084c98843a6c5ef5db7af05b162b448a91d3eeb441936a40c60bf59eab1ab4d3

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Size

213KB
MD5

a4396d5a9e6a31e5116c75ed8445a710
SHA1

eab2c89654a5c3953ae54aec2709325b3cdf5e97
SHA256

084c98843a6c5ef5db7af05b162b448a91d3eeb441936a40c60bf59eab1ab4d3
SHA512

795687a36d1f5c68727ded5ed66d1ac9de37c93ee1a8098f4dfea09420f8665e70b329eefde0922748c9393bac9e0e4da27757e46ed1aebad026ec33ed6f26cb
SSDEEP

6144:Pj79Ib17HfGLOF/QjvVbSgPKK7xxUjR3mB9ppVGPcN:r79K7HfGL7Px7xx0tmB9C+

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exereg.exereg.execscript.execmd.execonhost.exereg.execmd.exereg.execonhost.exereg.exereg.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execonhost.exereg.exereg.exereg.execscript.execonhost.execmd.execonhost.exereg.execmd.execmd.exereg.execonhost.exereg.execmd.execonhost.execonhost.exereg.execmd.exereg.execonhost.exereg.exereg.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exereg.execonhost.exereg.exereg.exereg.execonhost.exereg.execonhost.execonhost.exereg.execonhost.execonhost.exereg.execonhost.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execonhost.exereg.exereg.exereg.execmd.exereg.execscript.exereg.exereg.execonhost.execonhost.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.execmd.exereg.execmd.exereg.execmd.execonhost.exereg.execonhost.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execscript.execonhost.execmd.exereg.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exereg.exereg.execonhost.exereg.exereg.execmd.execonhost.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.exereg.execonhost.execmd.execonhost.exereg.exereg.exereg.exereg.exereg.execmd.exereg.exereg.execmd.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execscript.exereg.execscript.exereg.exereg.execmd.exereg.exereg.exereg.execmd.exereg.execmd.exereg.execmd.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HAEwYIsA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\Geo\Nation	HAEwYIsA.exe

Executes dropped EXE 2 IoCs

Processes:

HAEwYIsA.exeOosEUwIo.exe

pid process

2904 HAEwYIsA.exe
2704 OosEUwIo.exe

Loads dropped DLL 20 IoCs

Processes:

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exeHAEwYIsA.exe

pid	process
1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exeOosEUwIo.exeHAEwYIsA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\HAEwYIsA.exe = "C:\\Users\\Admin\\HUwYcIEU\\HAEwYIsA.exe"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OosEUwIo.exe = "C:\\ProgramData\\BuAQUkwY\\OosEUwIo.exe"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OosEUwIo.exe = "C:\\ProgramData\\BuAQUkwY\\OosEUwIo.exe"	OosEUwIo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\HAEwYIsA.exe = "C:\\Users\\Admin\\HUwYcIEU\\HAEwYIsA.exe"	HAEwYIsA.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cmd.execmd.execscript.execscript.execmd.execmd.execmd.execmd.execmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execscript.execmd.execscript.execmd.execmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execscript.execscript.execmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.execmd.execmd.execmd.execscript.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
900	reg.exe
2492	reg.exe
2464	reg.exe
1944	reg.exe
3064	reg.exe
1772	reg.exe
2940	reg.exe
2348	reg.exe
1624	reg.exe
2996	reg.exe
820	reg.exe
2736	reg.exe
1548	reg.exe
2388	reg.exe
2580	reg.exe
2184	reg.exe
1588	reg.exe
1928	reg.exe
1468	reg.exe
2700	reg.exe
2868	reg.exe
2820	reg.exe
1388	reg.exe
2808	reg.exe
2396	reg.exe
2120	reg.exe
108	reg.exe
2792	reg.exe
1188	reg.exe
944	reg.exe
2980	reg.exe
2372	reg.exe
2972	reg.exe
2792	reg.exe
1116	reg.exe
2452	reg.exe
2040	reg.exe
2464	reg.exe
1836	reg.exe
2824	reg.exe
2380	reg.exe
1724	reg.exe
3068	reg.exe
1204	reg.exe
1160	reg.exe
2932	reg.exe
1948	reg.exe
2652	reg.exe
2740	reg.exe
2076	reg.exe
780	reg.exe
1640	reg.exe
1648	reg.exe
1600	reg.exe
2324	reg.exe
1900	reg.exe
1072	reg.exe
2372	reg.exe
3008	reg.exe
2988	reg.exe
2860	reg.exe
2184	reg.exe
1712	reg.exe
2632	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exereg.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exereg.exereg.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exereg.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execonhost.execonhost.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execonhost.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execonhost.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execonhost.execonhost.exereg.exe

pid	process
1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2924	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2924	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1468	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1468	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2316	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2316	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1932	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1932	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1908	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1908	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2816	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2816	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2184	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2184	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2972	reg.exe
2972	reg.exe
436	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
436	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1624	reg.exe
1624	reg.exe
1984	reg.exe
1984	reg.exe
2872	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2872	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1880	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1880	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2756	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2756	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
768	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
768	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2292	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2292	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
900	reg.exe
900	reg.exe
1692	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1692	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1092	conhost.exe
1092	conhost.exe
1720	conhost.exe
1720	conhost.exe
1060	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1060	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1620	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1620	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1652	conhost.exe
1652	conhost.exe
676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2964	conhost.exe
2964	conhost.exe
524	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
524	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
940	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
940	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
332	conhost.exe
332	conhost.exe
1992	conhost.exe
1992	conhost.exe
1364	reg.exe
1364	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HAEwYIsA.exe

pid process

2904 HAEwYIsA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

HAEwYIsA.exe

pid	process
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe
2904	HAEwYIsA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 2904	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	HAEwYIsA.exe
PID 1516 wrote to memory of 2904	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	HAEwYIsA.exe
PID 1516 wrote to memory of 2904	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	HAEwYIsA.exe
PID 1516 wrote to memory of 2904	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	HAEwYIsA.exe
PID 1516 wrote to memory of 2704	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	OosEUwIo.exe
PID 1516 wrote to memory of 2704	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	OosEUwIo.exe
PID 1516 wrote to memory of 2704	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	OosEUwIo.exe
PID 1516 wrote to memory of 2704	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	OosEUwIo.exe
PID 1516 wrote to memory of 2988	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1516 wrote to memory of 2988	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1516 wrote to memory of 2988	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1516 wrote to memory of 2988	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 2988 wrote to memory of 2676	2988	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2988 wrote to memory of 2676	2988	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2988 wrote to memory of 2676	2988	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2988 wrote to memory of 2676	2988	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 1516 wrote to memory of 2984	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2984	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2984	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2984	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2872	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2872	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2872	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2872	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2596	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2596	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2596	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2596	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1516 wrote to memory of 2696	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1516 wrote to memory of 2696	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1516 wrote to memory of 2696	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1516 wrote to memory of 2696	1516	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 2696 wrote to memory of 2680	2696	cmd.exe	cscript.exe
PID 2696 wrote to memory of 2680	2696	cmd.exe	cscript.exe
PID 2696 wrote to memory of 2680	2696	cmd.exe	cscript.exe
PID 2696 wrote to memory of 2680	2696	cmd.exe	cscript.exe
PID 2676 wrote to memory of 2972	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 2676 wrote to memory of 2972	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 2676 wrote to memory of 2972	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 2676 wrote to memory of 2972	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 2972 wrote to memory of 2924	2972	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2972 wrote to memory of 2924	2972	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2972 wrote to memory of 2924	2972	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2972 wrote to memory of 2924	2972	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 2676 wrote to memory of 1644	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 1644	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 1644	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 1644	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 2016	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 2016	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 2016	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 2016	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 1956	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 1956	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 1956	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 1956	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 2676 wrote to memory of 2472	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 2676 wrote to memory of 2472	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 2676 wrote to memory of 2472	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 2676 wrote to memory of 2472	2676	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 2472 wrote to memory of 2756	2472	cmd.exe	cscript.exe
PID 2472 wrote to memory of 2756	2472	cmd.exe	cscript.exe
PID 2472 wrote to memory of 2756	2472	cmd.exe	cscript.exe
PID 2472 wrote to memory of 2756	2472	cmd.exe	cscript.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

cmd.execscript.execmd.execmd.execmd.execmd.execmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execscript.execmd.execmd.execscript.execmd.execmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.execmd.execmd.execmd.execscript.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.execscript.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execscript.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execscript.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe
"C:\Users\Admin\HUwYcIEU\HAEwYIsA.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2904

C:\ProgramData\BuAQUkwY\OosEUwIo.exe
"C:\ProgramData\BuAQUkwY\OosEUwIo.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KmsogMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsUckAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIMQkAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
3⤵
PID:1260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- UAC bypass
PID:988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YgckwYgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
3⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
5⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
7⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
9⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
10⤵
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
11⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
12⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
13⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
14⤵
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
15⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
16⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
17⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
18⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
19⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
20⤵
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
21⤵
PID:596

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
23⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
24⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
25⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
26⤵
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
27⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
28⤵
- Suspicious behavior: EnumeratesProcesses
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
29⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
30⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
31⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
33⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
34⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
35⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
36⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
37⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
38⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
39⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
40⤵
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
41⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
42⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
43⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
44⤵
- Suspicious behavior: EnumeratesProcesses
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
45⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
46⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
47⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1760

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
48⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
49⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3064

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
50⤵
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
51⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
52⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
53⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
54⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
55⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
56⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
57⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
58⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
59⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
60⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
61⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
62⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
63⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
64⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
65⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
66⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
67⤵
PID:300

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
68⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
69⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
70⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
71⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
72⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
73⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
74⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
75⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
76⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
77⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
78⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
79⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
80⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
81⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
82⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
83⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
84⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
85⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
86⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
87⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
88⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
89⤵
- Modifies visibility of file extensions in Explorer
PID:2564

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
90⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
91⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
92⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
93⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
94⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
95⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
96⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
97⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
98⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
99⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
100⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
101⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
102⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
103⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
104⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
105⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
106⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
107⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2132

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
108⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
109⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
110⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
111⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
112⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
113⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
114⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
115⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
116⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
117⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
118⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
119⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
120⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
121⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
122⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
123⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
124⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
125⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
126⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMEkswYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
127⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
128⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
127⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
127⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
127⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
127⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
125⤵
- Modifies registry key
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAwwIsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
125⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
126⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
125⤵
- UAC bypass
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
125⤵
- Modifies registry key
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
123⤵
- Modifies registry key
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUkkcocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
123⤵
PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
124⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
123⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
123⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMEEoIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
121⤵
PID:1752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
122⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
121⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
121⤵
- Modifies registry key
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiQwUkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
122⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
122⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
121⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
119⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
120⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
121⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUAcQIYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
120⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwkccEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
119⤵
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
120⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
119⤵
- UAC bypass
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
119⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
117⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
118⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
119⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
120⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
121⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
122⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
123⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
124⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
123⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMwcEIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
123⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
123⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
123⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOcYEsIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
121⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
121⤵
PID:2800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
122⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
121⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
121⤵
PID:2696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
122⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FesUwkwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
119⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
120⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
121⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
122⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
123⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
124⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
125⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
126⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
127⤵
- Modifies visibility of file extensions in Explorer
PID:2828

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
128⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
129⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
130⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
131⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
132⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
133⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
134⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
135⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
136⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
137⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1924

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
138⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
139⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
140⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
141⤵
- Modifies registry key
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fqwwMgow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
139⤵
- Modifies visibility of file extensions in Explorer
PID:564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
140⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
139⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
139⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
139⤵
PID:656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
137⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
137⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
137⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIQkQQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
137⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
138⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
135⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUkMAokk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
135⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
136⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
135⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
136⤵
- Modifies visibility of file extensions in Explorer
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
135⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
133⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
133⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qsAksMcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
133⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
134⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
133⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
131⤵
- Modifies registry key
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FOAQMoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
131⤵
PID:2160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
132⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
131⤵
- UAC bypass
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
131⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
129⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ecIkAUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
129⤵
PID:1212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
130⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
129⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
129⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMQcgQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
127⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
128⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
127⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
127⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
127⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
125⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
126⤵
- Modifies visibility of file extensions in Explorer
PID:656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGEwUksM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
127⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
127⤵
- Modifies registry key
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
127⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
127⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
127⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
125⤵
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
125⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FyokEEAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
125⤵
PID:1128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
126⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\usUEUYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
123⤵
- Checks whether UAC is enabled
- System policy modification
PID:2764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
124⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
123⤵
- UAC bypass
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
123⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
123⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
121⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Modifies registry key
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuQMQQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
121⤵
PID:2348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
122⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
121⤵
- UAC bypass
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
121⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
119⤵
- Modifies registry key
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
119⤵
- Modifies registry key
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
119⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bsAcsoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
117⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
118⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
117⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
117⤵
- Modifies registry key
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
115⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
115⤵
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
115⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jKAUwkYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
115⤵
PID:2580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
116⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
116⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
117⤵
- Suspicious behavior: EnumeratesProcesses
PID:524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jqEoEYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
118⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies visibility of file extensions in Explorer
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
118⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIMMYcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
116⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
113⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgoQMIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
113⤵
PID:1472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
114⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
113⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
113⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
111⤵
PID:564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
111⤵
- Modifies registry key
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
111⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JcwQgYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
111⤵
PID:2292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
112⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
109⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jKUcgUUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
109⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
110⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
109⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
109⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
107⤵
PID:656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
107⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywUkgsgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
107⤵
PID:2044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
108⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
107⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
105⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMoIkIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
105⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
106⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
105⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
105⤵
- Modifies registry key
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
103⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
103⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
103⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmMkkcEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
103⤵
PID:2604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
104⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
101⤵
- Modifies registry key
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
101⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
101⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEggkcoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
101⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
102⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
99⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUEUMUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
99⤵
PID:928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
100⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
99⤵
PID:300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
99⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
97⤵
- Modifies registry key
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQkcMcUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
97⤵
PID:2392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
98⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
97⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
97⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
95⤵
- Modifies registry key
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
95⤵
- UAC bypass
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nYEEowok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
95⤵
PID:268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
96⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
95⤵
- Modifies registry key
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKUUgUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
93⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
94⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
93⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
93⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
93⤵
- Modifies registry key
PID:2980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKgEgIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
91⤵
PID:1128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
92⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
91⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
91⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
91⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
90⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\buosMogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
90⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YooMcMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
89⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
90⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
89⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
89⤵
- Modifies registry key
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
89⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKMIoggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
87⤵
PID:2744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
88⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
87⤵
- Modifies registry key
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
87⤵
- Modifies registry key
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
87⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
85⤵
- Modifies registry key
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
85⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZuQckswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
85⤵
PID:2468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
86⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
- Modifies visibility of file extensions in Explorer
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
85⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWkskQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
83⤵
PID:2004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
84⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
83⤵
- Modifies registry key
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
83⤵
- Modifies registry key
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
83⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
81⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
81⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
81⤵
- UAC bypass
- Modifies registry key
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSsQskQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
81⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
79⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIoYcMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
79⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
80⤵
- Checks whether UAC is enabled
- System policy modification
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
79⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
79⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
77⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZiEwwUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
77⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
78⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
77⤵
- Modifies registry key
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
77⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgsoEQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
75⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
76⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
75⤵
- Modifies registry key
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
75⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
75⤵
- Modifies visibility of file extensions in Explorer
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
73⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
73⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fkgsYAQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
73⤵
PID:1036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
74⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
73⤵
PID:596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
71⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PugkIEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
71⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
72⤵
PID:108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
71⤵
- UAC bypass
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
71⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAEUAsoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
69⤵
PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
70⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
70⤵
- Checks whether UAC is enabled
- System policy modification
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
71⤵
- Modifies visibility of file extensions in Explorer
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUIYEIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
71⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
72⤵
- Checks whether UAC is enabled
- System policy modification
PID:1944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
72⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
71⤵
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
71⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
71⤵
- Modifies visibility of file extensions in Explorer
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
69⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
69⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
69⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
67⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ESsMQYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
67⤵
PID:1788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
68⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
67⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
67⤵
- Modifies registry key
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
65⤵
- Modifies registry key
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykIcogkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
65⤵
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
65⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
65⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
63⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
63⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMkkYYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
63⤵
PID:2788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
64⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
63⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
61⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqwUAIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
61⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
62⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
61⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
61⤵
- Modifies registry key
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
59⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
59⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
59⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgQIcAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
59⤵
PID:1088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
60⤵
PID:1616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
57⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
58⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
59⤵
- Checks whether UAC is enabled
- System policy modification
PID:3008

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
60⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
61⤵
- UAC bypass
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gkoQMYgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
62⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAsEMgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
61⤵
- Checks whether UAC is enabled
- System policy modification
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
61⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
61⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jGwQEAko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
59⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
59⤵
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
60⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
59⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
59⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqAIQcMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
57⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
58⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
57⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
57⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
55⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
55⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qucMsoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
55⤵
PID:1204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
56⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
55⤵
PID:2128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
53⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
53⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NsowogsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
53⤵
PID:2980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
54⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
53⤵
- UAC bypass
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
51⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKAgAswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
51⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
52⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
51⤵
PID:1988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
52⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
51⤵
- Modifies registry key
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
49⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
49⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
49⤵
- Modifies registry key
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiYYoMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
49⤵
PID:2924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
50⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
47⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YukgoYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
47⤵
PID:3012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
48⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
47⤵
- Modifies registry key
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
47⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tkAwYAIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
45⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
46⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
45⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
45⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
45⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xSEkMAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
43⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
44⤵
PID:848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
43⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
43⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
41⤵
- Modifies registry key
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqQcsEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
41⤵
PID:2408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
42⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
41⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
41⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
39⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
39⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
39⤵
- UAC bypass
- Modifies registry key
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tigMEUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
39⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
40⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
37⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUYgosII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
37⤵
PID:1928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
38⤵
- Checks whether UAC is enabled
- System policy modification
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
37⤵
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
37⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqYsoYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
35⤵
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
36⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
35⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
35⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
35⤵
- Modifies visibility of file extensions in Explorer
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
33⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
33⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
33⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IicIAMUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
33⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
34⤵
- Modifies visibility of file extensions in Explorer
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeYQwIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
31⤵
PID:2692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
32⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
31⤵
- Modifies registry key
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
31⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
29⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iWMskgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
29⤵
PID:848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
30⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
29⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
29⤵
- Modifies visibility of file extensions in Explorer
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DiAYIMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
27⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
28⤵
PID:296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
27⤵
- UAC bypass
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
27⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
27⤵
- Modifies visibility of file extensions in Explorer
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
25⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWwIMEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
25⤵
PID:1072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
26⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
25⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
25⤵
- Modifies registry key
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
23⤵
- Modifies visibility of file extensions in Explorer
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
23⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IowYgYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
23⤵
PID:852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
24⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
23⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
21⤵
- Modifies registry key
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
21⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
21⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkowkcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
21⤵
PID:2796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
22⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
19⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWUsEUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
19⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
20⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
19⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
19⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
17⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMkkcYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
17⤵
PID:2976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
18⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
17⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
17⤵
- Modifies visibility of file extensions in Explorer
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
15⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
15⤵
- Modifies registry key
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
15⤵
- UAC bypass
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkgEYcII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
15⤵
- Checks whether UAC is enabled
- System policy modification
PID:1600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
16⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
- Modifies visibility of file extensions in Explorer
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCEsgEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
13⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wooUccIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
11⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
- UAC bypass
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
- UAC bypass
- Modifies registry key
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WeQMEEQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
9⤵
PID:1200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
- Modifies visibility of file extensions in Explorer
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIsYkIAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
7⤵
PID:2728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
- Modifies registry key
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCUcsYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
5⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIcEEkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
3⤵
PID:900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-353244242-1744012757106025348-1625494322-10385515811652748658-988705570-636352235"
1⤵
PID:760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1349613181-841877315-1277220944-1333856059-2005113749-1755170603618604873-282216291"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8875860701928475797-61429440617214076341324177983-7090304859226358551514074669"
1⤵
PID:2992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1771182617-1881230425-623200348864601729-2953190809930272571098524121159037496"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13928120530493563035644372495208193-560662062-14933154721811983663414449869"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-524612276-363998402440726673881364667-1023987969744105659963633086581005848"
1⤵
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "122264360-1366193312-600552946-838043970-1041616110-11422827303427599551805744411"
1⤵
PID:2460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-533620160-506401918-256471106-1257081341-427636153-2063402529115621984-348039752"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "947290260229499435-14176965706745709391530729378-1153375320-1186743126-1817063729"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "562587348-1539446232-17840727182113939467-15875894491183653779-1635384101927714641"
1⤵
PID:2076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "90418386420614888421169302896-3559046781413343845-690092182-14451443096821390"
1⤵
PID:2576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13009444071064602786-13883614151334419420-6658459151986657429-11623857491678372212"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-458758607-2027079746-1393635150-1874617797-6135432431949349128-1863265535-27483599"
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2121489088405314280-155059888436146926-1395891480-8278370162048935767937883108"
1⤵
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "193209556981685459-4282879281855177165-838432609-598907160-2072217580-356277877"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19352650194486431291155569596-1489018424358159540498488785-16013908471514114994"
1⤵
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "569202192-5117149082037880541412561915-1184803791863977228-14187674951141743876"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1541128780-12160056827039084438159914318892204071987288768-1285754548-726450431"
1⤵
PID:2988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3389196441860904722-2137157300-1556532119-935749575435308401-9387653161258503326"
1⤵
- UAC bypass
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2129936639-134181024-83658136143679745-1286825293-23290141318274218941706850744"
1⤵
PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6148600264681983711029367931-1255032716-971865797-280406056216337519-1934131517"
1⤵
PID:296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "672203567168987435617844038031987039924-1110373817-2064401106-507656311838818142"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-513019131160254219228553312613180063651469262898861016373-1314242093-106404839"
1⤵
PID:1436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "374274566201045415-1053514142-1525860014345467621-1053310823927132356-230074555"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1714408165-6162313221423784340-998639939150687782-1219560549-1087325775681983907"
1⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
2⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
3⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
4⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:108

