kinsing | 084c98843a6c5ef5db7af05b162b448a91d3eeb441936a40c60bf59eab1ab4d3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Size

213KB
MD5

a4396d5a9e6a31e5116c75ed8445a710
SHA1

eab2c89654a5c3953ae54aec2709325b3cdf5e97
SHA256

084c98843a6c5ef5db7af05b162b448a91d3eeb441936a40c60bf59eab1ab4d3
SHA512

795687a36d1f5c68727ded5ed66d1ac9de37c93ee1a8098f4dfea09420f8665e70b329eefde0922748c9393bac9e0e4da27757e46ed1aebad026ec33ed6f26cb
SSDEEP

6144:Pj79Ib17HfGLOF/QjvVbSgPKK7xxUjR3mB9ppVGPcN:r79K7HfGL7Px7xx0tmB9C+

Score

10^/10

kinsing evasion loader persistence ransomware spyware stealer trojan

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.execmd.execmd.exereg.exereg.exereg.exeConhost.execscript.exeConhost.exereg.exereg.exeConhost.exereg.exereg.execscript.execmd.exereg.execmd.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execmd.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exeConhost.exeConhost.exereg.exereg.exereg.exereg.exeConhost.execmd.exeConhost.exeConhost.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exeConhost.exereg.execscript.exereg.exereg.exereg.exereg.exereg.exeConhost.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exereg.execmd.exereg.exeConhost.exereg.exereg.exeConhost.exereg.exereg.execmd.exereg.exeConhost.exereg.exeConhost.exereg.exereg.exereg.exeConhost.exereg.exereg.exereg.execscript.exereg.exeConhost.execmd.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fsUgAkso.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	fsUgAkso.exe

Executes dropped EXE 2 IoCs

Processes:

fsUgAkso.exemUgscsUQ.exe

pid process

1244 fsUgAkso.exe
3448 mUgscsUQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exefsUgAkso.exemUgscsUQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fsUgAkso.exe = "C:\\Users\\Admin\\LyUgggEw\\fsUgAkso.exe"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mUgscsUQ.exe = "C:\\ProgramData\\IScMUQMA\\mUgscsUQ.exe"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fsUgAkso.exe = "C:\\Users\\Admin\\LyUgggEw\\fsUgAkso.exe"	fsUgAkso.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mUgscsUQ.exe = "C:\\ProgramData\\IScMUQMA\\mUgscsUQ.exe"	mUgscsUQ.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execscript.execscript.execmd.execscript.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Drops file in System32 directory 2 IoCs

Processes:

fsUgAkso.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	fsUgAkso.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	fsUgAkso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3668	reg.exe
368	reg.exe
1968	reg.exe
2672	reg.exe
1584	reg.exe
964	reg.exe
2776	reg.exe
4108
540	reg.exe
3364	reg.exe
3744	reg.exe
528
4448
4916	reg.exe
4960	reg.exe
1812	reg.exe
732	reg.exe
3600	reg.exe
4128	reg.exe
5056	reg.exe
3600	reg.exe
3088
2276
2784	reg.exe
2972	reg.exe
1028	reg.exe
2208	reg.exe
4228	reg.exe
2536
4568	reg.exe
5032	reg.exe
1636	reg.exe
1684
4704
792	reg.exe
1544	reg.exe
436	reg.exe
408	reg.exe
1376	reg.exe
3532	reg.exe
1268
2420
1648
540	reg.exe
4888	reg.exe
2492	reg.exe
2044
3088
4432
632	reg.exe
3884	reg.exe
408	reg.exe
2392	reg.exe
912	reg.exe
1780	reg.exe
2208	reg.exe
4104	reg.exe
4680	reg.exe
1484	reg.exe
4632	reg.exe
4108	reg.exe
400	reg.exe
948	reg.exe
3976	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exeConhost.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exeConhost.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

pid	process
1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1608	Conhost.exe
1608	Conhost.exe
1608	Conhost.exe
1608	Conhost.exe
3260	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3260	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3260	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3260	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2576	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2576	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2576	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2576	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2156	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2156	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2156	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2156	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
1892	Conhost.exe
1892	Conhost.exe
1892	Conhost.exe
1892	Conhost.exe
2512	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2512	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2512	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2512	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3952	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3952	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3952	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3952	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4992	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4992	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4992	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4992	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2852	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2852	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2852	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
2852	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4912	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4912	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4912	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4912	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3260	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3260	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3260	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
3260	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
464	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
464	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
464	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
464	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4164	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4164	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4164	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
4164	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fsUgAkso.exe

pid process

1244 fsUgAkso.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

fsUgAkso.exe

pid	process
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe
1244	fsUgAkso.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.execmd.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.exe

description	pid	process	target process
PID 1176 wrote to memory of 1244	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	fsUgAkso.exe
PID 1176 wrote to memory of 1244	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	fsUgAkso.exe
PID 1176 wrote to memory of 1244	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	fsUgAkso.exe
PID 1176 wrote to memory of 3448	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	mUgscsUQ.exe
PID 1176 wrote to memory of 3448	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	mUgscsUQ.exe
PID 1176 wrote to memory of 3448	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	mUgscsUQ.exe
PID 1176 wrote to memory of 4568	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1176 wrote to memory of 4568	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1176 wrote to memory of 4568	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 4568 wrote to memory of 4432	4568	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 4568 wrote to memory of 4432	4568	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 4568 wrote to memory of 4432	4568	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 1176 wrote to memory of 2784	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1176 wrote to memory of 2784	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1176 wrote to memory of 2784	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1176 wrote to memory of 4416	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1176 wrote to memory of 4416	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1176 wrote to memory of 4416	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1176 wrote to memory of 4520	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1176 wrote to memory of 4520	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1176 wrote to memory of 4520	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 1176 wrote to memory of 5104	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1176 wrote to memory of 5104	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1176 wrote to memory of 5104	1176	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 5104 wrote to memory of 2004	5104	cmd.exe	cscript.exe
PID 5104 wrote to memory of 2004	5104	cmd.exe	cscript.exe
PID 5104 wrote to memory of 2004	5104	cmd.exe	cscript.exe
PID 4432 wrote to memory of 4360	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 4432 wrote to memory of 4360	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 4432 wrote to memory of 4360	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 4360 wrote to memory of 3936	4360	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 4360 wrote to memory of 3936	4360	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 4360 wrote to memory of 3936	4360	cmd.exe	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
PID 4432 wrote to memory of 1364	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 4432 wrote to memory of 1364	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 4432 wrote to memory of 1364	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 4432 wrote to memory of 3512	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 4432 wrote to memory of 3512	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 4432 wrote to memory of 3512	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 4432 wrote to memory of 1780	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 4432 wrote to memory of 1780	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 4432 wrote to memory of 1780	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 4432 wrote to memory of 912	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 4432 wrote to memory of 912	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 4432 wrote to memory of 912	4432	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 912 wrote to memory of 4268	912	cmd.exe	cscript.exe
PID 912 wrote to memory of 4268	912	cmd.exe	cscript.exe
PID 912 wrote to memory of 4268	912	cmd.exe	cscript.exe
PID 3936 wrote to memory of 1160	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 3936 wrote to memory of 1160	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 3936 wrote to memory of 1160	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe
PID 1160 wrote to memory of 1608	1160	cmd.exe	Conhost.exe
PID 1160 wrote to memory of 1608	1160	cmd.exe	Conhost.exe
PID 1160 wrote to memory of 1608	1160	cmd.exe	Conhost.exe
PID 3936 wrote to memory of 948	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 3936 wrote to memory of 948	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 3936 wrote to memory of 948	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 3936 wrote to memory of 2980	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 3936 wrote to memory of 2980	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 3936 wrote to memory of 2980	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 3936 wrote to memory of 424	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 3936 wrote to memory of 424	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 3936 wrote to memory of 424	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	reg.exe
PID 3936 wrote to memory of 4832	3936	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe	cmd.exe

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execscript.execmd.execmd.execscript.execmd.execscript.exe2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\LyUgggEw\fsUgAkso.exe
"C:\Users\Admin\LyUgggEw\fsUgAkso.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1244

C:\ProgramData\IScMUQMA\mUgscsUQ.exe
"C:\ProgramData\IScMUQMA\mUgscsUQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICYggoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkYksYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:3512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
4⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
6⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
8⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
10⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
11⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
12⤵
PID:688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
14⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
16⤵
PID:1144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
18⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
20⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
22⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
24⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
26⤵
PID:732

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
28⤵
PID:3636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
29⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
30⤵
PID:4036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
31⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
32⤵
PID:1112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
33⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
34⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
35⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
36⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
37⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
38⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
39⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
40⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
41⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
42⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
43⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
44⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
45⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
46⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
47⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
48⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
49⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
50⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
51⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
52⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
53⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
54⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
55⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
56⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
57⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
58⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
59⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
60⤵
PID:3936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
- Modifies visibility of file extensions in Explorer
PID:4916

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
61⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
62⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
63⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
64⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
65⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
66⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
67⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
68⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
69⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
70⤵
PID:4304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
71⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
72⤵
- Checks whether UAC is enabled
- System policy modification
PID:4112

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
73⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
74⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
75⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
76⤵
PID:3328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
77⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
78⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
79⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
80⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
81⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
82⤵
PID:800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
83⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
84⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
85⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
86⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
87⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
88⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
89⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
90⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
91⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
92⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
93⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
94⤵
PID:3980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
95⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
96⤵
PID:4032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
97⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
98⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
99⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
100⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
101⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
102⤵
PID:464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
103⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
104⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
105⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
106⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
107⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
108⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
109⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
110⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
111⤵
- Checks whether UAC is enabled
- System policy modification
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
112⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
113⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
114⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
115⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
116⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
117⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
118⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
119⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
120⤵
PID:3980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
- Modifies visibility of file extensions in Explorer
PID:1972

