3523a6cd753c68872b2eb2beb45f67fb79d2e0f5bcbbe6b5dc78eb7aef82379a

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
Size

112KB
MD5

075a7b2ad4f8f6c5b36377ee28d16f89
SHA1

29461828281a1f48162d56595a6d2ebfda128634
SHA256

3523a6cd753c68872b2eb2beb45f67fb79d2e0f5bcbbe6b5dc78eb7aef82379a
SHA512

a74d5f6478325398e482169d9962abc71a6b73ba62d6ad9a525932b9047070228e6ac4eee6a48bb77b409fcf306c528b701f5240beabf3253ff4dc5bfaddde96
SSDEEP

3072:R5OIQ43v1T6YhTdKWJlBJHIolzPresrIJU:6IQ4/1T6YhZKEl7rlz/rO

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 59 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 59 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AmcUkwsg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	AmcUkwsg.exe

Executes dropped EXE 2 IoCs

Processes:

AmcUkwsg.exeQUEYUccg.exe

pid process

2580 AmcUkwsg.exe
2484 QUEYUccg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exeAmcUkwsg.exeQUEYUccg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AmcUkwsg.exe = "C:\\Users\\Admin\\AYIwUYIE\\AmcUkwsg.exe"	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QUEYUccg.exe = "C:\\ProgramData\\hAoIUwYI\\QUEYUccg.exe"	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AmcUkwsg.exe = "C:\\Users\\Admin\\AYIwUYIE\\AmcUkwsg.exe"	AmcUkwsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QUEYUccg.exe = "C:\\ProgramData\\hAoIUwYI\\QUEYUccg.exe"	QUEYUccg.exe

Drops file in System32 directory 2 IoCs

Processes:

AmcUkwsg.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	AmcUkwsg.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	AmcUkwsg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2420 4484 WerFault.exe 2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe

pid	pid_target	process	target process
2420	4484	WerFault.exe	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2804	reg.exe
3692	reg.exe
348	reg.exe
4704	reg.exe
1548	reg.exe
3408	reg.exe
4596	reg.exe
4912	reg.exe
4940	reg.exe
2780	reg.exe
1864	reg.exe
908	reg.exe
2624	reg.exe
3552	reg.exe
1536	reg.exe
4964	reg.exe
4528	reg.exe
4392	reg.exe
3912	reg.exe
2032	reg.exe
832	reg.exe
736	reg.exe
3608	reg.exe
2240	reg.exe
5084	reg.exe
1084	reg.exe
2268	reg.exe
1644	reg.exe
3552	reg.exe
4464	reg.exe
2296	reg.exe
392	reg.exe
3028	reg.exe
3800	reg.exe
2620	reg.exe
1632	reg.exe
3948	reg.exe
2744	reg.exe
736	reg.exe
1716	reg.exe
1644	reg.exe
4960	reg.exe
764	reg.exe
3800	reg.exe
4624	reg.exe
1860	reg.exe
1132	reg.exe
3576	reg.exe
1748	reg.exe
4660	reg.exe
5092	reg.exe
1144	reg.exe
4048	reg.exe
4592	reg.exe
3032	reg.exe
2740	reg.exe
1660	reg.exe
1844	reg.exe
2296	reg.exe
636	reg.exe
3184	reg.exe
2804	reg.exe
4344	reg.exe
3828	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe

pid	process
1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1504	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1504	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1504	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1504	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4108	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4108	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4108	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4108	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2984	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2984	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2984	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2984	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2112	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2112	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2112	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2112	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2008	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2008	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2008	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2008	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
228	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
228	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
228	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
228	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4380	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4380	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4380	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4380	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2056	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2056	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2056	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2056	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4536	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4536	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4536	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4536	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4220	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4220	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4220	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
4220	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2912	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2912	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2912	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
2912	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
3436	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
3436	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
3436	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
3436	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1768	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1768	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1768	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
1768	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AmcUkwsg.exe