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAQUkows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
3⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:2068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16374947311014360797-19128870111046754246-582420316-1502372500-1473093910-1614418736"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "125211929710825904461366911950964911104-20201851366487375461031540759794519694"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1906013451277406859-64186376-1229466240-6675988731258062179-64498251-328220857"
1⤵
PID:1924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13098750611922060507113519156-1097896932174278274-14735730431658836321564889762"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18053404421955464692-364026364-8439369152865805251331991975-197072869163580516"
1⤵
PID:1880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1838979230973673206-99224212-181860789644888589682239662717468117792113701045"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2802777031029621700-63600172425214259-2071018508-2111487504-602937571314595700"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3749753309589203931146728743153265730018516806291705302608-1104361965-91911931"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "148884796-43807240204316638113091759803184374901581617721635529597-1570090969"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-604684747-1956694566-1093676358-55086529415353595311684890002-7288137801454446397"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17153640926895226141341039068-1820438032201392061434765221-966067272225550269"
1⤵
PID:1088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-520976641174260772032462089-1359229793-3727195201815762041900033798161328883"
1⤵
PID:2224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18760511661297585201557771736251935313-1222565157518872245-1319257595-1187584140"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "266355883-1258459473899364686-104804043-1174165305-44530329-558158182-978953550"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1721255906-1050252722-1451179709-11350566542001756857508700239-1450393276-528158740"
1⤵
PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-130472431113884410601438710808613387553-1564196890652123831-1230118407469488948"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-578680939426898156-18567183781150697183-1333021117-1349958957-19433541981247394505"
1⤵
PID:2548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
2⤵
- Checks whether UAC is enabled
- System policy modification
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1088875028-277936776-48786848-97986900910428392-89750442614837494561182678723"
1⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
2⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HQAoMMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
3⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- UAC bypass
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
3⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "956536178-770438135753815317-538528754963939759-14801278381104702821476311828"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
2⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
3⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
4⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
- Modifies registry key
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsUoMoEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
3⤵
- Modifies visibility of file extensions in Explorer
PID:820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- UAC bypass
PID:2388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMkIkIsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bAIcUoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
2⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:2080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1912217564-93298138051286292516025841941775431430-508397209-41041578-1883404585"
1⤵
- Modifies visibility of file extensions in Explorer
PID:776

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kiYMEMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
PID:1032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-357446631-1144146657-163124268-83847333217575134131960471043-1723590847472924784"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12451716411114862942-1851341601150665943040910544283380667-19335686971982197430"
1⤵
PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1743070173-1362421953-209941535375103364-1951963291313590938-29104030-1782856266"
1⤵
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1530265457-747358867-5045265512059136563-1770022096-1200158922-1073765695-725311039"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-355852296-1558200945162263634010048459181800030016-68457808655925007679973121"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1793011641463658317-14415421351423540708-1882254842663894761578544109-688867901"
1⤵
PID:1740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-45178228213577748491721759259-957169968-810135404-108502438711286572411289119548"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1824189282504126605-485696629-1126408210-11528415721003679732-898492982180923442"
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
- Checks whether UAC is enabled
- System policy modification
PID:2128

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
3⤵
- Modifies visibility of file extensions in Explorer
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:1596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
3⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
4⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
5⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQoccQko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
4⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ecckooko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2066273151-2008936985-36854029217223992801627007287-14467467273524610051447022610"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1886829692831988728-1752093085-1823247217-1249136142-1316005120-350043229-1707722950"
1⤵
- UAC bypass
PID:1840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19295884781493789585-13592948191831061000-6175711991755923228-81266717-661366394"
1⤵
PID:848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2511438591843941946-405906990-141678221997712415-1181008544-375811662-1396727994"
1⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
2⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1652169789538918664-1624352279160244123711659560-1358805658340725539381633827"
1⤵
PID:2924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
2⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-504648447395882401451979682246628462-1333191950-15464207661679943318-1551159911"
1⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
PID:300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkEMAEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15404256571455709267-153855723-257350779493426123-147680552910107309041768056472"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1889704807-18663021131704681946-473068166-1892781913-1525488456-187773878-1903987309"
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-148832615514106977251371306128-5529230531469520344-186898761375972789911055457"
1⤵
PID:2988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-403393577552092300-75276788021146591861211756124-461911451-1251988736-1520949178"
1⤵
- UAC bypass
PID:1684

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
2⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DSkAAYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
PID:1992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
2⤵
PID:2276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9587630521062818331590532992-20953847891055594488-97066599311207552001399782659"
1⤵
PID:1360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-106025875914652338391640142525-1589659994-6926230361970912943423955651970935890"
1⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- UAC bypass
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:2572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1555854563529315552-1803920439-468600466890192571-800905372-16133782541566462907"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2028873816-6434327521283002940-1763206791-143162264918809594881906604257678941641"
1⤵
PID:3064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-464425853-15967231-853278997-1401174870-1278608598-1359225182-2043513529814028178"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-464806121353552534-1347601327-91743262-8504609-2003799619-20647009621566688990"
1⤵
- UAC bypass
PID:1072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-601344317-43219034-1629335898-8863594556229616912014525210-372450579228843951"
1⤵
PID:1388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19369546211516796140-2063443542-995457069-483663974-893011775625844637-1769177506"
1⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
3⤵
- Checks whether UAC is enabled
- System policy modification
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\taMsUAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
4⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies visibility of file extensions in Explorer
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
4⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IoksUQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
- Checks whether UAC is enabled
- System policy modification
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8935808421440540674170386298611081872281593302556-1367615448-1175301010484883828"
1⤵
- UAC bypass
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10975552551467897000-14051784031935126585-596768224-15999856691499757609-1925535781"
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "527984949-55059275114998269971804450089-552481484-1717791154564868490-321778431"
1⤵
PID:1908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1430054074-14241915311659494715-313876129-346866562-20116583114497442914099427"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "262695510-1703421951-191319316529394314-734031544-920638641935112164-780487585"
1⤵
PID:268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1753367108-1736224082-182577252011932050461689784604-903049445-1346468855-386798706"
1⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
2⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1601711644-90654588-85361876-1436799206512704365-3685946301448840084-695165611"
1⤵
PID:2108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "189040340912517585971906042286-1464470383-1377029764-68976615815133427201324095989"
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1127849551-2023134817-542902113178528853816871499771403071044806551224-363348188"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2120

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
3⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
4⤵
PID:300

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
5⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
6⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
7⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
8⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
9⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
10⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2536

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
11⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies visibility of file extensions in Explorer
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:1456

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQYwUEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
10⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
- Checks whether UAC is enabled
- System policy modification
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIYEwEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
8⤵
- Modifies visibility of file extensions in Explorer
PID:2500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kakkwksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
6⤵
PID:1752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
- Modifies visibility of file extensions in Explorer
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
5⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcoQIMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
4⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SascMIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
4⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1690647574-797603802-1866322860-19878664969488587861118898275-282496578-779858564"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1665057618202957975712440564501016810991-259987215-210151785-2018399550506152890"
1⤵
PID:1788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-299538794-21282070311746752519-17928552797413551261619908663-19018387801253279883"
1⤵
PID:592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1342496315133980027789315043-2096226733-142263537212171006521548102426-1311939289"
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "74162340-1655671914214947832-1807470904-37019366-1748865266504073784197922239"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-124792650-2346381831303024325-2124328127-1903909086-7816099081030375984795088274"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "625582424301041080-4463449231269117564-190730232-57309219924904624-1705642098"
1⤵
PID:760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-206293929471972647199379787545843205111244607803338515178629553151020887709"
1⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeIUUEkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
- Modifies visibility of file extensions in Explorer
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "95997552-1601734230-17524086751206716916197977992237147798431723501-1890342520"
1⤵
PID:892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1984124301-52382806-1318896408-1444160998-1683790267801332143-547226820-1346158395"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5545463825448860898674057011277629564-1321099462-479175221-215972594-2043814024"
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5920500661697699481-738397276-12969618797307036342006699637-367281308-917282500"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4114726201480181959788323785189846193718885334101742660184-656277031-1891790023"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQwEkIgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13870267071777664433130556271970537528820744737651185529884-1146275110-2093962297"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-559209373-1163039228830748629-1621165902-701627263-8581232313231764461692166400"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10022757271282429697-2039351294-627405502273532079188652189414560513312117385742"
1⤵
PID:2460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2032401482-2126225660-17118459131084735157-2112959983895786475-20010390081578193861"
1⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWQUssoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "465792622578571172941759558-53986045-2002306381964393953-434511705881464296"
1⤵
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16661235131183162601-874035771-1095742547-1617722746219427207-651409117-1079654119"
1⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqEIIkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9349013671080081525446010888-354940635-1468505333-685484273-1150335775-1678326698"
1⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ssEMgYgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16865515872126359439381181524-20503095191365828954-1862658802-45114420-1615516263"
1⤵
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19929247201620292895-1896110580-1053344207-1285321406-428486524-1585070915-48672995"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1463896534-1615022981-161606020307729083-5130746482028967513111120866523164616"
1⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECwAAocA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
PID:756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1649392957387010310-1957527137-3661016202012595028-40627694329816778-820098754"
1⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1204

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuMYkIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
- Modifies visibility of file extensions in Explorer
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1258355776-155049099618639771084286419161860519280-1378134714-187285915112664114"
1⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1444730406-1989791516-2047897426143293763-465722772-19195597691917373668-934243057"
1⤵
- Modifies visibility of file extensions in Explorer
PID:796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "722740502-431197265-2864980641845999695-1216286986-2027654627946158779-1184882070"
1⤵
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "569804569905116160-637502054-1805642385-350030658-11789643971178497748-1057729154"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19593358402000349518308583698-8434485431499885370-1849032900-8775947461462037375"
1⤵
- Modifies visibility of file extensions in Explorer
PID:832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16061719481149331865-18695125661964026201-6100721882682857381750968790-1882591446"
1⤵
PID:2292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-107929920980685403115627974039251840592079941511312003732-1546165860486184067"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17691168215485469491681400651-20744577121130594489-1911794990934080068-1116573049"
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-711731950-4979691531079486153-1579701798-580091781049251444-1301153103-1977558864"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8433840314276112521478086059785928990-1990847429-149862333-687390903-2102675067"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14745852603949671238262689821024324790768835280-16613894031685025943-1707564404"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1177294507-1807291293-1633333257-1819892886-568197744-2135633165-1569696023280411446"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-53483290014919402321788542561-765020681440324996-3347064331865370610-1791425357"
1⤵
PID:2076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7478525172103851822-495043839-236853026-774687306654190466-1687291935385055301"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-207989420582773698812515399851937436859-653183967-446727707421778811299466898"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-689551754163403790-13539848771521639161-1622483032490964701-19798572979043998"
1⤵
- UAC bypass
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-549916037-1374742676-321748142-2043696211-186252493-2107612724681969133-309742069"
1⤵
PID:544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "803301689-762333325-199726710-1860543890864788332-12711953181550621411610663666"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "806956413-1553847781463499187-1726647774-59036887140348744150122140551098199"
1⤵
PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1057435370-227383650-1453750852312058362-1728758560-502708210-515342081640454575"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18687541582011723964-201435861738943353-1998044908570987511-349140434-1929957359"
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BuAQUkwY\OosEUwIo.exe
Filesize
200KB

MD5
efe06f447b52838231f82ad11d23805f

SHA1
c5a40524c207401b154e8695a0ee4ff085abe02f

SHA256
c5113cf9c2e609adac2d07240860d5c544d6ae1da44a3a07f1896afc6f7eb0ed

SHA512
3ab1f1fc2753f107db32cecfd52609c99135ac2b88a9a0fa9f7f198ad4149c269fea91373db23ff707a4c497a2cc3592513865c0cf881edce55b45e6e30951ae

Download Submit
C:\ProgramData\BuAQUkwY\OosEUwIo.inf
Filesize
4B

MD5
9a34109f6900c2df0489fa6956f96f1e

SHA1
a92e31c97631a37c6e3a61089a202c77ed3ff578

SHA256
db7f1bfb5362a69213d5f42c86e95a8be1e9a46c98520408cbb9a38fa3033828

SHA512
fadf1ac1fc8e5c9d1283ab0cca7316ea25a176635305c2fb37981e8703120e10086f70581b0a01885c9f198fae5b23fa0dd6bcd9e8c844e6cc87883785f2173a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
241KB

MD5
10bfa6aba1f68aa508b060c43a53ace1

SHA1
ca83fe87268a147429bfd0492b8c3abaa8104de1

SHA256
11afe63387ec62e7feef949893b04077bbc9dc59bc8574c5aa4c4ef4f60abe95

SHA512
86ace25a2160876cd222f642dcddaec47660ccc95378ccb4ae13ce12cbd7d834a36fc63655b307e43968788a542a6f8b3b35d64af9db21e5392333dadee3e99e

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
Filesize
823KB

MD5
9b9ca11d35036652eba08a3f6bf00070

SHA1
20dd7e22fddee0468114dfd062019b1165b1215b

SHA256
63cd9a2716ace4e9ebef121c1e648c5c2c0382993f979b0eb137d6da0d163abb

SHA512
89ccb54e8c015113782a86e476f2ba506532afe4bbb49425e9dc36ae0979c937b8fb25edeb6f70f126df17b7e805dec8f27e858b646e6db3d41d8614135fe54c

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
Filesize
644KB

MD5
fff7a231c3daaa0d037d9d0ac82960c4

SHA1
744030d5fac6e0e89c48f7135cfefdf41e2a0c09

SHA256
70c4102215f79b2695c98adfcb87f8da4d87ea677dead5c00af164f8c4bbc115

SHA512
d0094ec36243513e9033a7d0d1100e1c8b5c2ac446dbaac122d1d21d25a442cffba170686b00b49200dcd34a031e5dd0cb362b1387b491cdf4fffd1c3ac44878

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
Filesize
6KB

MD5
b1d0a5c199d9edc1a273e408124ed491

SHA1
82dbeb87395618e9292b9dd7a414086ae43cf412

SHA256
512c67620d9906aa3db4ebc6839e4a74c832e750d4805c77d6de0e6a76740d77

SHA512
3c3eefcf3679d578fe6d4891071ee4bf2d6e7ae9366affee4838f7a161005035a390aaedbce5527f55fdbd622bcfc47a86b094feeb7f7f454bc71bcdbfd746d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAYU.exe
Filesize
787KB

MD5
b9163f64d2eb7fc5b4022a6d5fc400ca

SHA1
1df2d607d0760ea56ad73804804c7a8900468fd5

SHA256
f2eb11559baf70b61e2c347f6444a3ece934267f0f729858fdfb6a7a858e5bce

SHA512
9089af319de7d0d8fcb541f611f61a2efd343380437a5e04271f647381199f6f897d5e7d0df49396638acb9d823b7b8659916f5bafc13600412676881b96f05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUos.exe
Filesize
250KB

MD5
1223cb82b5fe66c2c3f0de60caf8eaca

SHA1
36be1bc03ac75f1509b149393853ebb0bf486dc4

SHA256
23ee18c4af981e78aaaa412d26bea856d9953a9eb455a01e224b172df64264dc

SHA512
379827d17b2f0a6912355fa6b657a5da5afe8189b592fa26ec6f488971b9e758dafa7476b48a5787acb30c9adde004d5e3924406eb5fcdb6dafdd9c2f6afaad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWAcEssY.bat
Filesize
4B

MD5
d41e213ebb3284e75adbf3a999444412

SHA1
ce81755b8bc8a47d4b54b887e7ea05d05abdfadf

SHA256
d96e0806e476a2eb85c0fb16855a8633985c8ad53acab24da2f44aedfe8e7fa7

SHA512
ac3b11f4fa8311793fd01bb1d66ac91fc05c98fdb4649393fc06be467e3eddad1d50de81d13915db9809fd3ac9aed9fc74e08cecbe0509de0a3f69ff8e1a59c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYEW.exe
Filesize
942KB

MD5
0b5502abbc1ac7fd20321db41d792379

SHA1
5838e4cc80ad8d76b4a0b545744e9cd5056b600e

SHA256
07deae3dbf6dd2eb85becc4e0377fde17b6ecfd53a2dbaa17324f5cdc2d50770

SHA512
383f936b95de7577ec296672106527b83b53e73df56acafb8a7fd863ecca80863f03027caf740f2e49245434e29f761e0875b524b736dbdf8bc0f3e4a15d5f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcUAMcIk.bat
Filesize
4B

MD5
7fd1018afd9b07eab0be8190d152230f

SHA1
dcf91927b5e41b48c2ce6ebc098e5f1f13a7340e

SHA256
18fe6a22444641495ec6b7df5db460d870c7dc1b2769d9aea4f4fc60242e1177

SHA512
7692831f89e5c5a6e4fd2ad7ce67680a0ab0744da1dda5a2789ea4fc2fbda78ef70687f8561075b66fd1bd019aea68c69d4170764fb32d1122b2122f0d0315e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ackk.ico
Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIIkUccM.bat
Filesize
4B

MD5
dc3fd90a5a57dc0ed7c91ae28653e264

SHA1
f7150dbc490d9e605300710b8e2e2f684241dd81

SHA256
1a70ce1523a4891c5a4e3f9e4e4ed20853cd54f023d193a5534988cc6229b6b9

SHA512
929f088ac4002d99846b02ca4dc5b6a2517c6ed52924a40caeaae29869340f5ac3b7a6799653402e58d84bfdd9a37eb5887adf20d5e990083188832aa8cf829b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMQq.exe
Filesize
250KB

MD5
fed3874dd4a65945e6aff6d1ca080f33

SHA1
3eb1acb8e0e0561701bece13c0c1705edba31ff1

SHA256
30f45b028fe99dd552ad537d4ed2c7bbea1d0dcedee22be4086dd8a334a2250b

SHA512
240fec11b0829814959b88f08b31c2ffbca943fa00343e7f5e723c1784dc60ea7af8eae63b0539d2c52a6dbf73061118d34cb1645dc3ac61713707db7047867f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUki.exe
Filesize
249KB

MD5
5ea2495f2c99295fe9011621c2903e4c

SHA1
53fc04e36395d09eb1ad401fcb3465e4f896982a

SHA256
4007539aec30815bdada4b07fbc3c97cce564df1be17c815831f5d3de5d7a80b

SHA512
a98b3bcd8589138c7c6f5cdd389c62c79d250150c5ba00eba493e703fe36330b556a9b326e6450473b1622b05237d64c1979e99b2c79e73759936c31af668f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\BccMwIoE.bat
Filesize
4B