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
121⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
122⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
123⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
124⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
125⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
126⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
127⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
128⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
129⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
130⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
131⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
132⤵
- Checks whether UAC is enabled
- System policy modification
PID:3744

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
133⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
134⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
135⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
136⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
137⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
138⤵
PID:4588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
139⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
140⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
141⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
142⤵
PID:4380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
143⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
144⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
145⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
146⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
147⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
148⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
149⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
150⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
151⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
152⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
153⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
154⤵
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
155⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
156⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
157⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
158⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
159⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
160⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
161⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
162⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
163⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUocgUcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
164⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
164⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQokAQUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
162⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiUIIEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
160⤵
PID:2764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies registry key
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCAEQwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
158⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:2360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAokwoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
156⤵
PID:800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcIggkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
154⤵
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
- UAC bypass
PID:1400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMkYIIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
152⤵
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
- Modifies registry key
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqkwQYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
150⤵
PID:2088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YigAUoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
148⤵
PID:384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSwUAksg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
146⤵
PID:4784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
148⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies registry key
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
- Modifies registry key
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgkkMooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
144⤵
PID:5032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMAIwEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
142⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies registry key
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haEIsUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
140⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuAwMAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
138⤵
PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:1532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkEIgAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
136⤵
PID:4156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- Modifies registry key
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
- Modifies registry key
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwQQMUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
134⤵
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:1112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iacgsIok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
132⤵
PID:1636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCAkwwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
130⤵
PID:796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYsgEMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
128⤵
- Modifies visibility of file extensions in Explorer
PID:408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWcQIoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
126⤵
PID:528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dikkUQAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
124⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUssgoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
122⤵
PID:3744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWososUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
120⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwYQgowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
118⤵
PID:588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies registry key
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQwMEMkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
116⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:2208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- Modifies registry key
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAUUkwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
114⤵
PID:3896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiEYkIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
112⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:4108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAcokEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
110⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SewIEIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
108⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- Modifies visibility of file extensions in Explorer
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWksoQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
106⤵
PID:1088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
- Modifies registry key
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcQYMoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
104⤵
PID:2996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
- Modifies visibility of file extensions in Explorer
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEEwAcYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
102⤵
PID:1068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEQgwIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
100⤵
PID:4104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:4184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGQYMosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
98⤵
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies registry key
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwcocMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
96⤵
PID:4528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:2068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUUcAQcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
94⤵
PID:4900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:4304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwYgAsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
92⤵
PID:3812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:1852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
- Modifies visibility of file extensions in Explorer
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:3532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSgAEQMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
90⤵
PID:3520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:1928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYEsgkMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
88⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:4304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOwIYIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
86⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqgMMwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
84⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:2672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
- Modifies visibility of file extensions in Explorer
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQUIcUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
82⤵
PID:1928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiUcMEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
80⤵
PID:464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKwEgQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
78⤵
PID:4920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LagYEUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
76⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
76⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmsAUosg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
77⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
77⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
77⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
77⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
77⤵
PID:2920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
76⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyYMkIEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
74⤵
PID:4600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUQkMYsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
72⤵
PID:588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
- Modifies visibility of file extensions in Explorer
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies registry key
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmMAksEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
70⤵
PID:4836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:4380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:3520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
- UAC bypass
PID:3192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAAAEMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
68⤵
PID:4032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcwAEYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
66⤵
PID:4164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYowocQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
64⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PigkoUAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
62⤵
PID:4380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWYUossQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
60⤵
PID:3896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuMAgEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
58⤵
PID:3512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmoEQIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
56⤵
PID:3684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwgkQoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
54⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQIQckwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
52⤵
PID:4012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- Modifies registry key
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
- UAC bypass
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqkAEgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
50⤵
PID:1420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcUgoQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
48⤵
PID:4224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeoUkIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
46⤵
PID:3088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSgIEMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
44⤵
PID:1828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:3456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:2088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eykwgQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
42⤵
PID:436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmUIggUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
40⤵
PID:3716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOMYkMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
38⤵
PID:2900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:1812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
- UAC bypass
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMIUUgYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
36⤵
PID:1832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqkwAkcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
34⤵
PID:4776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqcogcUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
32⤵
PID:3512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIUAcgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
30⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgccUAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
28⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecAoEMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
26⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies registry key
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISEYEYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
24⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAkMIQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
22⤵
PID:3972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies registry key
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:3304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqAMEkUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
20⤵
PID:3520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSIAUEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
18⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSMIEMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
16⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYoYQogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
14⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywgsEQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
12⤵
PID:384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMoUscIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
10⤵
PID:2684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssscsEIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
8⤵
PID:3312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmcQcwkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
6⤵
PID:2436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUEQsgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
4⤵
PID:2432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
- Modifies registry key
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKAAsUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
PID:4832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4948

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1712

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKIoYQQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
1⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
2⤵
- Modifies visibility of file extensions in Explorer
PID:688

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
3⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
4⤵
PID:2684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
5⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
6⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
7⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
8⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
9⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
10⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
11⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
12⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
13⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
14⤵
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
15⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
16⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
17⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
18⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
19⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
20⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
21⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
22⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3276

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
23⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
24⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
25⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
26⤵
PID:648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
27⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
28⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
29⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
30⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
31⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
32⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
33⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
34⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
35⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
36⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
37⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
38⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
39⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
40⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
41⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
42⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
43⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
44⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
45⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
46⤵
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
47⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
48⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
49⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
50⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
51⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
52⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
53⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
54⤵
PID:1172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
55⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
56⤵
PID:3704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
57⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
58⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
59⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
60⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
61⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
62⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
63⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
64⤵
PID:4552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
65⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
66⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
67⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
68⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
69⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
70⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
71⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
72⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
73⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
74⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
75⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZskgUgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
74⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYMMocIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
72⤵
PID:1108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
73⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
74⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
75⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
76⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
77⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
78⤵
PID:4768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
79⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAIUgsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
78⤵
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
- UAC bypass
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQQsYoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
76⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
- Modifies registry key
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heUgMAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
74⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIMskYAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
70⤵
- Modifies visibility of file extensions in Explorer
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:3288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmYwggwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
68⤵
PID:4228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- UAC bypass
PID:3860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
68⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agMUsQQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
66⤵
PID:1624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:4708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmIkYsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
64⤵
PID:4316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
- Modifies visibility of file extensions in Explorer
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies registry key
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:3056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
- Modifies visibility of file extensions in Explorer
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmgkEQcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
62⤵
PID:4036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOokYIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
60⤵
PID:4992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSgUMUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
58⤵
PID:212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyIksQwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
56⤵
PID:4304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pukIMksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
54⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:1808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGwgMosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
52⤵
- Modifies visibility of file extensions in Explorer
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:4328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsMYsEME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
50⤵
PID:1364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UogEwgEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
48⤵
PID:3716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:3388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
- UAC bypass
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:4648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUYgIQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
46⤵
PID:1440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:2364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:2940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWgUYQYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
44⤵
PID:4108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- UAC bypass
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgQYAIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
42⤵
PID:1344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuUskIcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
40⤵
PID:1096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGUsAIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
38⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:3240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueMEkEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
36⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaggMoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
34⤵
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
- Modifies registry key
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOAoAYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
32⤵
PID:4708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:3520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:2068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGgUsocA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
30⤵
PID:464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:3184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:5056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkIQwEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
28⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWsAQAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
26⤵
PID:3240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:3860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
- UAC bypass
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWksIcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
24⤵
PID:3184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYAUUEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
22⤵
- Modifies visibility of file extensions in Explorer
PID:2492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:3704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:4728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biEsoYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
20⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
- Checks whether UAC is enabled
- System policy modification
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwQgUQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
18⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYsIsQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
16⤵
- Modifies visibility of file extensions in Explorer
PID:4108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqUUoIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
14⤵
PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocgsgAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
12⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:2492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEIYYgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
10⤵
PID:1348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
- Modifies visibility of file extensions in Explorer
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUUsswsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
8⤵
PID:2284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwkQgswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
6⤵
PID:3288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqcMwkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
4⤵
PID:720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:3972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWQoUIsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
2⤵
PID:220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
1⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
2⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
3⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock"
5⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWkMQsII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
5⤵
PID:4576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgIEIQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
3⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSsMYkso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock.exe""
1⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
2⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IScMUQMA\mUgscsUQ.exe
Filesize
180KB

MD5
95b337aa80812eafc9e81874e8ad3a57

SHA1
0a59bbab4bcd126dc93440a7c0edb0c761625bf5

SHA256
663a87e2945b8569f7703d154cdb342a2cf148976a8034f4ae3088ff41d33d92

SHA512
75f9e800f11fd047b1a849a2cb5f3dbcd1239d0fc28a1ac97b3824dafe432e9beb4fae2acfec28b86e6a7b5f7582410a1578a26bb47b923f11232b909281c8eb

Download Submit
C:\ProgramData\IScMUQMA\mUgscsUQ.inf
Filesize
4B

MD5
9a34109f6900c2df0489fa6956f96f1e

SHA1
a92e31c97631a37c6e3a61089a202c77ed3ff578

SHA256
db7f1bfb5362a69213d5f42c86e95a8be1e9a46c98520408cbb9a38fa3033828

SHA512
fadf1ac1fc8e5c9d1283ab0cca7316ea25a176635305c2fb37981e8703120e10086f70581b0a01885c9f198fae5b23fa0dd6bcd9e8c844e6cc87883785f2173a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
211KB

