1ab419d9e6333af3e47b04fb52024b5f

SHA256
f39fdefd86eeb3da22fc5935e3167bbc574af101997c635813e13aeb21b17a62

SHA512
bc4aee8c435c196e46c253c869d72f8aa708d16ae97136db529ff047479a96ba10d10096021dbce6472bba9abe3b4162a1c113c1432219dd6e6bf635deae5822

Download Submit
C:\Users\Admin\AppData\Local\Temp\rWYckEwo.bat
Filesize
4B

MD5
ef0889e1d1980a9ec00bd389edc466a8

SHA1
879fd46752b4efa98d3eda5e759d9e8bf52df5c3

SHA256
99e354be2a855a42c26b9f10d10562d8a60a75eaa59d1635b0955d298363df4f

SHA512
610d13a0ca2c1ea41109fc0cbc731dd1cf4997d31f657bad5928146e4f580702f7c4a1112ac6717f452cd06787f7211eea07b38a45280ec83faf1029cad2a80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsUkQoQk.bat
Filesize
4B

MD5
213c64d707e098d9e0645bfac1294ca8

SHA1
32a3e5c4f5ea87344e50787a1bf89f047f8fd01d

SHA256
0c95d27ee7dcf4e3fd180505a72ecd50d99706250cbb2f586d5921e2957f5886

SHA512
9419d3faba6fe79a355b6b63f768a9e28ae0288261eb53b952526a5ed978c4c24b1b81f309a137ad4e292d81e0994dc2f2a2dd8c300f383905e28865b581a5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAAO.exe
Filesize
249KB

MD5
ac4f34af37ed299bc5c5865edeb2c66f

SHA1
4c6fca0ad2fcf80f2bdabc26b8d0596b562d319b

SHA256
327380386ad8e3bd6a7408a5bd031a3d697b159d56d43d09cc3145a23f601940

SHA512
075743d97d14ff9bd9cf6549553afad2d68c5a3186b2716e0730cd2c45096523ecab7ba1cd7be5b6adb07d81fba389c0b905a72dfc4cd87a9ac3f1d96db5c758

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIgu.exe
Filesize
234KB

MD5
2a47b9d0fbc44fa3d2a508de0f9de4e6

SHA1
be784ac02a9b641679bcbedef854f434d161ef6d

SHA256
a6b6b4f78429c867a8d2d3db23df5503197522bb1147590b96e14320d082b76c

SHA512
4d7f8f36738b3d764fe817a830e45d5cfb901b8db75234a5221ce739fcbb7ddb7c9c20d440b73400057bb547fdf2bcfb46ecd3b32fb3236481e2df966a51e55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMEK.exe
Filesize
447KB

MD5
d0a0052ec502958f541e1d4d1ac33a06

SHA1
cc34eb2314155fd314949dacc21454a6aa589d3e

SHA256
ffe3bdb965db9dd8aaab8e90121495ef1a6c83d6373a8934706086c5052c22b2

SHA512
6be04a90dae1265574b136e10ee54dc0fecc5ce30a695cd5600c9894175d9b1436bb91638d42cb4c66c89cd3f1f1ecd5424ef476a3a20f5db56685737170af9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgEW.exe
Filesize
223KB

MD5
5dfff9dd5debb777201e81925b25f315

SHA1
8c6bd2a10f182770fe0bb99e20a4c97b2f6dc781

SHA256
66f6af1be43795dee4de4ea0f5ae601fa3151917a45044f9b74345a7222bebc4

SHA512
905260a999132aa495cb9029df16a9d8183e59fbd1978c8183368632843f7b52565fefc69496aa9d147d455885b4f9496422761234e30ee4dd2dcba1038fa43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgYM.exe
Filesize
235KB

MD5
7f62ca51bc97b57305d0400c824c61cd

SHA1
15abc908f1e0fb01b47d97b20e4e48662c9732c7

SHA256
e936126d17c26a87fe5b049d15a1668dccc4ed451011a7aa1e55116eb2e22d0c

SHA512
4e7c819f6585264036d850cbf5d04318a023e78682d07300049997721be8bef397d2c4732e604cb9b58abf36d048118c33152963073380706adc7fc60ac5120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\soQw.exe
Filesize
624KB