MD5
d86d6370d8844f954bb74a99a2b5daee

SHA1
741a3670a1cddaffad857e7a01fb2ff3e23e81d7

SHA256
c862afa1668fb626542e5e8324e958569c39b6ba90a86a300c284b0569d53012

SHA512
d6b2e7a0026c3fa4c4d54010aa02d55b0f4d3cd8eebc320c9018861468a281b0907cf6cc97f94bbbf219681c286b5704cae55159a78322d37e96c98f31f7c09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMEcwoIE.bat
Filesize
4B

MD5
26650fabaa12bb4f92bd7631e74772d1

SHA1
b0a54b505655cbbd2b9b2f7d877c45d096848d82

SHA256
27429a24e32a05d3aad1bd21c58a78eec76a14517a9b3cb8ee342a951d660613

SHA512
eabaa86f43c72084ec86902d23053b2fd2dc299d3db2ac6a4451994b6cb2ad3b3ca5a52dff5a4f28945320820e37b8bab242342ac6b8eb163578631d24311bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYYM.exe
Filesize
229KB

MD5
a2828dcfe51fbe19e8fad22c7adaca2c

SHA1
451d600ac042efb1b98f9318bd2dc37ba4e62b6d

SHA256
9e743e45ec1143a39723241f2299d20578a59cb349f50310054a8fc2616c8517

SHA512
812d766944f07afdd1e95f01e16ac61dbaa9b90fe3ad5da7e68a02fbd3b5b4914f2673ecb8a9f9eda9ff07e387aed3c1ca291b8a2e20d083dd65c68db7c02d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\EiUoEEws.bat
Filesize
4B

MD5
7b09950fa43dc58b1cbba4e1d746df26

SHA1
a87b1d6165d14e67fef0a212cac926a2c50d97c5

SHA256
b052fff9bdc0181ba47bc4a7a5d8fe2dba4ee81ec6f40e029f8142c21426579a

SHA512
5da4171bed73382e4e673f0751b79cb80e7860e44a3f21a6be90d599a1522256e5d62f636665a2929d8c8653d43350ba52e63d2aef118d0faa7d1a3e6b71e581

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkcY.exe
Filesize
482KB

MD5
4fa1abbde2fe0084295dc64334db50d0

SHA1
b33d6e9aca21eeb0ec4a20d68ed7f002d0dbac2a

SHA256
1e4d7927d0c4dc299a9738c817297f560dbdc2977141ce9ee6301ee50c09a676

SHA512
3bf708004fd5d9f6b3f398f27dc8616dfaac7193cf52758da4ac7f7a068aa8872f86ed28bb07168378a1c6da8592423d3646c715b70bc71298e95a2ddb41cfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EosM.exe
Filesize
937KB

MD5
a78084b964d367f85ad1a7ba4e59abda

SHA1
00d1a76b97e0c6ad99419a46d42e239a93e627cc

SHA256
b141132ca1c723dc7b0e8c6f293443d1428f3896cad3aa3e31cbe7aa2681a59b

SHA512
67feb8a4fd060db6e05449552ef2b14dfae479285cacc64802056204060eb26a5e8625487fb442057dcf22825909a86facbd87d3de9b848b4a06c956681bdf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwokQwwk.bat
Filesize
4B

MD5
6bf282a74918890e4ef28cb8574d963b

SHA1
2138050eebabf561bebb339bb1ebdf678438ec4c

SHA256
0606178dfc91fc1783d0ca4a30b2bbbbf0e64f18a35a611ea34855d21d113b30

SHA512
8427a0c37504521b50ab6ccdf4d1b80057f0a6d8af20342c723c35ff0af27b6fb6e0ea013dbc3a5ca8e9a00b2790d28a7a0f2a9782baa5e41282cf08f96a2c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwwswUEY.bat
Filesize
4B

MD5
467ee3d0d05110b783afe2dbfebad6e4

SHA1
1f0024d4faa4d162400ba7f3c21ae8c779d744bb

SHA256
9de3926915abf9ed8b6be4277e10c22b37dc96196c9a6ae5d17da5ad92fd381e

SHA512
d4694183b8d8f2c3a7519e73c101aa0b8a9336022a4d39c5cb90e687410eddd89e33cf53f043bf630e6195e3844dd4a5b2d24910321c38595250b9255790771a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EykEEkEE.bat
Filesize
4B

MD5
982b87e62087acb8b9348858b69b754f

SHA1
e80ccd0c63929543c11c0c8781169d6f3042ff96

SHA256
8cccbd2d9c2100b16a44fd59c2492874354169ec679325e67204153dbc1874a6

SHA512
0569e79c95d4040326cc224ef3bbcd6e03790ab3b11209f798cd0f86df35c6447a913c7ab5b95bf5b8592ad36a6a35e1855a41cdee6e0c8b86285a57045e84f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQQIUkss.bat
Filesize
4B

MD5
eff34a47a9e173c72c2db1ce20854548

SHA1
5d5a916ac8841eb92e25a84422c7a4494faa3172

SHA256
4bd8e27377dbc62ef433f25360192aeb5f1c25b9694c03e9344c4fdd30b0a756

SHA512
f2d5de6422afb31fdfa22291aeb639bec32a0230231d50ffbac5dc95999a035d394700639ce12e71d9a05a65aa2473c2b4df8291e976e962ace548c35845bf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUcM.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCwoowMk.bat
Filesize
4B

MD5
ad76b47365aa0b420e0332389832e013

SHA1
0254e0cd14a3c4c5a163e8321a02d3d3d5162332

SHA256
1d0d2dbeb12e696117abf7801f262a9fd9c0d804d71ceae991042bec24a165ff

SHA512
e93d788c75d8e15fd569319aabbe7ea9f2952680db55b46b539ecfffce25c06e15e75c2fef5a4b012b7279bcaebcd5f86a3aa45148c2b43a5fb10618220f9a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIYs.ico
Filesize
4KB

MD5
97ff638c39767356fc81ae9ba75057e8

SHA1
92e201c9a4dc807643402f646cbb7e4433b7d713

SHA256
9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093

SHA512
167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIou.exe
Filesize
252KB

MD5
beb73a8371f155f6e68dd8fb30967d64

SHA1
2e0510b4cf0ff46fd108fb5cb3bd4457948c8112

SHA256
bc4088c14501a5755b3250bc5aa82809d7e6883278ccac3893e2f034cfa94be1

SHA512
c208574fd3e8112c59bcf86ecc147a1808ed7e71f0d1a0adc7616d1d6fc33ba5829cf9f2518ef8a17c569572e8e1211bb4c5dc491a31a3fb87ee2a4d1bca5c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoQS.exe
Filesize
440KB

MD5
7e2023387e5f6327aceb3fce071554d3

SHA1
eca9a81c5efbd1a8e521d03b82b82930a3c42e7f

SHA256
7f0f0e1f6fb650b0ae6dd3eedb866954670fbeecebd6461a828135c4fd2f74f0

SHA512
888c346d1e95ac4125c466d298a4b74bc03f27dfddc5893ebb389384bbc8eec4232e73629d17d012e948b0ebc60fd72e98c16aa44756987c47430ddd424f8b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hsga.exe
Filesize
1.1MB

MD5
231ef7ba9a062c922f21c7f83769987c

SHA1
fe55777599859f526ad7d31a5539bf06e429266a

SHA256
1a30b68a7ccc5fe35ba2a5e72b5486c878e2570a4a9d2ecf05d69f0bd0294684

SHA512
8517893bb1d8a6f1b2c7de270cbfa5516382777715be834a7e8b6e6858b9cbb30c0ddc6cdd7c589065fc81ca2967cf3607e8b0c083cf2137bac6ed04e30e56aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HuAowgcI.bat
Filesize
4B

MD5
eaf62515873fe3084ef9828daa7e4046

SHA1
e4086549480e831b6c9ad113ada2f5eef6cc65b5

SHA256
9677392095002e110bcd0988025d9cf5ac448de441167318bf59f0a3119bf0bf

SHA512
c031aad14bfb9fa5e2435d54cc0c209df763266c096d67dad1c630b93c0e147ab38197601a2d74240d0b9703daf15d9dd5dcbc59ea153f313b0e3abd09ce21cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMMu.exe
Filesize
234KB

MD5
8450b29d15911d84616d90ef0567012c

SHA1
6f6393615b2fad67b06620076790320ea033dc1b

SHA256
985b9afbcf2d53826a70f6043e7e06e867c344cfe1d5c4806169608483fd39f4

SHA512
3fc529885f58c79b30afd2b8ccd392c6b4abcc3d517645688c71696eefba91f4470f1c9d68d1e0e2f79491407b6761f1cafe3f985443431ae06b5969e960b2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icww.exe
Filesize
237KB

MD5
bdd755b608ba315fa8304852eebf408e

SHA1
97bd79f8fa847773454e132685c7531c073f39bf

SHA256
f544bbd7676a0c7ad4da643f840d5c2586114162ad2fd2c5bea89fbf1a5e200c

SHA512
e190177c25cb5e9c53db60e68c4b0026b1f660f8066e6c1fd007f227f55fdd4894f98fc5cfe94798ed3c5d6040b07a0ca3260a5b3ad58857d206c663b2b293a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsoM.exe
Filesize
232KB

MD5
81648915bdb1f88c17b5e9ce0222519e

SHA1
3c980af32784c02f39735c84993a55569af6376d

SHA256
a0335ba19c922fb293bc9236601006a160d11749b85a2b0e88659afe540cc2d1

SHA512
b58c98754775ed02bd2f26696d2083a3b38fc857ccd95016c8ef506dc72e6aa7a8273db33c47515ed813a07c209c4ce42b30fac6fcfb86c3fdd06a6af5db6066

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCskcQwY.bat
Filesize
4B

MD5
3fedb4d6167c8b99abed58631c0a2fb1

SHA1
4518a8ec67d1367304784864a60fde7d8acb1c79

SHA256
53d7bf9cb8786be5286d1f4307c86b12fa2c5341bdde9fecc2049613b93ab2b5

SHA512
f2b7713f57c91ec80b53e371bcdc10608302a1b18b056a2fa4e04534ee1bfa4ee7cafc936c667b7691242332c8b8ca05dd5a5444a1822e2efda5f4db207ea7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\JoAO.exe
Filesize
321KB

MD5
d8a891bf7e5a4254e762071ca694a683

SHA1
c86056efad27119ecd69c33b29b55e389b0b1350

SHA256
1b090fcf6d73578383df542c1abfe79757f6f4553d8ddbc0ceaca108949d9d12

SHA512
19622b8c23c4e428f2b2b7bea2526e2222f7103fe5293a4f96da0876b2e88beedba27e60e29466afb32af59429e3f9d3cfe8f33e210d5857c23666c71850fdff

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqUwwgMk.bat
Filesize
4B

MD5
b053528d9cd8c260e162eb79d6b0ed03

SHA1
871e9a31d5042bb17dcfa78a6244a1b814844927

SHA256
73e49d3f47ca7049888926ab881b9e197dde71af247ed657b35834ddede9a6e5

SHA512
54b41392bfdf6e00a1f58c3749d6b3ac576be6bb55bbcbcbb8618d40caa6c03c9efed7e897f80f217632ffa098fea8c49b15d26173e3ade1e1fcc898e944f7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQAgEYog.bat
Filesize
4B

MD5
3fa4be18dc5616daa7dbd69b5aa5870d

SHA1
e960c17299cfa14f8cd3b8a5470acbffa0112c3e

SHA256
6dcfee6c024b97ad9c146ffa4aba07a99f670064aaa45d4b383da19bbe7ce01b

SHA512
973f052e4fecc3966c3d0d5140368ac0b43bcdea39f74ba2ea9215c08c891bc487afa890355974b8cd65d58184563a0ac7f2a1b0788efe4d96805d0a30f00d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcsM.exe
Filesize
520KB

MD5
f150142376b24fa75f10658af50b743b

SHA1
b364e293fb8373104191534f4cc713f820683914

SHA256
e8ad09f3feed244e02532e96a4d44d02a6c81768be9f010e448a85fb5ed8ec60

SHA512
ac81636bf74b538ba0620e2cc8b1a9302fdbe0872b01e5c9e313d7aa19f7f7711e7ce9a1f70e28cf06c0f034eb27e742585ea36a19c3b66cda6aa4c8c8e44b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgYEIEAs.bat
Filesize
4B

MD5
e2786573f06ca258bece7fb323b9b7a4

SHA1
27e18ab6664e7f3b00e66f5754f52fbd96f6e4e4

SHA256
a8930c211805a583b945cbeb58513cd303479441d579884f06e94278f599ed26

SHA512
988f9d05231329bba1085c7b0a5ffb345d88be714d8149cceb8ebf6e9718a3133ed94e862051ca7c05e3544a81a8d25c5c128bbf06b2d7b58ed56d5cc919f2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KiIMkUYs.bat
Filesize
4B

MD5
42a508277ec5285e70847cfdca59cc48

SHA1
d21c361c3600a3bee607450414ff51b11613a2bd

SHA256
3bc54638cf7f59056a13bb27589b04ff181369547fdc04a1e112649325ad8da2

SHA512
74921d541279190dc5f6ac178857c00e2de390c048e646d620285c84c610ab53ad6fad83773d85f673972c95957b8fc1a21423b9c6400ceb7883a86bbd6b3e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmYIMgYI.bat
Filesize
4B

MD5
76b68ae7b03bf7d8f4ca81e5095a9e07

SHA1
5ab93e89f86e1bf3b3ce042de3068cb1b94f50bc

SHA256
4d54aea3ede030e5a950c684b4b79bb3da0ea9df54eea9a1285670ef735df275

SHA512
c6c0e52f6505ebf92a46ad9d07a741f44aca88a3a891ba82bb1ff368f0dc6bff5eab37adf84fdcb39c7df35a1d240ae82b8d87ce8be76303c22323e3056ef3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuIYAUwA.bat
Filesize
4B

MD5
973b0d9eec9436a1b009280dffa53ed5

SHA1
cf417cbb4e009d6c3f50693db887a6cc6dd8a67f

SHA256
6b0d3c640fe9c35fb90181991cb8c7b24d25a30fbccd7f7a5018c6aba1a9819a

SHA512
5ee1e86915b317b8b629745c8d34449c4d8a8ca50f51f9114276a87bdde5fcf2336517bee09b1b12b833219b1c9eb9e9099064ea23132b1ea8e7ba8bd0c236ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMAEUIwE.bat
Filesize
4B

MD5
cd92bdf34b37ac79d01510469964287d

SHA1
eda63403f40ddad2368fbb7f4f80e78a6360cc5a

SHA256
c494028ad9cbd5f95d3ff354f2692580c1e2f7e65900e41a9f6d0034e6b999dc

SHA512
931a34387843cb624ee8b4586416ba329dcbe03a65c12ef11fd0dc6cea1285995c71f155b8a9145c92364791acb6f0f805f4f4db1d0a6bd5766a7d93da7eba12

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWUIEgYw.bat
Filesize
4B

MD5
1315e6a0fa3359eb523335071236c4f6

SHA1
fb5d0dff72900957205d8347806ac8169ca9dbac

SHA256
7e2dc1c00cd01da00934b222eff6a4fbb466bcd6f5a721288cc71949e7a68af1

SHA512
f7ffafb88f777cf3c87356e318a79ec38e7548ab179128614a12c83e2ba5c19b2a7e01be6a6addd448cfbe3c45a9c7aa63a69478c086bf7cf8f1460f52fdc962

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcEM.exe
Filesize
57KB

MD5
c108c87b1b9f0dac5a03f659b159810c

SHA1
142b667b8d02c544ceec87c534ab4ebb27a54762

SHA256
ba619cdfcb165c553d8339977b26135b4baf37f7f4eb58488a42f5d56475aa9a

SHA512
add393541704fb4c0fb30858e3516e20effb5197dfb4d9574a295dfec77fcea9a8ff31405506cb2d2cce3fd39de7f99f0d60cf753ef749767a457bd90d69f848

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgYcUIcE.bat
Filesize
4B

MD5
48e4b6e48758dcb19eac02881a99ecf4

SHA1
f511d7ea38775ec8673c905f4d47493a06f7db22

SHA256
c0e52ddb33267844919180415ad2e0b6cfe27620ea76ccbb3883fd3a8ed3fdcb

SHA512
033dec6172cc0f077b097236fd66db448d40e94f1776be010024f193628fdac92e64046c622fdc337bb3eb5ce498a7f546cab8f8c7929e39b9cb8485f60c768b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lggw.exe
Filesize
240KB

MD5
9ec4b3be3b42f6d9d1509ccbe05b369b

SHA1
75bd618e0278c59e11673a8d33846ceed6b77940

SHA256
1942c772c71e75fd9b3528b519fbdf2b83f380aae571e3563f7c77c104fc6c08

SHA512
f07780c4054df7033a307b2158a73d0ed79b9226784557a0657ebb842a6464d08495f4056682402b7719bfb7c1a4440261352e532532bd1f9286f25ae3845c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsIc.exe
Filesize
250KB

MD5
3687123076a716bea95821ac445ecac2

SHA1
924479b958151d07f073ef0792cd4491d2a6f206

SHA256
36534ceb420f6ff3c8e33834ec172c88b11de730f898ec1e4918f7234190e168

SHA512
da1ae79e2464c33058c59dc1a0fb39cc68582f5cccfcb527f7230be7817e503563ac4c251a1491b163ee1e0754505b4ab9757146c6383699b21fa9c3d29e0d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsMQ.exe
Filesize
238KB

MD5
918dc562433477ba28ba875fbae3f5f4

SHA1
f55c16e63f62333441964ef1b939cb595275ee42

SHA256
267b26826784d6b097cd91956fa05fbafd42e5d4215643c2cd488198df3aa043

SHA512
3cbb2cb1af12537ed6f990be6fe88ac4aa08d50293644d9c958e3db2b763164d7e2c184dadebda861237e3c317ea1ce4840fc909004a01214abb4dbb23b94fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LuEQQUwc.bat
Filesize
4B

MD5
cb6f52e109e34c42858cad48346adb09

SHA1
04a1d881b6e24462bdb5ad176245cd3735582f0e

SHA256
41f76bccb9b0ad9d41fa125e01f628cb24ddcfe5e82a005979f05486bd47d755

SHA512
3f7193afaeb133fa2bae6b822019a7ba1229306042c90611af96132136bd180d780f90a6173cfe68669d3df2a119506c83ef4ab7f3ea20776263b8e8577c7b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwoM.exe
Filesize
241KB

MD5
809d15fc1e7e1d6d158590c20d719ce5

SHA1
7e820b2ab96c9660bf1a41ad322a005613d36831

SHA256
c64f0d704f0b6f8e81c557c8b025a343f4dd0edd3512a610cd9aedd9d74d0430

SHA512
4a690071203f1b872444dafb7fc041e4fcb0afd1f3dac60c89cbc42f3f3abcac7838f6c33587995f6aef500b631d70f7047c04e810cdb01cfe51c3dc552105b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\McMW.exe
Filesize
399KB

MD5
f27eeb8a868a1539a9db1a14de49b71f

SHA1
b27ccf3292b436ba777eafb55b16b66d0e36891b

SHA256
17ee693c5a33b96e3dfd02b1965318f12004ce799ec3b02cdc883bc32e940977

SHA512
85422d5564c0a22c5b43331b0a5f4d41234fd46da4118962b660b8ead6d63a20331dc275b68ee4b73c7988ab39ede2fd606b661782635d0fe2af61ca67c4bc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwoYUEAM.bat
Filesize
4B

MD5
67cc489ade813466070eb8f55791c4a8

SHA1
4b8511c6c0e5829924e3b818f6eadc19964550c7

SHA256
35be1dd3772aaa1edbea7a14be3838987122de92eba7c3bd3175f2024db409a9

SHA512
2f4d2b45a07277ae2c157fc53d27a8277dba0d8229c24b297c0c8801cc0d2675ac0c7b059ffbde383c92ac670ac5919322ee12de948d0d4225417c6d8314f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAkocQoo.bat
Filesize
4B

MD5
ace230ceee25cbab84a2508418634692

SHA1
fcba7b9b910554f4268bd31dd5e49b7083d0e4b6

SHA256
44700b3e18bc7c4c0da018a3c1e895196bd426711fd972142d862fa67c3d7fbe

SHA512
922370be98094b4fd3c82dd595add38f971a1b77d32d942463d4f23a3d9ef8c41cd42ae2fb76d2c3696edb1310fec117eeac02aaf8a679c414760594c8d76e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEwU.exe
Filesize
231KB