MD5
30766dd672944f0120638e39d628b8ce

SHA1
a68143ab2796106be09c490fee9ff7a904687fc3

SHA256
4adae8370b9e7c8fb406504137a99c65d4936834fbd04ba68de9788e3b7059a4

SHA512
dfc76317f9056e0f710044987e20fc1cf4e692c6c56ff1d1763b061e5c733e97f174c6e692674611feac448855256d0d13ede1915388b91c00b6fed0a41cbb44

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
Filesize
202KB

MD5
c3e3a26e24095fdcc5354d8fc4ff705b

SHA1
20bc38fd689f3471a568d7ff0538290f343e257c

SHA256
fca3a9d00654bed292e1cf2e8b1162febac93d23b980d60949388cf22cb19ff4

SHA512
206581781edf8a8e2ea1c8ba9e564ea1db2f6007fd43ac0a7183b5ece8373289fe0aef7de48ddfc49b03424303e8397af9094a5c6cfba174eae422ca989b6b97

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe
Filesize
194KB

MD5
25a457adf41e0bedba98ad63959f8f3c

SHA1
2b80290f90c1f3d2749b888eb1fa17f0f45c9235

SHA256
8c53d78eedf03523aae6f7a1728cf9979c0222b3f125ed67febbd1e616367dfb

SHA512
ae6f9c9468f7583971cfec6a310e5bfa91fc65666cfc362c60c8c1e8b4b70fb5f55cbc834a49ed3a5a45c4efbf26f51c4900249e6d9e2a1f9dd7a30639e750d3

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Filesize
642KB

MD5
e1fe26b37f83575d5746edb20c2b2a0a

SHA1
c211f94d7f5da66a34053d479b1c6e89592af562

SHA256
31718052bbdc4b06876a914a2d8eba30a3f8101762e5c1add938c63efbe96ea7

SHA512
98e371b005f44b144ad755d1a2b0be4aaeb72a7a4d46340a9c5164c88ab80d7255595a72a4e5f7c16caf108441102461ccbcf2ffc0ad20023e289c4db1270ab4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe
Filesize
204KB

MD5
136b03d6f984dbf5df08c2dd5c70a38d

SHA1
c168caed94a775c74b7c487a1bf0726351f46c61

SHA256
ae448bdf184682e5cf6d1a57fc94b5ebad9ac45e58bedaf956419b475c7642c8

SHA512
d6f4a7e43cbccb5390da7847214f3639e07b9c2644584fb7ab188e2e2286d38a95707e2a529e478cb8d212ce8a0819270e63919044b205ed3a4455f7debd0393

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe
Filesize
201KB

MD5
9b43ec770e8c75b7f1a1c0d16e274bb3

SHA1
a2e338919aec42d563c42d8c656457b28cc8470b

SHA256
c69f116a5e4c81b627bacce2ce778237b3ba3ca4f8647b20c1b036df39d5cac8

SHA512
c186b0df349b01e557a676b9bc734601dc3f831d694865d413ad4a6d4d2c1644f6a303134f8e30fc065d2de9edfcd20b2838b082a822dd2690126cb3aa69eec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
Filesize
559KB

MD5
31df8b4aa81e0da5f89e907eda05874b

SHA1
d69b69e8149891e65bd2f8120ff421d06422e211

SHA256
d14cc1dedd5875611c4a30ad1a1d0c7371975475a8caf5cafa621d7610ddb73e

SHA512
4ff7cbce065b0a9e2ddc6e2ff7d7042ba89c22eaa9c938d1e617f5dbca64985f9a3a69f141ae2bf73c0051b64d2467f7a2017e2d8f5602a106a3211b8e134eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
Filesize
187KB

MD5
25f9b98e45813a2745f484b49dfc1ff9

SHA1
72a5b82a882a36ca247fc6652ff313665da391a8

SHA256
4c1969d4b42442a76cb158e0c9f6a880d85f51d2d8c570a702d3a9bff381645e

SHA512
56a223bfb5927bc4f5575736c980a0970305f28ec018eaf1c86bf44ed778b097387eb364a53bf8e9aa27e75c599bf445c4dccc456ddbcd0653d56eaf3652f01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
Filesize
205KB

MD5
e81378636c7aa46402ae1b4558fe40ea

SHA1
eda2d7c5c7dd053551f6a150aba7af04bb65b150

SHA256
e87f01fd825a7548a3fe082a0d304b6e1e5deb30a0ba1f6bc702aaaf9e196b0e

SHA512
719a328e6f40975e2a4e944361865b824711a5a7a8e70eccc48248093fb99f3a2c3e19b2954a08a5c374fb82d747dadbac90e54285ff67f9c0f70a9e226ec0a0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe
Filesize
189KB

MD5
c1f6941b8feedf9ca21ecf470ac08275

SHA1
95f703ac4254f467075f495d72248031cab2cfd5

SHA256
e89cda03b9d2413381e061a30f4c929d5fd43409558f27b9cc240fc32f7ee020

SHA512
8a0da43f03589810db4e6928084be7ac78b0890f928794509401ce4059b47973d8d8d407e1240de68d0f67923873ff49f486cb1d73f43c77ba063c8aaebcac24

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe
Filesize
180KB

MD5
f34d4de986fb8faaabc6b8b65bff6e59

SHA1
85fee1195e56b4940a2220f1018ca97c57789bd9

SHA256
e1a7a3af5564a762d5569ebf0c33c1034761f6e502d5f73fa8fba2e55f372e97

SHA512
ed9ca2651821f280c402fb61c59f9a2c37812090325707b5e91c717c35701bff7b6533a4c16579c8a97778cac2dd3110e5b478e2f63a0ad1d452850fd0341012

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-25_a4396d5a9e6a31e5116c75ed8445a710_virlock
Filesize
6KB

MD5
b1d0a5c199d9edc1a273e408124ed491

SHA1
82dbeb87395618e9292b9dd7a414086ae43cf412

SHA256
512c67620d9906aa3db4ebc6839e4a74c832e750d4805c77d6de0e6a76740d77

SHA512
3c3eefcf3679d578fe6d4891071ee4bf2d6e7ae9366affee4838f7a161005035a390aaedbce5527f55fdbd622bcfc47a86b094feeb7f7f454bc71bcdbfd746d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEIs.exe
Filesize
201KB

MD5
cbfcdef39d02cf2aaa1f2699d9ac7323

SHA1
76ba7041f87e4b0b262ccc26fb493ac77b62be06

SHA256
aeb7a6a681fb7722c26ec74298157a4f83294fa52f0d83b56b94d129aed0d642

SHA512
669478e4ac60b36195a7838f5234b59aba326334aa7749fd8bf5bb8c93328965d08969e8666123196c4491d4852e88d6f93e12bcc7782f740cbec3407466fe6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIka.exe
Filesize
242KB

MD5
2c0ddeff6120f5ef29a973867345646f

SHA1
f57143a085ee95958f89d71435c22d719aae0ca2

SHA256
a45ede2ded97932bd7e12510487e80e6c3e03a55f51aa5490eb8c9845ef0f430

SHA512
4981274f921bf9b28db6a30a715f38c3123b8608f1c9d5b6eb35e46fca4010bd05ddacbdb2330754959e7eed1dd4ef709ee8f8604c763a0f9ab34dec673e7f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUMU.exe
Filesize
220KB

MD5
e86e1db5c530497e7858360b497ad9ae

SHA1
e8120f7c33f620fb3930664e1982169e3e7f91d7

SHA256
1955c1d60c9e9c0b600773f729eb5b360f78c334cc967db33c5b3b20e498a1c8

SHA512
cdd4103f12c8636e5d925d892a05896eb1b3cd961267a968a6005cb0c365e94c30fff353c207daf823b98c377a6216526a05889e22797811c54d2dc176abe6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aokm.exe
Filesize
202KB

MD5
09169decb38e7e59d8e9aba58e8cde13

SHA1
31d49bc2b4b79c96711b2191fac11054c41867d4

SHA256
04a38dabed51e6b594e33d9b83922134ed675c500994be23e407bd6b5331e778

SHA512
1db533398da02d2de2cd654366e5abbc6fa93b36e6dcb5b8c8cb9fd6cffc10e7159f0dd2c8fe48bcd7d59262ecb409cfb50a8ab9b6dad63ab0e8ae88fb841cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsYM.exe
Filesize
201KB

MD5
ce1263a4b1e5a5caf9190b4965660019

SHA1
7138516d4793e93995a324a75ec766887db97c28

SHA256
5576e7424b54f62e3a22f149e0b1ab1fec3f1519906109f6989cc82bc6f99c63

SHA512
f7383c4674fcba02232e24c6623be4b2f00a4ec56a09e569a9ab501fa1f3733dd0425566061a8a4b235e8a89844eadeaa10115973db99a5cfda9d48c11fa0d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAoI.exe
Filesize
229KB

MD5
c15d40bbbf842f21e4c540005afe0b67

SHA1
9f6ded890ccc30685bde805dad63d311d8dbd0a1

SHA256
1272f43ee13ed4e52e1254489ac7761550bd74d69178d628d37b7857f658a4e9

SHA512
fc794e028e5f21d6f7fd5f76e9b2baeca81cf7807fedd291489946eacc025d5ea858dffdb37f807ecf54549ccc1495f128fc078b1fd7fcf5e754dd66b6f8651c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIYo.exe
Filesize
309KB