MD5
cbc9e61a65562dd1c96ca4de5376b5bc

SHA1
7f903471033508554e9698b6e5eddb2817e883f5

SHA256
b8bf3aa5a55338c3a50e77cd23348b9bdb6c8c9cbf13163345db0044af7a484a

SHA512
87e3ce0d15a51feba819e6500ca0c0801831a905fa752e3e285e2f9849f600f67900863341cab27508d86e29ff61f305ecb755b835cf1a741ad9d95d03974c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\sooW.exe
Filesize
250KB

MD5
f9ad5b0d8e619c40dbe671206f3cc13f

SHA1
4739ff72dc5bbb7e0b3c2b209967e8f42467f02a

SHA256
aac6f87a1e999e80127257e037700d03eadec5cfb9b3bdd329f6bbeab5d7acfd

SHA512
1ba8aa93a94d0d5352397900fc24499a7ffe1fdbd197ded9c51f7c7d505e96059179aaa85874939a5ad2ff54a31044c602762b037ba72f4d50d1f396d57ebe09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssYw.exe
Filesize
239KB

MD5
e8a7db10647a3e93ee6802b2254265b4

SHA1
7c86a4d63fd0297f258cc9e2b772f23efd981d3a

SHA256
6497e4efc1331d5e9aff4243e21cb655a42c6fbb3e373f4f32a13727d4b39522

SHA512
5203bb97f671dc97b33901bbe6e1748658eb19de2ac9192368814504e9aaa594987eaa04c941adb6438221c4e2b878cae5487339d331c2ef33c126715db0b62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\swMYkQwg.bat
Filesize
4B

MD5
61301b3bb3c8b09b65ebd585470fb4da

SHA1
db36a791db8dd41555237238164f6b990d852a4e

SHA256
e58dc01231da55568795a0d46efb16634c9484c353771870aed0a9405eabbf65

SHA512
09ea65dc292a6efa2c4e5229efaac3fc2bb11941f19efea67f957246ea556f4731806e35b7f1bac85cc647e167ef72d524f4c97733907e71316d2df6a8e10dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCoowggE.bat
Filesize
4B

MD5
6bf3e3fe35556b2a8647a64ac8160fae

SHA1
8325dae5696ebedc974b285ca8449cdf615ad682

SHA256
f11162f79a4e887e6ae71985ea352207222a02ee385f02d706fc4fd6884c9174

SHA512
c55ad22b64d21e6853246667983dd74f8be570060765e0eed0c1127df1f6eea364bf810418ffee44d21cfafccdaa548754c6ce4a899edf7b1ed76c37ede34853

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSwYYsYg.bat
Filesize
4B

MD5
bed12853ee18b4727f67eb9beca33d99

SHA1
1b51b2e29677eca89d5f42a6aac4af6163768468

SHA256
f6117b176758f3d71403804b41fbdfbc389fe4344ff4febbf94c6f7b859d4c37

SHA512
2ae2c87fac3c42a445fe3a57df24c7d14722b3b23b9b736a088499b2cd211f3e4a8db94faed7f9bab17bb8510a1d3a1ad66aaf01380332c7e5f7e4f9d9a30d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWIAsIQA.bat
Filesize
4B

MD5
978ff1b506f4eef90e4ed5bbee676a1c

SHA1
541a40ac1b939375b6cc1ec8ec05733e0b1996b2

SHA256
d7340a5ac3cd2f9a254dfbc78b69bd33d9bada44c8e082f78cffec2aef7d3347

SHA512
d4c4c1f0bc56a0936cd896ae77cd00ea299bcd18778921394f47f5bcf16e097369ee14e78e61c6b5a45dfab3df998eb75df95297cdb7776c5b675016e238ad26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkEsooMM.bat
Filesize
4B

MD5
c4b353b2891c397cc99fba2ee6f92f79

SHA1
b54039f4605d1174d33d0f84d63a3d336b6e26ee

SHA256
9ac070a4fef9aadab4c05deb150fdc6ea52a20e313b6597657fa17f45d4260af

SHA512
728ddf1f87ecd097287dcc1f8767455a0bc5e4aacb0a114afbf31235df40ff096676cb42a1d5d0800522b39a38131d7dbde1c2d8fab32a6f3a4ffbe2de1b0749

