Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
25-01-2024 17:38
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
Resource
win10v2004-20231222-en
General
-
Target
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
-
Size
325KB
-
MD5
d6d60e591fc168d89850fd7f7b0faf81
-
SHA1
9caff4b2b4e7ee106e853cd791f16d0f1512a459
-
SHA256
8958c5ef0084947311bce1141434b5f3159faf3a60631845d86428f0c7aa1673
-
SHA512
b7108377933bf557f76eb1a7918d715b03202e1e73ec63945579de1ce31d2fcb5de72cd14f28a4c1b914d69587bb911bdefaba7c445bb2fcb3dc24a81c67303e
-
SSDEEP
6144:UIQqX0WRFU4uZyY2XKGUun8uTeXZLEHXcpDu6cL4XcjZ9IKZd:UsX0WRuZyfZn8tXZLiUDm4kLZZd
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
cmd.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execscript.exereg.exereg.exeConhost.exereg.exereg.exeConhost.execmd.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exeConhost.exereg.exereg.exeConhost.execscript.exereg.exereg.exeConhost.exereg.exeConhost.exereg.execmd.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exereg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) 
\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
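Sets the EnableLUA policy value to 0, which turns off User Account Control (the signature title for this block is missing from this capture)
Processes: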
reg.exereg.execmd.exereg.exereg.exereg.exereg.execmd.exereg.exereg.exereg.execmd.exereg.exereg.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exereg.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exereg.exeConhost.exereg.exereg.exereg.exereg.exereg.execscript.exereg.exereg.exereg.exereg.exeConhost.exereg.execmd.exereg.execmd.exereg.exereg.exereg.exereg.exeConhost.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (81) files with added filename extension
This suggests ransomware activity, i.e. encryption of files across the system. The rename count by itself does not confirm that file contents were changed.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofencing check.
Processes:
LgMUEkoE.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | LgMUEkoE.exe
-
Executes dropped EXE 2 IoCs
Processes:
GIocUcss.exe, LgMUEkoE.exe
pid | process
812 | GIocUcss.exe
4808 | LgMUEkoE.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe, LgMUEkoE.exe, GIocUcss.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LgMUEkoE.exe = "C:\\ProgramData\\WMcoIUoE\\LgMUEkoE.exe" | 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LgMUEkoE.exe = "C:\\ProgramData\\WMcoIUoE\\LgMUEkoE.exe" | LgMUEkoE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GIocUcss.exe = "C:\\Users\\Admin\\FkQAUwEE\\GIocUcss.exe" | GIocUcss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GIocUcss.exe = "C:\\Users\\Admin\\FkQAUwEE\\GIocUcss.exe" | 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
-
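Queries and sets the EnableLUA policy value, which holds the User Account Control state (the signature title for this block is missing from this capture)
Processes: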
cmd.execscript.execmd.execmd.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.execmd.execmd.execmd.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.execmd.execmd.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.execmd.execmd.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 548 reg.exe 4948 reg.exe 1848 reg.exe 5064 reg.exe 4852 reg.exe 4144 reg.exe 4484 reg.exe 1404 reg.exe 3500 reg.exe 2284 reg.exe 4596 736 reg.exe 4428 reg.exe 1812 reg.exe 3320 reg.exe 3048 reg.exe 2104 reg.exe 4480 4084 reg.exe 2964 reg.exe 3740 reg.exe 3764 reg.exe 1564 reg.exe 4428 reg.exe 2172 reg.exe 4776 reg.exe 4144 reg.exe 1564 reg.exe 764 4024 reg.exe 3324 reg.exe 684 reg.exe 1168 reg.exe 1988 reg.exe 2676 1200 reg.exe 4000 reg.exe 3276 reg.exe 4236 reg.exe 4452 4812 reg.exe 2364 reg.exe 4484 reg.exe 2008 776 reg.exe 4268 reg.exe 4824 reg.exe 4700 1548 reg.exe 1184 reg.exe 3276 reg.exe 60 reg.exe 1312 reg.exe 776 reg.exe 3116 reg.exe 4496 reg.exe 3828 reg.exe 436 2296 2964 reg.exe 4516 reg.exe 3248 reg.exe 1168 reg.exe 5064 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exereg.exereg.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.execmd.execmd.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeConhost.exepid process 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3304 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3304 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3304 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3304 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3500 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3500 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3500 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3500 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4252 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4252 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4252 
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4252 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 1124 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 1124 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 1124 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 1124 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4696 reg.exe 4696 reg.exe 4696 reg.exe 4696 reg.exe 1812 reg.exe 1812 reg.exe 1812 reg.exe 1812 reg.exe 4936 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4936 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4936 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4936 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3752 cmd.exe 3752 cmd.exe 3752 cmd.exe 3752 cmd.exe 4632 cmd.exe 4632 cmd.exe 4632 cmd.exe 4632 cmd.exe 3496 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3496 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3496 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 3496 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 840 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 840 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 840 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 840 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4532 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4532 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4532 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 4532 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe 1044 Conhost.exe 1044 Conhost.exe 1044 Conhost.exe 1044 Conhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
LgMUEkoE.exe
pid | process
4808 | LgMUEkoE.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
LgMUEkoE.exepid process 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe 4808 LgMUEkoE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.execmd.execmd.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.execmd.execmd.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.execmd.exedescription pid process target process PID 1468 wrote to memory of 812 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe GIocUcss.exe PID 1468 wrote to memory of 812 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe GIocUcss.exe PID 1468 wrote to memory of 812 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe GIocUcss.exe PID 1468 wrote to memory of 4808 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe LgMUEkoE.exe PID 1468 wrote to memory of 4808 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe LgMUEkoE.exe PID 1468 wrote to memory of 4808 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe LgMUEkoE.exe PID 1468 wrote to memory of 388 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 1468 wrote to memory of 388 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 1468 wrote to memory of 388 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 1468 wrote to memory of 1524 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 1468 wrote to memory of 1524 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 1468 wrote to memory of 1524 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 1468 wrote to memory of 1076 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 1468 wrote to memory of 1076 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 1468 wrote to memory of 1076 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 1468 wrote to memory of 4888 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 1468 wrote to memory of 4888 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe 
PID 1468 wrote to memory of 4888 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 1468 wrote to memory of 2368 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 1468 wrote to memory of 2368 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 1468 wrote to memory of 2368 1468 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 388 wrote to memory of 8 388 cmd.exe 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe PID 388 wrote to memory of 8 388 cmd.exe 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe PID 388 wrote to memory of 8 388 cmd.exe 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe PID 2368 wrote to memory of 4000 2368 cmd.exe cscript.exe PID 2368 wrote to memory of 4000 2368 cmd.exe cscript.exe PID 2368 wrote to memory of 4000 2368 cmd.exe cscript.exe PID 8 wrote to memory of 3116 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 8 wrote to memory of 3116 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 8 wrote to memory of 3116 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 3116 wrote to memory of 628 3116 cmd.exe 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe PID 3116 wrote to memory of 628 3116 cmd.exe 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe PID 3116 wrote to memory of 628 3116 cmd.exe 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe PID 8 wrote to memory of 4776 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 8 wrote to memory of 4776 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 8 wrote to memory of 4776 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 8 wrote to memory of 1824 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 8 wrote to memory of 1824 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 8 wrote to memory of 1824 8 
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 8 wrote to memory of 4188 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 8 wrote to memory of 4188 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 8 wrote to memory of 4188 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 8 wrote to memory of 3480 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 8 wrote to memory of 3480 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 8 wrote to memory of 3480 8 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 3480 wrote to memory of 3756 3480 cmd.exe cscript.exe PID 3480 wrote to memory of 3756 3480 cmd.exe cscript.exe PID 3480 wrote to memory of 3756 3480 cmd.exe cscript.exe PID 628 wrote to memory of 1364 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 628 wrote to memory of 1364 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 628 wrote to memory of 1364 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe PID 1364 wrote to memory of 3304 1364 cmd.exe 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe PID 1364 wrote to memory of 3304 1364 cmd.exe 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe PID 1364 wrote to memory of 3304 1364 cmd.exe 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe PID 628 wrote to memory of 2964 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 628 wrote to memory of 2964 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 628 wrote to memory of 2964 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 628 wrote to memory of 2960 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 628 wrote to memory of 2960 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 628 wrote to memory of 2960 628 
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 628 wrote to memory of 2456 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 628 wrote to memory of 2456 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 628 wrote to memory of 2456 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe reg.exe PID 628 wrote to memory of 2948 628 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe cmd.exe -
System policy modification 1 TTPs 34 IoCs
Processes:
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.execmd.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.execmd.execmd.exe2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.execscript.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Admin\FkQAUwEE\GIocUcss.exe"C:\Users\Admin\FkQAUwEE\GIocUcss.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:812 -
C:\ProgramData\WMcoIUoE\LgMUEkoE.exe"C:\ProgramData\WMcoIUoE\LgMUEkoE.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"8⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"10⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"12⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"14⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock15⤵PID:4696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"16⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock17⤵PID:1812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"18⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"20⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock21⤵PID:3752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"22⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock23⤵PID:4632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"24⤵PID:916
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"26⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"28⤵PID:3368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"30⤵
- Suspicious behavior: EnumeratesProcesses
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock31⤵PID:1044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"32⤵PID:3744
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock33⤵PID:4824
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"34⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock35⤵PID:4436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"36⤵PID:3712
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owAYgEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""36⤵PID:1032
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs37⤵PID:3368
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵PID:2396
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵PID:208
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵PID:2064
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵PID:4960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWkMkYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""34⤵PID:4392
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵PID:4408
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵PID:864
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCgYQggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""32⤵PID:1548
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵PID:3764
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵PID:4388
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵PID:2884
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵PID:736
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIMMoMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""30⤵PID:1200
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵PID:2680
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵PID:3952
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵PID:2056
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵PID:2368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQwssAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""28⤵PID:2788
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵PID:3632
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵PID:60
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵PID:4056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAYgYAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""26⤵PID:3736
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- Modifies registry key
PID:4024 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:4428 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Suspicious behavior: EnumeratesProcesses
PID:1812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSsIIsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""24⤵PID:1512
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵PID:4388
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵PID:1744
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Suspicious behavior: EnumeratesProcesses
PID:4696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOcwoMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""22⤵PID:4236
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵PID:2484
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:976 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵PID:3952
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵PID:1124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkMIIwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""20⤵PID:3940
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs21⤵PID:1032
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵PID:4828
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵PID:2908
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:3320 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵PID:4408
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵PID:4440
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵PID:4456
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵PID:2576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWMsoUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""18⤵PID:3724
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs19⤵PID:4368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵PID:3152
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOUkIwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""16⤵PID:1356
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs17⤵PID:1856
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:1868 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵PID:1396
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵PID:2948
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵PID:1044
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵PID:3948
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵PID:4076
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GswckIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""14⤵PID:1980
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs15⤵PID:916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgEEoQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""12⤵PID:5088
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵PID:2224
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵PID:2824
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵PID:2156
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵PID:2396
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵PID:2788
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵PID:4940
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵PID:804
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵PID:2492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pokcsQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""10⤵PID:2544
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs11⤵PID:436
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies registry key
PID:736 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵PID:4268
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵PID:3744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGMMcskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""8⤵PID:4936
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵PID:4812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSMkkYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""6⤵PID:2948
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:3736
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs8⤵PID:2020
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵PID:2456
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵PID:2960
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:2964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQkUoAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""4⤵
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:3756
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵PID:4188
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵PID:1824
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵PID:4636
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:4776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYUsggQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""2⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:4000
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
PID:4888 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵PID:1076
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵PID:1524
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵PID:4216
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵PID:2540
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock1⤵PID:4772
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"2⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock3⤵PID:4632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"4⤵PID:932
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock5⤵PID:3792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"6⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock7⤵PID:4244
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"8⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock9⤵PID:2064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"10⤵PID:4304
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock11⤵PID:116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"12⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock13⤵PID:1556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"14⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock15⤵PID:4168
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"16⤵PID:220
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock17⤵PID:3744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"18⤵
- Checks whether UAC is enabled
- System policy modification
PID:64 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock19⤵PID:1636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"20⤵
- Modifies visibility of file extensions in Explorer
PID:1124 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock21⤵PID:1404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"22⤵PID:4132
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock23⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"24⤵PID:8
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock25⤵PID:4416
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"26⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock27⤵PID:4968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"28⤵PID:456
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock29⤵PID:1556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"30⤵PID:4304
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock31⤵PID:3708
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"32⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock33⤵PID:1856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"34⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock35⤵PID:4776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"36⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock37⤵PID:4500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"38⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock39⤵PID:2016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"40⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock41⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"42⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock43⤵PID:2788
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"44⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock45⤵PID:3528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"46⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock47⤵PID:4772
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"48⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock49⤵PID:4308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"50⤵
- Modifies visibility of file extensions in Explorer
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock51⤵PID:4696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"52⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock53⤵PID:1960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"54⤵PID:628
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock55⤵PID:2208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"56⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock57⤵PID:4512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"58⤵PID:212
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock59⤵PID:4940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"60⤵PID:1116
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock61⤵PID:8
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"62⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock63⤵PID:2192
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"64⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock65⤵PID:3792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"66⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock67⤵PID:4216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"68⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock69⤵PID:764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"70⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock71⤵PID:2012
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"72⤵PID:2224
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock73⤵PID:3164
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"74⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock75⤵PID:4828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"76⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock77⤵PID:1032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"78⤵PID:3088
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock79⤵PID:3500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"80⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock81⤵PID:2576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"82⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock83⤵PID:1308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"84⤵PID:4944
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock85⤵PID:1604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"86⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock87⤵
- Modifies visibility of file extensions in Explorer
PID:1824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"88⤵PID:840
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock89⤵PID:1124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"90⤵PID:320
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock91⤵PID:4812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"92⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock93⤵PID:4448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"94⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock95⤵PID:2404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"96⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock97⤵PID:3804
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"98⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock99⤵PID:2540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"100⤵PID:4168
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock101⤵PID:1604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"102⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock103⤵PID:3296
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"104⤵PID:4396
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock105⤵PID:2020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"106⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock107⤵PID:4144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"108⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock109⤵PID:4488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"110⤵PID:1604
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock111⤵PID:2948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"112⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock113⤵PID:4516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"114⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock115⤵PID:2492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"116⤵PID:4304
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock117⤵PID:1692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"118⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock119⤵PID:2540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"120⤵PID:1116
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock121⤵PID:3804
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"122⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock123⤵PID:932
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"124⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock125⤵PID:4304
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"126⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock127⤵PID:3380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"128⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock129⤵PID:1496
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"130⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock131⤵PID:4852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"132⤵
- Modifies visibility of file extensions in Explorer
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock133⤵PID:4044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"134⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock135⤵PID:2508
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"136⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock137⤵PID:212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"138⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock139⤵PID:4260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"140⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock141⤵PID:1664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"142⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock143⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"144⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock145⤵PID:2024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"146⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock147⤵PID:3792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"148⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock149⤵PID:2672
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"150⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock151⤵PID:2488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"152⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock153⤵PID:2308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"154⤵PID:1468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1155⤵PID:4000
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock155⤵PID:3976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"156⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock157⤵PID:2940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"158⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock159⤵PID:1332
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"160⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock161⤵PID:2432
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"162⤵PID:3756
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock163⤵PID:4216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"164⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock165⤵PID:3164
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"166⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock167⤵PID:2156
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"168⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock169⤵PID:2488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"170⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock171⤵PID:3748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"172⤵PID:2792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1173⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock173⤵PID:3008
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock" 174 ⤵
- Checks whether UAC is enabled
- System policy modification
PID:4404
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock175⤵PID:3340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"176⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock177⤵PID:3380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"178⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock179⤵PID:3588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"180⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock181⤵PID:2680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"182⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock183⤵PID:3664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"184⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock185⤵PID:2720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"186⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock187⤵PID:2824
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"188⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock189⤵PID:1856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"190⤵PID:728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1191⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock191⤵PID:4500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"192⤵PID:916
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock193⤵PID:2984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"194⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock195⤵PID:4852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"196⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock197⤵PID:1900
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"198⤵PID:1988
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1199⤵PID:728
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock199⤵PID:3340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"200⤵PID:1352
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock201⤵PID:916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"202⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock203⤵PID:4056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"204⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock205⤵PID:3052
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"206⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock207⤵PID:2056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"208⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock209⤵PID:4488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"210⤵
- Checks whether UAC is enabled
- System policy modification
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock211⤵PID:2020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"212⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock213⤵PID:2224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"214⤵PID:680
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1215⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock215⤵PID:668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"216⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock217⤵PID:3052
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"218⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock219⤵PID:2328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"220⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock221⤵PID:3116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"222⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock223⤵PID:684
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"224⤵PID:3164
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock225⤵PID:1476
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"226⤵PID:2580
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock227⤵PID:840
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"228⤵PID:4240
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeQwUgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe"" 228 ⤵
- Checks whether UAC is enabled
- System policy modification
PID:928
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqYcAssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""226⤵PID:1044
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1227⤵PID:2792
-
C:\Windows\SysWOW64\cscript.exe cscript C:\Users\Admin\AppData\Local\Temp/file.vbs 227 ⤵ PID:2056
-
C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f 226 ⤵ PID:2720
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1227⤵
- Modifies visibility of file extensions in Explorer
PID:3452 -
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 226 ⤵ PID:4568
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 226 ⤵
- Modifies registry key
PID:4824
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f224⤵PID:1960
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2224⤵PID:116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwgEkQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""224⤵
- Checks whether UAC is enabled
- System policy modification
PID:3248 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs225⤵PID:1856
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1224⤵PID:1720
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2222⤵PID:456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1223⤵PID:4260
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1222⤵
- Modifies visibility of file extensions in Explorer
PID:3208 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1223⤵PID:1988
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f222⤵PID:3748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emsAkMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""222⤵PID:1112
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs223⤵PID:1124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USIEQsEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""220⤵PID:2364
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs221⤵PID:1204
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f220⤵PID:3276
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1221⤵PID:3272
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2220⤵
- Modifies registry key
PID:1168 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1220⤵PID:8
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TysEogQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""218⤵PID:2492
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs219⤵PID:2056
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f218⤵PID:1072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1219⤵PID:1900
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2218⤵PID:2776
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1218⤵PID:2792
-
C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f 216 ⤵
- UAC bypass
PID:5116
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2216⤵PID:4396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkgIYAQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""216⤵PID:5084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1217⤵PID:1604
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs217⤵PID:2036
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 216 ⤵
- Modifies visibility of file extensions in Explorer
PID:2172
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f214⤵PID:5036
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2214⤵PID:3032
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1215⤵PID:4236
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1214⤵PID:932
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buMsoUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""214⤵PID:4412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1215⤵PID:1492
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs215⤵PID:232
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1212⤵PID:3452
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2212⤵
- Modifies visibility of file extensions in Explorer
PID:1744 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f212⤵
- Modifies registry key
PID:4144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umsUoQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""212⤵PID:1564
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs213⤵PID:4416
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1210⤵PID:2632
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2210⤵
- Modifies registry key
PID:1988 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1211⤵
- Modifies visibility of file extensions in Explorer
PID:4308 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f210⤵PID:3280
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuYQQwMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""210⤵PID:2584
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs211⤵PID:2968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAMkIUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""208⤵PID:3380
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs209⤵PID:4624
-
C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f 208 ⤵
- UAC bypass
PID:3764
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2208⤵PID:2948
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1208⤵PID:368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocQsUowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""206⤵PID:1184
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs207⤵PID:2828
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f206⤵PID:928
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2206⤵
- Modifies registry key
PID:2284 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1207⤵PID:1476
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1206⤵
- Modifies visibility of file extensions in Explorer
PID:1824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkQIcQAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""204⤵PID:1112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1205⤵PID:2984
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs205⤵PID:4396
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f204⤵
- Modifies registry key
PID:3248 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2204⤵
- Modifies registry key
PID:1168 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1204⤵PID:4392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIIwAMMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""202⤵PID:952
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs203⤵PID:5068
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f202⤵PID:3708
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2202⤵
- UAC bypass
PID:4856 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1202⤵PID:3588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feMMcssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""200⤵PID:2968
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs201⤵PID:448
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f200⤵PID:2940
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2200⤵PID:2464
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1200⤵
- Modifies visibility of file extensions in Explorer
PID:4244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSIYocsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""198⤵PID:912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1199⤵PID:2308
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs199⤵PID:1604
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f198⤵PID:3032
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2198⤵PID:1960
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1198⤵PID:4260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEMIQUAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""196⤵PID:1044
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs197⤵PID:3272
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f196⤵PID:1076
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2196⤵
- Modifies registry key
PID:684 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1196⤵PID:4308
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2194⤵PID:4888
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1194⤵
- Modifies registry key
PID:1404 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f194⤵
- UAC bypass
PID:2824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miUEIMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""194⤵PID:1756
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs195⤵PID:60
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiUkEEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""192⤵PID:4532
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs193⤵PID:456
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f192⤵PID:1116
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2192⤵
- Modifies registry key
PID:1564 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1193⤵
- Modifies visibility of file extensions in Explorer
PID:4268 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1192⤵PID:2948
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2190⤵PID:2792
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1190⤵PID:3740
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f190⤵
- UAC bypass
PID:4652 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1191⤵PID:3664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKEkkAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""190⤵PID:4812
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs191⤵PID:1636
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1188⤵PID:1200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1189⤵PID:4932
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2188⤵
- Modifies registry key
PID:60 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f188⤵PID:1468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1189⤵PID:4084
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcgUwkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""188⤵PID:928
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs189⤵PID:684
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f186⤵PID:2208
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1187⤵PID:3340
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2186⤵PID:4936
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1186⤵
- Modifies registry key
PID:4236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKwckQkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""186⤵PID:4696
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs187⤵
- Modifies visibility of file extensions in Explorer
PID:1476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOUUIEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""184⤵PID:2948
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs185⤵PID:2104
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f184⤵PID:4856
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1185⤵PID:4040
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2184⤵PID:4412
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1184⤵PID:1492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asIkogww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""182⤵PID:4044
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs183⤵PID:2964
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f182⤵PID:684
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2182⤵PID:60
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1182⤵PID:1744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeMEEYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""180⤵PID:4240
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1181⤵PID:3784
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs181⤵PID:2308
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f180⤵
- UAC bypass
PID:4700 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2180⤵PID:4832
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1180⤵PID:1564
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2178⤵PID:1352
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 178 ⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3276
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1179⤵PID:3184
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f178⤵
- UAC bypass
PID:3788 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1179⤵PID:4824
-
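C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
180⤵
- UAC bypass
(Analyst note: this conhost.exe command line does not itself write EnableLUA; the tag probably follows the PID, which this tree reuses across short-lived processes. Confirm against the registry events recorded for PID 1072.)
PID:1072 -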
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYkYUIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""178⤵PID:912
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs179⤵PID:3572
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1176⤵
- Modifies visibility of file extensions in Explorer
PID:4988 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1177⤵PID:2752
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2176⤵PID:4772
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f176⤵PID:1472
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgIcwMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""176⤵PID:3804
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs177⤵PID:544
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1174⤵
- Modifies registry key
PID:4268 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2174⤵PID:3304
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f174⤵PID:2948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuggcAcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""174⤵PID:4428
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs175⤵PID:2112
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1172⤵PID:1476
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOMcMwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""172⤵PID:4936
-
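C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
- Modifies visibility of file extensions in Explorer
(Analyst note: PID 3324 is also assigned to a reg.exe HideFileExt write further down this tree, so the tag probably belongs to that process rather than to this conhost.exe instance.)
PID:3324 -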
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs173⤵PID:2028
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f172⤵PID:4416
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2172⤵PID:3032
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1170⤵
- Modifies visibility of file extensions in Explorer
PID:3116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqgMYEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""170⤵PID:932
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs171⤵PID:1124
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f170⤵PID:4144
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2170⤵PID:3764
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f168⤵PID:4404
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2168⤵PID:3184
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1168⤵PID:4456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UskUAUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""168⤵PID:3784
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs169⤵PID:4932
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f166⤵
- UAC bypass
PID:2940 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2166⤵PID:1168
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1166⤵PID:920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQEMwMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""166⤵PID:5096
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs167⤵PID:2752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcQAcoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""164⤵PID:4240
-
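C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
(Analyst note: PID 916 is reused further down this tree by reg.exe writing EnableLUA and HideFileExt, so these PID-keyed tags may not all describe this cscript.exe instance.)
PID:916 -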
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f164⤵PID:4824
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2164⤵PID:4932
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1164⤵PID:3572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1165⤵PID:3152
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1162⤵
- Modifies registry key
PID:3324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuMMQQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""162⤵PID:912
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs163⤵PID:1644
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f162⤵PID:4944
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2162⤵
- Modifies registry key
PID:1312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsEYIgQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""160⤵PID:3780
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs161⤵PID:3276
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f160⤵PID:916
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2160⤵PID:4852
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1160⤵PID:3964
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2158⤵PID:1092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGowQMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""158⤵PID:4824
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs159⤵PID:2168
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f158⤵PID:1684
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1158⤵
- Modifies visibility of file extensions in Explorer
PID:3656 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1156⤵
- Modifies visibility of file extensions in Explorer
PID:944 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2156⤵PID:1352
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xokIUQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""156⤵PID:3320
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs157⤵PID:5096
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f156⤵
- UAC bypass
PID:2928 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1154⤵
- Modifies visibility of file extensions in Explorer
PID:4304 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2154⤵PID:3428
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f154⤵PID:4516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkogoYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""154⤵PID:3152
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs155⤵PID:1960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYgwoYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""152⤵PID:2104
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs153⤵PID:2208
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f152⤵PID:208
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2152⤵PID:2828
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1152⤵
- Modifies visibility of file extensions in Explorer
PID:548 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1150⤵PID:3272
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2150⤵PID:4376
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f150⤵PID:4440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkEskQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""150⤵PID:752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1151⤵PID:3276
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs151⤵PID:3280
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1148⤵PID:4040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsAYcMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""148⤵PID:1848
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs149⤵PID:1492
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f148⤵
- UAC bypass
PID:544 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2148⤵PID:1988
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1149⤵PID:2952
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1146⤵
- Modifies visibility of file extensions in Explorer
PID:1476 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2146⤵PID:4000
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAEEooQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""146⤵PID:4928
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs147⤵PID:3428
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f146⤵PID:4624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaMIYgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""144⤵PID:640
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs145⤵PID:4832
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f144⤵PID:4940
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2144⤵PID:4828
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1144⤵
- Modifies registry key
PID:2104 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1142⤵PID:916
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2142⤵
- Modifies registry key
PID:3276 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f142⤵PID:1564
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1143⤵PID:3764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIYkwcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""142⤵PID:4192
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs143⤵PID:4364
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1140⤵PID:2952
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2140⤵PID:2928
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f140⤵PID:2344
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMUcwsks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""140⤵PID:2156
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs141⤵PID:3380
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1140⤵PID:4936
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2138⤵PID:4056
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1138⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4516 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f138⤵
- UAC bypass
PID:1812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYAAQAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""138⤵PID:3828
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs139⤵PID:448
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f136⤵
- UAC bypass
PID:5096 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1137⤵PID:1404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckwYUwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""136⤵PID:1312
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs137⤵PID:804
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2136⤵PID:684
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1136⤵
- Modifies visibility of file extensions in Explorer
PID:4292 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2134⤵PID:3272
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1134⤵PID:1204
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f134⤵PID:1480
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIIgYwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""134⤵PID:932
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs135⤵PID:2112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TicEwAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""132⤵PID:3964
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs133⤵PID:3688
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f132⤵
- UAC bypass
PID:3596 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2132⤵PID:544
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1132⤵PID:2368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1132⤵PID:4488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaAgcQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""130⤵PID:984
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1131⤵PID:2172
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs131⤵PID:4240
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f130⤵PID:2672
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2130⤵PID:4396
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1130⤵PID:4824
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1128⤵
- Modifies visibility of file extensions in Explorer
PID:64 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2128⤵PID:4500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1129⤵PID:5036
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f128⤵PID:2580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaYYEUoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""128⤵PID:1692
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs129⤵PID:3588
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1126⤵PID:4024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSwcYsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""126⤵PID:4456
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs127⤵PID:4168
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f126⤵
- UAC bypass
PID:2020 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2126⤵PID:4528
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1124⤵PID:2156
-
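C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
- Modifies visibility of file extensions in Explorer
(Analyst note: PID 4916 is also assigned to a reg.exe HideFileExt write further down this tree, so the tag probably belongs to that process rather than to this conhost.exe instance.)
PID:4916 -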
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2124⤵PID:920
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f124⤵PID:4656
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quQgsUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""124⤵PID:2536
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs125⤵PID:3724
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1122⤵PID:1492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIwYEQgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""122⤵PID:5036
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs123⤵PID:2580
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f122⤵PID:3276
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2122⤵PID:2544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCcsQkMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""120⤵PID:1092
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs121⤵PID:4084
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f120⤵
- UAC bypass
PID:1524 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2120⤵PID:1720
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1120⤵PID:1744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkkcsUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""118⤵PID:3164
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs119⤵PID:4432
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f118⤵
- UAC bypass
PID:5084 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1119⤵PID:2104
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2118⤵PID:1204
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1118⤵PID:4916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSkcssgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""116⤵PID:2016
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs117⤵PID:2368
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f116⤵
- UAC bypass
PID:3428 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2116⤵
- Modifies registry key
PID:2172 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1116⤵PID:2964
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeIAQgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""114⤵PID:3380
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵PID:4632
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs115⤵PID:4388
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f114⤵PID:2544
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2114⤵PID:4704
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1114⤵PID:4948
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1112⤵
- Modifies registry key
PID:5064 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2112⤵
- Modifies registry key
PID:1184 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f112⤵
- UAC bypass
- Modifies registry key
PID:4852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQUEokso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""112⤵PID:368
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs113⤵PID:3612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WegwAUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""110⤵PID:936
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs111⤵PID:3336
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f110⤵PID:5084
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2110⤵PID:2104
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:452
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1110⤵PID:728
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2108⤵PID:4192
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1108⤵PID:4208
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1109⤵PID:1636
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f108⤵
- UAC bypass
PID:752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAgAwkMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""108⤵PID:4604
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs109⤵PID:2764
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1106⤵PID:4632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWoQIQME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""106⤵PID:3752
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs107⤵PID:4364
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f106⤵PID:4812
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2106⤵PID:4968
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f104⤵PID:920
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2104⤵PID:1184
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nugYMkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""104⤵PID:1116
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs105⤵PID:2224
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1104⤵
- Modifies registry key
PID:5064 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:2156
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1102⤵PID:2432
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2102⤵PID:452
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f102⤵
- Modifies registry key
PID:4484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcAsMwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""102⤵PID:4568
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs103⤵PID:4512
-
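C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
- UAC bypass
(Analyst note: this command sets the Explorer Hidden value, not EnableLUA; the tag probably follows the PID, which this tree reuses across short-lived processes. Confirm against the registry events recorded for PID 4776.)
PID:4776 -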
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1100⤵PID:1636
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:1644 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQUcQoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""
100⤵ PID:2056
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵ PID:2968
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:1868 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵ PID:4308
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:2672 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵ PID:4624
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewIUcEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""
98⤵ PID:3788
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵ PID:5116
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 196⤵PID:2156
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 296⤵
- Modifies registry key
PID:3828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmoEEcAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""96⤵PID:2020
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs97⤵PID:4452
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f96⤵PID:4432
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 194⤵PID:2432
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 294⤵PID:4568
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f94⤵
- UAC bypass
PID:4496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKMgYAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""94⤵PID:1464
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs95⤵PID:1640
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 192⤵
- Modifies visibility of file extensions in Explorer
PID:984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUoAsEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""92⤵PID:3740
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs93⤵PID:2192
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f92⤵
- UAC bypass
PID:64 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵PID:4364
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 292⤵PID:1072
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 190⤵PID:4624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMgocggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""90⤵PID:4080
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs91⤵PID:3496
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f90⤵
- UAC bypass
PID:4208 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 290⤵PID:3780
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 188⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:776 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:2384
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUYoMIQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""88⤵PID:4244
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs89⤵
- Modifies visibility of file extensions in Explorer
PID:1720 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f88⤵PID:4468
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 288⤵PID:4948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcAkYEYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""86⤵PID:4260
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs87⤵PID:1548
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f86⤵PID:2432
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 286⤵PID:2192
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 186⤵
- Modifies registry key
PID:4496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMEAAEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""84⤵PID:1636
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs85⤵PID:4364
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f84⤵PID:4776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:2632
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 284⤵PID:1312
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 184⤵
- Modifies registry key
PID:4484 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 182⤵PID:1720
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 282⤵PID:4552
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:4812
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f82⤵PID:2676
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsIwIYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""82⤵PID:2540
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs83⤵PID:4412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWMwwAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""80⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2080 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs81⤵PID:2384
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f80⤵PID:1740
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 280⤵PID:4512
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 180⤵PID:4236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiEUUEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""78⤵PID:208
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs79⤵PID:2544
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f78⤵PID:4496
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 278⤵
- Modifies registry key
PID:3048 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 178⤵PID:1824
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 276⤵PID:2488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiQsswgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""76⤵PID:2964
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs77⤵PID:2632
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f76⤵
- Modifies registry key
PID:3764 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:1636
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 176⤵
- Modifies registry key
PID:2364 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 174⤵
- Modifies visibility of file extensions in Explorer
PID:1900 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 274⤵PID:368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:1308
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f74⤵
- UAC bypass
PID:1756 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:4940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcAgMEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""74⤵PID:1076
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs75⤵PID:456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWkAMUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""72⤵PID:4936
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:1868
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs73⤵PID:2240
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f72⤵PID:2080
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 272⤵PID:4832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:116
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 172⤵
- Modifies visibility of file extensions in Explorer
PID:840 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f70⤵
- Modifies registry key
PID:3740 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵PID:628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMgkgUQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""70⤵PID:1640
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs71⤵PID:448
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 270⤵
- Modifies registry key
PID:1848 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 170⤵PID:4636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AosMMMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""68⤵PID:4484
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs69⤵PID:1636
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f68⤵PID:4260
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 268⤵
- Modifies registry key
PID:4812 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 168⤵
- Modifies visibility of file extensions in Explorer
PID:2056 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:2964
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 166⤵
- Modifies visibility of file extensions in Explorer
PID:3724 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 266⤵
- Modifies registry key
PID:4428 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵PID:4560
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f66⤵PID:1988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGssMIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""66⤵PID:1308
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs67⤵PID:1076
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmEAYoAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""64⤵PID:5064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV165⤵PID:4308
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs65⤵PID:1868
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f64⤵PID:1472
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 264⤵
- Modifies registry key
PID:4000 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 164⤵PID:2224
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 262⤵
- Modifies registry key
PID:3320 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵PID:4772
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f62⤵
- UAC bypass
PID:3496 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵PID:1512
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 162⤵PID:2488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQkkksQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""62⤵PID:3008
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs63⤵PID:2168
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f60⤵PID:3660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VokckAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""60⤵PID:2012
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs61⤵PID:1032
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 260⤵PID:3480
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 160⤵PID:2720
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 158⤵
- Modifies visibility of file extensions in Explorer
PID:5036 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 258⤵PID:116
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f58⤵PID:912
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYMgIkII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""58⤵PID:2776
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs59⤵PID:4560
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 156⤵
- Modifies visibility of file extensions in Explorer
PID:4776 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 256⤵PID:4408
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f56⤵PID:4388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgAIEkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""56⤵PID:4824
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs57⤵PID:728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOAAowAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""54⤵PID:1640
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs55⤵PID:1944
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f54⤵
- Modifies registry key
PID:2964 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 254⤵PID:4484
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1200 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵PID:1852
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 152⤵
- Modifies registry key
PID:4948 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 252⤵PID:3724
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f52⤵PID:2752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:1184
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqAgcMAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""52⤵PID:2908
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs53⤵PID:4744
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 150⤵
- Modifies visibility of file extensions in Explorer
PID:232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmUUYMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""50⤵PID:436
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs51⤵PID:1364
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f50⤵
- UAC bypass
PID:5028 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 250⤵
- Modifies registry key
PID:548 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f48⤵
- UAC bypass
PID:4552 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 248⤵PID:368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵PID:3280
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 148⤵PID:4056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgcUMQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""48⤵PID:1512
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs49⤵PID:4516
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 146⤵PID:680
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 246⤵PID:1124
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f46⤵PID:3660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAkAkMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""46⤵PID:1496
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs47⤵PID:1852
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 144⤵
- Modifies visibility of file extensions in Explorer
PID:932 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV145⤵PID:1356
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 244⤵PID:804
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f44⤵PID:4636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqgoYkEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""44⤵PID:3756
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs45⤵PID:2908
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 242⤵
- Modifies registry key
PID:3116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUAosksY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""42⤵PID:2384
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs43⤵PID:684
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f42⤵PID:4604
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 142⤵
- Modifies registry key
PID:4084 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 240⤵PID:4480
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 140⤵PID:1428
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f40⤵
- Modifies registry key
PID:1564 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okgkQcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""40⤵PID:4916
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs41⤵PID:1512
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 138⤵PID:3724
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f38⤵
- UAC bypass
PID:2456 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 238⤵PID:3736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiQIkowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""38⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:544 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs39⤵PID:4044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYEAwwsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""36⤵PID:2792
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs37⤵PID:1356
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f36⤵
- UAC bypass
PID:2192 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 236⤵PID:3572
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 136⤵PID:2968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vosQAAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""34⤵PID:2828
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs35⤵PID:1092
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f34⤵
- UAC bypass
PID:4812 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 234⤵PID:2488
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 134⤵PID:3672
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV135⤵PID:116
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 232⤵PID:736
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f32⤵PID:3488
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 132⤵
- Modifies visibility of file extensions in Explorer
PID:2576 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵PID:1032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCMEwwcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""32⤵PID:1980
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵PID:3280
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 130⤵PID:4484
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 230⤵PID:4496
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f30⤵PID:544
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV131⤵PID:2536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgYIgYUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""30⤵PID:3596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV131⤵PID:864
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵PID:4620
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 128⤵PID:840
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 228⤵
- UAC bypass
PID:1540 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f28⤵
- Modifies registry key
PID:3500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWswYcgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""28⤵PID:4944
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵PID:3320
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCcgMQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""26⤵PID:436
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs27⤵PID:1364
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f26⤵PID:368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵
- Suspicious behavior: EnumeratesProcesses
PID:1044 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 226⤵PID:3232
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 126⤵PID:4812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵PID:2964
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 124⤵PID:836
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵PID:3632
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 224⤵PID:1956
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵PID:3664
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f24⤵PID:4868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵PID:3368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmMUwUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""24⤵PID:2580
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs25⤵PID:1392
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 222⤵
- Modifies registry key
PID:1812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCEswwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""22⤵PID:2544
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵PID:3480
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f22⤵PID:4040
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 122⤵PID:2536
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f20⤵PID:1540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSAIMAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""20⤵PID:2960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV121⤵PID:1356
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs21⤵PID:1556
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 220⤵PID:2192
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV121⤵PID:2960
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 120⤵PID:4500
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 218⤵PID:4216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcEMEYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""18⤵PID:1352
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs19⤵PID:1512
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f18⤵
- Modifies registry key
PID:2964 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 118⤵PID:1044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIQcsQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""16⤵PID:4016
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs17⤵PID:1564
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f16⤵PID:3748
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 216⤵PID:2580
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 116⤵PID:3664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkEoYgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""14⤵PID:3708
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f14⤵
- UAC bypass
PID:3052 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 214⤵PID:2012
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 114⤵
- Modifies visibility of file extensions in Explorer
PID:932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAMIogMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""12⤵PID:4376
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵PID:4696
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f12⤵
- Modifies registry key
PID:1548 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 212⤵PID:2088
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 112⤵PID:1540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amcYQIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""10⤵PID:1308
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs11⤵PID:2380
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵
- UAC bypass
PID:4268 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵PID:1372
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵
- Modifies visibility of file extensions in Explorer
PID:2428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUwokowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""8⤵PID:1012
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵PID:4480
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Tree depth 8 ⤵
- UAC bypass
PID:668
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Tree depth 8 ⤵ PID:4544
(Analyst note: the trailing digit in the extracted "/d 28" and "/d 18" is the tree-depth counter, not part of the registry data; the values written are Hidden = 2 and HideFileExt = 1, as at the other depths in this tree.)
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Tree depth 8 ⤵ PID:1640
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAMYUgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""
Tree depth 6 ⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4456
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:4436
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:2296
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
- Modifies registry key
PID:4144 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies visibility of file extensions in Explorer
PID:1276 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMsEYAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""4⤵PID:3756
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:1876
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:1356
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:2088
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4516
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:4516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEwgoYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""2⤵PID:4552
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:4216
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1200
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:64
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:2024
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:1980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2680
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4408
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2908
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:2396
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4392
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4496
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4544
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:840
-
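C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
Tree depth 1 ⤵ PID:3744
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth 1 ⤵ PID:2828
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth 1 ⤵ PID:2968
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Tree depth 1 ⤵ PID:4412
-
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv uxCLKlW2z06qm+DqSDmTag.0.2
Tree depth 1 ⤵ PID:4852
(Analyst note: mousocoreworker.exe and sihclient.exe are Windows Update components running from System32 at tree depth 1. They are probably background OS activity captured during the run rather than children of the sample; confirm parentage before treating them as indicators.)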
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (T1548): 1
Bypass User Account Control (T1548.002): 1
Boot or Logon Autostart Execution (T1547): 1
Registry Run Keys / Startup Folder (T1547.001): 1
Downloads
-
Filesize
220KB
MD57671456add01a464db67e06232c94e31
SHA19e28c2206a93e80ca2151a3bcb942e804e07a3bc
SHA25660fdadce0bed6225c23424c9f8cb66210dc1a7c70c2f5bfa23c29c8252d8f17a
SHA512f3663913e2fa6e4b3f3d78a25d463abffaa33b8d78e2040695c13a06f18c314a6ea81854242ff442a49d7de664f741355ac7c15bd63b293f2418799edc517019
-
Filesize
638KB
MD55620b88b71da37271a54428afe4090d4
SHA164ffe6df6d04e0e3e00b3c4cc84ab71c0da5673b
SHA2569021fff046eaadccc75ffd8534b0025fababe069e59926ef5eebff623406c1ae
SHA51265c1e56b9f12bd69c28340377cef47a25475c998e8919d38647b330d37ae56831141e691c78d5e21c9813dec1987d6b99e8a27d97bd7bec4d305ff750c4127f7
-
Filesize
181KB
MD5baa2ff1d614ee330aface8408fec8995
SHA155ed08e2712151ac45cf1e354cb9aad8fd19d821
SHA25663eb82b906b833d861865f780ea487f357b07f59b863491b41546ff20e49793e
SHA5121e5db1cb27e120d4c9ea9be072d3a39f6c37ab7bad1dcc980e57dacf3549acf4a4cda5cfce3ff5a2cbd18c54e8aeed993e1c31c53254975774436d1166436b84
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe
Filesize: 204KB
MD5: 37c4646a64334ed5a3faf9517c182cd1
SHA1: 5f9946278cd6b2cf46769ca8f5fcd0be83ea9ebb
SHA256: f82cc289b866307e07dd89cba94635e4ed13e200968becff6bb4fd57dec7a8ab
SHA512: 62ae0f6a46d633fbe20d60662312359f5cb1c37d1127565bda1e873d51a871b4ad0ade0066b30840dc3e0ab5fac071043c52315be41be24242603c19f97fb26a
(Analyst note: the double extension .png.exe on these dropped files pairs with the HideFileExt = 1 writes in the process tree; with known extensions hidden, Explorer would list this executable as "128.png". Files under user-profile application data whose names end in a document or image extension followed by .exe are a practical hunting pivot for this sample.)
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe
Filesize: 203KB
MD5: 7860eab1f8717e423c72c340e5cbf719
SHA1: 24b1523336159a55d2e6672dd494bc20b696c2b2
SHA256: dac029cec424749e58caa120194f73a88400c5077b8cf0e52c043b61a83e8e8b
SHA512: 6369244fef612059659364166230181a2c81dbd6aacc67367c910df7802bcc2c9898e22d202ad8bbb6c3077a5e15e1dcff7e8b27756b640929e003e1719efe4f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe
Filesize: 204KB
MD5: 72c232943b6c79181a3971a502692963
SHA1: 0bf6a3c7a0bff320f83b44c5dfdceadc8abbf280
SHA256: 84052475de9d6f309967ed10e6d437a6b25e05e0c034d1d57158e7cf239561cf
SHA512: d4327f35e27e35260be36b54ceda67afcf600ef65594911f6315e70265cf5a26dc19cb94553eddc578d9d23a6bf92c962a5cc14115ecaeadbad9d1f21a995929
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe
Filesize: 190KB
MD5: 535fc98b189bed5b71153aa9469fa8e1
SHA1: 8da3ef8c90d7625dec60afb478ed3bf4e04bbdb9
SHA256: c9db565dab322ae2fde1679fd0f1c177f9dd6f7b8b71eff7142ed733c9c44f59
SHA512: 782d37d8d9abcd5e6dd1f2e5310565ce824462ecac2eb8422768e726b8e71fc32d707bfaab999db030cc304bb3ed8e6cea6904b036b4bd04c547a3493ccad55e
-
Filesize
194KB
MD51365289a416533cfc8ab539459288689
SHA11af219345e0db4e7d9e62580f2230ced3d1c745f
SHA256946ea57c740e73faa3b2a51b15d184a77ff88e60af1b8c38729b7341552f3e0d
SHA512d55e00fa1419d65e90a3d34de82efa09752d34e4a6c90198aa9e871a90bd2c83ebb64fc0ac7f38057b93c1bf8587da0780df7f96c94cb58cdbebe6fec6505f3b
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe
Filesize203KB
MD52df2443d8670d89f2e89ba8c4300d07b
SHA1e4ac95fb354fb5249959c98d7c5dd39a3576462a
SHA25642eb650301e0e18dc3a285a12f86662bc8634d74361daba88b3a382752bc21c7
SHA5128b0fbb3843c7ebac5870956addbcfeff04d10fb79be7585d4b092fad1e0676aa561d4de1cb32d1cbbf3f02554bdd1f6adff20492379ea96fcea0a0f4b5a44f97
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
Filesize187KB
MD503a66860d254735e0d7cb2e7b9894553
SHA12add6a1633f72b26b370835425834381124446a8
SHA25627fe629b365f1a3923df5e59ec527ccb3da39ef13e550f0888803d08fbb17015
SHA512b1457f895b8dd1eaaef0436f8708b927211f4aaa78041efdbc7621278694b2add611e935362bc36e85bda0a2a2b37d9e31e1d51dbcb8cc654d0df0487c2e743c
-
Filesize
126KB
MD59adaf3a844ce0ce36bfed07fa2d7ef66
SHA13a804355d5062a6d2ed9653d66e9e4aebaf90bc0
SHA256d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698
SHA512e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5
-
Filesize
651KB
MD5e8565d41d064d9e603e26d1bd6459b33
SHA1d2b154c1a07fba774cdad8ab225a2b7bcc9ec3cc
SHA25693d8c02f515c0b5866af9838a5742cfbc702c0ee3c8aa4bc589093f43e9e7269
SHA512b0c6bc105724b08b25464b847a01735c6192bcf1e71d188958065f780d2c7d561c95ff22f33ca1ecf7827792be879bb840eea7f9ac3a111113fdbe85904b1083
-
Filesize
567KB
MD5dcbacf457ad5ca3f0df49cd6869d870a
SHA11fcb5b4ee07a23e622e1ce2ae2f3eed078a2bfc4
SHA25611a40c4c32276a38b7caf858124bdfac683892f1a45834968e096e4f19092ffd
SHA512d51aea6764224b51433d754936bfb64fee3ba3392f688f255f3c36d0d62ce72007db91713b72e4dbaff45b838133920f1a8312234e37b1283a829e5d99c6a447
-
Filesize
189KB
MD5ede609fabdf03d562dafa081c10bd6f8
SHA15dee8c931c10e997b6694ce6b643338c859160d3
SHA256298c0509768c7549ab70a071105217302841991a2755184f387ddb3f52454f3c
SHA51274ee72c53d715e676b947363e3902a66e25413d887dafc52dd5d6a65d362b3f89d2362bfadedfa582129d8e9b1439b1fe2e2a4183830b55efc4a79015f370cf2
-
Filesize
820KB
MD5f96920e6b995efc764cbe3dcb7ddf3fe
SHA13c6e5b2a0c60809442a51e2044d9df4d685f4aa3
SHA256b3df55e154d664ac679c9ff2ec14bc2c1b09b5126bd2d37875269a1800b2253c
SHA512da4c8c2a585e9310c55938dcc29e9873ded6f2d7bc1039c1c069b959588a2e5dbffcbd58a58cca66a44d1da882b47be549b63f43d8ff9436dc95a6d0439c2bb6
-
Filesize
196KB
MD53f5158a434bacda61eed05e2e65d1656
SHA1a6862de8ba6c2362236ec8f786279af2a3beeeab
SHA256883769e39c7ce8675e3290a29aa0a2a1d31402fdad3c83ff0024e24b1ad2b17c
SHA512f0262fb075fa75677f6beafab754a64d0ce47fffda9887ab2827b54f9109bb036f1cee7eb7c65829f72a8bf9931ee346f918620d00f7c69ec7e4364d5276c5a9
-
Filesize
200KB
MD572e05eebbdf9221478dc2c90c89a6359
SHA1898dffd83684778bee368f24f1ba3b4def99447d
SHA25695a46f7288d9f5051da47822f5f4b97493e6bd13a62c70cd37a0f6afc2106860
SHA5124f53433add3d53822b76041b821fce1808bb8e344d07cff4f5d5cc55e0f6ce4518a5b645f27bfc10c86a3cc9ec64013f2bafa40a199218834a944d7892520cf7
-
Filesize
530KB
MD541c8ae6318293168e8d76d6939d47ae1
SHA1dfac682d99b6cffcbac12deffffc303d465448f2
SHA2566b18d674faba7b01bc45b7a0c53388897e3b33b02680644b0e66f81ad9353a90
SHA5127ec09f82f84e51c3cde4ad66d40c896b69fa5c1ad96d549b8662ddf831049ff1913f3ba56db3b76890b585e6fbc9a9198e2251c40110da066aa019355fdb7501
-
Filesize
219KB
MD53d879083b85fd312c5c16b6eeb350775
SHA14a44b597360e02cdc1632f9c6019ae7a66758b3c
SHA2560d55c19bdf617dd7db14873441e8d26986a761eb6e671e1c6e01052696ca93d0
SHA512c0f5daf2d25f00266ac86d1931863aeec1a5a0de9c255f3e893ede1c083aac612db1b214fd1a1b345a9258de9a2ed9af225e590ea9ac60217f55def5733bb8d8
-
Filesize
200KB
MD552c6fa501e69de5b2a65db0e70d848ba
SHA116b03d873f2ed555c20b942ef7c9133ff1a6e2e2
SHA2568c396f23439264d82b8cd1f8c2e699c5052126e476d0a14d102232b468d6f445
SHA512137e2928dd62da354ce5628ae3ccabd25e8d5f558125fc3805b46913bcea8547bb585c78c46d0d512da617b70f478081ec374645a8663b89b7fdc6744c281806
-
Filesize
1.4MB
MD5dd9124871691d8fd79523f2fceabba47
SHA1d3661daf590ad915e45263e27e5ac3213fd45ce8
SHA25628da08b465f2698e2cf1411020428c11338e9a1c4c7d4efa7587da7fdba6c1b0
SHA512e91f24ea7d9def67e75113acafd3192a5d60bbe422fd6ca84594c4539f1e95377062b77621a094b39067123a82bc21b968bffebd2a19b9385b603e311306e0e9
-
Filesize
304KB
MD5d92cbf58086418b8c8109662d13113a7
SHA1598eddb0f929c8de107c0562305260fa4a765a76
SHA25620516ab7db5877011db5c0258e5c7ac6bdf3b7a553db731fdb069d86b8ac374d
SHA512de96c7dc70900d597e6ae5c850c4292a2f7f7907ef074b85baa5b02c0bae571f72e8e1ab18e88e9fa6e7d148069a595cbdf19bc287331b6b03eb122f5cf3696f
-
Filesize
250KB
MD58be84e85399c8cb3092266e85d880988
SHA1c8ef2dee21bdd57110dd65ff996e5d024c789fca
SHA25643f1d2083bbc3a0e07f7b09a2f1be0c6b8172d53d13d9e8acb401dc33120a2a4
SHA5128a9ecbea49751e363a54b0021f6075635b6058f8d702589fc9f6ec154e911a568e3e2c083688577772dcf973891728840b3964169d8d3124b626db02cdc108f5
-
Filesize
197KB
MD58dc958d90959e1b69413451de2077f33
SHA12a01a48d2afff94f80e61359ab0c61238f366529
SHA256d57a7ef57869ce38b34b66df511f0627402987809e451d4eb6575c68ab5ec2df
SHA512da4768faffb8a792625519ca391afaa97417138cfb584bab782241d5e35079985e9f723f90ee024633c26fd0ec0f0271e535bb6e1469a6add51ea7df6f2ca6fe
-
Filesize
866KB
MD5e94085bba6b002db96ab2ac1d5428e55
SHA1ca68437edb78212ca7f479660f7562a038989687
SHA256a7d52ec2e36ef69c8c6a3f1fb45a9cab1966cb5dcddb54820dd9ba6c98a4d545
SHA512f511927fb50fdf71e017bbdc6874f08ed43298133a47b63362cc6db13200b02a2805b992e1783ebbbda0fbe4f72bc257c7aeb21bd766abaee50d43f9fa72b718
-
Filesize
207KB
MD51fc43b06c79a480b0c7ca24e9d9a4bd0
SHA1af5de494dc526d3e45fbb646a3a9094856c079ea
SHA256207d6db16b6f6a85f1acd60066cd31daf8c24f8046ab37b2fc5619b0386c6517
SHA5128cbace0958b8c9b89e47cf1cfffe3f6d55870bd193819edc59aba8bdc719312e0dc4f06c2816fd7dc47c45d8bc4b9012f81132c1aafecf1a0747c802ce256f0e
-
Filesize
775KB
MD53c8c60779a9de8e468f745c166c292ae
SHA111ccbdd50758b8fbae3d93311b20d38f387704f2
SHA2563a1bbf23f35f4489de8ed19205b65c45120e6d336f3a02c817a765aceb2085f3
SHA512b8f02ecefa2cd9fcbd907c80a1071235ee2d2504546f40cbc61f1db703a8080cb3418b90f533def9f26b6223d08e8954b46f634bc7527a2c4940f4d20a12b452
-
Filesize
801KB
MD54f199d9b013889200b6a90420ce5011d
SHA19f3277d0d5d022c9ffd86c7052dd626612b0dc9f
SHA2566495f098bcb9b74f1f4dffa94d396c5460d0cc759130fe41f762a0e7bfdd502e
SHA5120376fff85273b20b40dd2d8d32fbc6efd72c0741bfc83bc8fa95f9e83ddd5a306014ddc1fa2fafacb81f4976be6ff856d5d2934a6dc8f24b8fc3ebfa218d1358
-
Filesize
198KB
MD5a5fbe1ef332ba261f8d2bf8ea298a9b9
SHA186a069c3ae612ec8483b87f0921d87a17644bddb
SHA256c5531119c617a02a77d08f629d7eadacd5cbf136517984aaeffadf113dddb7fa
SHA51231936ef6885b91e1c91fe9b7087e50dd001e9b37b22ba84e51582f453df243984d188de4fcb0fb2fd1d463f38769075de948803751e5a496a53ec681770cd155
-
Filesize
207KB
MD570976f6f843167c2680225d8c56b1aa1
SHA1e8b1b1a1487890a8a802da188a9ba56bad8760e4
SHA2560a5cccaf00e176463660750ede912de3e5b1cf7cb9228d6e8230af85595a75af
SHA512a126400652e27673d1b176526763f4fa56d89235bb65f2c9278f0511684792279c05ad42018cb022ed4fa0e7dc61c080883724d9c747730e43dc03ea68de84a2
-
Filesize
205KB
MD596028fa2e10863934160fc7ba70c4438
SHA1798f1492d1b7d5555eda1d4011593920c72e501d
SHA2566da095eb72a3211b99c2efa1c1ea46547eb4bf80c8161d26248075a6ad90e69b
SHA51296072dcf632df4551fb6b77d83d7fd7f6cd0ddddec9de9b1c583cc08b553f796eddf6cfa2c5061fcd3d59ec89bc833163a124d1da8e0caddaaf31d9825cd4237
-
Filesize
204KB
MD55e06bcf4994ce4c7232e82e23910d484
SHA10ab379b821675730ee28b374775f465843b75c6f
SHA256dacaa1dca3649ceacfa04e0521bd6492859516da6ecddb4a3249abe66c0a652f
SHA5121c2f4eb0f2a7bfd2bae88ad02f51700bf7264cb7461bb97c57284cbf430bb5ea142cdadd9e6b099a50785f5dc7949ef5cc819b0df4d201e028286542686cb796
-
Filesize
197KB
MD54d0f969c38d42c1f974b2dd5a44651b6
SHA1a902ebf27841a09fc7404d0166286c5b545ccd3c
SHA2565d158f1df954038183c1fb1d2462fd81ba01adf820f0b8c393a9ba5cae06a967
SHA512f81726e34ee1c03113e1303f20c05a51d33044ac8d415222524ae69121bad168837d768474d3781bdc417e7bd669694fa8334fd56b6bafb7019a31ad6c2b8717
-
Filesize
205KB
MD5cab95a432902074e8df652b7e927d59b
SHA10b5f6fd03a702cf17c8a32858bfbe46bccaced82
SHA2561f3cbd65e321e2ed5a2f3a9cd9777849edd0c1dd966cc316563f16992deeed0d
SHA512704708776efdb56e49eb486b2d518c6e31b835f888e9b1b79835283e2dd731e3558bbd980c440d7642f0e23254afa5bc2985b3e26b2be90e0b18906f4aff6bde
-
Filesize
196KB
MD5a2f854c31a7c6b4c2d57a2c3ca8b0490
SHA124116c59ba3adba7bcccc908aa76d7886885f664
SHA256e4ea100a34cbbd1e76129ef39226956ada094088d9db7b5c7db84107225897a0
SHA5126ead955c710bd380948cd1ca20a1ef026f2d7d8d218d2c3e652990ded5f5be7ba4563421634b420388a6c4e44e63cc352b3f05034b5965784e84d860c88f1d2a
-
Filesize
202KB
MD5232da2cc8ad09f44ea517c3fbdaeadfd
SHA1f45df1bde8d1d25231719542fd0b681558740cc4
SHA25609173f93689d78fabb92b549f68d777cf73f838333b53e0c1d2ae12a7c3ea7bd
SHA512b7d7c53aaf4e65a922a3ffb9164d75638191ebda0deac5fb44ba337726e440f0921de5cbd5789fb4a66bbf4ac352692dc9835bf5754e91d712f9e0281033a5b7
-
Filesize
209KB
MD5f03713ebafbe9e356c14f87416ed312f
SHA149c03d112a670bad9e8a019068f131efb1dc04d0
SHA256ed3c528457592519ea68303260330129e8147ca3902607dc01dfb687938c4627
SHA512460e7023ce6fa0bf5b95e5609168f9623b24276892ab115d5d9e8218e42c7faf4e59abe9ccc30a0ea7a7aad20c9acf7286022979ddda447b5d71f6138ae5c819
-
Filesize
221KB
MD5b1b1a914c5e858223b1dcfb6b3314ed8
SHA145c6dc44df765826bcc773366d28aacf5964c966
SHA2563daaa77189c70232c078bfa1d77d14318117287c7d3cf21b8266c940d546da56
SHA512b1a543d8335932ec838d4f5f415b0962421cef9ad1020073a3be56d1b82c910f73855ae827939086d5ad33a07ac3ca88efd92a5f362f9e85d0d36fa21dcd8e77
-
Filesize
437KB
MD5f9651d138232d148219decaa25e9ddb6
SHA121822f4f190e015a23b4018c0de4e247f1cc4f21
SHA256bcf2692c0c37ceee249df97669000a09caae55206f4cd900c103eeffe4cf4d87
SHA51213b454181b5ebdabec01ac02d74a6f51d43777804ef17de0d7c54d52924ece17c008caf62cbd7ea28a2a8bb6a30d5d5ae81615e7e5f67b62734794581a9edf3e
-
Filesize
185KB
MD57b4264e8724857aa2210e318bee0318a
SHA160f2326eb292b29f96d85ba7b29dab5e7660beb5
SHA256e83bb0f73ae06e99d02187a4882f46fb082cb457626750e942dec471e0fd914d
SHA5122703444a8be37377401776d9d3c8a19b087f73ac3e2da1a871fbdc74405c38d15c5923e5d26968b4c778b323bde98a0cc5c9236ac41818ad24dd63191b76009b
-
Filesize
185KB
MD58bc6527259dc6075640609cf15d674d0
SHA140d3e579dd1443f13fe3680f03389a8f0d42bcaf
SHA256a07a4412d58bb47a3a57f098339f0fc5d22afd0252e4a5b5fe617cfd3ec02fef
SHA5122368f918278a42751e3dcdf487b3e488873795311f28bd9e447b67c90b3347c5196a9fee4db9ecba814fe378ea68ff28818fb33ac3293889569fec4bf088f3b4
-
Filesize
200KB
MD5c680313b10db60286e32adec49304c86
SHA1ee73bdb72713ef0a8fa9e5345aaeced8f60ce560
SHA256ec1e2a7c8c8a2ce4eb9794a0e81b8fe709c0ba597cd8bffff4f7d7ab211ec78b
SHA5123455081d4335a57d6ac70ca781e9293a7bec38e47189b664cf23a108855948e1b9229c1dc75898215d434e17991a98b9759f674b63cb1c53e63a506014ff6c1e
-
Filesize
207KB
MD5378e7da43979781e35e9dd3d3f9e1f62
SHA16969e218927ea7229322cbce51152a72c0934a1c
SHA256abd001a396885f0fdf39a28360574d0eb051fabb6c897c5f6889e7246131c25c
SHA5120e8f367ffb194bd64c0f1e7590048ebd1c90dc116f0e166380d2db0f3664b19dacfe24a6baf67d905124ea691cf9575f82d8af4f76688c32111d5355a707299b
-
Filesize
193KB
MD5cf36e434d83daa65453a369e53f92cb1
SHA195f1a85f4618ba692bbd63ca3cb30207e93545bd
SHA256d1a050ee62ef8cbd45132ec37cb02ead486e71151b44f12c9576303534c83deb
SHA51283ea4a121274adcd46c932875816e514b96469b885ac406a0a66768ef3ac3b11f4cb849e9a70516bc46d96b35696816d7a5d40a14293666f412ebd7be4b40018
-
Filesize
641KB
MD5a2ea56681c19b9bdf29e5fe4ea4927e3
SHA1c40625a2f99961c3fc11778ecccd8acbba59ea00
SHA256a852a0fc32d362dbcb73a6d90e73d8b41221b28355c448ce871ef0990210bf82
SHA5126e99fc3d2624dd906abb2e8c7c6c031e39408db84660a064bade57ac7c3e73afd718604555b72a96b59633c7c23bc9f92c54704fd04163d718cd467ba2cd7382
-
Filesize
200KB
MD52ed1001a8c05766c759bad1fe0ef44b8
SHA1a9668123a6c856372fcb749635e84668e61d2842
SHA256dc58993089d4717dc9c94d451c2800dacf9bcfebdcae0814092b4205db7ee9c7
SHA512a6ecdd0324e2e7dbd8581108f13b81dfb409646a0e7a9061cd535cec3fa31fc26b5db4b46766b495f0f5e12221a09ba4fa8414bd6a382d0b6dea3810ef0a323e
-
Filesize
307KB
MD59bb630bc40f236bfd896cb9e6b38a64f
SHA12ea70712f2cb5e40eb0f65bb7eb5504968bf8560
SHA256abc05a18d6de86af07beae3544ccbdc1b6752215c483b4477215319dc428899b
SHA5126636945e4da22c2d19c1cf2960b2dfd89afbca7ff7645bcc22271e3a5b48c3963c0959d3b7490a888fd40f6101028205d3041be452ab24b4a9ffe8395f8f849a
-
Filesize
540KB
MD5b470709e97830ec61528fedcfda37dfa
SHA11ad2e04674a70dbdeb50b71ce3c45346a6412fd7
SHA25602c874de904b4a5454f88e1f22c646c8c8fe308aacca48bc57eb2a528c3d6e8d
SHA512aaff532545b8ba36fcdfa3b1c33e15b0d70b309ec8754b10f1c550943abd3f1308cc40918c2a535608e756b3acc7caefa9bbd576654653a199b93421e3607af0
-
Filesize
200KB
MD5e08f1c108ccb74f5109e3f0cae465832
SHA15d2f04d4c84b95c7b7e77e2a69a77ed6bdfd5d1d
SHA256ef626a75e0ebcde8b5c3ae29fdbe7b3bcac1050f693872aa48fa94383738bc6d
SHA512bc563bff42afd55edfff17e25d87a4deb84d74ae14219462d4dda58068a9d81f3b5543e65ae402ac8d9717de8389c342141a8da1875d6c55657ce7b1e0606e72
-
Filesize
898KB
MD53512e188a1d49cf7aca2df3c99a31a9a
SHA1065583559882a176f5f7e1c4699efab6a802c341
SHA256369186f02bfd39b140d289926233ad6b40a0089fed4e7dc1838ce63abb384076
SHA512d91dad117a0f851a7de0ec13fd8ce24d1f970465175c0fe0a1dcd72609aff432d3533ff3c547eae4eccff72f693add4e4571140e0fd1da7c1b44d3b636dbc492
-
Filesize
499KB
MD5949bac7b3b840cf1fdb8bd94b0f951b9
SHA1fa247f09a58ff9bbc31eda48dc4bddff68d1dd51
SHA2568dafd473f6fc1f1a98bd47b6c2ad7d4461cd4d52af83a9a2eba091f6b2bfcd1b
SHA5121b9652061a55e6f1c0f01837a847cb6291ff262361ed85555aefdf0a553fed12d495e8d7e69036ef9e95511ad25784e2cf76c88bcc712e9a0faf346ef2725135
-
Filesize
4KB
MD5ace522945d3d0ff3b6d96abef56e1427
SHA1d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA5128e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e
-
Filesize
961KB
MD58b82f18c130882f3454851e22c6186dd
SHA121bac2091d37417197997c53bdd35274e91ae481
SHA2569d679cf84ea65663f3c76de40fad4fca8d838da68eaf6129d4f2b76b3abc41b2
SHA512fd1b15ade2448f1e449f65103729d642da65887963994369622c6de161701f5b62de646d6f68ed99be61d16efefc47d85a694043bb75b51904645b3aa30d6d6b
-
Filesize
207KB
MD5c362067937101b1dc0b5250f6b7b7b8e
SHA165378e05d96bc0cc2d6f1059f2d85531169cc876
SHA2564b8882c883c28cdf978a0adee7ba7f344d58aa8c1e79b00324ed283a952cfa6d
SHA512fb2cd45a6941fe3b24d31d3b0077667cda77071b65c2a6a578341e7f28c77ed8ec6cd8b39f0ca1ab5ceff061458b8ed5c10c1c2f1bd515559838545cbee5894d
-
Filesize
231KB
MD55496fef629fff4bf66f731b9c2420165
SHA18bdf3060424c608b12079fd3514e56a18537efb1
SHA256dee243324f5e7b3f758bb269dd8bd6f4f5b20cdde90c210c44ef05d2ec063838
SHA512f0af383201cd2fe75d1682371239d27f36c42622eeb5bb818a86929b7ddcd65dc877ba8519094891550efdd797c4c425dc31923a966d068db0e81de9edf91155
-
Filesize
214KB
MD50837c485cab608d22ff52a0439215551
SHA10eca30b7e1bab3c2b863b2e2924d756ade11d03e
SHA256e66f4073debbe50a85c8877e9223b906539a208d6d9f61440493d153deee2fa0
SHA5129e9daf374cb2cf72b53c0780db8e3827cd20eb5eea1508dcff2129bec46893b5bd6ab008425226a2ff0198b95f932f1ffcdff64304a0b34bd6a97d99e7a80104
-
Filesize
314KB
MD50e3852e160bf60d54c3bc25f1594cb45
SHA178a62c52fdb27ce040d85bd745487964c1faa557
SHA256b2fb4d82e6ee6338f0d70be1b18062a1c1423fb4c05af471835fc3a043d77571
SHA5120f7dbe53068695af4ddbcc3618482ce38cbbe5499c5b20df8d31a63dbd38b0a77037c5f49785168b9c30574b3d959b173cfd3d0dad1df0200cd66ee2ca3f84cd
-
Filesize
4KB
MD5ac4b56cc5c5e71c3bb226181418fd891
SHA1e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
Filesize
632KB
MD5b21450f68cdd9a9e5c684abb953bd3d0
SHA1835ee63bf08cd6d254ad578438f13be323dba1fd
SHA256a26cbe9649a3a3e60757f0d7ca31bd9a470b46aed82ff98a674c027be7ed9e70
SHA5123db54518d7c13e440e1267b2acde00c38739c7bd2a88f8f56b723b9b63ba0c567b889199f0fd8c4a8cd4f2d678b35376c64e618c59ca1b505db215e8b5111d80
-
Filesize
201KB
MD55463d9f4d0f8574456885338113dbdbc
SHA13d7edc14de2dc80bc7c43c5340c64879490cce5c
SHA256adcf968ec2bcf9503ead5d47acd4717ce28ce1c8167606deaea46c79417d650f
SHA5126ddd84b281e1197912046682a2706ba50500fa45be3c735bca79a7e425ab4390ee816251c5f31f9e4b92ec4177eb14df7ebea4ca50c766620cc6ea02da75da0b
-
Filesize
229KB
MD57ca056671b129ecaf5e467c3775724ee
SHA164dc92d2b84451efb92dd3fc58fe53bdca2be1ed
SHA256e674cd548810d7746886063a0aabac6447ba26a5767aed5689748b5083498594
SHA5127d29827a1f826145ca7aec904f06e5128a7878a9ea50b080f8013e1b0216eb3043befb687378643cbef9a033f8fdd2e48e680922570e50f01037673ba669f303
-
Filesize
188KB
MD50197fa13fc9274f3929123a4d5b9be0a
SHA19797a724f4842a93186762590e150e8f52557e76
SHA256196b986008e5a873ed48bfdd4ad0e751e9ea251070e9802ce6350f61c8fe5724
SHA51256d32933411ac61cd88caac3a6bdfcc98c772a582a56fc041ed431e961046d7e2fbdb9b857818d71bec7c54e9f57c7a13c64ce6e9c3237b98582e0ec78ea043c
-
Filesize
636KB
MD51035ea6df342eb9fd20461c8124182ff
SHA1102cb9bb8b6e1e92c8138d439b39741488078e9d
SHA2561505df6990bd5112be9e9711cb3b8ec60c68608966464e90e1d93bdf78eac64b
SHA512eee24085b8337b2b1bbdab36ebab265d5de4e56a900cd1c558de45f307611f67f906d70e56627398f27e79da955c5d084637ac86bd56a6c25f2aa5a04d6660c0
-
Filesize
227KB
MD5fe3949424129220be8aeeeae19fe45f5
SHA11ced2c9f4b9672f26e3689319512a193bad80762
SHA256f66536b7c6edbe0f090bf3e7015e66a4109d062bd832a509d3915815e299b4dc
SHA512029540b54b881513cdcf50af1215cd67c6aae7d73fa19a5c67764cc2cd0c2e3133690af75e50c5e562e340be6e05ba942ab0e5737ebd9c325d25efcc0eddbf8c
-
Filesize
190KB
MD5: 7eba3e19fd1c5f6999f32b21834c9590
SHA1: 7c959d3fc0104adf4b8a23750b4e8a96bf85b001
SHA256: bb5a5e6ff516c5ab47f9ad0f4738776af07d850016cdf85848ff59dc2bf7cc5a
SHA512: c620a42efcc207c14e1a1af0c6186960efa5180f4c70616c85a403f7cbe9b16c818c9fd6e080cf3f3d5d310e4ee8dd37ef71a001b181caf8de3ad9cacdd0e572
-
Filesize
203KB
MD5: 62581923075f6c221e92656aa794c0d6
SHA1: 3046c41737f9dcc31817d4c255b77783407c63a8
SHA256: daf631c59d33a227245f925dfef7bd1e4704f155d93e390421599a29d8f4f124
SHA512: b6b04266511f0b9cbfe2a4e900b9c8b2458fc210d31ffdfab33c191e68631d6e9154bd03fd8bd7acf3c43171326890de3edbdc43894431dcd8a40a9f56e6467b
-
Filesize
185KB
MD5: 055231bcfa38d8319dd07a0fd321e689
SHA1: 1d5a24a0f57079b5fad8998afbd987a087408cb8
SHA256: c52654373980eee23687b2cb0bad7a5143f6c24c7ec8e7a15c92a0ff07c81a1b
SHA512: 0947cc326edf0214d1c7b728f2e80a14169f6fccbc538ebe830bd0f71af87800b2381d9d7417a45de60fdcc18a75fa78f240e9837b41f065ae77fce8f74a6335
-
Filesize
194KB
MD5: d751f0efb6ea1a6553ff6487f3f662a3
SHA1: 24ae6c0d87cb129fbef4410814d136115ef9849e
SHA256: 5e588c86d9fed0c31974afc19d728529dba3db5c5f2474f263cde4038081fde0
SHA512: 49ea8ef3eb7040c6d65a2f2fb90167a3bb791e4592b6fd7abeeb8568b1f33da1ccf303d5b427d4a33993fcde33871e4694ca44a6e664c7b1cabc7687f348407e
-
Filesize
800KB
MD5: c0752b19c7e3cd8806b98de64cbd1034
SHA1: 05eb4c7e26fd4d1ff7379fe3951f527bbac27139
SHA256: 4dc938d4b7dba6f1b436493f6bb50be3f01a534e5b8c33a3b7da4b237a7cf446
SHA512: bf1926700f960f6ab0423adc65f21de61174e6ddc23d515d68eb91c1b92529e3238984f2161507f4007c04e7d01c3597860297da5824fec04dd6aeb0638869a0
-
Filesize
185KB
MD5: c36969f2a470d5ad6e14a582c8bd02c4
SHA1: bfeecef8a6d7f8d05d99d3aaaf52844d4a828f87
SHA256: 2986fc855db1f922c4e247c89a88bc46581e5e09742e2af1637367edb540a9b0
SHA512: 1d2cc1c61feba78cba0d2b0be0e9c5ad20f939b946ce2da528776efb97830e564b96dc5fb98e6d6cdb1a44153579e7388a4f843ed7e2e8f3becfc4a8ce5cfe05
-
Filesize
839KB
MD5: e88bb9255f806c48d558d8569e6d055e
SHA1: 327cb9f03cdcd7c4764313f01c384389ea172bc3
SHA256: ad56148a963d5b89a283c061ca3a77080882df5a4c8cc296aa71a2fc75a52c95
SHA512: 1a8fb0d2f3f2ad446b0a6cc412fdc0e367b78a9d78797cc90e99fe0646363ee2694dd490b983be8385b33978e3826beedc1fbadea4e78807060f128e5578dd5a
-
Filesize
196KB
MD5: 78e922c76e6ad582b428719593dde99e
SHA1: ce0c8b1cf3cbf10b9d5efe52fde993cbad19bb69
SHA256: ab921086d39dd6675b40ab5b5bc86516deac10e0082dcee18a984359fe8fe3dc
SHA512: 73a0abed624d25731cd84adeedabe0794dec95061bbd722c4fae5fca5c833d05acca2ec77d59183fb13484e91b54fff1cc15ec9dd9249b16fb15cc03366a6847
-
Filesize
193KB
MD5: 496f9e85fbe18e4dcdede016551cbb53
SHA1: 66d46d8dabe1ab6f50588c1bd6a6a0b641a630d3
SHA256: 577c8a9413160eba9b3f13f89159581ff1a9af46ab3e2e969504ca43265d7488
SHA512: fabdef5f395e18b914879e49f273c786273257bef317f92c83d0a29baeba3ab0dca29ee307bf9eeaba5d5b9c5978752d986174710f3295829b88f4be7ce5ef6a
-
Filesize
224KB
MD5: 358169dee32b1ae05fe78e3f7075f5fa
SHA1: 204b15146eae9a6afb996d9fec36f573aeb41562
SHA256: 6880147c72c177ea6f396b4ff40d9d4af8b6ef7c188fd7f51d30f5c9d565090f
SHA512: 053ebcb046693548106fde7111e8173d9d818b1713eac7fa14fc9225558b93c65e73be079a794369f026bc7af281c3afbcfdb15f3286a907448427700d9a4933
-
Filesize
184KB
MD5: 1ef4861e149fa030f96e4c4c875bdd9b
SHA1: 8426a4db4a61e770582f1e4825b0a421324f59ca
SHA256: 2d71f89f02f33b0512786dd2d7616a2ed94930a065bf2cd45be5edc2cf6bc9dd
SHA512: 348f93b08b34999e7c55c67350b63bbdfcd5d2de966bc54941a05ee2685cc6c5f763e96fe6fbe5d90b7680c380e83900f2b0a90c6737ce31de90327a19668bf6
-
Filesize
187KB
MD5: b4c4fa510ef474e33c581742906f2b01
SHA1: 0f90d32d4334d87ae3166be7ab7244397812cd9a
SHA256: ecfc6b2e7a09df08d22e8400439f533311213ebc7800d1579d3b4bb89dfda089
SHA512: 4a02644e029359b9ca68c9d72c7de0f40e9bb5975e3180d1179221dd04b8bf3705d1394026c0afcf1facffe16e6e9d547baf726e5aa1b5d07d9a0d634482e80f
-
Filesize
307KB
MD5: fe5acc5f7d7f96ae2c0062bdef02693c
SHA1: 6255fa045e217fec406f332dd6061a0f354e78e6
SHA256: ebe10ef698be975303890f151a0c60c270cf7c15e743e4de3f84374b744ce2e2
SHA512: 90e306cbdedbaf33c29d8a11b9d50ba5b9d8c84baf4d374ac724486a71ea46f1ea65abcce709d122d4cb6c3558b8aa59e74b764adb8fb7c75ffe80c8d05b3d6d
-
Filesize
19B
MD5: 4afb5c4527091738faf9cd4addf9d34e
SHA1: 170ba9d866894c1b109b62649b1893eb90350459
SHA256: 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512: 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
200KB
MD5: 0bcf8e460b1eebeba25f6e2b8a04c6f6
SHA1: 7525ebf1e39c580f92c0d0239ff38f8bc3fa1ba2
SHA256: c16b88278d8dfa808c7e3c2ffa5b83111f512b18c8580684ab9e17ce20ca8ec2
SHA512: 832dd776df45ee01b1c2798d0549dae5886fa91117a122fcadb2d6ce851a9c87b1aaf70be8f44790d0e28f6949bfa6227ae327018086899137a663a41c2d717a
-
Filesize
191KB
MD5: 04289a55f0d2ace587b04f3b070ca439
SHA1: 97f4339afd8919e7e60a45b11e848b982c70203c
SHA256: 2d00bdde507d34f4709fe308dc23622b89bd0795a76ca64673dc7cdeddd258c5
SHA512: 26f7b3939117e33d8f0b77b24f94bd6e9c822fc35020623018ad182b5b97b0698ca13360d52452da72e9ca3408f5905038e580fe991d9099e833d0436af6fad4
-
Filesize
1.2MB
MD5: a136ca4ef3fa80bd06520dd1fdbcb4f7
SHA1: 705a837d4a46d9bc395357d43f3b40a867b42663
SHA256: 01cfda96a5ccc1acefc14368afcce48b3d876582f9f55822927089c96ac5fe0e
SHA512: 604e4403858f0b7322c0d0a443180f5882c29101fcbbdfa6f1609c12a6e7c621ff88d4c75e610da60a4f42db5f6f750d7e755c227d3f69ffa28d7548d9829a1f
-
Filesize
191KB
MD5: 981835fd3e37640bb23d27896302ff74
SHA1: 7bf5ca4f0d927caeb25fed489135b8c05e25020a
SHA256: 28aded3031e85b441456a116d3deca714bb1ad858c425f658457dfa25d509cd8
SHA512: fcf6b9fd67ad069a180a5610ee38431d8c856c4c6bd8976f1268bbcc60296b1ce34d6777cb2ab6424ca198397ca5638cb4de9f74c197177b8e4a6288011d698d
-
Filesize
206KB
MD5: 8d8a5aa3469e9ac9a900fd6513681d5a
SHA1: d1d2645c5d2cc7d2d98254186ad36eebe3f63caf
SHA256: 951e3ea004606920cb88eb79e6512c0d9f3aecd60ef80e75ed6a099b9654f229
SHA512: 9d2b3d4261b4c6c00955c3a76c261c44ff6571577ebefbc788b32a877804fa767ce440b7671f65a78597f7f4b4c86c7f4f16221b6c8ba00a283cbd0ccba55a25
-
Filesize
1.6MB
MD5: 4d2c34f3a474a49974377bc4f327d812
SHA1: 63ec6b1fee0d1cc0f2e99bd7a8fa60508ccf868d
SHA256: 1e1d4d9f5418f32589bd012e448787cc4778fcaa8e4dd7359e92c81bfe1bb20f
SHA512: 44ab238422535bf303dbbf149d3c7b2ccff37e95d171b0bf3d8b339143b1294d1b2c2aff6832d1e0b5c491f6ba4946b5c6a725b84b4382f63d63ff3d210425e1
-
Filesize
5.2MB
MD5: 3cf3f6cb817acd082dbd569034782562
SHA1: dfc3ab3a77338f5399a6b7de37874fbc2b6e3c00
SHA256: c87d881f4ae87a9be069d12318d99963778cc20bd1537c54cbbb369cdd0030dc
SHA512: cf3fb57abdf3d086d3034cfa3f41a9f6ec02b9ec7ce8301badb6f91d5e6aad8943f595edc7e93dead851ae0c6decfcd455958c2602b1ca5d8b90f167aa02cced
-
Filesize
185KB
MD5: 5e73c33678461ff431b508b96939e90b
SHA1: 3190a9e1c0e03014587c49cadddc06be7a25a6db
SHA256: d80095f981ca0fd82d0908bfacb38dd789872664e20839da7cc6cd8945ba783a
SHA512: 081e7d603877f49d6de7ad92fc0882ecc53f28a419baa8256bce5d000d14e8c41a368cbf36433489fd08622f4472e296c7d9998629b9c0c05e62ce5817828f8d
-
Filesize
655KB
MD5: e03fe6b54833c6f63c88a5ca27c2d36c
SHA1: 29c553466aa7d1fc428b5bc2774910fb27d41035
SHA256: a91c460053fc9321dff4cc7d39805e81543189d2f76544ea657ad030cda1ddd4
SHA512: 576b93d4db8f154eda6aa0b53eb0c04bbbadece417fbd3a70a06966d914bc15bca31b546b619b0010294088b6eba796e0ec6053019d5c1f7fc83336728277148
-
Filesize
209KB
MD5: d6c840c638fb27ad136fe2e6bb3b9bb7
SHA1: 2b204f1109812ac1472d24604e97163547fd9773
SHA256: 8bb58446aaa4a076be38fbd4616124d4b29370aae805c85f3ef6101b99fc41d4
SHA512: 2d49de6d249f6911cf140e0e8a54324c69fc441c9affbf5b3da761671bf81269fa691c3e75049d123aafd7bd7718eeca9a772e88e36abfc6090912c8519181dd
-
Filesize
208KB
MD5: c7bcb0416ea2d3fe85f01b4a242636c5
SHA1: d217feed2e5ec427454d78e24b78c99b80c955b9
SHA256: ef7f6cc9ba9d6d5d6f119414cab67fbcc731917dbdbf7fc07a74b20982594bb2
SHA512: 9adf45b765d5b5c6d1071c22e7dceca4ad9a579d6ba724cd81832bdeb3451923db732b7278529963dbf2b6c323a55bf16ba3abcff0cd7c3e5c75200753dfd1a6
-
Filesize
182KB
MD5: fcf22d2791b4d2f5d5fa6b0244786ac6
SHA1: e011f637c1f13daca65911d5e46d56060b6088b0
SHA256: 2e6c4fe1a48dfc030e6a0a7a95a05ca5b910b4a5537d4d177a5752e02e8cd4e0
SHA512: 39d0c7520f3205329edfde81cbc4222df5d309441641b7015636e8b20a07ebdc3091636f8646da9da0c004b025be98d50eeb06395a3bad41445b300610e2e0f9
-
Filesize
611KB
MD5: 810d6ba9215160907e40cba69e3bfb8a
SHA1: 3e71d5ea3db3b8bb718a708ff91a7a4dd3f27a9d
SHA256: 0fd8a34355326fabcb5b00f98200c647ffe046c5da38b36ba55506a56d954389
SHA512: 5fe9d491ddabf8b7b93d2dfcf8cd16dc29f20f82368fe18460d9579e81161d675eceddb8e0dac06fecd0baa6839f0fc2b29d31e359e0c5d3cdfcb2e0b021f08d
-
Filesize
4KB
MD5: ee421bd295eb1a0d8c54f8586ccb18fa
SHA1: bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256: 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512: dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897
-
Filesize
205KB
MD5: e9c7bbdab128cca7d79f67f62590e308
SHA1: 304e2fe096c358a278766c68ab50d6eca8751106
SHA256: d490f6e349f272f835baae94240f5821cd4a4e270402c6b1dabb579e63bcc22f
SHA512: 35e7c3d6f432c32f0a569f9a30669591dd414779bbe29b2afe85e89a145e6c47e6bccf6d674683b4d0a693eede84ade6111bc0f5a09eb667a5acf2093582d22a
-
Filesize
651KB
MD5: 8fc6c63f9456f444e6cc521bade4dd32
SHA1: 4bc01dfebb2d7b422440f244daec2f9cf5e6ff8a
SHA256: e0b1ab526ecabbf68f951a0f7a8076d300d31150b2d25b34f904b6e7fbc07365
SHA512: fd326f359d8a80458c48ccfb11118f5c721b24c89648c871541d3e32ff7493fe87a01f8c13d59c2bb351de49297493ce5ef00517df3aac4c255ab899f766f26b
-
Filesize
112B
MD5: bae1095f340720d965898063fede1273
SHA1: 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256: ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512: 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
192KB
MD5: ecaf579643d346693230f7a1175f4705
SHA1: 3ee04b234176c854c4e41ca060a304f3a2fb3dd6
SHA256: 813286e86d70fb469a6437f62c37a9fcd4a0eb5283a5aa973616b114aa01fe29
SHA512: 9f8f640c3a9c7a4768d900fe7f66c5a017c7d7e00ffe9acca22ab93bd4a04972642fade37faa2f9f38f87d43920d6a46b32c6b69af7a4c9ef437b13116f38f05
-
Filesize
759KB
MD5: f154b9a4f0a8422f4150e230cb6fc362
SHA1: 15a9f7029f91b8ca35494be7683ad2fd0a623e80
SHA256: 2ab30be380222d96df35fb15d8f3a82069c5b716875033abfe835c72eb2028c2
SHA512: 8304fada0d40ff777e2ab3ec004c9a92212efd4938d638f64ca405feec1898b5017fdcb863311572ab31dee9cae159cdf7eb0d8b595370f0c8cb1cbd2973ad42
-
Filesize
205KB
MD5: 81fcbbf1cb6b293d78cae691e7c7ac15
SHA1: 8fd9dccf94ea26712ffdbf2ab1d7ee97181df12a
SHA256: deea2a0100a285c72bcb1f3a6d4486e8dfb620312a33273d42bec5c84558c8af
SHA512: 65b487d966b3b431c09f3e080164048a0df877a5567fab506de5d7f3f29e14a3dc098de48c097dea711287068b2bdcca9c334d682bdf89f35f679993a84089a4
-
Filesize
189KB
MD5: 65ec0c0a9642d7185d533fbc402d0527
SHA1: c29edd560c32129f930c4e5651906869cd25a3a7
SHA256: a3b293b333f5cc89e6ddb12dae57eea1bc00280752482d1c0a811ce7ae94bc9e
SHA512: 4df05ebd84b9b39b5994f83dd3649fa743aac04f6f90bc67d7dfc9149c937bc133ec50d097fa1bbc9baf4ce7ce61cf6f012b798435a614ab0feb150d8a393013
-
Filesize
956KB
MD5: b0a0c3e152b1f80cc99ba52cb17a4fd8
SHA1: 0d92dab840b2ebf2787dad570b0b804251f37cf0
SHA256: c8fc7033adb48a8187a4c2e6332a5b69cd0f117a5ae12fe3cccada5baa253e10
SHA512: 3c20c6d517503bd50a255edbdaa02f6edd7dd6dbbcd5ba97f410848f0eceff8ed1b1bb8f19966f38d459f935791f8b97bae5ac88fbeccd81a3a0fd080bd8ea88
-
Filesize
199KB
MD5: 7bf949dfe6cee543261cd492d1b0c729
SHA1: fba15b3e7e8f22912c4e7b8a390e21082190124a
SHA256: bbc58dbe99ffb54ea6ba22e814816b50a033b420c9372e689ca2a0c48398f9d5
SHA512: 13a9b8bf245077f1dc20f4490bb771d890909c49d833855cc9cc53e11625531ec34f80b2f67c3796fc9487c37f1d03f3f9c90422381557b094a0315b9940cb4f
-
Filesize
204KB
MD5: 1ece54c20afb029931e7877a0c0d3da9
SHA1: f15ca562ab912a05367084fd1923c1406f18d796
SHA256: 57f60a0789bdfb4428464c7d0e0a74be659c941e0990f18b3e9fc6b8cd2fe872
SHA512: b3223c9e0af9527eed7df20e8241f6c254ab10ad0e9fe25040dd703a556aaf1d95f5d8798e88d35dc68c34f28032afee7a2c998c5050b91bb22d2a901dcb3fef
-
Filesize
1.8MB
MD5: 1965135eaf9628f15bdc0d355c6f1302
SHA1: ceb9fd23a278c535b14981871e287053a62c2049
SHA256: 0953514d88a7dd097fa7c5c680cb999b9bf9d9129f1ee314fa60944507426214
SHA512: 17be1a382f22f2a2c041b9cd2c6a6575856704c7817a52c9237eb8a3259fc05459496b2500a092815eea35a8cdbf78d7dafa3d6bca60d099dc454149bf9ff150
-
Filesize
4KB
MD5: f31b7f660ecbc5e170657187cedd7942
SHA1: 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256: 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512: 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462
-
Filesize
202KB
MD5: 3f0a7c269ec4289c208606a14d0c3a78
SHA1: 61b8693ad2221ccd52ce4fcf1ae520fbe1b927a7
SHA256: 60954b0358d64db7c38bc1b23d4699ce3359fd225b5b22cfaa8df8ec8b82a5d4
SHA512: 09a7257c65b78a2e07fd5fbb9c697a478d35bb3b764e8c2e26d25436c93f66cc8bd1e69286e18a847d60ef4adf26157fc1db50f1b84a159e84ec8146a25ac58d
-
Filesize
779KB
MD5: cb67e3f2a2b1dbd9c900d92824329985
SHA1: d4620bb1e5308a0c0665ac0338eb2d196e1ede25
SHA256: db032515ec0d7ba3d7885f86a03c262cad98e02cd6ffff3c510fa9a6866d7113
SHA512: 0a46fcaea31ebb9e1622ce01f70887d991a73388767de58245bf8f92256cf54b2942772d58d05219f382221c177c09115d7101dc9c35cf88584b63c99daf4612
-
Filesize
203KB
MD5: 7b77c525fa7b463f87b1b1bf45b06f84
SHA1: 2c2d981bcc92946fee0f58cb790889690a82a71c
SHA256: 174f9cfbecaad8b77a83dcce35d412b33b2be593a0df0aafab422ba6f0430858
SHA512: de155182b0c7403faa8f30f3dc859413dbda1cdd46c9c7618712d2209f59005dd86c4e0a84f8b41fe5e49b0bd2032e755a758292f2b275a501dc07bffe2f52e2
-
Filesize
201KB
MD5: 945d10977f89a1cc922fe863737981ae
SHA1: 259c7dbdb6e36044c4e7d551d581c7f4be216dbc
SHA256: f84bc71a91d080ebbd085befa48fee6acec68fc04561d5f4f0d2c7d3fed4b129
SHA512: cbda93e365992480b23b9632f7b76500bc3d7e2dd22e7aba760c310d5490a44c9dbfdba7dafa39333676796f62326f6b9511ad8ff6f80cd851c8588496fbad93
-
Filesize
193KB
MD5: 679b007cd9f2e68949493019020084d0
SHA1: 2d551d05eef45b087c7579cb7c8e3f9b0b3f53fd
SHA256: 2ea6f3ac62dd33ac8e24accb128806847d86f4ed9bd692b2a1721f5dcad5d896
SHA512: 11d6bee9346af50333951584574f1d1ae57a92bd897a192ef466d114a716cca6cdd65c6dba95c29fb58133dd7abf7c420658ecf688e58dfdd2c8a563feb72b9c
-
Filesize
380KB
MD5: f552bb069653e2f0153c2013a1d914b0
SHA1: 925ce96e910cbf2213ebb334714e327dd1bb3e40
SHA256: 128e21e8de5fd829311da1b453b4e646f49614157bca105b9bc78f83985ad570
SHA512: 0b2cacf639351f818498299f6d7c43db2227daf027b0bcdd5de67cfa6c37e62ebfe9226206adfcb85e636755db13ae646aaca95047316fec0c231c9a622d7744
-
Filesize
219KB
MD5: 361a62885b9d72b01895dd64c3257aa0
SHA1: 351b6ebe422935d35533d56e595b7a0bfce85de3
SHA256: 054c478c48891f6f76b5c7595e82972d8aea6dc348e81fa3b2e256619697ffce
SHA512: 510934c974c448805b338e5a7083205bc5f67cff006d54c43c22cad833c5d58039ecc6a703054f2f032d7eee17a63fedbe783dc9411e7de6011e84cf3c72ef3a
-
Filesize
935KB
MD5: 496dd926a7e806319119aa0d6d64d5aa
SHA1: 912eebfa0437529b92b9baaf4328ec9db2704e4f
SHA256: 6223bace5ca91c324e8a6f02e27b3d09fe453b21c096c19a6a3b015cdf715c46
SHA512: dfcb4158c4910150b3b792a2dc9bcd17e6377bd97926dc6a139b6e961e23d0251f5ef07f2e20cdfdfd91cc534fd84cdf0408c49f0f78191fb10134e434021722
-
Filesize
178KB
MD5: 392bfc2ee95d0256dff31576a7d4b776
SHA1: a80955a60f886ebf66b4feb56634c2309fe90745
SHA256: 5c9c953b78179b46d1e3f1189ab6802e001521c0bd1c181500f88db00457f144
SHA512: ace4f632fc04de688e9a232a378b6649af38838a4102a792efcf84a74d0ab87987b6e8914c26f894610e9884fdf153876a4120c541539e160dd47837b35dc88d
-
Filesize
4B
MD5: 27146e8092ba01f097e01503cbd0f5dc
SHA1: e5eb9a5e4659e7af2e2531f1305978be0a5b0d01
SHA256: d955139199d95fb0fe4bcbb5edc1d6f0a3dea94ed03ee510491939e64f953f02
SHA512: 67cbe819e76af6bde0a4764bbcfb51f9b5bfa12243fc54ac952401c104610a92703528a7e455e8ee08d95f34a9fc844af26d1a6fd0dd5c29761a12ba86dfcb52