pid process

2580 AmcUkwsg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

AmcUkwsg.exe

pid	process
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe
2580	AmcUkwsg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.execmd.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.execmd.exe2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1864 wrote to memory of 2580	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	AmcUkwsg.exe
PID 1864 wrote to memory of 2580	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	AmcUkwsg.exe
PID 1864 wrote to memory of 2580	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	AmcUkwsg.exe
PID 1864 wrote to memory of 2484	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	QUEYUccg.exe
PID 1864 wrote to memory of 2484	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	QUEYUccg.exe
PID 1864 wrote to memory of 2484	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	QUEYUccg.exe
PID 1864 wrote to memory of 960	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 1864 wrote to memory of 960	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 1864 wrote to memory of 960	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 1864 wrote to memory of 4804	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 1864 wrote to memory of 4804	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 1864 wrote to memory of 4804	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 1864 wrote to memory of 2108	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 1864 wrote to memory of 2108	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 1864 wrote to memory of 2108	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 1864 wrote to memory of 1644	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 1864 wrote to memory of 1644	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 1864 wrote to memory of 1644	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 1864 wrote to memory of 4692	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 1864 wrote to memory of 4692	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 1864 wrote to memory of 4692	1864	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 960 wrote to memory of 4952	960	cmd.exe	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
PID 960 wrote to memory of 4952	960	cmd.exe	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
PID 960 wrote to memory of 4952	960	cmd.exe	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
PID 4952 wrote to memory of 736	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 4952 wrote to memory of 736	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 4952 wrote to memory of 736	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 4952 wrote to memory of 4700	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 4952 wrote to memory of 4700	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 4952 wrote to memory of 4700	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 4952 wrote to memory of 4592	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 4952 wrote to memory of 4592	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 4952 wrote to memory of 4592	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 4952 wrote to memory of 1592	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 4952 wrote to memory of 1592	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 4952 wrote to memory of 1592	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 4952 wrote to memory of 5056	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 4952 wrote to memory of 5056	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 4952 wrote to memory of 5056	4952	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 736 wrote to memory of 2188	736	cmd.exe	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
PID 736 wrote to memory of 2188	736	cmd.exe	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
PID 736 wrote to memory of 2188	736	cmd.exe	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
PID 2188 wrote to memory of 716	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 2188 wrote to memory of 716	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 2188 wrote to memory of 716	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 2188 wrote to memory of 3800	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 2188 wrote to memory of 3800	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 2188 wrote to memory of 3800	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 2188 wrote to memory of 3608	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 2188 wrote to memory of 3608	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 2188 wrote to memory of 3608	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 2188 wrote to memory of 4960	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 2188 wrote to memory of 4960	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 2188 wrote to memory of 4960	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	reg.exe
PID 2188 wrote to memory of 1792	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 2188 wrote to memory of 1792	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 2188 wrote to memory of 1792	2188	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe	cmd.exe
PID 4692 wrote to memory of 4612	4692	cmd.exe	cscript.exe
PID 4692 wrote to memory of 4612	4692	cmd.exe	cscript.exe
PID 4692 wrote to memory of 4612	4692	cmd.exe	cscript.exe
PID 5056 wrote to memory of 380	5056	cmd.exe	cscript.exe
PID 5056 wrote to memory of 380	5056	cmd.exe	cscript.exe
PID 5056 wrote to memory of 380	5056	cmd.exe	cscript.exe
PID 716 wrote to memory of 1504	716	cmd.exe	2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AYIwUYIE\AmcUkwsg.exe
"C:\Users\Admin\AYIwUYIE\AmcUkwsg.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2580