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuYggwEo.bat
Filesize
4B

MD5
b45215f611ef8a659f981256ab36289a

SHA1
8a322810b7645f140d93a4cdcef2481bcacea3f3

SHA256
653805cf3bdfb3c98afb0b7f87f6472c87b726e6c8e9492cc641442d57879f9f

SHA512
ebfebba9429751d8697780a92f3d9413c5556ee05c6e2e2e2b12b928570bfc513159c507e60dfd749105ae91a92344acd5a58c037bb1aecf0fe5772f5471c218

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAYu.exe
Filesize
228KB

MD5
38fabc370f417d58e85122da0f3bc439

SHA1
2a83a8516841517f9ab07c1e5029ce349f4c0a55

SHA256
15c68590093f14469d984afb7011566415b27fe5aa6dd1171532101da467165e

SHA512
e1d85879a804cb087a4e8b3c07240c82005f1091c62bf60e0a00388d38ebe9e1241ab9a604b88f7b6b034cb6e4734e716f9cfd9ea3c181c1cbc4fa4c7e94c42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAwE.exe
Filesize
805KB

MD5
2332c1a9a306159ee0d048e99be9e64d

SHA1
f03e9af140d966ace069555c4c5364449ff03b9c

SHA256
341ecf424aa99d1c78c52223435bbf4e209b0f2570745e28e1368de5e6f5c922

SHA512
5ca7e76b9ee8c62cddd74d98a15c46213549b56830c4092692d6d726386abb7ebc23c8f2ef67dd921ab168702a7005eadd539c1a287bb8fb2f5b4d04177441e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uGwkAUAk.bat
Filesize
4B

MD5
70575941735d98d0e0065f5a20c77ca6

SHA1
50c9a10eeb324a61392d7b56d6b06ef9cbe94534

SHA256
b3e0223b4b882103a4a65344e279b6e3291ebed4ca41964afac73f76c90bf119

SHA512
b1dc34938248fddfb0cc7e0c70e6aaa6800e010988a807dd7e68aa82de4b93661b302cb0f90c5eaa65bbd97bbfd22d0bbc86ab21fe68bd2256a4cc314ef93dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQgu.exe
Filesize
234KB

MD5
d36aba4f596de92efd6e511775bac268

SHA1
01ed1f9abee4d64d38201e49c735b7b46b8772f4

SHA256
5703ef798bd3ee30042935fc4103aba7a9a11b48a50eacf86af81b5da9284257

SHA512
422d3ef1adf0d17df4dc259de6601b13f8a03d72346fcca1b57636f4e90134198689c9b7036197acf86fb84c038ccd9d75b31014dbe922240042f801fb608dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uckI.exe
Filesize
234KB

MD5
0a6eb250fb996732df7683f5bf72c562

SHA1
ab8cff24421ebee3e3febd2746733bd2e8d643fc

SHA256
72cb39140f906889e219a71fb33d65bf13390c3f10f01ede297832a87ead7445

SHA512
ec7d01c739e28d890ddf7d0be8ded4453d33aa0c1bb7cce08326f2d166d0e71c87a2370ee368e7ab078adefe00a14717c43726a43e4edd3aca17b61bbcb04ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uikUkcEc.bat
Filesize
4B

MD5
a41bea70a4d44c6e1a208d6f722562bb

SHA1
573691e36906eb055fa9003385f6ba3e856f863e

SHA256
934ffef590f3651243823e93e5e6147eee4fb5e8614afd0dc6d3f2f1eda5d864

SHA512
c3af5c2adf88d08f036c2bee1c79b0102b827b6196c38effa2a97159606380063b7d843b3a8c3f8dfd81d514d027b6cef6ed8f6000415509ce9dad6780ab7936