MD5
e8bf304b8e055f0fc91673549d41ce06

SHA1
66a5909bbffea05742293e91e0b6d72f32556efc

SHA256
dfa4d5ba03139e80dc7d9c2777725b36faaefea79c8824a90c8d3649cbc9a80a

SHA512
31c13c422de592852e91f322601f861820dd2ea7ac5b075e7363561688fbfc121b4dfc8c17091798a1c0303f0f133e43b5d58e18508da1c230e241b76653f27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYQAggEU.bat
Filesize
4B

MD5
1513465d9dfd384e1c573b0399aca593

SHA1
0ec166520eb7e05b96b2099b26ff6dac3c85b42c

SHA256
08d86a32900c8f88abac7c3ccdc4ecf9af3962a484c44f870b7b1312cf3e9ced

SHA512
128b7b06114a9569b0544ddf7028411a037ebe436178dd2dcc72387b19450a697746485075a07d76fe1fa0fe111146d065068e8cba0fc7d4ad1269a77035d1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYYi.exe
Filesize
229KB

MD5
50ef45a5e9ab578d93e7aafe81e3b0f4

SHA1
55444cf278fc103dcf4a711559b85644b0a1ea0c

SHA256
58ac90752580f02c9e78579911650533341796a43966d3b1ea3103940d0f77ab

SHA512
663f58665a54796ecb059d40323afadc85882c9e9ac6cdb3d68287272f9e81297ead6f36f31de5499fc482185daa1480ac59cc029eea386f49e0b2213e90c2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgkMMQUY.bat
Filesize
4B

MD5
f5b57bbc1a830a725ce7ca884c72c45c

SHA1
e0acf38d317491181293fd50a724a8d6a669c530

SHA256
d0137cd12d390a612aad0d1d4f46d2e14ba4abb9c4597edc9cf71e30386a5318

SHA512
464515d0adb7050ee929851a35c8b93bc1b2b7ce0b59290ff1badbe850ab7b724960b96cd92991fd69bc480cbd60c1386dfb7c1580e7715c57e71455ffdfd42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEUMEUYU.bat
Filesize
4B

MD5
d8114366465114acc4a62a670c718df0

SHA1
3046b2a500fd80140b5708a15daabbbd0e642693

SHA256
1faf3dbdd590cad60d18832a9fbd51d0ab82c89f20927909ea68fb292cd88b98

SHA512
13f762cfeba0a095f1abe8c378a68ee5cc0bb37bc3784e15c8f082de417ba9d305512751e72b880fbbcdaa39e37927084667d19e1c0f6d154af4ae5ad7f8a09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSAQQAcY.bat
Filesize
4B

MD5
2417cfab6d87ec2beb1f7223d9eac29e

SHA1
c0a940135a65530dc8a062dc0c94e336ffdc5ea1

SHA256
a0ea8309bd8a8f2b6a8662081080942eceb0d4b8a462786ce79f9cc3f741c306

SHA512
b256624e026e978f7b445c19b8b480e668392918330bd57a0efc07ea1841077ccef0bfed20bec6de2142bc3d872be8bf31cc1f87185c4fdf98e0e87f0b0ac333

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgAokEcQ.bat
Filesize
4B

MD5
4ea35e135bfaf7f5025985ceb90e8296

SHA1
39985c4cbf5a7f2c8313a0ce54b6cf3ac0693e96

SHA256
00042142914b9710111dfa6bb84e989ccb5b022ca9399d9cc589cf37601e2888

SHA512
86ddaf9e22d4627bfbd0d7f69d13d67b315df417cbcee79360e2b85141018e4f5a7beb7f795d603c3aaba6957a441add724027d8dc4b1adeb3cd934dc29352e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgYo.exe
Filesize
228KB

MD5
006246186e38a113241940dd56aeb78a

SHA1
9e80897763dcdc796a2e675daae5964e7fbdfd2d

SHA256
b35906487c0588dc2337b4f9815c21d43006ee331c5b2878ccd4800eb219ae1f

SHA512
2963a1c95f59243f3ba867dcad2d4e74470bb05f9c071cd121c77bf0d5d2a1680261c8f841a573e26825dc39bc94ab8d1f6cafa4af443fef8fb30d3fb4526288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oggw.exe
Filesize
900KB

MD5
548e79d45d470a5e267811e6d4b1981a

SHA1
adb3e81e9d9a932690cbe535c6b806ecbaacb451

SHA256
b2c44341ceb00fcb03511118cf8ca5bc7325dd32b412174bd37e58cd0354b11d

SHA512
039c4daa293c01ca7fcf9bb6520682325cb41a29e8209444f19f25b9555b183c71079e9666cfd26b9f1464b3c530ea5881d761c3934bd7f8c837e8c910992d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoEi.exe
Filesize
243KB

MD5
6cdc477f0bc2b07677688f8d0e743890

SHA1
6200b677cf137b284855637f7cb096c2691c44bf

SHA256
afb8b1011f967164c8f6aaa0242fa96e96bbcb18b8f0203c1b35fb295d72b1fc

SHA512
b14d6c96b1673437f8f0da6c963254c9c07e2d02dfffb615fa3375d915141f2a1c1a91b35e0454ca73de0b4a4c1684bac0aa6e498ebd3a03a316235202ea5e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAIQ.exe
Filesize
238KB

MD5
9e944d0acaa7ff2f7b1b25cf574f5509

SHA1
1793bdb0bd913955adc3b3990173543afd7d3239

SHA256
3e103423b597616d1addfcc7846f6a5175709eda60a9abd9e98ef586ac61e786

SHA512
be492694f60cb5554b9688dcb5e98ec97b1659634b597206178192c8b236fe957ed9506e399c1d31ff6699be0fa35a90771d548ddd7e70a8bdb71552453be4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCgsAQAE.bat
Filesize
4B

MD5
30bb58af4a57a4846cff4fa9ef265757

SHA1
dc52df0c5eedf9b75bd7500b01207f04feb1ac68

SHA256
90aad943019a44b1e6212a2033145f262f6d2f24790c099f6c9e62789338e445

SHA512
301271b7970a85e305080ef634c865514b6f4e8b7448eb85e6302f4710a7f5a58fbaac5503eb6bb04efe743a15cc93799465eef191c746b822b84795ee8608a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcYu.exe
Filesize
245KB

MD5
3f70c453e6fa9ccba6d3df4dbb6926ad

SHA1
2b4833c81499da6154a102ab34a74d1102f23a55

SHA256
14379492e09268b78cf58b3cc3170f7e492ef49806de24b6eb4db4c53198d8fd

SHA512
fbe32bf95e81a9dfab5eb428ba428007a1a20872f1362600a801f3c9e1d6aa8dfd10a011f456ce7b389d3a0f2fa32b1c8c2a959c7347f92554b17f4863a2710f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcEA.exe
Filesize
78KB

MD5
b8bd5cbf874d6bc779cb88487a97b464

SHA1
13e551436a18b9f86112992f0153e575930b2da0

SHA256
48e2623ed0a780ff5e2075ecc474f025e0c284400127da68eff65f63d24b2c18

SHA512
0ff04cc3e36ec484c2b45fba48f0559c102a6d6d368c844c42729dd6483059fdc759ccadc2c62d098dd4ffa0a2957ce8acdb077adfcddc80ef58bb39f0d2e2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsUckAwU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\REQK.exe
Filesize
240KB

MD5
6699ed48d596d8c8c8aab5b7774fbe7c

SHA1
55fb6331f9c2085f2247c334c4957b36211986e6

SHA256
37ca34d28b5e1da467d8e25177999887fa5c814da732df7b439e5472fbd57d6f

SHA512
98ddcd8fd58c830b1f4235cdf1eadcb10ecf6587a6367d4cf9489b490fcf176b3a1dd266cc3a57938ad248a4065a445e35fdc3c8decbab09efa53bc1eb8d131a

Download Submit
C:\Users\Admin\AppData\Local\Temp\REww.exe
Filesize
1.2MB

MD5
398b9755f840797cdf596ec860799cf3

SHA1
c195d487b503172ce3e0ca421c8a539e304b0df5

SHA256
f2abd90ca61b586bf2176035a0a2b10fe4783a111c8c3a7349c50d1ea75257fd

SHA512
3667ce090ea9c5fe101cecd8792560d40d631d068465d0ea12a142fe10c41acbd0b9d447cc54aa47af1aef79b42a16a83d15c0eca58d82f9ec006be46194f72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKYAkYUI.bat
Filesize
4B

MD5
787d69ffb32211eede3ba5e9d22cfe59

SHA1
ceec3baee12e845033fa14594e67de05641e1ca5

SHA256
bcdbe5cff9a4d2c6c57219545c9a738568abced0c0735c491a1c29df33af4b66

SHA512
65e890d80824488e87c76c96c9f43741249e47e016a4fb6efa1f811277c4aa94bf92494b7351589da3a415592ae609f9973473d4a1f0987f40e8132cc0203b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUss.exe
Filesize
254KB

MD5
f82d2eec3401835160ebbe2c8180eef4

SHA1
f93af6853c1b667755909f0265976ccbba529ad1

SHA256
c46ca2b15f036d165af18cef1464f8548d186d127f105e73edc1f8285410912f

SHA512
312142a3f7dfd57ed2c08d4f021fc5c7bd37f7cd949c4eece3d30eac1a8e79958babe0f22c60b0d53e667c561261ccdf1cf236755980885b0e5dddb7b1942ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcwW.exe
Filesize
239KB

MD5
85f683efd58566ccc26e096409488e8d

SHA1
7f25d465e6590f94745cd514b3d0d53190b823c5

SHA256
a9026248f839914f5a7785712acfea747176731286a885e09518f1a971219b77

SHA512
775e76a443a6949aba6c0f0f9cd50378f9a712d9b3d6fb8bf2cc39f9b77c25f1867b9a623fb3d8b4c65e059c31fcccab2bf7f1258773636573794dddb9c4493c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RockscEg.bat
Filesize
4B

MD5
4cfbb125e9878528bab91d12421134d8

SHA1
468d79c2e0229e3ef8a5592b4df3e148050fb828

SHA256
f302f0ea1db5df02bef4e6520435b493640eff8cf840ac709d6b5e5f746b3f76

SHA512
456f758725f611b3f01c1e5c0a87681d7d16606f92d54bd27e556665304487af14c4e4d05c88523d621c4a176be07d3ca45873be776ced94dc845f73a388253d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rsoe.exe
Filesize
232KB

MD5
7ba6fbd54ced11ea5bf9668d08497998

SHA1
4b2d2744319b28eb9140093cbf81e2c9d4001bec

SHA256
7de07427ec3d9b2f9f04e06a5a347761d4c8982a77cfdd023a2e128bca7354c6

SHA512
e34768a2783d31f933eb382d8f23546dcf81dec73365dca04688e0f04dd6038f9d2d324e4b7462f9e48e39e94837f2be9253e63760e80e732c0b96ee8ee4fe58

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwkA.exe
Filesize
231KB

MD5
79adb71befa9958541371ba36e933a8f

SHA1
bef3c65d2f456a8b64d7863eb415e339eb32efc2

SHA256
d35c8d377d1ff05f400919b3674bc5fd4c08546852a4b693a14ab715059beb0e

SHA512
c532f0b19a5d80fd76a33e9a59c17f9495b06e59a49ce9fee868759285432931d1eadf6c6ff4fb22c16357611176c28dee33b66ce095ef0ae23a138c1e6bf244

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEMe.exe
Filesize
252KB

MD5
205ed7076af92d4059050546434954e2

SHA1
000cc16ba0ede71bdf9c3fc7077458519101a949

SHA256
b9bc0cc782b5cb79e993097cd2ce1ed3f268f5f2744b34a6fe490f9177db99e2

SHA512
be009f1f259902606778bc26dcc4f22d24a2d7c891f21ed24cfd0f96a4b0d31d632f6d25126b49223d0486fba9ddd9fca3c959de37cb3fc493c89e9dad7747dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMok.exe
Filesize
245KB

MD5
67b73b232c670a6a0e4762d7b14e966b

SHA1
72871681db50cba5af82b2cbde28c843f174b27c

SHA256
a123de88f707a8b0de3bd78c71eb019f0236450da74b12dbd49f04f8563179cb

SHA512
47aea5cb152c6c0be4a9f724f27773905b13a7264282eafdc46509e207d6e892263c6c19025d2373fe941b86c89fcd32919994b9aab56121219a9931692c5fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOskMQck.bat
Filesize
4B

MD5
92f1dd300039f401cbb06d661aa2cd10

SHA1
42efa866bb7b9d0f934bc6b98891e68c22a3f1b9

SHA256
51ddd3255e8733891bf871a663c9373076e646adaa8b627674171e04883865b6

SHA512
304c7812a0a41eaa7c8c8ea8fb36bae903813c6442f7705118d597c5bae0fa652298302ec81129a664461742dbeaee5f1b4ea09712fa1c27eb7fefdea3381a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sowk.exe
Filesize
238KB

MD5
a99cdad04f9185421a29768c9c48639f

SHA1
80806ddb0eec55c3802d4013f8a5c414630d022a

SHA256
745247d0fbe1cedf8a916c0a98ccaa29a9bd1e65ff0bc8beabea0b78dd6ad08e

SHA512
bd73b1f5b53b99d8ad012fbb4353e109c9b2993dda2b701a7a360a3a503563333716ef7d48862b10d85d38df8b6be497955c0ea6bbe8e507ddf2db896d3b2ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sswi.exe
Filesize
247KB

MD5
08b8ac9804ce9fa404b0eaf0f32c5c07

SHA1
ca0c6308935b6d68e900354a29a4dded20fe2742

SHA256
da54a4934a5836321fce6e69b76770f9d8967a14b7977e4a3230e46b2a395c1a

SHA512
4774d3b7360de1b5b8adfda34ed92306d599cbe1dd3bfccb79e5d67045690dc56de346b7c35ed307e4a2e9b508619becdfa68c7856fd772a24c3a956ff7cc234

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQQe.exe
Filesize
1.1MB

MD5
eadc91662c0ae9805a0c8caeebf97949

SHA1
498e83a9d40ad8eb508ff297d5e7fdc452e7496b

SHA256
b8926fcae88a940ad3341c11050c7a190a9cec809c5a79ef3b86ee70d46e7d23

SHA512
207793d58b81b50044211ea956dc66e224f1ed55fe322e3e2ad853bf361ed8354ce6da8a1b75be816be1e31842c548061ac358bedf6b6f9b122d93b87d1fb9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQQw.ico
Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUcs.exe
Filesize
230KB

MD5
11db37af4af89692fdb4248632036608

SHA1
9e8073ad273c7f0866e196dd267b14ac04e89a5b

SHA256
521d3fee73ee71ffa8278472a36163dccb1efc799a5cd50da95829359113eacd

SHA512
41a8d477c94255ee0f6fa4b820c368654efa8cf66a00170131eb4435b0c9ff322ae0dc96f72d3f083e7e63fd0393c501f3f8567a2f1d54555f002bbd1c476c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWYQwAEo.bat
Filesize
4B

MD5
6247fcb0b8d56e22edc5caf6bc1d0a8b

SHA1
7f0a5ea021aea7e55377433f953f9f81a97a0556

SHA256
5be4645906d637b4f7311212c91851b64a34f83d48e87e18689a33a940e76c30

SHA512
57101d1b02efac060f2130ee12263a98a79a7a12e4b453d351a8ab2b0ec151053b88a0ea16b0e87399d6778a083fea4e189784d6c68d8e06b505802d72b9bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TywMogoQ.bat
Filesize
4B

MD5
178582097469d14fcfb95eef3618f6d4

SHA1
852189c22160c85f6243804526a92d498b0ef663

SHA256
40777b08e71b9360f386c9fce99bd9ccc03c3564793d28032e15b0b62188cbc3

SHA512
7c4bc0fdb78e13c4b66d8b9e6b99158f9f4bbf996a39b608dbbc68f49272e2d464dcdfcdb64fb4377d28a992fec0389221da44f1bfeee74dead53b6e2ec389c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUgK.exe
Filesize
246KB

MD5
f5e98c22857dc98f1ca5144cf55715b3

SHA1
b1e96a63b57117862b8dfecb226746c27c02283d

SHA256
e0a0afdc47c5d637174234bcef1b11bc812d02929a16a168257685d6034f7aae

SHA512
5428120dc0558734faebd448900dd480f9efc39874820d6b0ab0404d5c3fbcb6037cdc6c8924b55d4c9e34a4c3a6ebc3b0b8f5775f21efd419e24885b7054c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWkIkgMg.bat
Filesize
4B

MD5
519dd848df38027387e572e73d5ca342

SHA1
76686f14f5a1a991dd0d6eb3a32b9615d7e05ac9

SHA256
03983ebca81ebe56989c0ff292a443871704c3ff557e93e29e7943aa4f310a0d

SHA512
8e563f921e122c789d8e3da082d95ac38e5514c7e7cf57eef47d65e273a7f6af15034682107b23316152c74c9090d0ae166bf3120ecb4a09ab4d34d9fa6cd38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usca.exe
Filesize
156KB

MD5
975d70f59d1d534a68cf81e4e181cadb

SHA1
05b0ce3fb05eb9c2ba0441d5ba2b41998de3230b

SHA256
b796478b386185ed8a1f3043031903e1eeedb6c2ba31808ce9c643e8fa864c94

SHA512
6f8907d20b7c1b0a608b8e0778ffa67087f26592d2f69aa6ccb0b112953d00050b0491eb40737440554bdc7ae9e73651f4dfebbe643fbc311ac7c7a32606596b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwcMAwwE.bat
Filesize
4B

MD5
242383e91e09334b95b8e594a70accde

SHA1
a06dc4fd8d859cd14e5c59ef68f70526afa42586

SHA256
42e8dc5b2bbd3ca48f7c720cde151d0bd6abeb231f889c683c1718a51c9d6fcd

SHA512
2767f000d1b036aaacec27a3ddb6335154aee3c62745a587179c9f09d64cbc8eeb44b440cf9d6d95aa2cba979016ce1d55ae2abe237ce166bff2d2f0f86a7a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEMYQEEo.bat
Filesize
4B

MD5
92979eda28f674b03fa8ec8e84224f98

SHA1
33a62ef9b2490fdd0ac32a437f0aa0196c03d01c

SHA256
a8da4138937fb39ebb3f216b56d37b8e9b3fd19bdeffaec1a234d0572a788646

SHA512
d7cb8624f3c870a9f329db5dee4c1e82095c5bd38a067b0477c75dd502c3660d120c16f86adf5febec1430d7a5f1df9bceddd045d7f4d689867aa99d5e983e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEsI.exe
Filesize
229KB

MD5
003a5adcd66dcdc7a4ac1c5d7d36e618

SHA1
58298b32051d339f7015f61a283d1fd87aedeebe

SHA256
5ab726606593cdc0db8e0f06867dd49518f185ff5cc7a011f4edb530d71010f0

SHA512
2fca8565427c955bc604507433fbb72cc2707656e073373ce7060a5adbe8d59c1dd5413c739625f4fcb38341a40c22dd4b65cfe36e348cdf23b30ec584923cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEoMEYA.bat
Filesize
4B

MD5
fdf7a9a7e07b7dd4a076ccc25569f7c7

SHA1
9a4cf9e2d1204e2e0677b6289abad8009f6b06b3

SHA256
1197057dfe7da6ae714d323553578794090a3db5008171ac39e865b465e5f0e0

SHA512
d79bb2f208874f7b68598d8e65e93850d704300fd7c2e374b7ce0f4354b20168b65ac5103cf33acc2243d5e11b674043e8254cf24ddce9b5fa617b884b698bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMIQMgkY.bat
Filesize
4B

MD5
abfdab3df1736a1d3cae5cb4a86d5a5d

SHA1
e63de6d38e75109159b1b0c992e12f6f18afbe58

SHA256
ee67f1a08e8b791fe7be63d4bdfa701fdbbd1b69305effb1ebed0e96ae2b09c6

SHA512
7c874d276a2a6f150abeccd177da95b5e31692f1816a87fd343bf7b6e7ba123dd2fa6d88d6e14d33d16fd6b4bf970bb7478abc62250112a43072ba742fc75789