C:\ProgramData\hAoIUwYI\QUEYUccg.exe
"C:\ProgramData\hAoIUwYI\QUEYUccg.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
8⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
10⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
12⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
14⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
16⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
18⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
20⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
22⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
24⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
26⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
28⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
30⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
32⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
33⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
34⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
35⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
36⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
37⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
38⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
39⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
40⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
41⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
42⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
43⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
44⤵
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
45⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
46⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
47⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
48⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
49⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
50⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
51⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
52⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
53⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
54⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
55⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
56⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
57⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
58⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
59⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
60⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
61⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
62⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
63⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
64⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
65⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
66⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
67⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
68⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
69⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
70⤵
PID:2164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
71⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
72⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
73⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
74⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
75⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
76⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
77⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
78⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
79⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
80⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
81⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
82⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
83⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
84⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
85⤵
PID:440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
86⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
87⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
88⤵
PID:3528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
89⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
90⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
91⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
92⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
93⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
94⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
95⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
96⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
97⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
98⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
99⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
100⤵
PID:3740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
101⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
102⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
103⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
104⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
105⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
106⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
107⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
108⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
109⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
110⤵
PID:1748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
111⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
112⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
113⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
114⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
115⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
116⤵
PID:1088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
117⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock"
118⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
119⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 188
120⤵
- Program crash
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:1724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsMowAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
118⤵
PID:5040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:3952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
- Modifies registry key
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwIYgsEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
116⤵
PID:784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
- Modifies registry key
PID:736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foUkUYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
114⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKkkIcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
112⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:1404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:3456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEUsUQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
110⤵
PID:2540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
- Modifies registry key
PID:2268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIAwEowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
108⤵
PID:3260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkIoQMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
106⤵
PID:1908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:5060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUIEsgUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
104⤵
PID:2804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
- Modifies registry key
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWIcYooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
102⤵
PID:60

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:1752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foMIYkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
100⤵
PID:2084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:1084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veYIwEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
98⤵
PID:2900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:3184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgsAMwsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
96⤵
PID:2976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmIYgowE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
94⤵
PID:3864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:1084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOcEosQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
92⤵
PID:4316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAUQUoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
90⤵
PID:4000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:5016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
- Modifies registry key
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csswgUQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
88⤵
PID:1148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaEEowQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
86⤵
PID:2060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwogwUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
84⤵
PID:4744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:4596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUQwAwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
82⤵
PID:4220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:1408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQcYQUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
80⤵
PID:2900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:2428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUgEwQcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
78⤵
PID:3404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCQcMAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
76⤵
PID:4000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksgYIoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
74⤵
PID:4528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQAUIIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
72⤵
PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
- Modifies registry key
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dScYcosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
70⤵
PID:4244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:1008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niogkkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
68⤵
PID:4000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
- Modifies registry key
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuwAssIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
66⤵
PID:2976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
- Modifies registry key
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwssQMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
64⤵
PID:4236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:2008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwEsAMcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
62⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqcMkIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
60⤵
PID:784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
- Modifies registry key
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKIUUcoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
58⤵
PID:1980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
- Modifies registry key
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYEQQUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
56⤵
PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkQQEkYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
54⤵
PID:4720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWYkwIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
52⤵
PID:2752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
- Modifies registry key
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEgIkMMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
50⤵
PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:3032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
- Modifies registry key
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgMQgAsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
48⤵
PID:3520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSIkQIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
46⤵
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKsUwIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
44⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:5084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgQIQwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
42⤵
PID:4404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaMYQMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
40⤵
PID:4048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:4752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gagUsQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
38⤵
PID:3404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKQwsgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
36⤵
PID:1504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
- Modifies registry key
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIccAIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
34⤵
PID:1956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoAUUUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
32⤵
PID:344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqUoMYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
30⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIkYkwsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
28⤵
PID:3408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQUEEIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
26⤵
PID:2976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tioAkgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
24⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEQEAkEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
22⤵
PID:1868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMMIAIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
20⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEUMQoEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
18⤵
PID:764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
- Modifies registry key
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAwMMgks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
16⤵
PID:3824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmYAAgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
14⤵
PID:1148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUkQEIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
12⤵
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYQQsYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
10⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UusQoIMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
8⤵
PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqkQogEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
6⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoEYwAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skEUYgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5032

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4484 -ip 4484
2⤵
PID:3196

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv Prz77u0690G11ehFaowDWg.0.2
1⤵
PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
154KB