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukUo.exe
Filesize
950KB

MD5
f80790e0aecbe5f14851aa736c2b5d85

SHA1
a043d8299efe4ab77c4abf7c2ef9f7a5b1703712

SHA256
19f767aa17c7d3629b00d911406804d167e5a722b4841d7625a0faece7595392

SHA512
175489df2acf00b37f97f1fe8f1cf308b97e1a0b43d317d9b45269963febed6d65d80371814b10ddc6f5e8c8531eace6693b24d34fcf1949f185a0869a4bd22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\usgggUIw.bat
Filesize
4B

MD5
3e1a4ff9472e61546278a707d7f49243

SHA1
490fbc6bf3723e8dd3a4a7fd6719f7e139de7c67

SHA256
d485e037fdf12463f30300a8e92adbc88fa5e381bc944494a0006d6f3fd0f962

SHA512
747eeff05de7bb54a5b3458092853af3708b18e73c1e23cdf5024f9670e0c5b12ecfe68ec1aafd7f862aa37cfc191864bfdd98c10e25ce46ff171d89ccc53768

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwAC.exe
Filesize
4.1MB

MD5
c2675814200d57829c70b7f6e85852ab

SHA1
bae946590c5cd9acce2a11cd434d5e0d0d627fec

SHA256
b2e2c6369048be3651cb29c4e04e331736b0bb0503cc306a51ccb39d47bece35

SHA512
8e2ada56ca79722a27bbe4f86d68a85c97a56a214334ccae7d81ca65d4997efb37cae1f828577b830c654fdaa45643eda21795591dcad503c75033e1937b4ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwUe.exe
Filesize
225KB

MD5
bb92247843c70b8c2ebea3c2fcf2b737

SHA1
24623bab9d0b8db12ff1a44cd65439b0381f29f2

SHA256
64305972f947ff545375ce3a27bcfba08edb6bcbe4cb5bcdea1d9a286777c074

SHA512
41e7067729b49254a6cb4311d26d4158b3ef73605fbc35a2a790e1e02532fac0041f8c5e13514da309423c7a1d2b65993e478d6bcf31fbcbc4a4738dfe2e53b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAEoscgY.bat
Filesize
4B

MD5
65e61845961ee53b4ae77529701855f8

SHA1
facd63cafdbde243280e6ead7590670f6478192b

SHA256
1e9a619db218c83d36d97971dbe5226d1792b5c080a93c2748f8a603a5d9cb1d

SHA512
edd34cd02ad05289bf5a285e64347f60e73b1b40ba4f1881c30a8f0879df2384cdb580df295c6ea07ac7d48875dae109f60500a171990cf3952e3b61fb2ec981

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAUo.exe
Filesize
229KB

MD5
421b9054f501f1970bc530d568fdf0cc

SHA1
91440479b769b6cc4aabbf0e6f648eecec3d5853

SHA256
e56683ffb3f18e694ff9bb14725262dd2778871b831048449bcd9f449205b817

SHA512
84a43aee848cb9806fa9d1af56630bc4611eb79ced7ef1db70559951bb5e90caa825f35a6e114f013e300212a645b33dca075c709505a2fa76f2d7d333b6a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAcs.exe
Filesize
955KB

MD5
ed28b2b9a8e5387a9b3a042d8d83b1b8

SHA1
7db775af17bded02c3f2726c0fc4fb2cd2649e59

SHA256
fa0e99dca9ba6cf88bbf69d636f345127484299d3da9d8f34fbd278ad7c7ab72

SHA512
eccba4f25665ef7990278dc92583e1a458eb26779b492a4f37bae481b5d3919a9058d2be3b9066c485e78c3c6c3697a7f99c04adeef2796e31bf5214d6877d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQoy.exe
Filesize
850KB

MD5
a45b16706152aa0f1c56bbd8e2a3ae6a

SHA1
40b1c8b011a2931fbe13bef34e0387b76d6a43b4

SHA256
76ca1a7220a1c6a4a98f51a3ffb69b7adfd97e575e19cb5c0e216d79acaa4379

SHA512
ed355ff2fbdefb68ff40e0bf89b98a29ff6545fe4a0020dc7a4f2a9774603e3dfcb5df8c17e0ac517fc9dcd93bc8b7ea9746e94b2c90519dff0c8ff4f20d9931