MD5
23b1df94e0b484deb9fe01d9c2392d5c

SHA1
a60a3ae4a5df4a21c2fc8d43e6ad53fee089ec68

SHA256
c82e9640a8a785ba8dbf9505ced22fa8a527ab2947f972f758d16ba1a16f7d51

SHA512
505ca00056b66ab24e9a557b8613dc170ba9415f1beba7a0d4e9f2de02daf56e7b57b49915d91bb61c8a439d813d369a8191253451ca87070edb5a284eba18fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMIW.exe
Filesize
194KB

MD5
f38724c32a2f551eb9e2e9ca7c3e2a8f

SHA1
87256407aef35ae84f9202d166ea82567dd426a4

SHA256
2fa07ace43661ff66aaa2f7e418314ff066a1527a3d5b2150f73ba15c90c9ce3

SHA512
dc11e45b462bbd618869a9fd3211004ec96a83e8eaabe937e5d9f663fd9d0613b0033c40e10e76446d29f366a0f1ae9088a29805b416bc7a52ca38d4c57415e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMwc.exe
Filesize
207KB

MD5
1c7721504f3b5fcf743529d44144ae9c

SHA1
d7cff990ba8ecc6869cda5ffc640cfe0022d9ece

SHA256
8470b5eb8d5a52e15f113855baa8c57956639896872a26c13435837fb276b64e

SHA512
ffca612c5007cd33ddf50e06e2046970157f6eead34abc2296855b9c28793d6d1377e33cfb3f8bb85ace1fb53f883207e6e9288d2180db3d519fd3aa79dd241f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgka.exe
Filesize
480KB

MD5
1165cd21f96e26c2fcb942022ea3f993

SHA1
6be076ab5b887713b77e14215b5fcd619640b779

SHA256
6bcc742a0b57d9a7d0bdcf70e23cd1d2001f3bb57a08f459ca9f9750f6ef4c8f

SHA512
e5f8c1f41705c88a491697620fc74c8a928ac57440929ed3bf31c3a8ea53bea62c331a3cf840a1af61e16c64758426511e4a771d3ef97c2c747c54a59170788a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoIk.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwAo.exe
Filesize
198KB

MD5
e17833d5eb55493e8ed9fedeb806be2c

SHA1
cb15d6dfaa11b23a81b3519e5f9b0ec722d3933b

SHA256
1ac00b7ef1c90c815d61e84d2a631282495d7e388c55725e322207a8018290a2

SHA512
60cb6b166034e30fd399ab41f4331824fb222b1da8ed6a56e75b5b38e0fae224782a8fd483339b67d87f44b3b6f5c6c1e5029e61a176ace10214315bea97e3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEUo.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUcw.exe
Filesize
200KB

MD5
94d011440bce088567fc39f7bb3a6934

SHA1
ae3a3570d8cf9dae2fb4ef668706244878d5dfcd

SHA256
cd1af3cb25028b1d6ecded958d2fa73c385b106c83ee73b15a831793724c82d5

SHA512
b656469c8b244b8ecc1f436db4af070a36ce517e776975092ff2aa76920d0669b9adc22f125327bd904e6aa31363cb0046dc8cab28c407e28b5dbb2867a9cc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwss.exe
Filesize
613KB

MD5
162817d48b0d847fd850586109733267

SHA1
c7d328bd3440ffcc56b132c950b044d42584239f

SHA256
11499d3574200ee7e2bb24de0701f31dd2dda9a2ada0f915d710aa9568227d33

SHA512
87de8ac7116a84fea26c20de2c8a5e47660a33c47edd90e0428e8d108fd5eacded1dc4dd4af07d7c20e38bcc53070689269b9067fbd314e67a1d103d930de6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAIm.exe
Filesize
228KB

MD5
133a58122ceb4f7e2be568e875805230

SHA1
80d435331fe1c2ad9a96bf7633d5d328b957ee0a

SHA256
1e03605bb51919bcf4937933d9230996a79e508f5767f64b499a0c9229750c79

SHA512
847abdd7aa4209d4fd45ec519281727550e5a515266dc8165218a4090e08dcf27e8fc5a9477485a6ce05ebd13cd1d32b6a57f4a7d8f18cf594c81adfb76ca2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICYggoYk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIkk.exe
Filesize
201KB

MD5
b2e0214d5c67f18e184e6670de91be73

SHA1
b82a728863625b528fdba1a99a829a49571ea4b6

SHA256
b5bfcdf6ba1063de8905adc634414adb71d03e5e3e54aef8d42f118386076ac6

SHA512
c744caaa738ee37f0374391a3b5fbc0aca98d1d66a84a808e30db6326d27451f8fdcea5bcd751fe77eac7049563d0f74e0cd5903d641b29bd21fb4ee60e6047f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQEy.exe
Filesize
1.2MB

MD5
45237525889184ae0e4ec2d488c3e908

SHA1
30c5944e74cee44eb61bd2f98c9386f4038900b5

SHA256
6cedef38fdc431747c68bbc2b7453f0dd07e910256287ae0571c754101de14fd

SHA512
c3973e12aa859bdd31669b4573a8389d538bb2995dc1277879c9f2662594d916e3d4389bad37d31b3a8a2d59aa6949c39fddef05a333c04838d7580b5f3ff0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEcu.exe
Filesize
311KB

MD5
1d52d4ac39ffb88b80857ab75fe5d984

SHA1
81163a51f35760cf1f41cf14a817aaa50812b014

SHA256
c3db0050dc2be62f5e7405d925cc9f18ca5196b8eb7082a6add5a76ee42500df

SHA512
1ecc3009a3fbb32419b2405876aa71d18e12ceacfc7f2aa1261b6fe1f4b9de44faae2c8e109c122efe178596607bd2d07ad8b557a9773b682d32db711adc54f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIMA.exe
Filesize
327KB

MD5
42373454ed08a5c12ff5ad3be1b4dde8

SHA1
5aa379d7f413a84571318d3a9ee0603284c9f90d

SHA256
c0cd5e54e4de909074fc5dc882fbe7d218ed0638077952f681294f39e9349163

SHA512
0cddb926e80110164fcab124f43d9581e9652850df5d371ee43b19d9a995c574072bcbc3c2451d75b71157a55eddc2e8dd615263df754630ad21e35db509cd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAAi.exe
Filesize
208KB

MD5
69a944710128b58480601f9fbdcedb25

SHA1
5072d77af0fd12613be92e7c30ff11928e7774c2

SHA256
ca0ed60e2d1893ed6b36be834c4dd0135f22002308acc56cf6941258cc19ba48

SHA512
b876758c8c8ec9cf79c2d7430ec9e3169a3dd684138aa1749a189c710d0fa5d9b954e8234f6f3aa6d7fd876d1b61bbd5f268ee2d04cfb4c09ea7f173e058b1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIke.exe
Filesize
5.9MB

MD5
3d6ed8503e744329ca072ec389c2b234

SHA1
219b8f5c272b86900e65f44cf13cd6e8c985ee96

SHA256
549120f053ca779f00139a454f03bef6ede6f192999d4b1244c2ca48832877c5

SHA512
cc9e0cc90bca70f2cacc46bbbb349a853e525f6ae128712f938a0da6c3f4213b64446b3937ff048a5359220b3f8609509e35ad57d22f843c8326a34f7cb3bf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\McEY.exe
Filesize
188KB

MD5
fa121116480d1a3db3bf799d4349a489

SHA1
003185b6f14f3485b668478cd8b8ff2f436c2a1a

SHA256
7850d7d9534bf47825f7589ccc25dce350a77d09818c00269d6173279f56c37a

SHA512
a786b1f24270c01319f1f584461b999b34962ef5df33ec838ad36c6975559c75ee8016db4fd92cbdbb13d5d0e45e991fe2d053c7b0fee843953958b67df3c63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgsG.exe
Filesize
875KB

MD5
4834c6e2bc7494f0869400402288fa62

SHA1
0e4c06cad75ceebf78e162392378c6b1c2b514b9

SHA256
8b6a390045a89bdbdc4a522d2284898e5aabcd6f078a970e0f5ee5785146d8c6

SHA512
8242abefd799c792448c4794f8c6695a8f34b9c845bbc94526df9ed7e343d9a95953b09e087cbb8a58c48de84ab88de99167ccbac960a41eb997f0e7f4a88ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwcY.exe
Filesize
310KB

MD5
4fa7518012a00e627319ed7e16398fc6

SHA1
3c54f385b26b9e09146a6750100a2263938ac829

SHA256
61d8390c22b08af31cdc58baed9ac8ec6592cd89d79e14ceeed12ff06f85bbcf

SHA512
7a8cdd0f717b7105e4be487dcc3e557365d3d3feef9a0cce30ecff4a55a447effad631d4452d68c3641d05b4d11cc8e59cc551f7c3b53a42a7786eb0b7fad55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAow.exe
Filesize
786KB

MD5
cf2886ba4d351ab412aee05668128811

SHA1
d6fe643a9b8c138e6d53dcbd3e136fcf65c4bbf1

SHA256
dd7bb76ef8d5b82c29870e2d79be323ce318058e3ea550c1eeaeb7fd857fea23

SHA512
ac17c0881c94f5b034527be5a849e59e915208833860f6fbaf9eca20eacba978b8a67372c281bd21c999a091f4dfdc62eb80c4068a1baa166a84a0399be5254d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMQc.exe
Filesize
694KB