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSQEQcEM.bat
Filesize
4B

MD5
44209efd29eb06c27aaf21b76686d896

SHA1
8e70298b268bdae273ed4ff37b8e51f894d35776

SHA256
85565cc7a59b33ac95d1a9684d426603b1c8703ffccb3ce939ce460fc5a859fb

SHA512
9ccacf8d3e117c25cf45745e893302ac72ec840ab289c55e97d117377406e1b8a1df041101203d46198ec58041f997ba047b0f291b758d390aafea2c02bbda34

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUYYkokg.bat
Filesize
4B

MD5
a4447440d2f7adf0ad048abc9dcc5570

SHA1
1c343ce02be9766c6468655113bb8595c719ba36

SHA256
a1c4ad4816e02df1e9b8116ed88952ed37ef2dfc3dfd433971e6a194f56e6fae

SHA512
087f09af5026109253621920448e4e9c05966e69211d8f36ac98ea4c485ed7ee54e0e219b3ce608853a24b4bf4fb41935d4aa995ee3e9078c994c2f2da0a71be

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgwG.exe
Filesize
226KB

MD5
5056530ffbd5c9c0a3adb4365728a31e

SHA1
b3043bb6084ad15157ac7f4dc7260c737d09183f

SHA256
dd4ea3bc1bb467790b0ccec2a966208042100acddb53a489da940359e0ad9c93

SHA512
d74caed8bec3191efeb30de8e0b953b04322652436a6b581d62efa4dce1f39b314a3c4a01280dc930547c4237d24619650f107933cdb81b882ff3a6af7369139

Download Submit
C:\Users\Admin\AppData\Local\Temp\VikkwAow.bat
Filesize
4B

MD5
b7b0714f236bc834a6bd11d24ca346d9

SHA1
25dfb0a7f2c962980c453012d48c0ec0df1a21b2

SHA256
c0d4c2d1e3296a000871141d84a9cf53ac6436d0861fd1f8ac8486eaf6784c5f

SHA512
77487a426cd209e31145d1f68ff7b22d4040b847bc1189a89f99f3568f38ae779f948cdd7bea5ba09077ba0aaa5f93218aa3377fea99afdc8969b1cbf7383b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkwO.exe
Filesize
238KB

MD5
f4a833598b6ba85465f7da1d4b073c55

SHA1
f71936e13d428e5fc97b7b1e895ee9aaa38d640f

SHA256
50ff0e243ef76eb003a95e0f16fe5f01d2691cc269def46794fb373a5f79ee48

SHA512
0196f6328773c6a2bbd72d2de2573bc601115db5bf48fe26015d520468deccb822484721775270abbcf7990cf42042c514a0bec6d8936c56df2d0d96a6d0f015

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoUk.exe
Filesize
232KB

MD5
c89025fdac032136a4650d0ddb5e2320

SHA1
82f46154cc86e62487bf8c51caa69fb4fb3e7ff4

SHA256
ea24ae82af6592a6e3316fba9e5c99b23311ff2b8ca2fd3c8251c484d69d45f4

SHA512
a6f7917ebabd0edd2cc7af58235dbdfbbc5bb89a00667f83004a54356e480e857c7c942dab615dde3d09c1acfdc1850d659b686759afc2d88d042019ffebfb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwgwgkwI.bat
Filesize
4B

MD5
e52a2a1eac00ce98e9df1e0e5e112b58

SHA1
2e21dc0778e0b9160f38676dac5097663284f33e

SHA256
2e5afa5e2cb4e4d744113d6d506a32e96a7125d946a9f6b94fc690f214055912

SHA512
ebdff1bfa1cd3a09e6eb1ba420159ad20009a206467b183bba751a1a2f9b8a7291da87a8ab9194f18253adf320b24720cbd02117cffc7742b9b224da97d85e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAIG.ico
Filesize
4KB

MD5
9752cb43ff0b699ee9946f7ec38a39fb

SHA1
af48ac2f23f319d86ad391f991bd6936f344f14f

SHA256
402d8268d2aa10c77d31bccb3f2e01a4927dbec9ea62b657dbd01b7b94822636

SHA512
dc5cef3ae375361842c402766aaa2580e178f3faec936469d9fbe67d3533fc7fc03f85ace80c1a90ba15fda2b1b790d61b8e7bbf1319e840594589bf2ed75d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCQQAcMQ.bat
Filesize
4B

MD5
a5ae2a592ad1f75e6cca743945f9c846

SHA1
4fa8b0a2a23e832daeec1e27c3603f673cd7ec4e

SHA256
5dda748cc74409061a1b88501c64b674ae1172c5da4f69c15a4b6650f1feaa46

SHA512
c6873cf74be4bbeb3a258eb24d6ee5234035b93e5de13936eefaf63d13bc8ae9724ae6f0d0dd745d3484b1e966df9fe5e14ebefb938abe51d8a536432dcf32ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WKwEsEMM.bat
Filesize
4B

MD5
eeafe85303995f45d4e08295fcb9487f

SHA1
55c70e4045ae51971a129dad3b54557a850007a3

SHA256
06116c1345e16f527c1ecd9e2e610d7bfe03d33f29800836bde73df92ce2515e

SHA512
0ac2b76eccfc6e35ff5519bc541eef06e6bedd35c0c9f6359030f9e334141af33756a579d7c1c90f5823153ab732794d13f0812273847483cc00295be83f847c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMMO.exe
Filesize
327KB

MD5
6cef5819c84b42d0f85c2f177ca55047

SHA1
0e503a48d72f8c5d8b340e40191f259afcbd082f

SHA256
e4ffc17174502220345460cdf4267efc1a3a1a94a76e2e232829a921e26b8992

SHA512
4fcd189a9418c05176855e85aa458515d768eedb818d9232ab423de492dc5ab7736de900dabaff37a62f7f4d8f2db09e71dcf3897121a764532817bc8f401f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOUcAUYc.bat
Filesize
4B

MD5
03d6d1a579c1d46aa36a087ae5c7f6d3

SHA1
5b31a9109e061bb502f745adaf16fd44fb3257e2

SHA256
8217eb0693384b9d25f40679316b65b3e6d9b644deda7d1d1672c9d015d7ca16

SHA512
248fa921cca47c89c448ccc738b1a9a6078fb34bd88ba03494249db97ed441c0278fe836a9df53ab636773389f9f911a0233453fe8569f5c8474d71a71667f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIES.exe
Filesize
203KB

MD5
7ace8fc883de8b29417b5cdc448b1db8

SHA1
122277c7a7ebdc27e5dedc199e8b7fb718a54f7b

SHA256
a3e0f324c56e9e27fe9f6efecd07036782ca4f4c8adfcd1a79578c6c13643538

SHA512
8958384ac44b23335c8f83e08c4eb64cdd783f9878caff91e0ac16b90b0b013243678626e3a0bbed06bb796b0d9b0c2434b7a8061bac969522cdc1db0abd9336

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgkS.exe
Filesize
840KB

MD5
90e328ec3711637efe04cb0cd9e06fac

SHA1
a4fd8c26b14b12f60fd4546743290ec8c8590696

SHA256
4351ffe36edc2f1db3b974e6b10230f52a78f7d54b0d8ce7b9ea9307060e696d

SHA512
78451d519859ce4aa1413be11920635a088c1f4a5a353b5f4bfc9925aaa05ecdcfbd81849ebd5686e3b2ca22d691b948c6f7b164ca874ac9f5e3e6ca426adc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XikAEMQM.bat
Filesize
4B

MD5
a762bb21ebae91ce5aa570d1c65661da

SHA1
fc526cab23676f424fa4be6c81613d3759cf2e5f

SHA256
64c60dff7bfa67afc0c215e5c5d16c93a801617aa9ece2678ce03b9e9fe43979

SHA512
d1385215b268fb20eebfa962910d09333ce0cd6762e292ca1912b933bb477a05d95b8c8af6f8aab5206edbc8576484c7079ce23567f14e9bbe4ff21a883c46f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkIW.exe
Filesize
459KB

MD5
0d1a7daa8f3b5604e4a1378893ebad49

SHA1
6e8aace8f78037265f7df6b826b726e5e30fe7b2

SHA256
9a7579bfb77857896c8aebbcda73f1fc6cb7aa092bc503e708e07aeee0908ddb

SHA512
77dc6bf64e8eb4368bb7b962f869cfaec589cd5919a9f2f61447f2494c4ee4f24aab442750cee9b1a7c7c6d81ec2ed7b69be9c6f67809c9f79fd123aa3e19c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\XowgggUs.bat
Filesize
4B

MD5
14b74649b4f7e9a334475fa07927e74a

SHA1
455f5f969d29ef032d0072ed75ab66e1a5c50230

SHA256
9e1002991955b2bfa47453ec91bc61c8f9349b5ee455cda02b50d14c7aeaa82f

SHA512
204a3e034130babfee5010499ede9ccefbadc80d4f09ffea286f81bf28775e5d4752e7e6e200d82e058a5e73c5caad72975fe3ef116682dd24394155533f7cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsEs.exe
Filesize
243KB

MD5
514548d92b7d28cf0498c2bc8cc50b96

SHA1
dff8957fc19c46df15939485da5d3ef2bbaefdf7

SHA256
3e4a8d7715729d6602bc4de1a97e752bdc4b202eea0d10061bea3606a4284953

SHA512
24d8dc633b4ed0dd5ba3a234c4e55bd73d9b0fb7112136c00d23701da4c91c75ec2ba58bbb4c69930d7b1ed57b6c155c1332f4f97a91873cf6336de11c32185f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGsYcUgA.bat
Filesize
4B

MD5
ca67e4efcb82bf33d2d6637cf3fb8e08

SHA1
2d165a802c4693e07c7512e19ef08ef9a154a339

SHA256
5d6f1d7ed052a7a46823dcc0dec8983fdea2dbf48569d6c90233aaff779e9885

SHA512
4dde1fec7f6f61376b9b1265fcd893fafc76ecd0762a945c20a42eacd6cbfba712507cd218356d2ed02e8ab434dec66296b071a71005c0953cdaabc5a702d9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIoogEUU.bat
Filesize
4B

MD5
9102a06cf02a3df65284c0fc3131fac6

SHA1
4365494bf283a940ef27d79bcd17138418fa13e0

SHA256
b0ecb88f30ead30ed0a035fc6e2894a90db86c2b8354606a25a07d614b022c7a

SHA512
d870826c412153e197459d3d16663c6da8af70bfad30ce7b3f0c94428b33224b903d21a4fff2d021be15c6ee3e92228b80b5b0c96fca539858a5a7cb637c643b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKUQsYMo.bat
Filesize
4B

MD5
11a747691431f8ab6de5a3d9d763a7c3

SHA1
d082b767bdec0e93b99254d4b00080725de11a80

SHA256
20b7cfff83340ad0bebab0ea764f5cfe400627f1093b966aab2f04e7e7fa514b

SHA512
824bac67f3ab5c5e96261d3245e35321c1a99dcb2f0635b2c10d7ea9f2cf39bb30b0d463fb06efea5a41533c72158d1cf414000b58778a9ab0fc4bff6c2b460f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQsY.exe
Filesize
830KB

MD5
7d80d65c20ea0c657fc77e261b91c481

SHA1
ec9a79e1c84ee207d2c35e5c1137ed069a97a6ce

SHA256
345d1ea6ef37a157577c5fbefdf3cc0ed49300d856875b034770a07a92155814

SHA512
b9dd22454a124ed72538d347d72409e59bc227bd32ceed72229a929e377a11652ed6be889a59ef04f6099b5477710e61b1dbd2b9ec38bca5416fe3af0e8a9e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcgYkIsY.bat
Filesize
4B

MD5
cd1b33cd51775bb8ff69d296980a50b1

SHA1
3f3605b5ff18a93bf5d104f7afad5d665d90a8ee

SHA256
b44ee21987acb8c714457722df07797cf9f513f2a3ac8b91cdaab7fdbb2a0824

SHA512
23bbcb51cf6565faf2514904f2215605214f60d949cc6061ee792d2d3c2e96f402cb347d66cceab3e5f6ddb3383d8e1aae4b441bb2f2694cab057248584a173d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YekQYEQQ.bat
Filesize
4B

MD5
ed2fb463a40048465aef2e08b4b5b562

SHA1
b32cf0c7c041b441ac5a6fd3d96dfc5d223a4604

SHA256
086f3287aaeed70a54da6010b1fee10f51d491e30aae8f671782b3c84905f7af

SHA512
ca6b41b79abf813a5581fabb37c5b06d218ee06aaa40e22f67590dfab75ed8d2a95d0f53233f1268a3744fce1eb772bb0f26a173ed4193e4266856e2124a5db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgMwEwYQ.bat
Filesize
4B

MD5
d723c857a82e368c334ef3a614608927

SHA1
f7b6dd362a39921acd0c560a5ae568d1e9d088aa

SHA256
3b6bf67719a4aa6a0550527853aa9c5078e0ee6e4e99eeb68a9a102ecb4b5c07

SHA512
1f92fff9df93cce1a44d24ec9dc90d49f910c0e355d351427300a669e1b8a527e4bd62f3fc3cf8be7e0af2610b97b2ad2307b79baf532d25ce07e1eee7efe883

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgYe.exe
Filesize
248KB

MD5
604a251999ec2e1a689440f61fc18f43

SHA1
6fe634eaf772c61d0f9f283700ac33ca4829ecd5

SHA256
f0220bf942d57415e7454e6118ad7aa469295f667500d288362f7ebdf97f2974

SHA512
7fcfd3cf2415a099d2d538b069e92090bed66554aad88f9073ad1cb98be4cda1a1fa2b8bc9819689fc627ee18883ca5972a42c70d32042be5bcfaa8ffff0ffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YqcYsUAs.bat
Filesize
4B

MD5
cd508e685c7c81250b78a2eadb52e654

SHA1
931cc41eb6dc21c8c7ee91cc805f4ce73ce57329

SHA256
579698fafaa52f5ac54df869048946bcd4bee5772413117d23aece19e5b5d09f

SHA512
731245007e946309988b76edc1abeb0f9179f446c196afc8d75e4da898712966ee3cb6e2e7ff8ae8ac52716ac0aedd3c3700896d9ec9e63dc4fff36d8539c6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YswC.exe
Filesize
234KB

MD5
42a685f40e387fac6727738591acdf5b

SHA1
b99e632c9874a4f2cf5664850455e662cad22860

SHA256
1449d1d899bab0d684b91e69a60611a88f30d65a4c683f206d8f00f56589761f

SHA512
55d13a6f1eb052b0c8e0ab63e0e6bfc164c59fd308c12008f2868837b4bfba0f4d994b9c9cbc1f1cdea1500ceba5136b52d1a0c33df8be740a752e202dc927e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwMS.exe
Filesize
96KB

MD5
0ccc2a777511bc76b09e745d9e2ab43f

SHA1
bce7b81c1b78f3449330a8771669af65775dc07b

SHA256
0a4388d880cadf923fa5c6fdb23cda2fe4809595d29863d967ea420748fe2368

SHA512
84e0a9f27dd6adacfeda8900bcedd39d77228ce7fee5a006d504ac838dc6db1a7ab613f4a7110310a80bf8fd77a6afdfe82f5931c6a5ea95780dd55e012eb628

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAsi.exe
Filesize
786KB

MD5
bd8fc511133d717c935b513ecc368678

SHA1
a4a5d7d1c39623a78f269c3e7f4d0b9d5dd14add

SHA256
608083d41a4d0999149c82498ab5d744b6f0bff286443274fc329e84880f9210

SHA512
95e256e89e3d582b7e3d4f230317f97656ae0fb6d2ea0fd8b308b7e1c7d94768b003286ae58afdec5955334c0d97798f0c1f31710343166119713cd56717361b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZogkYYQM.bat
Filesize
4B

MD5
dbe487b046cf55a4d11cba6c1e1f8262

SHA1
250bbc8ea86a7032d5d61ca5c5d1dfadbc68a8ba

SHA256
6d926a84a448443d8d8f6b91f871ef143935e2e1bbb71ebe0376d907f4fe73c6

SHA512
1bd860a147a4fe9aa3d71064d679df4eabcd0197469d0194575b2f3cc978fd2e8b62cf51c01eef658c00f18c21f0523dc864f7532e6d28725dcead312f5f42d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zwsi.exe
Filesize
1.3MB

MD5
ec9be94a0ec021818cd90425248c9740

SHA1
cf31a545f8f5fd90c40f025087c33f4d76edbd3f

SHA256
48050a22adef89b98aeec0f9c1b2b20d1e5e4b236125013bb17a26cce3c24adf

SHA512
6f776c865253aea9b0996b1030075e2f3ee739ca9560531c6a2a78955a0c411a691b00463b50d012dfe6c8f6b3b1b1d64a067348c2bc636d617ff5aaae406ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAIi.exe
Filesize
245KB

MD5
6b1fde902a3c88639947aea3c35fdae2

SHA1
b5db19becae6c80beb9b367182156253e20fe54d

SHA256
cb623afe3ef122056f470f4ea313cb925e53a22e5e73a0715591bed1af366b56

SHA512
88eb29451fe2dffb9d294037029965989df0072a4b9482f95529791407e46db524c74e41c4e61711c2808fdf62cb101f61609e327ad2aee039ba9ffb722ecf1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIsG.exe
Filesize
231KB

MD5
6a08b92634803461c9e03a0f147701fa

SHA1
143b5a26b6d7263f11a1003858bb812dec4624f0

SHA256
19cec1ce932df4de0d315208efa92d0a397aa4595cb5c7ae3fdb974849925638

SHA512
559b8271e058227cf1897949d9f2d498519932153a65995e2b661b2b75ffa3732bc9310657f559dc9c554380e3f490f62ae3c7d65a8173201c2596e2db67a57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMsO.exe
Filesize
1.3MB

MD5
c8d6481d2630d52191038e5691854775

SHA1
3b4ca6770d4e01ecdbf4d2a4a4ab31299a322815

SHA256
904e854359024d4da8175d80c1fa2a3f89c25d89cba0aff7003e158981355240

SHA512
7db492495d5b7f4b4b0b3d265ec2100d4b06ecabf30c2e25bbe33e98471afc8873103bbd76fe835be6d840810bfb7c14685b16eb385ab1efec15c56e569c9f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUYkIAos.bat
Filesize
4B

MD5
37705a4cf19b8d92ce9520169dec90d4

SHA1
158519e4a83bb68f0b67eebe2a9dc04180aa0c47

SHA256
0635f07c3bcf2b6037866a57c3d6367c5e7042b60d57fd4d4d1f26a686059ad1

SHA512
b9698d7f1ce4532545b6e9c33f1a1903cf5904665ab4b2308341786a19befd67d9c3672847770678dc882df68ead6015d2cfdf8852ca5022c50e5961e9f29317

Download Submit
C:\Users\Admin\AppData\Local\Temp\aegksQoI.bat
Filesize
4B

MD5
89670ce427c9de1b3c7233f32e375fdb

SHA1
cae08a1ebe1a54d1822b6e19497b7fcc1687faf0

SHA256
b640b4eff45db3f62c264595e58e506be9b5cb7ff28aca3fe5feaf38dc8e898e

SHA512
141634a24b3f90e18107be29633423d98b1e9ddcf8cda5c5f4288ff34b93e23087a5e4c0015fb7656a4c1eb600071b0059f5be53cdc59b1de448de2e42770d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\awIk.exe
Filesize
237KB

MD5
2c03f8d7bfcc38ac698c2e198053b859

SHA1
12bc52a14cce1cca8ae200540fbe541e9c751d1e

SHA256
341862f22bbd3bf0cd45ac1e084daa75ab9ee849418d91c3db2607755020e95b

SHA512
cdfa830bad00a8048590d68b65994a9b51093a7411df192cf318c24691f0d87f62c241e6d1c00d31491f69cc2e0c892a431d133c139fda73213682d1f03a2760

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAQgIokg.bat
Filesize
4B

MD5
5237435e8c07206a2a53b36008508fa9

SHA1
14dccfb7ce6f24e36b6409c35a2db440d8181553

SHA256
e8994c2aff321b1c6d5caa17ef9b69358ad68fff6123211ceacd36c667a615dd

SHA512
ecf9899ebc99d14d31cf69d422da9712ceb61b60e576b3402678e01dd4c6b01a3b02253f968b02e718f5ecd9e37d0936b3a96ea2610fae0cdaf79f2bcdd7ddcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEoQ.exe
Filesize
241KB