MD5
154109954c4675fde352aa770c850e50

SHA1
8eb75e726073dc2be643e2212e155387dd14f2f7

SHA256
36b3d7d2a006b05c24eb4b2cf6b7485bbbf5d48e088c60d22d22a0513460f0a0

SHA512
fa18615adaa60765f4239ca58f1690f2232031083791c0b31e95a11c14eb0c42298d3ae657dd39747653e2e91c89098cdde0baf8bc616e49249fe91b8277db1e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
238KB

MD5
884534184c0be76e91b7b7a4cb46b6d9

SHA1
7dba0312ed0fad202e7764637c8f8778f3e551a1

SHA256
a2b053e31466c0307b28cc248c4998f69ffdbd10d16578bf765f48eabed0b776

SHA512
08d6be5d73ac9260d664bd0170aa1389141d9bc4da9153dd049c7604d38ce14016ccb7c58dd1ce12a3c41c4541881c59702f7257f0c9233395db49f2d0ea11ee

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
143KB

MD5
7fc99fdec6dc3ed6e36062a564aacaa2

SHA1
1a5f10ae6359fdf3aff1794263f2d6e348387c6d

SHA256
6bd0bed0e1c8ecd11514512f2a0a1c5b98a86a4a755c95aa5e35ce42697a8e73

SHA512
0e1dfde56a997c023126dba86b1cd1915616437d455c88d3080eb1c01eea32469de4534371802e500707090cbebb24a7bdb60e3dd9a68c5e4c96150ad4c05798

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe
Filesize
110KB

MD5
d30b29b72e1349321c53a482b93793ae

SHA1
c13069de0830f98db0645ccf89433c1ef95bd683

SHA256
a0d26f27a48784c51adfe274c1af9af891e79833ff36fe11d49ff5c29c8d2e7e

SHA512
1734e549c5612f552ef56b24698d0e53276676c03576e396042ce211aca94395f13ebcca9fab766f9d9f78103d96376758eaedb551d1236de667b9f9f6716471

Download Submit
C:\ProgramData\hAoIUwYI\QUEYUccg.exe
Filesize
110KB

MD5
efd67e37f845e5367dc4eacbb76c9c77

SHA1
a296ab22bceaa05027dacc26523ee205760bbce6

SHA256
e916a858dc6b70690702b2d4bc76efd626a1edef941a46fbc1ca95a3ba160073

SHA512
1da4d1550448d49c37da011be2f395cd183db0749c66d4355eb3f6f8069d3c5b7921b794198403095122f4b0ca3aa4ba6d7be3294a2c44d402d1cf108c29b4d5

Download Submit
C:\Users\Admin\AYIwUYIE\AmcUkwsg.exe
Filesize
111KB

MD5
a2b5ae4783c16601badc94930f686e73

SHA1
5efde98201db6319c8db19cbf8868749d3ea7e25

SHA256
a2191f68532860dac3b58d845f7e2f6c1609cedb79cf09286a7ca71071cc5a4b

SHA512
95c4e47a1c68a4c69fd84baf24e0ceeb1a37b5eed5185e45ba5c33c11a4b4d8f05cd08fb6ba5fb43d3700afea4314e5cadf5007fdecd8521b46c1352092c6ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
Filesize
484KB

MD5
9feae67942daa7e351eda31260e7d825

SHA1
b904fb10130b54d7900209ec1bc1898d6347686e

SHA256
678a816714d93ed622c01c00c2da22e85877c94c473c9d559b5e63135072f9b7

SHA512
06bd294814b0422e572f252a85d01d4cbc0c177f8b28c994f850c683cd3d942a46e479ab411d7dbd767bf2b4e0f67fcb8c36c2d156874841d4e740e79ccdb270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe
Filesize
119KB

MD5
725bd11fd36bbaa1aba8b3752341a3ae

SHA1
1b5ade79615f1d6d2c7b0335c486b2aa8acbd449

SHA256
ba902ae7c72006e607c130ac227aa45340f953a1b30c482c116f162c0094f789

SHA512
8d2563c7f9a5b001e16e516754c71c17985dd2c724597c02e4729ed8d57468e6609a951c50ae7389cd492284b08ae1e2eafcf201d57db2180d0a1bc5ab5c0dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
Filesize
120KB