MD5
d399c33de1aa9c82f8d1f3960fdecaac

SHA1
795ac8ac1eebfea0fd9f6695ef980ad050605d39

SHA256
58fd0c0ed8b42d19c09b0111f5998431620759f6920e78bf5e3d5948cc071091

SHA512
740f7e45cc02e562788f0c33c00960ff76bcd56c7a38b6c782580de16d4d243879adda392289617ba92f67200148e1e71bdb6ff4f4c295323a4642cc4079ff54

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQMm.exe
Filesize
648KB

MD5
273b099e1bab10eff55a2dac0879160f

SHA1
b8fac7649b7221865a0e0e6140161fe204d10e2e

SHA256
4ac176b90ca603884bffb8cea41d945e732d77cbf4460797e15a0382e83c99f2

SHA512
3a1e9fe6c3a032c799286826607f6a9b32956c9a61195e12373083468f634b1ea0a7fd3b2008385f9855007635fada5786c100c6ab42674758026f6a3fc0f2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYAU.exe
Filesize
202KB

MD5
ceac83641bbf3f805504fe268d071426

SHA1
53f9d7f5faf52143d7bdfdf22cc3a4533cac04ba

SHA256
d40c268f90fcfaa9b57f501f10a26c935b5a97cd865071ea00f3532f411a6a8c

SHA512
f96cf29e2610d210622cf481a5478828b62c434c936dce29eb8cc81d34ebe7a24e47a020df74e39864718c94aec238d17e1770e358e85f3fe4247a72f6c0c52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwEI.exe
Filesize
536KB

MD5
a2b513ad27167791eadb68779084dbbf

SHA1
7a0ae202e69bbeea3545e60f1f37eab81d1fff70

SHA256
e3b1fe51c10fe0907abce74530e566ddb3c8c12fb37f95b8ce04d675ddb3731b

SHA512
13d84d9c3ae9f6969e5406472090439d2c720ade9a5716431ae2ed283308b105ef1985e09df87e34566a4102a483dac21e32fd6698e73292bc66fb4fd89ea680

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEgw.exe
Filesize
201KB

MD5
289f39267e6c2b2fdfbde5880643d71d

SHA1
d8493849814455b3a85e51bf48dfc1c30b197007

SHA256
0bba882fcecdec9abb33812c0e12d541504938d98f62a93e39ff27861d27ea64

SHA512
174a711de999c4de9dd3e7db2264997c96fa1dca05bd9fa3a5b26b8f8d0b473714ef880b74b50b7dce02c97bba96eacc56089e6d01ebefb81db9ffac38b1f332

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcsw.exe
Filesize
199KB

MD5
8eed99f501adbd2feff300dd695fca7a

SHA1
390c09fd32ec13f2da9df18e902b93bc3606c02d

SHA256
5fe4fd316818535ad8271aa36bf7c3f1b07dc6c1b411f0e94954e6a4a4324d55

SHA512
4229294a7a0b896fccd064513f6253ace0cb27f12144a4b727370e9ad75d5e161855a0cd427114c01ff6fe3d224f9e9dc13b6aa67464be728cd88acb4b01e4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoAC.exe
Filesize
192KB

MD5
2da313fc2f90ec19c60ed525235fb371

SHA1
04ca92c381e2dc600bc1817c7cbc7e9a302998e5

SHA256
ed1d0d97421cb0792a15e697ee484d891fa5721ba191466eb04dc3fa9038db49

SHA512
3cca13282fb92dce7f1d76013255861e373f6056030651597bfcefbdef456094a66d7708e809103d4513adb7642c2b4376e1a0de0085e2f404946f0bbb2c39d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUUm.exe
Filesize
203KB

MD5
f6d1c3049bc1df4ea0db8568485c6712

SHA1
7788ff94252e0a18bd0d24464b267b774a946880

SHA256
6a3f02de00011dba397ced6474497be1de88afab64452c6413d1f77076200b6f

SHA512
c0745e46acf24b2cceb0ab20c734044d5369e76e066b9ae7c14722eb2b2073c529b442ee622ccca0e430a16d70fe66ab2b206a368854fb567ed52df42c7b0947

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkEe.exe
Filesize
192KB

MD5
60e02a36052b9e4de5df9ebd18de0823

SHA1
476f5d074bc6993098db2e6d9fe8ff938fb99639

SHA256
1027422ceb02fa029c5c877994485163c9e84ab759b8a425cce0f5303a1db345

SHA512
440fd3458a237049dc73049e553619c5c905098d6fe176f7da6e1ff512020992bd09c0721d0ac0a2d4ca9052d9a3fe9f27ee4f6c9db7467f1202dfc5531c1212

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sokc.exe
Filesize
191KB

MD5
992798b86fa52d141c4feaf73f1773f8

SHA1
c3ac6c0b3062030687e9535da58023f2494bed95

SHA256
33a0da35b17fdd5575a6df930576548bde4ba4d0278a916d513fc3d1a598b25c

SHA512
18140e22271334ecdea053b47cd174e15538b39a33f482c931d21ffecc9d6381d8f85414baf92068fb8161159c642a0642fd22c3defcc0c4973ec8c9f1e8e119

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEsu.exe
Filesize
745KB

MD5
52ee09a414af1f3cb4ab74b5e6a3946a

SHA1
8d04d148d83af456bb1934ef1ef7fd9aad54e1b1

SHA256
aabc7d81946fea0fb781cd3a7b317dd91dcdb60996030f19902896b92cd93ae4

SHA512
a4957477c2a170deaecb1784f1c2ae3449fecd3c24baccdd487ea5cacd74b976c46b47ffa7f5b341b7c17ada76457d4f3936f0305fe45a3ff9236f797218e7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIUI.exe
Filesize
189KB

MD5
602a02cb52f61b5e6e443c6d0b1546e8

SHA1
ddc8fde872f64f1fbf9b6ad2fc8ab8e73dbf9dce

SHA256
4a646122edeceb2991ca55129af6f4591598b2b7625fb6063930b463cbb7fe7d

SHA512
3a35bafe924b781dfd962e0cc89e511d259bcb3cf2d6e1e4c9ba2bfe20175c705647624cc3a45b4456ad8bb46c44c835d771a671b14ed39d471fbc6dcde57b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYYS.exe
Filesize
200KB

MD5
3691e39671b1c3adfe0aca8a853e6b7d

SHA1
7fdfb836464ccf4336bc23404445ccbea986c78e

SHA256
99d7ca8ad8c0d8e2b885291789ff90ae5e5ed299bca3be7206dd25647b69271c

SHA512
cb3be8eb14b5da3275fc31c90c86461fe88743bb0e00d13b447b70ad43bc36db5ae2fbb9cf4478680d67b973baa88da5aff70340d1a57f98df1dea7d1d106b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgAe.exe
Filesize
234KB

MD5
71cbca9690e9777fce3f526c3c385554

SHA1
d852d8b5d9558e1f74acfe721fc3a7db626ff416

SHA256
d6bc7b19cb04f4d62b0676c2ebb2ddc85a9f030ee5c63647d3b0283322dc0b80

SHA512
98abf0324599a19d29a72d78d1c660fe0f96efb35677b497b2829a65949b3b23474216b33ae09b341e1a5cd2ab60d6d8fee01dbaea42be24d779e3e5d3a37165

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wkca.exe
Filesize
202KB

MD5
aed1be3c6dd080e3e340e86859405275

SHA1
df50a60658b9c32f0b930758a99f90ac4b296fe1

SHA256
34b1fb01062147dabbbfc093e2cee189a953fd247be60b20edd9337343d6fd06

SHA512
2e7c6cefc9d38dec122c1c3e1d3a8d2a9e05c7ad5492a6cf38ec93101b901b2cdc079116dcb0ca21755a66f30611f81b1bd921c28da9f75690442044db75e8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WosA.exe
Filesize
196KB

MD5
6b0c82cb129f8ecf34789af9ec5b7081

SHA1
49adab735b8be347afc03b15070d3d98fa67d16f

SHA256
4d927a144664e802eb645ac6bd304be299da72408838b7d8be20837d1cd74468

SHA512
cb51fa0168ab6afd135fcef24eee4eca6be0c14b6470b7fe5ad25c04f1c65377435bfb3dfb19cbce7500e9b03a91c342df338091c2085e2be5e0d57fbb10cac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ygsm.exe
Filesize
194KB

MD5
ca9f81853fea7f12987fd05479b7cbf8

SHA1
9dc1d16da41a8d66f9a568606514f65fd01f2565

SHA256
51aac1e3e63a55f8f061ea02761458201a97e7e2ad62cfda342000ac5f73ed84

SHA512
7cbf5636bfa8d52c89afc100df22d8594adb5a63096d2b7bb56b77a108653b44c23e67931eef960d35d9cbae3083ae2bef9b5948629dc104aa38afbfb726894b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoAO.exe
Filesize
183KB

MD5
2c22dadb79836bfa204901fdef448fcf

SHA1
b11d450a71282848f555a7995cb79634bd697c0d

SHA256
76cb17871b4427dbf4140c924ec2853cb89075493fa37dc4579ee494ab03f28d

SHA512
0fb5ff205a65ad60fb57591050f11d7692f73b3a5b582b6532013364ec9e3fff4aa05991538592c3ff5aa77ae64663bafa60b402d00e9917d90602a3016840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoIe.exe
Filesize
822KB

MD5
d775385119f3725c02a69895818d7d7e

SHA1
4327b25e82f228b3ba55b1c5fe91a3b67a234baa

SHA256
4c5a045a21ef389e177e69f49573fa837763985abc71b71abe10943bb55eee2f

SHA512
d9fcc3bae494e8782fe7405b8989b538c8aba3ec5b54635da4d6c62d5b457a76b6d6d594df9764781be06b460fe28b16b1a7b48c147656e5ffce9437f273f34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwUu.exe
Filesize
198KB