MD5
52eb2faff39b3e6e1d60a66b68f62b48

SHA1
50e87a42260b33c1fb7b70ce10472d94344c7fc2

SHA256
be0cf7970e27941b57d4746307b4d757382e091121e7455eb65966c65dfde87d

SHA512
0d3e026876069074fa3f03cdec0a92982b274c5e4658e7208cc3d93264a483a306de2408b66cc05de010147e4782f1b0c92216c89ee91921edbd2b28235b7406

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEwi.exe
Filesize
238KB

MD5
4d5d33897b5a62d4e3759700d4596976

SHA1
9dc8f5e8ac7954c427d2a907d3e4ef154df9d730

SHA256
f70d5068c39f03da05c2b4853051f13b190ab004e48ad724f9fea1ebb37ced74

SHA512
155469737c7abf10aa0139058880d5063b36620d9c2b4f3dcc840391a45ea4a795c77c5875941027d1b0fe8285347faffdf48b67db1913b4451cc0efb845ced7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMgi.exe
Filesize
252KB

MD5
a9fb258263c060d3e877a8474a93b0a3

SHA1
db31f2dd421a1a337deb94aa081b613965354fa7

SHA256
cc0180342d87bcf8bb3284c8bbdc76b2fbcd7464d61476192adfb8e66261b429

SHA512
03508a20a497230df0877cd351abacd8a5cde3a6512987df4bcb167cb16a3c365d9eb9b82fac4fd1867905c04fdbf67ead2434de15f32d2943f73099bb1b2552

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQkW.exe
Filesize
243KB

MD5
07aa0df2f57df45f769133e7150122fa

SHA1
0587d1d17785b9679e6702842d37fea5e8d29152

SHA256
8f1584cc0ea8a2088059e0cc0ab4b8c89270f8979d2aff05870cc787716ebf89

SHA512
deab52ecd9119b8f19f5a0a087faa0fed36a43924e9c3058f090bbfa7d4650ff64ff1a88cb13ab1df550b6f6a2e81fc3c80e0c771e26bf61738626945467259c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkwcoIsw.bat
Filesize
4B

MD5
80da9117ef1cc552e96f4af2b9ecbe92

SHA1
4798b6871cb1613d4eddd946b9e13c320f2e1583

SHA256
ac53263d8a20786b110e149717ee11c2c085ab7ffe9d2c727d63d979ec4dcd9f

SHA512
83358d31f6f49b52527c9d6fe60eebbc95c6644a0c22f871066723b932803d65e3d5a74ebba43bb6ae69dd39c3592a090ab84bdb841cba6ebd74ddf1563ce31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmYEQAcc.bat
Filesize
4B

MD5
bb7f9b13f8775f74333d3816657fbc86

SHA1
cefdeeb94eea97090c60ed6b2337a5b23df445fc

SHA256
dc3977f8be984149f30ab297f62b6e0245953c7d4d69e5a334cbf1bb2814716e

SHA512
56dd770a9f8e5d7b68e859c3a65fca1920c219f64c5d50fa2f7708156f0a027cdfd391c43e858417a8f28bd197196c1f09630d091cbf4e97d6f40a4884270451

Download Submit
C:\Users\Admin\AppData\Local\Temp\boowEwUY.bat
Filesize
4B

MD5
2dc0a77cabc23996964538c30c686d21

SHA1
6973dbdf5e2eb2713f9eaf516d01aa243ffe860a

SHA256
caf8ff9f03e8392753b966f9a2016ea175a276381566c4d27b1a54b40086a9a0

SHA512
8f5a98be3bc0b70bf40edaf4464a1859e1fbbcae32d0d16aef25828b75bff8d85ecca6b8715aa486a7880e5e32bf5cabf55a45ef2b1697d9a8f4f8ee33502261

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqIIwQwY.bat
Filesize
4B

MD5
fbab88a1388cc76eca4068dea3661e46

SHA1
4c69036fcdc66becabf590f506d549208bc62abf

SHA256
a0861dd000fd8cf60823f6b617095ad3232c05d082994cc94f02f613b2e82a47

SHA512
5450db55c527ed06d614329b404fe8543387cdd35c46e4235ec4b67e49e11767b65f90251c49cd776e59bbe0894d1dd06bc8d80b2c43efa6c759e58e548e1427

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwIM.exe
Filesize
511KB

MD5
d382d61d07f73a91674705be91803106

SHA1
59f25c9d24a590dbd2da4095a5e015307e33ece7

SHA256
d31f02b5b09d658f07a5835f0d4f232b0cc115102e621a711319063dfaa2541a

SHA512
36fcd32b9026c3cac241314c29a0470a0fa38672bcb4b396d561510499514851f010145e53c801e3a5749df4a4e63fb43706270bac4602fc530ecb07ca115f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEUQ.exe
Filesize
1.0MB

MD5
abe31eb052ea3eecbccf042a0e7a09f5

SHA1
c95191bf1896dfa695cec9e40d06760fb478b4da

SHA256
d27676adbf3cb50ebec2739231a34add17d431a391b3100e13a71012ec6bb10a

SHA512
5cfdd75640bcd1fa45991e05bfd102ba23d8a38685f89e35ef89c4d45759d850c0d27d85cb8241691db149d78deb1ecf7291d79869c6a9eb9f7115147284c122

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMci.exe
Filesize
247KB

MD5
7411b71a0d3b47f573cc1c0e8ff5095a

SHA1
8461e4497613f938da19c6ba806c0731e42b06bb

SHA256
20503379ac2adda7adc215ab39e021d7260e614fac5865afbcd670db8b58ecef

SHA512
0551ccdc500c842488cbe9fb857bfa44dbaaaa30504a0ccf49a21a0f86a282d48ee59a767a389dab1379327059a9161d78c564b9d1d02f499338c3c67165a74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYYM.exe
Filesize
230KB

MD5
75f633ec806ea0647222ffec2c37ea74

SHA1
3d872836cfb073280f7e55cd51ff7de0f77d3f93

SHA256
a2ef9054b6e15cde6f468ac8f7b8ec4e3854cad07cde5c83bacecb1339c04d51

SHA512
9667f3fffcb9f39d470644121a43578f605efb456edb83e591aa48e79ad7c293342ac489d7e6dd93a23e1d894bb6cd48c91267cfcf01d8b1b324ff4442f337d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckce.exe
Filesize
1.2MB

MD5
348c288f199f1c3d88a1ddd53dfe8105

SHA1
06101150af4570cd6bf687d759eb93f476f172fe

SHA256
bc8ff6f4f7e9be5c99e2accdcd92ccfe4ab6e3ef4c247488f7a34fb038c2e2e2

SHA512
dde14d36e71d3a23f744d4b8b5f6d0ba042a03b948632da5b8b45f3724e7133b620b27ae6d33fb3297d433498d596a5ee3da158018a4f1b72c71e89c13c468a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckkO.exe
Filesize
405KB

MD5
733a85ec3098713ecf52695d081b71d3

SHA1
a510f8741b904b2812dcbd44e73ec3a0c3511259

SHA256
1dde86513d2796d8df4133373af484be5d422bbf14ad328ce43cb8542eff23cc

SHA512
e870bbb3511f6b7d79cfb860fe85ece2cd699df1223104a9d48ead6ac59eaf2b45408f2fd0baa5df969f72aa74d7fda710fabbab8db7e48b4d92312556120d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckwswwkw.bat
Filesize
4B

MD5
291e0f22ef2cd6840099f4ba9eba911a

SHA1
7a0451527eef5a655e015a02b6a3dc2f3382c4dd

SHA256
644b1af36ba2710ead4e1217c4299d630b9737f4c8b9df4499deb9106112db98

SHA512
8d4a263eee2ff55f5e6e9f29d6fa15fe10705633e8a6722cfb802e116003e70a83363bad2b83d1e13a8fb6aea51ab2e5c90d08b71c1d9b059694f6815390f599

Download Submit
C:\Users\Admin\AppData\Local\Temp\csAkskAg.bat
Filesize
4B

MD5
3e0901319a411619b6be737cbea26793

SHA1
91d8bac95907248dff30aeb8bce4fa3dcb8cc199

SHA256
5db294b03c6424c92d2ce42f06fdd4311b96c24d53cd9773c3dd984c1757a042

SHA512
6e5ddad03585e47666f2f9116c9588d9d66c69ba9ec378008fd7d5fac97c79511877aaeeae6d5d6df8ad753b21deb38c62ed296f95ec3635b5a6229db2cc8e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEYi.exe
Filesize
851KB

MD5
48ec0de6065c17f1f0de8c80fb14a77c

SHA1
ad0a6a412c790ae13427f58cd0784ef743c681f8

SHA256
19d719d7df7ca7a61932ac49834ceba45135eabb28ef01e8da67f1d81a48e283

SHA512
5fbff6eb8f522457f2dea988bfcdcfdecfe45024fcef1c5b5e2b4f14b920ae8d6de76393d247b379d56a3f2800ce29d98f0d8649163120ab6ca764033dffbe5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMAIIEAQ.bat
Filesize
4B

MD5
b58d9f46a4e90dd2fe313fc097aef74a

SHA1
fb82647c4547715e706727ad37dc5b11ce5326f7

SHA256
7bc5237b7e0b1bad04e1df9b21012b944b52a85cacdd2ab2f9a092869c828f63

SHA512
d28bce43b335530ace8ebf96610b0fbf4b51a22ee54b55d89e9f3d4b94e5028e57a751d4c83104e9f8cffcbe321aed6bbc3134164686de17e1020db3861e89c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dysEUEYI.bat
Filesize
4B

MD5
92110dca474e853fbb0871cb1b38856e

SHA1
e9c6d3491c3480415b475ec50d54af07ad373ce3

SHA256
c71f88ffc581c939b29a0fea125eafff7227bd05831d6dd5f7d6c1e282ea6182

SHA512
581bc4f40f87b0e796d56252f1816d226dfcecc94857a881b74c3733a9461cadd9e86b30f2b70c8a349f03e0280e801a431c4f25f2a37d033377ed98514c246b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEUK.exe
Filesize
128KB

MD5
dfacc8877e5e337ae017f70efeb5f727

SHA1
e0b34750cc9234a6415e280c0333b32c088219ec

SHA256
df08368e68291d1bb8ba4c1eb2b356c9f1c5d1cddb68af396de56ecaaa2b3dd5

SHA512
236ba4baf1474dcbf383078bc2ee881dd997a312c25e1ba09d9020323343c231f0b48926f8e06910042044cd7b029717a41e01680eb164de110137bef3edb0ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMwO.ico
Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUEoYkoQ.bat
Filesize
4B

MD5
ddb8cfa158b63090e1d87c11c70fe2cf

SHA1
f7011ff6adf6ab823ac3846730ecf5a302fe16c7

SHA256
6d33ce49b267b5e85b841c0d553a1d79bc4d8e1ee890e7d2d107a046619ac6e1

SHA512
16f6b1df9baf25e4968385044726493f449394e9225d5d70e71e1cc92ebadf1c4f208387b3bbeb48edd2378a5f1f54edd0e288687f481976f3cff9aa68f18ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekgO.exe
Filesize
228KB

MD5
3137f7d0337a4dfd2d975855a4b2dc96

SHA1
4b36a4f60b4d42c79bb9a98f3f40586a815b02f7

SHA256
de6212ffa6feb58410d3118923118f40eb7473e2f0283f38f31b46b4a42563f8

SHA512
b266dc3a3ce9e015156499737ce2bef3bcb89bb0401c3340abdee7ab98407e2244bfa1c0f27a10a97670354e66cecfdc3b1ab16018c4c0fd1d0aa6da055fcec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGUYMQEw.bat
Filesize
4B

MD5
be1c1f9fc4b2e675d98e64913e523ae5

SHA1
8b9031fe4f76f9966cd0e4f86bc36d522beaa22b

SHA256
9ce9e57f3c0202c8edef2e663700650bc88f23f70f85e3dc89d24e8356ae9f63

SHA512
222eb680f0e16915aadba92bcbf2191a0ca02d59e3cdfbf4c9e494601401c45a692803882cc18018712d210c4eba308d5829c2208a2166345a9acb82f1736c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMYe.exe
Filesize
960KB

MD5
434b1970f321b08c768f8ea9b31399f8

SHA1
d111c87ef9b2d8aa90be1ab4f54fbb53f331c476

SHA256
09566de04b9a77d548c6cee82f16b1c18665f2ac3325b21a5e46a9e99eca12b9

SHA512
61bb481f62fc9e4ec1fdce2af6f004df9b2e561606e0f5e115ae462334157f8214fefd7551ac6d42347180a67dd6508909e252694b468328b66baee33dfe2d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMou.exe
Filesize
200KB

MD5
425993518f0136ab3ed23f58d85c43b6

SHA1
c1cf11beed66ffd095cf5103995d3de07e619427

SHA256
acb13dabb15463e8637b48b6a4818d30ba70e39e759902393cb5b5f2e261ccbb

SHA512
015f3dc9067e1002c23b363c6ec0558890499ac842b25f17d3448477c0bd8f1945b00a2ca3237d5ab01a3dfca15093c576de2e29632b47b892fa7a4d1d09cbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\feQIIMAk.bat
Filesize
4B

MD5
e919f454eb7dc052c306916c2133b480

SHA1
64f265f4b95649796313e028b7959f5c3a609137

SHA256
968af8771c3ef2908c8164c14c6e9de9e46d847190bc56a975c64463c9304182

SHA512
c300b4148ae6233555a2a7582e4b9da6785a3ee72a1a101581777ed826d5acbbd2097a09b85e06ad9085fad48b16cfa5abf5513d52c5077bd9c73e810dcb568a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fogS.exe
Filesize
1.0MB

MD5
8ae9a692f33209145733ee400a3e9821

SHA1
0f5470dee8a522c082ec5afb19ac0e389c2f8786

SHA256
e222e3a28a3f0e2cea806c5f204c8daad7b3bf5266a07fa2042880cfc62a1c46

SHA512
0d85488ced8aeefcb86ceb6f1bb0a506ae5071b4ae775fb2887107e14ed120b15a7818ac59b045cac21087bcc9776c89d93e46f5ba7851909fe75fce1a0f40bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fokG.exe
Filesize
599KB

MD5
27e82c67d1bf086371553d87e5e0b302

SHA1
415b13b9316e374ac52ab67fad5bc30b1dd709af

SHA256
27255ede96dc46925fdfb645fa37418ada38d9aef747fe7ffc99468685d3323f

SHA512
2a14fb3b51b5308ece7b24bd61486b03bc0c2fdfb273c6418d3c9e52a35e21fd794050cd17a95acb2f3f5777d4f4bf9dfe877bc70c638a866e17831263c9b766

Download Submit
C:\Users\Admin\AppData\Local\Temp\gCIYYgcU.bat
Filesize
4B

MD5
c6690ad255f100696c4cc36842e4294a

SHA1
5cc51f9ff0fc9dfc42720bdaa90fc474886f9bc0

SHA256
f120c13d83a735bfcdf312bf5cfed3e076e41b904549b682d9d18786596ff812

SHA512
26d0604615da9999d492374a7f4d971febd8f1a2e5b80160cac577943ae533e2096a5bb8f3a53e883d8e4971e8f0d7a3d4f021d9f9abd35aae068af13c27d58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEEC.exe
Filesize
235KB

MD5
2bcd23232f0c3970244afb541afe7ec1

SHA1
72fe2e18e44b88840408d6b3ed85641820c785e4

SHA256
cdc26011977cb133dda409fe3b8abd23ce918f1d392f74b7cc6483f550433641

SHA512
e9787c8019823a56a42b129bbe852dc9a1fbee5ba37148e78d6383eaf825ff9823738f8a8cc55d13e8cb440cef7a2d3f41a646bfe545199bd76839adf7432d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEcq.exe
Filesize
627KB

MD5
30e052eef4f6022efc09901e7756ed4b

SHA1
f0d49c06e98726626ab3791b97a3e21577ee46f4

SHA256
082f4d778606786f13a00593721a42ac74816a308c21b4bb1ff8281563cc6445

SHA512
e9880a7ecac49092d5a92553305b97b853e8db0536b7c6ccc453da518c1828e37172b2b9af6c9e74a979cd8a3b420c1d4b22d8c033ff417d3aa3a1136812979a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIIG.exe
Filesize
249KB

MD5
abf6f9c48fc6a0a82c60dd6772485537

SHA1
bf251b0eed58ff5a081653ea89ffa6784880fc3a

SHA256
974a732a1e3180b5fc428c177c8a60ba63cfdda32ae1aea28e49f5c23cef671b

SHA512
45c51996120373e919a86c0b6b09ef7e235f433f2c1fb2d131561fe2b967a287be4bb32b8e7f74ae82c51348ed7621da708d391bb97149195e89d4aab159a464

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIUYAUAI.bat
Filesize
4B

MD5
c2539c8f8eb81cb1a6567d64e5423288

SHA1
a42d48fa84f920e20bf2b9ed036efeab8de24d2c

SHA256
ee82af746251773678245414978b942429a01a01abb9c067e639750b113854ae

SHA512
76e4f94dca994f11b3e8972c53c7a8821abf8c6d95bdf34dbab43dee4978b8507248a84f9fc61906b571e7371c9fbd4a02731913b6a51679fae81e748e27e92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQEs.exe
Filesize
1.2MB

MD5
580cb892c47684b6e3fb702e7c808ad6

SHA1
1ec3b6640c5aedc574949b5c63d2da991530fb6b

SHA256
692436ff8711d02b3e5d17035d16406a3c09339d14f9621813f2f78f1a7bea65

SHA512
28806d23f31edea53119e1800df50ca265306ec2b450f9e21b5417e3e0aab3a3a48c85112aebf6881fcc132896c7fe069d4a0be9c2a01f0eade8bb3ea18efa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQMm.exe
Filesize
236KB

MD5
26a37242bd4d6cbf18ae3bacac4ef716

SHA1
8f8d55da0f6cee5232b437735269fa6cc8a0522f

SHA256
cea677b9a972399cb2bf7899960e818565e8770768206fba813cb91eefda9366

SHA512
2adf56be358351343f21056842a0dd99a709c2064d5129714fcf793879ccbdb99837270949ffea3d55e0a03259ce4f3e77e3ebe367a247201c51757ed1e052b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwYY.exe
Filesize
234KB

MD5
e47a9e0b23eeaee14cd33d62a22f4f16

SHA1
891873a9fcf1774b8e2e8adf5a5a6b8d9455cd92

SHA256
d77ae37f19ed22989d77e6488d38b7eea128e5ae1ddf27661e21f764a74e6d6b

SHA512
d08c285c0017d05153a7cbc67e71a8e289211995b82a914858a93752bc798c2715e34ddd9b08127f6b242e028b1f9da13e4726b1b7c6b5176ab173a8c70b76b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwsm.exe
Filesize
217KB

MD5
777e814f968a83b540c540dd57465c24

SHA1
5fd863c565f1e45829326b67771a4da38bf25e14

SHA256
5656fe40a9aa4dc45dded15c76ba6d2d7bb4da1e6b7b2c7889ebdc1778c034a3

SHA512
fefbfc30b97ba88f81c395ca9accaf5bcef04ce9b0f21a50bd9b3615128fcf75eaa74a66e0530d5371f95501d7507f05b12f7b1287e5998f41c7afec1b84fdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMAwMgAk.bat
Filesize
4B

MD5
9f0e6519d6f3c08604c38b542d397c1b

SHA1
406c502dd2bb7c3dfde9c98519af6f431bb8ab9a

SHA256
6c584b815e4f645934630df6e91a8202e381c47c34461d0d29ce8d2cf6f92e49

SHA512
f94d71c46315c3fa7b050f443abdb4c01bbcab8254901fd96c1c6a55826b78891e4c0c0a20213ddb0c9bf69ad3043830bfcf1514b22b1d2b9a35256f4ac74db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hSgUoQcM.bat
Filesize
4B

MD5
adef1738074f5601f407ca71da2ab7ee

SHA1
5b5bb198633821d0c2d0f2ace018c334c4a07363

SHA256
110a9b93d4943c8d7941a75f2328ec4a2008aa52ff68a6190ef08171f0fdcee1

SHA512
51bafe99bef4071005d308fab41d88dc2fb9c0bd840714315e453a01e52c04678a5eda6d10b9348e56451f51d2f3a440435d9bd762b8a9fbd1486887adf2b312