MD5
b7e52f745e63b4649faeb14f8a148266

SHA1
e6da8d0efb40ea19492e05b6cad5841d821616cf

SHA256
009db1933ff9e8dc1a734137a59ad7c6d0ff139da37d2d160f05046795e7bf7a

SHA512
07de1affa1fc9891c875fe9626f43b7a9a1491d53cc5e1e010f47ec3fdbc9c64efa0a9d6099a786de999326ad6a7d2b8f1939aade758cd23731b01127e729dc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe
Filesize
348KB

MD5
18c48a56c8ea0dd03a9d10db98b96160

SHA1
55686fc068dd9851085f3ad0cb0a78523e194004

SHA256
8569b4e81e12f32de7eb4c9de7abd179eba856f34b2f7326dcfae4de1ec1745e

SHA512
ec18896e4f1cbbcfa8574707f6ceb1a1ba50d9b2ab5d9e86f726ae39cc09ea588b7958a7c51bfcbe6b733791853a0d6d4d3587477cfa6c7c655f0ca940978240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe
Filesize
112KB

MD5
13c3427efb2b58bb0ba5aa19c29bc30b

SHA1
edd6e001e6b9e08b6664c52a4f65716450e1599d

SHA256
9fa2d833facf9e942a6d890c5bc2e0327e05c48b1d21464ac5e9f3eee2186fc3

SHA512
f9fab88a53a5c16376edaaf44c5b8c517c93f984543dacd210dbc1a0b6041e6e988ccde50703b15eacf4e854b0530a5c1542ee24d9ce27126c4de2946c26f8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe
Filesize
111KB

MD5
af033f6f78e9205ff9a7363482b72fc9

SHA1
3333f52fd017d63070afcb5992a3c93b54464e32

SHA256
4390c442a3f9a1ef3790d61121b7ebac04c193a7b2c7da6abd7a7b53c51416ea

SHA512
3443e216502853ded04d4637a2be85a17ff1899945aa000f6dc143c6469efacec6c967cf9aacf44a64882cf4739155bd48957904160149e3afdbcda118fc389b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe
Filesize
112KB

MD5
b11b2f554aa625134d702c74836d1bbd

SHA1
3b5b901f1e8437f0bacb906bb7ffd8fe665c22fb

SHA256
8d07c1e207a31ced21826f676be6592233ef897e4ab46cb90daa5eaad0f34296

SHA512
68b6803bf16764e5b7049c4a54f1f0ceb9500dde121f347a5d5499dccb7bd505f183e9088815fe027432080c4d4c6a87ef2d94f456c2494f61e15e86e60aa6df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
Filesize
115KB

MD5
b1aef438140c14c3636413bc552550b6

SHA1
f8dfe39f86961c48e9f720d27cee1a65bd3ebbe6

SHA256
5b69573b1e9550b2b1b2864a4f8e73ff01f202f36610c45b3b1c06ae296be3cc

SHA512
e8f7d0cb23c2778056f61d257772d907a89edd624782fe88eb53cf5a4af471901621539e44d626ddc6a81a827b0b67546fb841f163a6d7e2db91644cc4bdd60e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
Filesize
113KB

MD5
aa7837d466ef01114bb10d1020a742b3

SHA1
f3fa5185616e61f27ef8a6848f95a0a39bbe7e77

SHA256
76df56a5b42d396182db8c73820e7ec97b00dd59cc9d3f48704851eac27c850f

SHA512
7b689751b1d3d2d5a1456ec8267390c7eb4234ac54a8c9ea5c3b95e1150e305b1c3a3f5ef937ce3950fb185bceb747fb72ad0810ceb35f722fe49366a0235097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe
Filesize
110KB

MD5
a4726ed2774fab88b3926914db3d36cc

SHA1
27788d87ecae5b291f2a8bc97a6199f1704f02d8

SHA256
c171512880278a8554021a4a819b7e93078171b07e96a68a7d27969fa2708afb

SHA512
961b479d655825bc061de284723aa0539cf3cb6ff1e06c9a863faebac754ae43d6e777626da95fc03bb016ed3d108cdd940525e342630c9abaaf640af5918e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe
Filesize
110KB