MD5
c7c71f7462c254b5b21889555336b09c

SHA1
8a7a54bea4d915214d86dfc89e168fbb8d0ff31c

SHA256
e56ddab00ea8f68067e43c3b6f03c4111b639ad091c309131db9a6e9510a3acc

SHA512
1237a3f2d16325ca70a659f47b46d05f1aca5a6d5be473e72334d97f2f635f25ee7ab848c5419694907bc681395316b001974f99ff1b3348575f73400ec6171f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEkY.exe
Filesize
635KB

MD5
84e87d8234dd3a025b247f7ac8ceb84d

SHA1
afef0b27de2c9100584a9d0ca643c5608c6bb6e2

SHA256
6f94c4634d76794f8ba20116b0b80ac4af96783bac0fbb2935319737e5687a09

SHA512
7d55b26e4fc3785c6985c02a071873536565e2f6657cdd545fea7c62d105389c27d2353432033cbb816db669ebd2f9d122679d373180ccca78966e89cd50bbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cowq.exe
Filesize
191KB

MD5
d2d883d7a76c96fbf7e92f7bd8ceca0f

SHA1
db3809f2c3219b4f3651168f257fcf809992d635

SHA256
7ea1e4f9c3ea13bb36f4170b0ca12baebaab7043f1d7cf46bb188e225e6bc561

SHA512
f4f913cee8183b9fac64f24a37b6cda27de8397cec6f377fb61aa20536dc35ba5e2ce15bb7f8ebb8ebdb6912216ad0d42a4dbaf7c75e9916d7a7671de9005f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwQG.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAco.exe
Filesize
194KB

MD5
c6615cfa0615d580248ff59568121460

SHA1
1352c1683c7f847c5432506a8d8240f260a2ec0d

SHA256
60f3ffc9fb99916bc5b13c6777e9b4b0d9efeca04dc4d4fbd25c7fec15baa5d5

SHA512
d0710402ba649e573ad574a99d00c3df54ff2b28562253ce598c86a55eddc788b171aaa13c470beca9f6e7063a6f7a8a80491dc3a7c73791d60d94484e9edc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMEm.exe
Filesize
203KB

MD5
ab8408eb135ad28561b620d3ccb270dd

SHA1
8eba2e29e38134e129315df5dee2832c7ce092d8

SHA256
5867bad29a8dc4cf4eada92180748e88955cd70f0f4524227429110ed9f277ca

SHA512
052e726e82b4f0b544bd64fa8071da7dcb44c1f150d29e20df3dec36b9d7c3b411093c8aec8a2a2383e2af5ef48e104067312f9a27082a49ed94d1a0348d9b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQQS.exe
Filesize
182KB

MD5
16838c12a15b65aeef6e177acc3d560f

SHA1
a78438daedf6ef777c75aa72ad7f268b338e0441

SHA256
51f8b8364b383521d20acc1b1b7419df07a57756ffbe60600965941a1cff7a17

SHA512
1d9f3decfb10919b506018a50b5fad909b7593631fb67ebb50e6b2ecdf2004ce5374559ceb13dd7c110654d51692224d71925b2b79164375b2037d292f26d1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQgW.exe
Filesize
781KB

MD5
e136485ae0c0f397f4839c85ffb8565c

SHA1
fdb037b5b1f432365382d3b5a7fcc0ac2888883f

SHA256
6a6628e35d6a251091f5713e12655ed5f6f157fde5c9d6916e15699577258ca6

SHA512
5a90a418a3d4f03c151573184e09f184243d01a140445f9c798491b84b5f7116c1e72966be9a4fb28a03edf06a8c06281ad57f4aa64588807b596d858b3cf714

Download Submit
C:\Users\Admin\AppData\Local\Temp\egky.exe
Filesize
5.2MB

MD5
508775342f488bf3d98731bfd221d131

SHA1
8e58525c5ba609d8f0d50f8f35641223f92ee317

SHA256
b9911bbdb30fc152fa13c9932dcc000f8e635cf761217723ce8f581fb448fd6e

SHA512
66fb2254b21f7ea6d817a40cc54c8d1a6b792adc9bc77d1e5953d4ea67b10a7596690e4331ab02e0264026558d254addbd8ba7a034b151d3284bdf2f2e245636

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsAY.exe
Filesize
194KB

MD5
a9367e19e91714b5d0c0a346b9a512cd

SHA1
ff981affc223c52e3597d5b6ed15cca219009f67

SHA256
36bdcc520974ef5b906b8d0037077fd2c0b08cc7e8eb7dc520d50e136eb44e2a

SHA512
fac9376307aca79fe3931b7f81232962fc4787e3720528f5ebca820acbcb1c39a03d0965a261d57393d25bf06e7a99ea717ce1d7f1e7af9859ab578dcc0094d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscQ.exe
Filesize
203KB

MD5
53ed10f73945bd7350f2674e821570ee

SHA1
04585e57d644e6350f6d981dc48eeea3fba44927

SHA256
d2ccc1dfc6fc0aae6748bec727b40684bced9393992fd9276c1df76aeec008ec

SHA512
895ea22e46a46a8181410248ac6642aa0dcca825cd8754c355e069958317a8aac8cb854359b0e67924d334d235cd8c0ae379a0ba1faed66396129c50cf0f6a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQkS.exe
Filesize
184KB

MD5
bc3177c8c8f214d7b1a64255ce2bd2b3

SHA1
d30f5fb2f0bacdca51e66136e4c4537f85d9acde

SHA256
2e5e1d26919f84f38547abf1e98d7bcbfe1b07a4fda50f57bab90cc321c6513b

SHA512
8a325caa5d449b1b599c8c9535269bc179209c927232d1e66b1f002695543f623ea8ba2aeb1c6b1a75d472758ff6e6dbe06cd5d4f2325ca578639cba119e50fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQwo.exe
Filesize
1.8MB

MD5
dc9d196d781e3beb9db1555f853d3bb7

SHA1
1e5a5831dbe6431680141863423f95b2edfd39c4

SHA256
27f0c76dc81c21b8593a3cfc37908a1912e3a1b865e78ecf2447acb9264679c9

SHA512
96e3b30d146cb5a3f2b9c98c2a413c1680125af40c4b919f9a01704f8b11117036a8593c6c5e041e8c732b557e2fa32e43587bb41581d20258285271b5e8b8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\igou.exe
Filesize
503KB

MD5
2e97802d70dc67a5e2437f0811a5ce17

SHA1
437c5e10f21844ddc8c883c0594fc5165e677039

SHA256
6155aa33d49e649b3315eb91a22bb36182abaff118d5ee910c6598aecccfcf76

SHA512
e071b1f71c7ccd1bfc0022973f01cf3a2a1f96e96437b02840a603b59c9a6fdfa783bd71cfeeb50631b0615d89a557edf51265fd12493f7f2eb9a006ae2b6a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioMo.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioYE.exe
Filesize
238KB

MD5
72dae3c84a72e0ee2fce9617e073bd4e

SHA1
b141d6b4616f8e66ca261fefe0355e78c6087d6a

SHA256
76a0252898de98cb66e427c03bd7262144ec1d54b1928ada559c920e3ca3816e

SHA512
f1cc882bb52cf38b2a90e4a52bcb6cf3725a4ab3ae91c4918880144c0889a8a6a9cf9b09bf62e91447aca9c027903e8bc9756bbe0cd5bbd17e3e222365a31f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEoi.exe
Filesize
427KB

MD5
9a7fb0ad0aa70b310f2b06c8852b2f2a

SHA1
bb612b57a15e944aa18e3614d304af63406ab527

SHA256
c8694bbf9e0ef06e9c2e46f0038b3d898c29c7df47310442c6e3124f3e56d45d

SHA512
a9596b32c734265584b3aa6ab6afb07eedbaa84a02a3d3ccace665907dc106230630ae614155934397a7d497b2ef8838d54ee0f69635616a29e9c2b2f415953e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYME.exe
Filesize
495KB

MD5
534ea02d6fb5401c42cdc57e7b163980

SHA1
099e45b4266e407100a476bb55914d7cb1affcc1

SHA256
a722a5dfce2eb16d0f57b05a9efbfd436b92d0034acc9ab9cd47be9bf7a60cf9

SHA512
12414c12de883a9fd72d466f4bbdd5f65801462392aacdc2d57f7e880d62bb9072964da9767d2df9a3eb78f9c6d1dc0c960514da7c50a700c5da5a1020e9cfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcMQ.exe
Filesize
228KB

MD5
9dd5f4349a818cfe258c54d7dcde1910

SHA1
bfd6762dc01de294e1405dac47e954a217692e9a

SHA256
f401a38b92a764991e1feda4fa6a2ae4bde07afaf54cb046e0dad0d6ea3f84c2

SHA512
609bbab3d2a0cbc02b4b0d07f3b23000a1c86ae057ed35a6ebfad816772ded0af6242249be6816cef20246499a31143d5a7fb8dd89f952bcd733ba984497070d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kooK.exe
Filesize
194KB

MD5
1528a3b7b00817b6138d61d049f3023f

SHA1
aef486cc1114a7eec5757d17715609af1a23c9e9

SHA256
e24aa84c745cef8cf1b29ecd7b6c9863dbf4070489e2b9841e5e66ad42a5b8ba

SHA512
a789a427cee44b8872b40d0fc7242fb3c68be99caf69025ec9b9c0955e72e6dc7b0c99d5ed1d883ea0c0f90df688dfaf0b5b3e6fc421815430fe27aa16e75a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMUu.exe
Filesize
210KB