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmQEQwQY.bat
Filesize
4B

MD5
376f8ba8a03dcdfe1267579cb6bed9c3

SHA1
aea3b86090c6744b63bf2d8cc08687e79fa44f28

SHA256
467137a6e5dd5fed25d579f42fd37a2b01306e042275eaa76de2609d37362e70

SHA512
f0ebc056c57385ca91889cad0c619b889e9627dcce5c63062df868b5997ad55e4f10c32fb6a9fa3a6e5d0f98a51e70fd3bc4c2506211e454c59b4826159c6b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQcQkAsQ.bat
Filesize
4B

MD5
a25c1e187ac28c34d5164ecd3652ebc8

SHA1
d501f66256edd9af36d15cde2e5e973bfd81ca3f

SHA256
43bfc976640fc494b99fbf945c44bfe78dcebf70ac450a0343f610564a91b47f

SHA512
b89628fdffb90274e3864f5adce4c789b920f6b4b224fbc70b59fe464f3e4e9a99bd10d1cb09c758150cf1c5e8569c35f007c756b94971c54e9392530f5b9a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\isosAcAc.bat
Filesize
4B

MD5
e357ead5e75584a6fbec2262ad13e711

SHA1
012943e95f94148f6ced273b843d88bbff7426f5

SHA256
5a206f7ee76570f26d5d1392a5567f1c91b98c23f7f986d3bbce37bfb08a7880

SHA512
a5303c98a5a2521e648086a8f1d13555136a6d172bb4198ca1244000313fe93254528c310858203f6df7707e11f4bc0484ca572e142e76469bbbd7f6151c0942

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcYE.exe
Filesize
246KB

MD5
8e1ac0383909829d43baf0e51c060a74

SHA1
726e099c26cea7f9da6499416994b2054fea1fec

SHA256
55ee05412aa29772073b860167e88ad8d3a05dd8777174336b73ab0b4760e1f5

SHA512
17532e3ffe45fa4198e3171dad8921fb0fb7c9dd6107437af42e4380504900f8ef3c1b5da9ce5582d7b4ecf9b7943ae5cb542cd3a430e5244b8398a950c2d003

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgsY.exe
Filesize
302KB

MD5
f80e83c115c59cbf2b9fb62fe8e1032c

SHA1
9aba8206337dad970d3de5948269b748d654a65d

SHA256
19ac9ec68fa9b934c77519153f569c7830ac3db6fd68c7126cc73f5c03c89469

SHA512
1fb953116484ba1b874b67697aa2675ef158f5cd0c8cd0c2a8315a9ec534f9a9d877653cf8c22065075c5f2912ba5d21c4879024757fefbb3ea9fd0fdf82468c

Download Submit
C:\Users\Admin\AppData\Local\Temp\juwcIQME.bat
Filesize
4B

MD5
54c5958f53538afb13d276470ba02715

SHA1
1b702ed7969c475747ff1d6be9041fcadd77d36f

SHA256
46a2dd68f4f362c84300a6091a28619d079c5aaf0898b6918ce68134e1dd9241

SHA512
9cd3f90f2263c6d15b1856bfe0c7e8d5242984c5070c984e2d4a540ef368bd919124e07fa407de9c5b733dcab54d0300221a81eb79d75f10ba55afd422a6d0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwoe.exe
Filesize
307KB

MD5
71f523331acf6c8046d874a626da2fea

SHA1
190898ee51a9febd8b22ade4e043346ba2b5d371

SHA256
d8a9fe835ae125cbc4bfa94d70f65a9e10bd271ab0f65d62499787286c424ad3

SHA512
795948d4ed22e8560015f2eca307e5e0a44dd8f7aa688d292978ebfadc7b5291c8d3f0fe0d1acc0dc6d96d7ccefc97b19a226ea6c294a749a0c9eca6792038cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmoQMIsQ.bat
Filesize
4B

MD5
e036d44066cc261cd3dcdc628951186f

SHA1
d1b1a4b78ad7b64304ca6122d79decf925f766be

SHA256
8410785d8fd724ded1af4ea07b1efcf5ffcfacbb721c2e0f50c5b2484055a2df

SHA512
1264e43b207540771579529c84923fb31d50a6698afdb5a0c949c89be386bf979d6bb8f10716e89e3d15fa1b015b5e336e92107e0506ddec95303595137f5500

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAIO.exe
Filesize
636KB

MD5
f84584d9d98b6e41ff6c4b9bb6b4754e

SHA1
df76635dffd3177043a665305ad325a45d1ce1cb

SHA256
3cae80c74173b255760e48e76653144f7fd7e1cdfd7773a14b20e0f85d00b44f

SHA512
90d755c0d12aa0e885c7516aaeff9308500a7653679fd8a87a3ce3c4ceecdb9299b9456766e29600e44e0ea35210da15d58f009fe39d8214e4dd70abc6ddecec

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOYssgIk.bat
Filesize
4B

MD5
9a7b82f51e50f6f65ebe67ec5e5b746b

SHA1
de3d1dace0770db743312f8f076da0388817e8b0

SHA256
b139f82a6f19d9e591a32499ca8d6d5c5f1926d2acc5dc388c41f0c561fd20fe

SHA512
8502cfd442731d2bbec4ff7fb52cdbd83a1dee080647aa5dd4cff1e392693d26e4e225ca6de019e2e494255e7adc5fa0bfeecd455c6cf2aa5f36e6f6def7784a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUgC.exe
Filesize
782KB

MD5
9ae774fce43fbd91c2cf6a1c59ab2d12

SHA1
8ed538edb2cd29cf4230be8f52f541616173103f

SHA256
7da022a6be668a8bfa8f797e3830767ba1dd625278504577c01a2f5e3858dfd6

SHA512
ef0efcbb171fb2eb2c8d4064a1718cbc024200f6d3ab298be389d2be05d16fa11233a55a7fc5da0427e050de4b676fbd760dd05f4b65137bc2a4d5781185ef54

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwgm.exe
Filesize
501KB

MD5
10bb701686ee5de02f5eb50e63af5af0

SHA1
ae9a9e8b4d24429e7b6330c868c9d26855f3d732

SHA256
d6fb51fee1fbb9a55a74d4157dd3ccdb7aa018d071e3102b39e9535b118754b8

SHA512
be7151334297ffd77209a1ec570d98af25b543dcca07dcfcc85eb9d3fcba331e31514ac53980ec95adabee5d23e72f588ecee7ef95a76cbccdba486986151cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUa.exe
Filesize
230KB

MD5
e4f9b8e8870869bd4f269cce7ad09f03

SHA1
6626190a7517994af1cf837bd46e9084080d8f69

SHA256
ff594157f469d86cb246d86d84a5465b196423c4faad4e2da83ab8aae2bd0acf

SHA512
589fd486a14f9985d0df3083597c1a85cd9e7b0c5f8643090fea60265dda4c19cddb33301fd1a3b09e15700a4eb33ffd2f255fb5d6f48ce3e3bca0635fa064d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYUq.exe
Filesize
246KB

MD5
02f4c4e38edd9d1a674194ecc54d721b

SHA1
1de9e3a66c59cea267bfc0888180bc56d50614b6

SHA256
cd8f540220486c0158870ccd47dc12f0a66d68edff347d4e21c0871586e234b2

SHA512
8e1354d6b8041cbce4f746e9d90f96a85de44e71692c2963a44fec9c97637d99de0263d18444099223f3dbfa73115db8130dcb69e66abae2c7567bfc7ad8ed59

Download Submit
C:\Users\Admin\AppData\Local\Temp\mksE.exe
Filesize
227KB

MD5
b659abc66594342d394fc73abfac7a6a

SHA1
3cf289cfeb0dee0247746e3fe3f01b51b47e8248

SHA256
7b8f319b191e8015f428f1609b6ad3cea781868818ab70cd824c095f20e8a0dd

SHA512
227649659559fb44e675e9fa71692ca04621f58d7c69e670f8b37b47c87b56b96bdb58366a462cc77c939257c05c0ff62d003ef824f66c37c4e1e0334207f6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\msQssQAU.bat
Filesize
4B

MD5
58ed8948792603f3bc9d50b372d21042

SHA1
2dd93795a0a5c1114121f6a0e0081fc9fa0ae970

SHA256
35dc0bf824982beb3145a6a9fea22b397a3fa8d1c49eb3b6e843fe958256ae99

SHA512
2c62de2b17c04c9346f0385f42f4b7cd14bbb967a6568e8bc7b914f30fbe8c0dfb1da258b5dace215809028004561f0e5423a2bb022591404eb0ed668ffe5083

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGQMokAI.bat
Filesize
4B

MD5
753288c20a81302a9c89bfd6a74f2795

SHA1
0bc71e26470f4002f654489b0b3280e9571b4773

SHA256
aa62d12fe596768d97316953d891f30a6bb5ecd412c75c195b67aedbcb5be8a2

SHA512
a9a7c8873bc243aa34f1b781d2416c3f9d128adf212e68f553cbf984ead1ac8d073fe09cba1577485e698e770c68a24bcab1ee3d92b14221541be926510f8b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUwokcQI.bat
Filesize
4B

MD5
c9fd31ca9bf802659e93bfe83cab32ff

SHA1
ac46da0e78e29a16704ae0ed100ecba06a24eff6

SHA256
015743f739b9bd8f906dcc6c7fd6aa55a5bea5fc81e55dbc54f5f732b9227db8

SHA512
c5d024ef5e34ccc7a8be3e5028e5cd09b18db77dd190766501999923611ae04774a0cd6729d673478909c4180ddc7ff57299f5ae1d89889d56da0bfb0030282d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYIY.exe
Filesize
228KB

MD5
486ce7efb07a92da851e52ee4cc5e9b4

SHA1
6b7b82a24991bdc05ff32ed6f05fe7d17d4a2bfa

SHA256
353b5c3a89199f58946ce972d1ce31943a33d3e777111b2cacd7c8a50a1f967e

SHA512
81d86ef1fb93b0f33507eb6ab1c32669c7fd4b787a23a382903353b777905272fef466063677aedd28814164385ca4df708cd5cc558918c2cd6e419dc9238630

Download Submit
C:\Users\Admin\AppData\Local\Temp\naQooIos.bat
Filesize
4B

MD5
e99c360457338e070988b6c5615dfaa2

SHA1
52c1cb1aabd5945d92c36e9cb139b12c397a072b

SHA256
8d5ec9945d0720f1fa2b938ff79d80a318f09f894af744b22d139db20dcd2053

SHA512
c14aba969067877c6461df11ebc48d47ef36973339d2e77efff77b392811244770e0e39ed917ad595caccc848194bfecac17a766f5846ff86efd67bc2f7e3667

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncwg.exe
Filesize
210KB

MD5
0a42694f457a2520aa7d57331f75f309

SHA1
16687fdd85d2e548bff180a84abe59453cd90251

SHA256
1300e2e2cd9d0aeff5335b0bc2830619cfbefbb494af04f54039a263c801b0d8

SHA512
2e07b845090766e7609d35434c8c9b3cd66a0fec3d31c5d3de469e481301d98eeb0143ed755846a330442ed985bc34581d4037e3f16fc6d3bfcdbcc2692e83c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngAEcUMs.bat
Filesize
4B

MD5
d1ae67738efac8c7c9a68666243f0975

SHA1
d9871e7b5b02ddce8917bd4e0790ecd8165c301e

SHA256
f00437a928649cf0c42249a604e5bb4f8fdaa32c476a3707830ed7e6979e190f

SHA512
2fa889de9d99f03851e966679a0d5f13c2fcdc6392d9a85690d31c34f8a240c2a0f965a94b79b16897d9049a58ac6dd1e4edda003b6229e1d81c20e319a08cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkoq.exe
Filesize
230KB

MD5
e2ab108d7c47232ea286bea24d71bc2f

SHA1
8621db95b1fc28cd4a662e4b386063ecf93c1836

SHA256
94378becf79594e58a9e26ed7a407858ff55f50ee3393abeb67e53d6e5b44df1

SHA512
ad47e2df506db8091c0d72b56ed7816f9bc987e3afd58b3647e94390689a9468727b87f338669296b565a5a9121c3f540e1a2e2ba8b11086604738b908eb1960

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmUAIQIE.bat
Filesize
4B

MD5
cb8b4de4ade82979f37d784a40874a61

SHA1
5b37b00245f87d23c7efe9e3b67d2c3a3bb2c4f3

SHA256
788f58ec6041a2b032e147356811e52866d14320f0f4420fd5147870c46eb293

SHA512
91368baffed024b55d2bcdc6e0b94f8760b157826175e85eaff73f5c5b02cc4192507c035b7a6d7006b6b53b79db9eaf6a71056629fcddad80e2c33a700a8ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsYI.exe
Filesize
250KB

MD5
ad4d1f4db79e96afae91c1ca36d9f8d8

SHA1
82887d0d070785930e49077e48269dc2b5770ecf

SHA256
77c0095109edb184ebe8b9c39806b89a22ea04b4dee122fd3267aa59af8d2b52

SHA512
8791ceef8ddbe954a03bc2c3c912b0dfcfb8de5a59ea451c7f4e4b48b3d75263144ceebef51278431fc535f4f0f83012414bf8cff0808c0adbf14d940fbb70ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAYw.exe
Filesize
245KB

MD5
6009cc8a4d57b0790bd976b7b5e57ef3

SHA1
e522dcd99acdd8475987a8d1eb3a4b16f7f24d4b

SHA256
4d769de1be6a79761c810060dda75cf94ecdc7e37c8b91be6dcec1444a7fbd9c

SHA512
80424f7414007c30af4744d82439902af4ed9368be08e10b3080441b2e23cbd6caad18dc096e294592fd64018d246e9b7dfaac3368f205ca6a7a721f273d613e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYIW.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooka.exe
Filesize
245KB

MD5
d4ad0218593d4c23260883b5f21c31bc

SHA1
1cff349a0404c0c490edce006027dcb6b070173f

SHA256
5ae6f1b184d3837ab5f43621584515f7cc9bbeedd71566953190cdec5ed18761

SHA512
4965b72121fea2382f193d520e78ba688d3a5491d9876e8446a0b65ec82582e6ef0e574616c4aa0c77957a96c28e56c17ffad1f295f90a2bde5ab1b938b57c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUUA.exe
Filesize
252KB

MD5
fcc2b788c16488d247049838a7bceb15

SHA1
f0e03b755297b00cd1ecdb8b376577d6af2d28f6

SHA256
711968145fdd7879838f2cb2031a1493f20bc49be00a846d251a5eda4239b267

SHA512
b3d449ea22f1c4c6c429d63a98cc04a8b57dfba9947619f527306ef90101ed2e8a3affec7c96698fba956b2496d322b21623eb997036fd1a85d1feed73983bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqQIMwUI.bat
Filesize
4B

MD5
a74791feb7d0a2384cedd05fe15b4ddf

SHA1
f7e2ff531920d55a5c9001e1daea2f25c0aff76c

SHA256
169e34c84311d15be4e474692727abd0d1e0a556eb85304ae291b68a7a552a5e

SHA512
b8522e720bf9af672f93585f1f7fd3211b81f584cf68f8782d405499bdc8f3e78335079f74f978d6dd79239b427a45058b5439e6a0b0405b848d2a0de9689c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqcIEYoA.bat
Filesize
4B

MD5
dd90a67f0ef7955ada1eae0997bfaa67

SHA1
1241da15cc6d2141aaf1f48812c91e5dbbd7e653

SHA256
b1d6ec0b5a9c63fd9fc4c78f58bdda123077495bba2f9e71c5024645134965b7

SHA512
bcd90d001f122a5762de72e2d67a2d7674252eff5f00cf4e751b295f02bfd1cfb77b3a9acda0d4a5ed639ea95e90d73199680028cc6cc69dc760e40e8c828ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIoI.exe
Filesize
577KB

MD5
e91235bda561321afcd59de388fcaff7

SHA1
f7a27fea4febd11ee15993f0544c4f70582d5f84

SHA256
3c4b6a554d3c2a6b6b8beaf8414b554009a71b406e066b28a772fab359b9bd0e

SHA512
f69b2311c8455702b10e6d652944870ebc67935a07ef06418f6d2ce6e60b73df38b6d69611cd4fef9e428270df3a6b2f04bb555f9abeb20eafd585aa7daab272

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQYc.exe
Filesize
229KB

MD5
4d4e702efefb0e35cc9071ce69ce29f9

SHA1
dd56cf9c77e56c33ee71c80c22f8764a6123c77e

SHA256
2c06769a039e23c65f9bb306d6a94de2c8e2ca382651c48ac02e181657614e67

SHA512
fbd8391c9d1add47be39a280ab08410378d6e9dfe5178bc671283ec5059ba5c35450a38d719aad30193193a8aa9e65cf6a4485e50bacd4f48738758488e5a0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQsIsUAc.bat
Filesize
4B

MD5
e41a440e1dbef995ea6ce8b313e18a28

SHA1
8fd3032c6d693286c8a0966a7686a08d6641101a

SHA256
d47bb461de4eef9612afc193fe9119e5dfbee63ac562fca874c140fafa5a24c5

SHA512
14b2620a19211c62646b5a32de502863e8a60e951aa1f1a42fb4a0c9d53c2b4c70b31da4738e2f5df40ca62ec9f9e83d3a0b303f3b61be608227ac1992845013

Download Submit
C:\Users\Admin\AppData\Local\Temp\qSAkogAk.bat
Filesize
4B

MD5
799d2ee926df508b0a1e96613951e39b

SHA1
3077c4f1fd2bd38335ff907a1553c93544520ea5

SHA256
81891b46d64d2b78e0bd05938ef8b000d2364a1c236677e0378a5ae0d0afcd1c

SHA512
0eae0691e63be09be30836bab5df7e79e43a03a2f356c3fd37a53a66583c9aee5a5e21a1ce5b39622c87655710ad354c0dee0db6e7b682e11b78b954e7d4fb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUkckogQ.bat
Filesize
4B

MD5
b817af96ac4346761a17637d4e97b848

SHA1
6fd7539c6613caa52dbe7851450258ba8fa1892a

SHA256
33f0752229e662a5b61bfa67dad7c2082f570bf11c44b0c9d2c5da1569544c90

SHA512
9011dfd00c32096a51dc8a44780a519d6ee802799d15f56f95477b870b3814055f20b9ae94f6e51307108aa891cd4d58e0ba6303411e943458fcde1879585fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgcM.exe
Filesize
639KB

MD5
e7ceca2c2ca8bcb758f99f097841602d

SHA1
203c8748968b1503c36d0439e391344c402567cc

SHA256
322dcae89c75902c9e7539ac37e7edc164d98b9cbeca366e9f27866c61ff945b

SHA512
698f6f2c65c5d402cf9baf505f7eab083e827128e9c9357b2303b4d5abf61837e04c9e59e3aac37448712d721cd2b17da4ef41acbacd1ffa459a9360cad57864

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkQm.exe
Filesize
231KB

MD5
b57cedbafe5a6d3fd2c2dc7ff3448fc7

SHA1
d465158c0c4ab7491b91f17189b8830a133f75e1

SHA256
b263f4508a82aca27929f782affbff42e950b5543e15a5e51488fbc83f29953d

SHA512
a69781397254ef88bb3acf273dc0586988df778826b33cfd783b53fb2cd4c5afa53ebdac19ee715751a1351528b7d2f32634325c8cb31c8f6c92534542481be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEMk.exe
Filesize
332KB

MD5
1462c92e3d1cc54e91d2c4c1d9fde6c0

SHA1
2f8fd3b676f41d08bf1dabe64dae22dd9425805a

SHA256
5f30782ea9184f91e66da4448bd954b044f8bb5af1119ab328a3739cee1a8246

SHA512
abf49389f0c07a7c0f1efaa53cc461a32041489050a31619c5c059fbae024701043e7398f5efdb290a8e0d8b7f0629f26f6e1d7cf8ca1c7f9da518b7d5ba4904

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQwa.exe
Filesize
232KB

MD5
b11e94d939bc015267a188e3ce3f8a53

SHA1
ca71e70143e2396adfd7892ea2b50642f615107d

SHA256
f1638f15c4458976be62d089d7996300b664b79d51fdfa051d687a3900a9d73a

SHA512
db26206c4a8a0f86b91756be2600651da238616036c9f8209b199564636a42c2a10ffc968bcc6aa4fec906912d813706bb032e0b15a32ed34ab74edb3501c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\rSwAcYck.bat
Filesize
4B