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYIMkEIc.bat
Filesize
4B

MD5
504983534faa062a468edc8e936dfbfa

SHA1
5b07fc4e9e283a9c4f55547817b4947672a4a9e7

SHA256
7831de704d3b0cbfc3904bbe9d9aae8ec35e5b91ee42ea2ae2dcb0499f531423

SHA512
54d6d64a520080561049d89e127bb282b04c15392b0a6ee6d0f53e5a67c5a186b2c56f320958499e9ae35c2e22855d310e23db8a7c0f0875cc3d4b05dda3be45

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYUA.exe
Filesize
192KB

MD5
35f7d315569f9c903d5c771c329ac134

SHA1
204e39aafee859ebf46a7ee52839523d04f92889

SHA256
f85e64d3625496dfa39dcfc1597c7d6c1b1bf1bd020390ce22a404323cc087cf

SHA512
ed032a85eb2d7fd503c5def57ab7417d5dc301ebbf2553980d863bea60fcb37c92c49c926e2d2c28ef7ccc34954c350b4bc7fa67b9709a165fcfaeec04f82523

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgcy.exe
Filesize
231KB

MD5
d03e6ea0cbfb83e14b074599fe39f0bc

SHA1
05678032501d33a15691294bcd9efa304f58555a

SHA256
b8e80476cc654b5213f6821bec1d22e2dfa875b96e5e56173e5c2c4139fb72ab

SHA512
27668cabad5b28525414882658dfd2b251f74eccf5010ddd3d4a66554e95962123f845a48624f7c297c568eec7b64cdfe54b708354f09f49e23bd48d842d77cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\woQg.exe
Filesize
186KB

MD5
0b3572a971bd156d22e79742d88e1781

SHA1
90dc939fdad60af78df2d755078789fcd845146a

SHA256
f36648b2924aaf37ee8c03643ba90ebc177e260f910fec8c29df9df4cdacae3a

SHA512
00dc665698e01123924fda1c280653dd9a844b97c478468396dae63bf52944f52c3fc711faddbbe0f2c06430f18ebeb30bad616f630e39e8d7c5c6305a0f8e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEIMkMww.bat
Filesize
4B

MD5
613d3637065a4483c3b9542ee44af706

SHA1
6769e4f26a0aa2dfe6caa34a29135195ea14a8f6

SHA256
381f43e84f9d63821e3d05dcd1195de1ff7e58be70f2ef763fa03e3c7b7ada88

SHA512
c23555a4e459c3b10c63bdadcf2ba456659ac97f4e3eb7fb396a88354e944702f274563dab9efd760462999b73fd2db4dbe5128e44e94032db28a6bb4bebf67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWcQIMIg.bat
Filesize
4B

MD5
968546abf64ff99da72c0657b8969a66

SHA1
22a51853857e790331cd38af96db0147b50abc92

SHA256
93acf12c8fc1b2213493c30f8805f9cff5dcf8253d2cdf22ce03b75201029e09

SHA512
eda82fa0781d6c76f37b2cd882872726a8e9e87e49c8046395b3dbae6a6cca76696529973d3ceab7047294b2b3370e4da64484350110df91a3250ffc71281ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeQwAgUQ.bat
Filesize
4B

MD5
4b68e70d6a7c18dc974a5355c98765ef

SHA1
2f7081d19b8315c27417c8937261d20b4ba9b8b4

SHA256
11e92b3b3a3705318790cd107efc9d2026e47fe3b477903b4b7c21f61096a585

SHA512
fbfc3df0ec515c40bc90b17a90daea46e3d25c11b88d942eeec36bdec1f98bcf243d6b6c51991c79388e9e746737f4d916e015d8aca5f75a08397d0d6242c968

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmUskYYI.bat
Filesize
4B

MD5
3a04123b88052b88fa4373f6130f70b9

SHA1
d99d25be44341d75e0544a4e27db9ffc4b5108dc

SHA256
b83f177066281d91893a1a1edc930880a499db0c1e3365cf37a4d5aadf6ee77d

SHA512
9ebfa32b2cc0904ac6542d7617c32d5da6b006c30216c53deea4ef9d2783bc206690b30d7ec90bd6a4c4a09a137e64315183fbb2635368ecb192e939c8485a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAoi.exe
Filesize
602KB