MD5
5b08c8a1e16a30478fed2d9f62f95f09

SHA1
45534f1472dd739ceed7961320ffeaa1418a3d89

SHA256
420d578aa0ec222cb6ccc89993c952a6d0fbdf8457b5edbf6a120762ac7ff031

SHA512
5606346f4f2eab8e7445cd5d03bf35fb401d60bf4192ad3f61c396663971914148fa074851f9246cef1c6d34f7166fa6c539171430a96126de2ed55bde9722d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkgk.exe
Filesize
183KB

MD5
8022dd5924d7726b19dc4cb34de4ef84

SHA1
56c49c880c619d0d05c5e2eb1cb054c833be523c

SHA256
70f1a59ddb914740b54a704e071a51a19e5977168564892d818a9c4d6bf0a3c6

SHA512
7a83ce07ab276c93cd873547ec923e536f6f03658e663625db534f693d77b5588f67a80ca33c44094f4e328ffa44d945a3c3cd0af36c551e610d1a4c83bbd2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwAY.exe
Filesize
191KB

MD5
0d7ab6964b998764f0c24162b1245929

SHA1
8db39c99cf656f52316e56ae271665a7e3a79974

SHA256
81bac2e6945a2e78f1aac0ccd1ec09d6b7f064e41633eab590c9337453d87344

SHA512
8e8f50e480677f98b9a6f6cb940c563b6c55e8d1c9b253feac72504ef3c347fcf6dab3dda86239c1237888c69916f9acd04a10ed21c77143d97d4d829f17ec8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIS.exe
Filesize
194KB

MD5
d596280b48989db82653b2371bbaf4f8

SHA1
57aebf43ddf3c53c4d3e7bfd45d7f955b3d10326

SHA256
850fa75ddc19d91f07e7d399ca0968b8cd6cc7ca2ee5e3a5d008bb3a8dacd0d6

SHA512
911e0f5f3f3bbf58d2491eb415d430a48e22b090c827d76fdb27c4f9a361481fb110f557089033130da31627ccdee1f5477bde4677fab68da85d2fbf214b6e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEYg.exe
Filesize
656KB

MD5
062696ea89e31e9f2f34ee31f3c1ca30

SHA1
52b86315efb08562c3d3f9c0c7f7dee451138f90

SHA256
33706189a2b1490228f5f8e5712a644acc2f1a3f25f8b06f079924b9f3db94ac

SHA512
71bc12c598787dd56d71c0faf9493865478881f3b6b49868428e9dda6dd6514c9300c92cb3ef1d7c1ca04bf2da2d3868d2ee9fbc9891d3b58cfba34a1577a063

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIwc.exe
Filesize
195KB

MD5
041619356cc9cf9c5c820e2c096242f0

SHA1
79b215dba6b9d1d1e561dc5b094ac6b30033f7a9

SHA256
720511d1bf02ccbbda7be5f0cca18dd319c6f296962830aa39e8d847991385a1

SHA512
4a35adf20b4511ea80cf65109e624511f5f2193ab13961ac28df35e57ba13cab9443c0526837315b40c02c2cd0a989ec6e7a91f451fdfa4f35d6bdc3842d79d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocUU.exe
Filesize
5.9MB

MD5
76c7f71556bfafdc09a34df4b07c0bfe

SHA1
26d89aea6ad7f7d53cb8a48f62217cbc0b8057db

SHA256
5a589ee430351f6a7e221dff7ca1bf2727c8fa025417d4cb87f0b78ef498efe4

SHA512
33462b141ef79ba0c76e8013141659840e297818148a660db6fa14d757c318bf9db561b9b6959fd0891af2727e031a56153722ba37b36dc729038f0bf3d62778

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooEk.exe
Filesize
1.7MB

MD5
22f9ee84fc63e52bebd1dac4f8df748b

SHA1
efa1cf826a9849905bfbfb159c926d1adbedfaf8

SHA256
b6457ad4fbb5018fff7fdc04f6885670bd759fce42930df526a4eb8b356dce66

SHA512
a7da705df9c8b8c0265cd0929ce927d4e75bae77698c324b573776a5142ad328aa31687fccb2dc66ee84afb565b810c3cb675bae1297db0ffb65e3d901babca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYUm.exe
Filesize
795KB

MD5
8bfc5cf4d406ff49db42779aa55ffdc4

SHA1
07a70ef5364cd56aadcc7fb5e4a42c5d1d0b662a

SHA256
18f59088fa015e7f17acd47e911227152478a060bef49d45a12034e266bb3a5e

SHA512
880281309fe6f4d186f6afc5817f4c73a983dbc83f0705e6a16d1f8774ed0cd4aaccdc8a669fc5bf868cd639ba22da705b6a20ce0501e0585f961bffd04a6879

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYkm.exe
Filesize
205KB

MD5
ecce57053c3ed0ff2a78d6dc11c5c222

SHA1
e47c5c19b79dcac3f201d964e7fdec07ee98be14

SHA256
bb50a6fc5945965b1b1044bbe8424caac9f85bc799d7dcbdcab5721b0a44a1cc

SHA512
717356b8600b8c90b5b931543d0a84653bd0a2fb096b2335c2ab7bb35ae05bb93063c163e8e627f6835cc70430f7275d05d6404825b425338e8f8294fce186dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qksK.exe
Filesize
195KB

MD5
242b0829a3d52b7dc01db6f2a288a533

SHA1
26611f42f87291499dd7a18f8424ef8c9cfe2404

SHA256
34d435ae19ecacaa7f31c4e71593420954036965261c3d7b84f00e52542e57e0

SHA512
8dbcefee29cfd12e636381002d324e54faccc8d9288239bb4f89dbf1be7225205bbc8954e1a3120f28c78bee09c8e4e5d7fbdc94380d2baf6febc8d7fbb54454

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEgW.exe
Filesize
182KB

MD5
3ce7119bbcc57a5058b58e96b4399500

SHA1
18ec78e76e8c713853788b5bb14309225c4c334a

SHA256
f208e6590f65dec26993dedc6e6f1737c2b8d94fd9e5ba09baf9d2364554f72d

SHA512
4c23431536e25425205e7da913abfc76fea394e75d0a1ba4cce4ba2b3903cf8a061dd52593395fc50392df3452b2f89992b39e32b2aad22113b3c0f214e12b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUss.exe
Filesize
207KB

MD5
f5c4f7413b8f83d0ffa6508a0d962203

SHA1
52d51f162fe127d605d22e49a3f286233bffe1d2

SHA256
485ca8b499685a1a94a139355d902729af6ced600dae5a20ac098d04d466a240

SHA512
136d95e66e96d3e4ddb84edc465345d90f75dc638cf01b9cfe1519af5e495e5082affed586f0371ce460ce4d5a2269f7d629db5ff398f3ffc997c9c4d5115719

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgYY.exe
Filesize
186KB

MD5
b738ca0655f9584ed4e9321c274de3ce

SHA1
c9d40c05440821c40a3a7105df15f67b090be0a1

SHA256
e800fd7efea3fb4b1d2b5e546f8aad1a696e76f4ee0b648a3cd3f93610715cbd

SHA512
668b73f7e436c9c83e7d5ffaf626fb17f0b7987b5f4b315d4f5d51d92c663e434c90166ae8c9bce1cf9b4089d0fd6bf70111e5f901b69130ed44c1817573fb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sggc.exe
Filesize
462KB

MD5
d93d29b176e99797e5f8a3911fc974eb

SHA1
4f70a07d06008b33fdc12ce4ebcb69910ec53074

SHA256
4e6af5787eaf9c4e030539464daca04aca5924aac873b802f3961dc2fa5f8bfe

SHA512
a055dd9d1835386ac5666339933eefa2f24d9cc1a1d84f776d439570a14a1c46950206ce269e92fb52db4fb9ed681ef0f61671ada185975076268dbc9649b8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\skAm.exe
Filesize
193KB

MD5
bf7d13489295b74e47231303232e3896

SHA1
2396d0038ac646056cd96138da69343e976ee997

SHA256
565d9045e5db9b1e3c0643b13321e913e0c52f3ba10ff33e1fce9a97e3a6ff4b

SHA512
58da8b5c58eef7df6dc8b976ca557bf12edd965ee3d5c8aac6738f0e0f370c43775a3c8339349b390a5ea9958fa59f6a1892f3d1d137abc725f62d8a8db7719f

Download Submit
C:\Users\Admin\AppData\Local\Temp\swYa.exe
Filesize
195KB

MD5
6bddb60dc3b522f391a8225a6957142e

SHA1
36ff0aeebe9fb38c166159194f01c64621cf5afd

SHA256
b16789d0fbb84d48ca2c32546857a4116f9c8868f8a1614294155d37649c8c67

SHA512
f7ffcd62b1d0a46c76e83649e86625911f722666bc2c998d337bfa79fe830ec98b1b4348b9b229edc972c493670e78b62da80731604de74e8a9212006109bbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\swoC.exe
Filesize
436KB

MD5
eec157313c15f0422fa2604fb09b3f7b

SHA1
53635e291a9a37ee8e67624b2bd8b2710bdb56c2

SHA256
4ff9d73af26c710c86b1e47647d0d3dec74d468bcad453ffb53de1b1a408b20c

SHA512
2532a14dd8238f1e9fb832313be01ca7d2f9e7a226cb4cae0dea9430e5a6d6e2be6f386b3dcc4fd17bbec31a5c82857bc0e605307e58f7c7972b17cd0fa761a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucAQ.exe
Filesize
796KB