MD5
88bc7d7c02e40af35d8544f9ce02c781

SHA1
f0e71935c7af1424cc2a5f5befc6d8c185c444bb

SHA256
5fc3ec64a8a1033f46fde50f86a6d0acb7c5b7914947f1bb1eb877ff29d4e9c2

SHA512
9331e2f6dacfd0f78cda30c2af7530c70aa942cd6cce2df97dd9736dd70f569cfccbf3d7ff3f7e13e3b2279f40eb82d08bd4d6064a76188457f5726922ecc99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sccUEUUU.bat
Filesize
4B

MD5
83a882fbaac509e371834d359fe41be3

SHA1
ba560838cb53c53691d4c0cac9a126f87860f7df

SHA256
d242b2fd546c29cf84de15bb762df72a5b836d589cfade12c80db84decc49274

SHA512
21498ee1a4e536371c9af1b5d21652a1613f4e447f1c2aee3727a012fa12a83c220977378f708e0b189c30d9a329c6da7b28457b5cab81d381c84058ae69ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIkO.exe
Filesize
246KB

MD5
bd9951d238de145995a06bfbec06c883

SHA1
cdbabe8b48cb58ac2e640b0f8d563608ad33d133

SHA256
a65de142aeaff470336ee83872c7a991573b54ebca5657f6ba1131781c66f6bf

SHA512
0453b9401cf77aac9679a1a4c9452223a7902a2ab8046e384b45a44f72b6dbe270aed3a7fca1f925128f2340393715e499ac7a59254954d1c275003310997982

Download Submit
C:\Users\Admin\AppData\Local\Temp\toooUIQQ.bat
Filesize
4B

MD5
dc1133b2ea53e1e10c49c5eaddbf433b

SHA1
514f060bfca1310749e7fa8f71c4d91fb879ecc4

SHA256
c73497c4ebaa236a509e52909cea7a5e3e40d5df3b60404bf8b3c09c1649d30c

SHA512
6aeaac5307befea75a38283cc79a150d7f324a23240d7661a0a1ddf0321aff56e4bd6d8361598084fcc562eb4d8f7c3e03d050f43843df4c2ec95c086b911a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsMg.exe
Filesize
233KB

MD5
d2d87ed0d75b1914d51cca2631107c32

SHA1
ab90553acd78ef4622ed1b7a7049d82075efce48

SHA256
4a9ec5bd8c82290c03327f09cc696bc0b543bf06cbaad6b4b2bf89cf4fe0e5aa

SHA512
7ccfe9b10fdae85a508ed0b48ac99e0d62dbc8486a38b596d052dd189032c2896caa43dd9dc422689fa36e84ec1f62e7b92cc5b29548a3d5adc3476063ef0247

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEMK.exe
Filesize
227KB

MD5
82bfee64a445435c9e0c10b7723e734d

SHA1
841f9718ea0e82b04cdaba2c47d1aba059573882

SHA256
14c8ae02291c0786425e1a952de8064bac27184c4a1946cd1546453536e3a747

SHA512
ac35e8e88960f10fcde73853282fe7f57ad86c3569d8f72197675ba76e14b4a16a6f0b6c68b33ad8c3f30272dc8a0f88c71f70f72ed7ed5e991bf1e454acaf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQUS.exe
Filesize
231KB

MD5
6ce08f2b1b63b49b14a7831158390dcb

SHA1
9132dd22fa9fc2f52d54301ab7928e1a8f24c823

SHA256
a2246749f7b503a6ce2627591fafd4fec6128e395db6d522ccead3a05134790c

SHA512
8b63fd67876955655d2112acb1270342de131f4e4c4e17f7002ac5e423f7f4bf2d0b0532c8b3a8accf44e9b80be589f1cf241b5b88a262986f1e122781b8b0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQcgEssg.bat
Filesize
4B

MD5
5fdbbc8525c81a0ef12b0f42e2e354ef

SHA1
1856ce296980e4e22f38197edbdd749a072698e9

SHA256
1d9ad474370d58d6c85105d06704b450f9264c8083a437f4b7c109065ea3aee8

SHA512
b4d68abeb61b5ad5dffe8b1bba2d7385c0ee4b3565795ed394e95b18d20631d85d06b29b70782abde28acc7f6f99692c0a0b62aa0730651f961a578dd1368bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugIA.exe
Filesize
476KB

MD5
1ec69aea05397be8675f7bd42d006005

SHA1
4a32b194940f4e9fd7e7aec18335be0569e0ed02

SHA256
701ff655b57d9038a1d8b29b98cd458607acb60fda363548ba559c93ab54aa26

SHA512
32cd4e1476c0d145daab7452a957877bfabbe0ea4fd335cbb9e5ad3f4398b3cc0138df225aad07b5475e77728b8038d22f40d28a25882d8335937e08e595d635

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukgO.exe
Filesize
233KB

MD5
c7cb035ce461ed5f4de45d474061b7e6

SHA1
7aeb74b92647d0c7d57517542ad342c23531d862

SHA256
e0d1752082a30eee5c4b32d78e4fca107702f54865f4759445db3c794a8edc93

SHA512
b6b23f78fc9ff37b2fb4635b5378e78fcb07b458f1187acb03f1c312f65c612e0909776216e9c289ff5b4b23cfa524e784350127d7956415d32468e8f2e2d069

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosMccgk.bat
Filesize
4B

MD5
7f5b48b96b2ab6b0fe066caa27c0d2ea

SHA1
5dfb4697d5b088892669939cc9af60ededd83b6c

SHA256
83e29e26c3b07c8385bd2685535f919d88e3c4fe0547bfc354335d74924fcc4a

SHA512
0ae51266f6237514a03c866b0c32ca1ad583a30f157b73f925601c7f756fc0a37c9d2fd155fea6391781de309d54da4e8f116b5c080075a8db71f07a05241dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEUg.exe
Filesize
231KB

MD5
37bc669b270ab2f73cfc14d4d2032221

SHA1
4ed20c7a04039f63c9b209c65ab2cc0ad6513072

SHA256
6bfbe3d4a90635a2ca4e9d1d3520b8e05f0bd5f3bce9c2daade6569293582def

SHA512
5bcf7bd4bd9e1fd42931db2d06da16d21c5cff48110382a0b1f0fc2811ac56be8302003cbb9cdabf44ee905a21ed1b51fb42a78992db931d2a6d2a01bee05ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vacwgosI.bat
Filesize
4B

MD5
5f4afe494657162c8605038199012ba0

SHA1
1c53e1431c1a990635c4fe575f65f7976ab16471

SHA256
bcb7afa24c047fd8d9cd790c3f0ccd5f5f648888794d052a3b73e9a28c962a2c

SHA512
52b21d0c81748ebc54b90cac2f11f348bec2a7a58fb3d9dd9ab0e4ade86c9f19bcdf1625fb7064b63bd30372a75470722076aef12794b4a2592792b337930f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgYsUkcM.bat
Filesize
4B

MD5
2f8ad166d4892b4ec0c6d19eba72fcac

SHA1
44979a8acde52add6d482054dfea0b0f2feaac80

SHA256
da25679554cbc9573f4e75dfea96294aa8df1a48f3a103454bab66a2963ddb50

SHA512
07700f5bca35e937490282bef0c3b0f04fabe0ec9574be06a1ad3640df3e1b69e01f2ab8f538c3fc6a3c93814d94b1f307538fa40d057d053a9cf97333ebeea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgoAoYkE.bat
Filesize
4B

MD5
e770c2b1a19dc50d1bfa6f8cfe84da0a

SHA1
8bc53a782346c761c0d11321a2ae80edf64230a5

SHA256
a3b24d6928aa4bcaa2067bee6f5660fa7804db3f3385c160e120ccaff7363eed

SHA512
e2bf1971ce87385b84441db167794ca8b8da150c694b9909d3ecacab496bdbf8b376955ffb1e15479f8d1f3d3bfc47872340e1387f3bed99ae53bdc2dfea9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\vosAkswI.bat
Filesize
4B

MD5
01714ad9e435768874cfccdeaa3d94a6

SHA1
2cb9dc17806b65b4cce1e3a44df30187c2dad327

SHA256
59eaf94febb838c12d68e2c53a6429d42c02cd020eac34399e3a3c212628776b

SHA512
ac3a22db8bb2fe950173aac705cd10853a22cfcdcd82f352b515ef14351298966b4cfbad6510b8cc1206498ec5597dd90f798a7454dbd1fbfb4dfcd27836afdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwgC.exe
Filesize
232KB

MD5
1ffdd399fc4b9966c2a9449528cb45cb

SHA1
5c9f7262b8331f399331350378babb1358f0f371

SHA256
cd6ba2d0881a03051d3b5cba9a7ce2a2b26175e6d9cf1af67d697f65d3910c00

SHA512
7969a2b9e32a50595f3411e8bc0315f09b29904cb9fc3cd44803f7a80cd242fc643cdd384df0306255d9e7b6c17e0da323fca24028c2fb9157e78edc6c99bc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAwk.exe
Filesize
236KB

MD5
c682edc93ced68a9ff78c805a03aa2ae

SHA1
c5c5094bcff6461b7193836b7c3afb17135f6671

SHA256
0ecc84cf21ed4ed92ccdf2d42ef8bfa1962bced66a7c54420f69a03c49dd83c8

SHA512
59c868f475d0d989aa614a5e81ae63076109e70968a5402542a0b64ca478d460be37961294a1ce5d20cd4d4569543d7c1bd042023f2d15bada9a64bce0a23c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEEQ.exe
Filesize
741KB

MD5
d4fadbf2c226dd04135a523c96fefe59

SHA1
9bb8c7c1466f498c50c3aaa384df8a6c8b788b12

SHA256
afa3c050cd233c12eae5f8efb7d7518ccdbbe95ac8a2cf7c56c1b37b3438d68a

SHA512
38815b695be285b292792eaffb7aa2b048b240dcfb279724c0880b6a8f23a95aaada27328eb22c18e5f96d81c64e0234b185078f98408c41d1ac23c5d97dbecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKIEwMcQ.bat
Filesize
4B

MD5
822449a1e9cfd833cee6a6ded5f70cde

SHA1
028d716dc72077471a460b590f36cabf2233793e

SHA256
4918cdf3b0dc6e46bcd0741cbeacec6d3357cef12d51f70029ad4be3006e6766

SHA512
f2b5dc5c1b0a968f5d2ab24332208e55fbdbf0f47334a8d1465053cbb6e3674f3cf18dc3a1d242db54359355c195aa38a684811fc069b6aa0a40ff117c0e4e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiAUYowc.bat
Filesize
4B

MD5
55a0e7fef30396aedc43e76c762fed54

SHA1
fc960f2606c07e48345504924605539b51f300f2

SHA256
d6b676654e293f7172838b4ee4736c515df3b99fef089f35c1fa38582a3b861a

SHA512
91d1f4308237215e1a0faec01435407d0cd7f5bda8f4ddf123766374f49de7abb2018ae58eb5fb2a4782f89ec158bc5509ee63d73a67cfd719abf1701c6722b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqoMAIkM.bat
Filesize
4B

MD5
cf26c302dbedd6d6772acfc763f8211e

SHA1
5aae7641138c240e40a20054c3d5a8e14766fb3a

SHA256
b2e7780d8f94f6c159570991e83d4e5595d52b9af221bf5c0aeba458db3f0512

SHA512
2a45f46fbb52bc0bce759c4016a15a145b9aea5689685b9e0ec6993ff72b477e82b2eef3c08fa70d37a005502f44bc45a117eb1ef41982e5685192cd0013ea76

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcgE.exe
Filesize
243KB

MD5
8e8072b851d63cb33b16e5d8db8dbc80

SHA1
89ef30d42447121850253dd856490e76dcdaeb1f

SHA256
2b0aa5b58a5f2806fec4931a5063bb280012d407a06a64979a714cdb58f38dc5

SHA512
b15ec31d7049dbbf6bff60f0075c6584b67b094ce042a877c42696a44a60d2f171a24721d84f8c149addbb3b5be164431b33f8fac770a914b77fc7000eb9d38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoom.exe
Filesize
244KB

MD5
bb53beffc00bd2e13957b6636a0f68a7

SHA1
eac8bbfa0658cf3c467e8ffd03f04e340e411719

SHA256
244b789f1d88671e8d126c2e279589505a0ee4fb9fb3f1b266bd6394af6b1495

SHA512
775b3c62836b76389bccca0b5fdb183b208b11609e78e8169ca86cf5f0e07ac075b1e3bcb81666a063bfa3a7e536306991089d951e3064ccc769400487211ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsQQMwAA.bat
Filesize
4B

MD5
f1c8a8bea091556fc06e460e16ef9a40

SHA1
be6c48cd84dec2fb97b5b544a0c7dcd2d3e11ce8

SHA256
d8dc883041f7178566ba4fb1b67d76d4b9cc1cbbc3a38fad8bda5eb8d2bef11c

SHA512
e297201532afb2acb61265c985937f0cfe1f1ea7f065b58915573212e8064fe246d70455f61c728f495b712f96590b7392ca6d7287864f9460f59adcb181dc99

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAgoAAUQ.bat
Filesize
4B

MD5
fab5cc02c57fe6b0a0b8b307f261df8f

SHA1
85140650fd58be51e3734e6b352847dbe2291544

SHA256
e8e1c5bfe2b1ea1d4864bdfe171a4d9f37c33299f0d94eab81c33fc6a531abc4

SHA512
88a8747df8f3aed573aa8427a7d02016f90d926cd34b5740dbb1087b5b7c6eea5713c3932aac15d262be040db3df0d666d7c9c67b37534a68a5e940becf2cdff

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAwswgYE.bat
Filesize
4B

MD5
04103d0cbaa7354285c54cfad39387d1

SHA1
f5d691e07082dfc6cdc8357d5a01226efd552f1d

SHA256
7c47207a1f32a967a45461db78c3a2710ca1052b9cb1f3b3750626a824dd0566

SHA512
1dfafb2c744385a35c626aa9159b3cc49f69c541e4f4b5c782edb835122dc8ea598414a083509a455a01168bb25372a8af0401998993c41fe12eef5eb46a29fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqEEAMQE.bat
Filesize
4B

MD5
900867d23a81a0968816270d843c7f7b

SHA1
bcfe33a36b2ce96dd4299ea29d5c0517f22c0f35

SHA256
115df1518113a924198f85808c3af68d6c67310f2dea5f8fd3c08640e122db83

SHA512
21811f40dfbc3df22bb2c626e12ce9c56181a2591ea6aa6b80508946adb75777bb69fb3912a2979798bc481a5c2b80d02e3237434ab40e45ba0eef24868ecd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyUEkQcY.bat
Filesize
4B

MD5
ded72e4e6bc182905b9fc149847d497a

SHA1
bc7cfb705c3e47b140abac9cadb78188354a4dfb

SHA256
b0fea18ca3043aef2ef914e25ccee6cbae437280520a91d3c27565e2b4674463

SHA512
70e09ab03cc45736471c1c32d545133fb8cdb2456c5e5c759c94f1b56da5fbae408e915f238136578d776193c434489dea9fbc273fafabb46e866ec22e9a457a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAgIMoEk.bat
Filesize
4B

MD5
5e7e2905e8d2765b86486c757ffe4a4d

SHA1
ca51780e07d80fd17a0026684b48f05824084f10

SHA256
9b669b080b77547bf6d13a31a4e8317fd2ef29612ad392f925b3ae73695d686a

SHA512
998413083d13bd48d29fb1f46a414953b19389998ea1db4d80a5e3b920aa604a1252d40638058cb9ac4380ebf173eefd4ac3ac6c5a9ca43c8c073a6d33a74392

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCAUcAII.bat
Filesize
4B

MD5
15b35992705d77c8fe2805469c2b45e9

SHA1
0d029d47696fa5f52c8f06db117f9ebbeae7b441

SHA256
dd27bc56727ac530db9045aa58c99785fc31752855a688e37aecce2c8286ab42

SHA512
f9082400f8401db93ab1fe0389f7744fcd70f091974620fc730d0f339fee3c92d5eb737377e6b546c85a97fb461241ebdadfc83335c26a9b92a2e14808862675

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCcMcAcc.bat
Filesize
4B

MD5
4a00c3d8cb841cbc282e64c5566b0a65

SHA1
264b69066fc7a42f245a7ae1f1c1822d98ddc117

SHA256
54685211efa36dc71b6844a89f9ab7b494a797e116c4349188c03fe52b87467c

SHA512
4a06d6028d008668219b9c9634f01c2254f20308ea0ea9574f6d0063c9093bf07c7d8a2531923fec83805326bfc50291e11ff359d832450402ea378aaedf1a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUMg.exe
Filesize
235KB

MD5
ea36fbef9e49b1d9059e7347b0f586c6

SHA1
8389156dfe8a4b836ce985f79e1fc360f2c2f1c3

SHA256
3c02e9665bda9310713e7ceabc772dac7a0d35319c2772aa22213701c59642ad

SHA512
1562ec455b389a330b7c95c86e17e4cd11868e60edec32aa91608acf38a945b1fdd2d6d74c1fe27993b36888a40ce43cf3d5075de3a9487ebc4f3bb462c812af

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsksIUwQ.bat
Filesize
4B

MD5
8304747a692bddf5bac4c8136c83d356

SHA1
7fb3e62073b345210f1f1b44dbc432b15c058a2c

SHA256
06d65971e58ba7624a3b0483a5c83651e07633a51c181f838b3bb5dce5a3e535

SHA512
72b76e3a739c10ab90bd4ba063f7750d95d304dc47c564df233bee6abd8c6407f94805c1e646c935398a2f40ae7edb2d533f3091f38366f4a2365397c14217a6

Download Submit
\Users\Admin\HUwYcIEU\HAEwYIsA.exe
Filesize
186KB

MD5
1f899e1d3f15caef4b3d5d0968803ebb

SHA1
b1a05e88f2b6dd88974cc0f131ec41c104e8a95d

SHA256
b178efaf0beec362a949e2593c8839d2504f93790dcbc09d4595620cf66db316

SHA512
5102654881438cf2f8568ffc368c5310d5c15bfa911cc1555b34de4894c57e1ca007789dad1636a57ab5b6db233176d780776c13b29d39e08c1c9a9f7753d24c

Download Submit
memory/436-257-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/436-283-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/436-80-0x00000000001E0000-0x0000000000217000-memory.dmp

Filesize
220KB

Download
memory/436-79-0x00000000001E0000-0x0000000000217000-memory.dmp

Filesize
220KB

Download
memory/768-401-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/768-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/776-329-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/776-330-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/796-161-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/900-451-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1468-82-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1468-114-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1516-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1516-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1516-4-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/1516-27-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/1544-441-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1544-450-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1552-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1552-249-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1624-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1624-306-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1660-127-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/1840-273-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1880-353-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1880-377-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1908-163-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1908-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1932-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1932-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1984-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1984-307-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1988-390-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1988-392-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2076-304-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2076-296-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2184-211-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2184-233-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2292-425-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2292-449-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2316-106-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2316-137-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2364-369-0x0000000000120000-0x0000000000157000-memory.dmp

Filesize
220KB

Download
memory/2492-103-0x0000000000160000-0x0000000000197000-memory.dmp

Filesize
220KB

Download
memory/2492-105-0x0000000000160000-0x0000000000197000-memory.dmp

Filesize
220KB

Download
memory/2676-41-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2676-66-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2704-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-185-0x0000000000180000-0x00000000001B7000-memory.dmp

Filesize
220KB

Download
memory/2712-184-0x0000000000180000-0x00000000001B7000-memory.dmp

Filesize
220KB

Download
memory/2756-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2808-225-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2816-209-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2816-186-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2872-331-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2872-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2924-57-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2924-90-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2972-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2972-234-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2972-258-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2988-40-0x00000000001D0000-0x0000000000207000-memory.dmp

Filesize
220KB

Download
memory/2988-31-0x00000000001D0000-0x0000000000207000-memory.dmp

Filesize
220KB

Download
memory/3064-210-0x00000000001B0000-0x00000000001E7000-memory.dmp

Filesize
220KB

Download