MD5
67de382dd48bd2dc71079a9d58cc2d07

SHA1
5057c91869f1801cf674d036e58a3616bc22fb00

SHA256
07bc96df590db8e95e07d9aff6254bead5d602b4cbbb962a43cfc3d1c40dbbb8

SHA512
86cf16e43e7f89a800dc593f7dfe77c53aa402bc25f8a5791c4d720f6c12d2c35ca185f7d75637bf7a2e7be374892c691e21be8ac4d7eb3fe4d86dea7dae7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQQC.exe
Filesize
643KB

MD5
72971bd06f0a459c535249c1b1faec12

SHA1
fd3f7c3b8671ac7e40f2fd1c26cbaca2df41dade

SHA256
81edc26bb146b24afc86228f1fc6eabab242c81bc08f7967a4a859b0ebe65d36

SHA512
ce665e926eeb78cd1a50ad603c7cc293abbd5aef61c2f9fcc6d9499c4950c861627976f795a894544898a7f574dedb58862b29e29e52cfb12f7c243884bb2206

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQUY.exe
Filesize
183KB

MD5
92392c2de84c419a1236aecee83cdb93

SHA1
b7e1c4be5c1963f0975e033e87fae411afa4c3d6

SHA256
99de1fbbf4139801334077fb230f2faf86c34bc15ce18a4414aefc09d77fd7fb

SHA512
63229e1be06c354a437ae5312d9ee2fec7298abbb3764c533f25ec14c9c38ae6bad39fa6d0c480cff200b80cbadf766acd8dadb47d4bbf9d6f9ffb0d93f610d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUgA.exe
Filesize
230KB

MD5
cfd0718e77bbc95584e76c04b017e095

SHA1
c1f97793516d61beb45a2cddf8a8c2ec4c93486b

SHA256
a1f5d44699d430ef875410c11a47073d7eefa38c38c6caeaedfbb4b955662937

SHA512
084080c1ebff8f493c9aa96daf005a92af3af02fa5951dcbc69d77aa560d2e2f2f297d65243909d10e0d90faf00d2b339ac8d5b3636b8a53e6bf2b01e2adb6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYIy.exe
Filesize
775KB

MD5
af8ed539a1745978ade2228dac4f9ded

SHA1
360a7ebfb9a46c6a18f9e3eb0cf81729338a2d6f

SHA256
4a2109c762b859ecdd611f3551c233815c6bfb6555119c83b3f852e8e07e5b2a

SHA512
79e496396d49ff5d68c74c4bcf0894cc52a565e8f5ec13d65106401d386dfb15c2b115a402022e01c93094d64c245da4bb65ffaa776486931f94a2c56a5d4ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaIAEgko.bat
Filesize
4B

MD5
f86425e4b56e1814ffacfe4a271e0e34

SHA1
8c67e02169037907d870d2fc2c95673b652e6703

SHA256
2514336606d3654217261ed18040dcadb5fe7e0053309ba0b0b5c9c0e5fbd1bf

SHA512
43329232dad00c48986477a47735708bb359c9750326fec11af6aecc6ee2496768193aded2a53a51c770ca4402c7b17fff0b74ec253401b6d8550a6fb169a7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yskM.exe
Filesize
384KB

MD5
4c9af561d3963a9f5a7ca6e6eed43874

SHA1
9ec86be9ec7f70e4014d2e4e1cd858eb4949b85b

SHA256
e9fffb99542d47f9169de043a847d574fd6cccce58a536b62cc73ea043dcb5cc

SHA512
11ae1b6da037926839e22ceb75fddc3d8a88175b31e8aa4a534f23ce0189fc54a9ffe2c495206ee8fdebbaf1724b54f75ea4a7370ec1bd11680a8f451c1d29b2

Download Submit
C:\Users\Admin\VGIskEwo\YuUwUgIw.inf
Filesize
4B

MD5
ac04969bcfbf65570a6e99e25c216626

SHA1
a5fad1dd7b5617fb61334d3168c1a48d3ea0126f

SHA256
10159923b4e9bb410dfa17d4989f794410e90fa7ba122addcd6970988cde27cf

SHA512
c594d6cf3f66a15e69fdf23d56ec84324616ec109fd8c2d45f5505527805e957c0626211de4c3494b7ca9a2fe05566376f1a4360e46a799bd6709de44d89ec80