MD5
7b39db425645a822266f741eed52f4dc

SHA1
c44c63c5824b10fd374f67fe4a842774d00b0211

SHA256
99caf0b0546075acc93175f03a7649023457ea1e2fe28f51f5a4eb35f2064729

SHA512
9714bb09db6d4601064ed5252b505377d55c3bff54ee384fa97e05b0251958a82c2e136d2209e9c9042a40fefd1a5456ddbd446bb754c39ec7ab5f464d6413a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugcY.exe
Filesize
193KB

MD5
c9b2ed239e380d2e6cc044c7e71790a7

SHA1
f33bf197826c061904c726914cf8d1a5d2946409

SHA256
76ad6e65ef8256e90c095af2f33d23fc3d6ef549335280acbaf40a35fa8fa3e1

SHA512
6c3bd1bbb43665d2516a47723d7b59507cede60039f101174027ce44a7223e292fa4e3370acdace72cff0c0e556f29758ff5043c76a1fb774bbbc5caaa5315bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukAI.exe
Filesize
956KB

MD5
741b0cd651c66967b4a2289129b64527

SHA1
8f94e173fc6e3bf9012bf67e0cc62eba3059a801

SHA256
62900d4112a8313c2d86b280b326c703662c1e38370b5d500c51907211c19278

SHA512
2cfdea2f01405810ec2686f161f3b57c497872c28ac1ab2d9392fc2b240880ea8900396f80999e1e184f722365710375416bb851b1b698819338b24602998ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMsK.exe
Filesize
260KB

MD5
710a915043dd7fb1320f1c52c5ea4e12

SHA1
7172c0e010485c475a91613def3e1655c0ddb7b9

SHA256
915e7b723594fb2bf17fbd2c792ed774085ee307b4c1e57cba0cb8720844b7e5

SHA512
7b219eb9fe030ab3c55d959ac9e1e745e46c543a673099ec7bd83a93a6a09cc705e1c8af9b65494eddbd547ee8eb03d4b804377c0ef3f17a30728acc2e43fac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUUW.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcAK.exe
Filesize
198KB

MD5
f439137d3c21de44a0b147d9cc885f2b

SHA1
de8aeda7d03cf170c8585984c1b678d17c23b8df

SHA256
4481be86ad29c7c7ddeeaac3e89dd24cf015b2a2b0e19db102ff6306563deda4

SHA512
2bc9968cf8d32e8463f079ed36261dd61ddc125daa7e838e9bb9aed2e897f719fb0993002abb30b0c15bd79f481cc4dfcb635fed869a869ca562c535a07c7083

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkYY.exe
Filesize
183KB

MD5
e901153e81d1d15a38f151fe48626fd7

SHA1
3fcaa4ef0e858a1ce67222f23db7a24796e603ec

SHA256
63ec5f086eb594b8db2e1e7b939b777c4e8377e7724e338c3b47181ba090f5f4

SHA512
96be75d9de29f519a3bb245cc87afc6e7bd586a207c6ca91ae7c0af0c145ed4d3d2a4fa251ba062a1e9c44678a20826faf1b74fdc2c7f149e9cb3060f8e96484

Download Submit
C:\Users\Admin\AppData\Local\Temp\wokI.exe
Filesize
651KB

MD5
f70b4be116ea0677e819f703c6d8e83f

SHA1
c5e8861b80e18268eb2192c96046a4db3a596a6e

SHA256
f87246a28cbadd1b1e108cc30441b66ea38fa72a797bc57fac1851ae716356bd

SHA512
70021e75b8c2e48d9b9017c918c4e70b1f343b21a90ca26542b3ac433a4f53961620df3cf46bb13ca6ee1dd0099d74fb26f35addf0860b3ad2962f9a5665a3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsUw.exe
Filesize
201KB

MD5
8ff069946a77e6e4eb39489f92267745

SHA1
df3c33c94c7c4b0046d2c67017a3d0d24fa6e274

SHA256
e82015f01df46d97de044d87a015c6a1da784a78e63f79ad926893bc43a909b0

SHA512
c4029a825939ea8599cfc71730755044ced71e2d839a6bb4479a91223aea6fc784320dc5db03631e9d5602bc4237b5eaf3be2a971d0822be6b7787a4cad798ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEYG.exe
Filesize
187KB

MD5
9f7518030a50ee0b32d26971483d3adf

SHA1
7dffca1e5cabc67e879eb4695ac748872ef8e3eb

SHA256
1a4b46fe979384f61fab7a6006f5ba6b5be6ca9c537be7022e0d6e11ff305b9a

SHA512
4f352d6fa5666d16dff05d28dd7e6cbde1f963bf904bae1b65c555656811577fb7ad1df47ec047294eaca520a8ccb437315640f281625f8e4102efdde2e224ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMAO.exe
Filesize
826KB

MD5
7014609405cf0d510ed1c5d4176c3f9e

SHA1
0f9b3690e3087b9b21964dd5c85fd26453200464

SHA256
806cab95c4e35dea81e26396ea3d27fcd4897281191c3d1dd7324c3cbac35c50

SHA512
0475a332d08d5e664d3082c1e643bceb150eb6c2be408815ddec5206fdb75093c5f4b01d218f1b448aee5c06afa6459e49230a5c8d97bacb2814c7488443f354

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQAy.exe
Filesize
200KB

MD5
528bcdceae30f0f99d98bfddd81942e1

SHA1
2f19beb68e29c5a69a2d649239cb9fbbdd386e1d

SHA256
9fe38584663a881858be06bbcf566f03acf08339df69f842a666597520860fa9

SHA512
6685a983bd88036ebedc40ca5fcc2bbe9c02e0731088fe2af1657a377868af812755331433be23e67479bd8cdd76d857b22e17fb3f3adb8f26112ad232d42d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykwE.exe
Filesize
183KB

MD5
2393cb79460dd07d4fa16a606eb6d048

SHA1
350ae650775c92cee22e2047990062f313fc6b4d

SHA256
5e0b9c09a3a37fa87dab0797f67296164c2e878227a46c93ddce5ca4e029d26c

SHA512
e37df0e3a8c0bd7383a229728c7011590f45c9d41d4866c0599187a43484158f2ac5b391507a86d785b84603dd8a71f20bb5e5b96e28762d89eb86e49fb1be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywgO.exe
Filesize
183KB

MD5
f37d0c59278f664d27473f81ab73ba6d

SHA1
b917990e9a196b3148f737a82489f53b28116304

SHA256
90acb42242a261690ae60a9bba8dbee9c850adbccb3e672fb83498d10eb4a848

SHA512
5733a8238b255c45fe8ce609ff08dc2b96820698e4e59b930c4117e7fed54a55d7082324eda1eeec39e759738d8610e0a387e1bede3f9f62b8597527ac5b701a

Download Submit
C:\Users\Admin\AppData\Roaming\UndoUnprotect.ppt.exe
Filesize
893KB

MD5
06b1c47029bda8a7946f328939ff3759

SHA1
abea4df5df6d4f12955d24404691392ba294893e

SHA256
a62d5c4a1443b0c554533b4ed09a5f00a2c03231c416dfa6c13a5052d5f23fdf

SHA512
686118fb551528918cb084ac1bc8fd0662bd229d62d759af02cc2e321dcf3084fddd9c83882d5e58677141da30c595e830f4cb4901f84f9de8946fbb97aff143

Download Submit
C:\Users\Admin\LyUgggEw\fsUgAkso.exe
Filesize
198KB

MD5
7a6c998b8cd74a2f13031a4a016138d1

SHA1
f0728076daeac2b1ee95a3844311e8b16c359ab2

SHA256
f983d4fb18f01b35e778afeaf56f1cd8531f98c2f4f898e5e59528ea9e17dc4e

SHA512
b324886f87442b23fac414409891ade30473aa8905a718bfc6b483fb1d832188bf93204ea4d1c247a5fc3b5b10176d6ea5f83e24cf1239be2e6df9e6a7492b1b

Download Submit
C:\Users\Admin\LyUgggEw\fsUgAkso.inf
Filesize
4B

MD5
90500fde514d3f611605dfc0e5b8124a

SHA1
38894060432918e7a1a8c08a7efd3e1d9360aee6

SHA256
08bb23b79da985262c2e9d085728cdf88ce679c32a0ac24bc3cb9fd2cb8a935f

SHA512
ab91a8ce971e75ac6b28ca0bd149de9161379e084c499370b405ffe5d2e363238cd3552514de4d319a13ea928fa19b0f748387344aabb29ed50bb9a1fdbc562e

Download Submit
memory/400-311-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/400-319-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/464-182-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/464-193-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/632-221-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/632-203-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/776-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1176-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1176-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1244-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1256-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1416-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1416-290-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1608-58-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1608-42-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1712-363-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1712-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1812-301-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1812-309-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1892-107-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1892-91-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1892-271-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1892-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2112-367-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2156-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2156-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2360-281-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2360-272-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2512-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2512-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2576-83-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2852-156-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2852-140-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3260-169-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3260-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3260-181-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3260-69-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3436-261-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3448-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3704-350-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3704-335-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3936-46-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3936-30-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3952-132-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4128-386-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4128-372-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4164-206-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4164-196-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4272-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4272-329-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4432-34-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4432-17-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4508-331-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4508-339-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4556-235-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4556-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4768-246-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4912-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4912-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4992-131-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4992-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5044-300-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5044-291-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download