Download Submit
\Users\Admin\VGIskEwo\YuUwUgIw.exe
Filesize
200KB

MD5
c0292b02ba443c01dd219a095a945608

SHA1
fca6821a2a9db99e3f508ce9ddbfc51a5abe9f56

SHA256
2896649ebb4178b388bb718b7adba5842c6d32630af8c08f70e5d6caf888d2cf

SHA512
3ded882bf593af745f6a05242a2f5e3379125ea7c7e7e228bf9bbd8393cec310be42ce539f09e1cfba29672d70763bd3e5f4236df7213eb34044fab102f29c53

Download Submit
memory/296-580-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/308-689-0x0000000000200000-0x0000000000232000-memory.dmp

Filesize
200KB

Download
memory/748-415-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/748-416-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/760-665-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/876-440-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/876-439-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/964-690-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1040-390-0x0000000000380000-0x00000000003B2000-memory.dmp

Filesize
200KB

Download
memory/1080-128-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1080-162-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1092-113-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/1100-391-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1100-425-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1104-654-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1140-548-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/1140-549-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/1188-81-0x0000000000360000-0x0000000000392000-memory.dmp

Filesize
200KB

Download
memory/1208-621-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1208-592-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1228-369-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1228-400-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1236-112-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1236-82-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1388-232-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1388-256-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1484-426-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1484-450-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1536-127-0x00000000001A0000-0x00000000001D2000-memory.dmp

Filesize
200KB

Download
memory/1536-294-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1536-328-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1576-570-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/1580-231-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1580-200-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1660-269-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/1660-271-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/1688-186-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1688-153-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1708-590-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1708-622-0x0000000076E70000-0x0000000076F8F000-memory.dmp

Filesize
1.1MB

Download
memory/1708-591-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1708-306-0x0000000076D70000-0x0000000076E6A000-memory.dmp

Filesize
1000KB

Download
memory/1708-305-0x0000000076E70000-0x0000000076F8F000-memory.dmp

Filesize
1.1MB

Download
memory/1776-601-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1776-571-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1816-138-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1816-114-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1944-223-0x00000000000F0000-0x0000000000122000-memory.dmp

Filesize
200KB

Download
memory/2008-280-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2008-247-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2028-474-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2028-442-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2072-528-0x0000000000280000-0x00000000002B2000-memory.dmp

Filesize
200KB

Download
memory/2160-152-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2172-184-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2172-183-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2176-538-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2176-345-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2176-377-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2228-464-0x0000000000280000-0x00000000002B2000-memory.dmp

Filesize
200KB

Download
memory/2228-463-0x0000000000280000-0x00000000002B2000-memory.dmp

Filesize
200KB

Download
memory/2332-343-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/2332-344-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/2360-302-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2360-272-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2372-558-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2372-529-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2380-185-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2380-13-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/2380-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2380-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2380-31-0x0000000000470000-0x00000000004A2000-memory.dmp

Filesize
200KB

Download
memory/2380-209-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2380-5-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/2380-17-0x0000000000470000-0x00000000004A2000-memory.dmp

Filesize
200KB

Download
memory/2544-353-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2544-327-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-634-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-633-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2680-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2680-68-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2696-518-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2696-487-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2728-320-0x0000000000290000-0x00000000002C2000-memory.dmp

Filesize
200KB

Download
memory/2736-33-0x0000000000290000-0x00000000002C2000-memory.dmp

Filesize
200KB

Download
memory/2788-612-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2788-643-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2792-58-0x00000000005C0000-0x00000000005F2000-memory.dmp

Filesize
200KB

Download
memory/2792-59-0x00000000005C0000-0x00000000005F2000-memory.dmp

Filesize
200KB

Download
memory/2804-496-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2804-465-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2816-91-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2816-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2816-367-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2816-368-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2840-509-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/2884-611-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/2916-199-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/3004-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download