MD5
17ceb3f563fe4f3c25a04fbb5d3d3dce

SHA1
a0cf45ea6c70363c071250233d73f51ed78b6c32

SHA256
a551366252412341df901d4700abaa63a88445fd1cfa23b375bd5df180584830

SHA512
e835da658a675c602d663d23c3720655e24ab2055a7e105c6ada2a0e0c7356719b08ca7bbe40ad0fd22a3c4e9c4061f8a15352a4e7fdacdffdc43bc535b6d2fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe
Filesize
111KB

MD5
a28aa6f2f0aec9adafd3953722afea19

SHA1
06605152e0d524df6b9bbf666df6bb1ce2de9657

SHA256
5d3f846e924181f60233e8537c2eeca74ab9033aa84acddd052a565d53fc1082

SHA512
cebb6b8e655c76ac889a1d6602b6835a8113ef833ec4f653860e14072fe82ab7c35d614234d520c3d3eea5c35598e0574e21885eaab91d1106b1117f449eaea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe
Filesize
111KB

MD5
d4a7be98aab7ee41f1370e8716fe897f

SHA1
42f5dc216b8eb2e8587e5fe140a8277ba42ac027

SHA256
3912d11c665ff6f8775a996127405ffb83cac3e82852a2088a104fb3419543a8

SHA512
d643aeba3f5298f7211d478b6bf8689561eeec6f62c1e60a6ac0170352dfb22d80d196f306413b52099deb3d51f03ea2c4c80e4e11bc243f5b2b790b9d4c2afc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe
Filesize
113KB

MD5
f571e019fdf6a0d241855d9c2757c3e8

SHA1
2a819586b0fbc0b52df038ed083de37fc0b51b1e

SHA256
267c39dd731c26918d36cd1a0ba123462879f782f03cd6048bcd07a8607b6f13

SHA512
cda8003511738583dbefa2955c4cc94bdf64f8fd220beb1a7f9a2346437a77e021900c4f86452a2c364697753e42a0a222628ab6fb29932fedabc5fb1e9b3be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-28_075a7b2ad4f8f6c5b36377ee28d16f89_virlock
Filesize
814B

MD5
82fcea1a20250c6943e1542f233bf848

SHA1
c4b4be0882d43c9c9f516588177d10703112516b

SHA256
2d0a2fc18aec63afcc8b579b23ade273a2394b9875c35367690b6a293dcd7e6d

SHA512
fd4e160543ce50343be7d1ffe26c8b4d841eccea985f4e142091e1cdd72a724d6d84071a62cc4a3dbae6eb51924ef9f0631a09f4a15efaf4e79d21f3c0f8fd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQkY.exe
Filesize
1.7MB

MD5
60fd5475000b9e8c953aa9b8dcddb0c8

SHA1
fe8d0d002e6b066348baec39f6c820fdead4a378

SHA256
9c8b1e341abe1da93bbe91ed6d64554b16e8234b5e57d66bbc6c2ad565f90a33

SHA512
eac71d0b72dfa854cb8d8cea18a8a4326516a6d04f1a0b9d7d9d31b1b89085e0f3892cb981396e2861c22613a896f1c18772ec671f69e6f79312ae24cdf36766

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsUE.exe
Filesize
111KB

MD5
9b9f656fdd1824ec2b80ebb62541e270

SHA1
c811b9f70ab609db2386c2f6858eea88e10c7b84

SHA256
f74cdf604aeb2a2b8cb3cde860eec6a666bbb93b9ded5a315d9314e95a350e08

SHA512
0cba4d7d772b568e11f5d963e2ac4d94d222a4a82183942708dbd7f8496942a2fdead3ac1bcad035ef1909cf7eb44a86548091279f99c14a49a4f94cfd68e261

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dcgc.exe
Filesize
115KB

MD5
93826a107391706707ef4a63e6f2158b

SHA1
0c9156c1931aabe702977ea59140457012d3890e

SHA256
702e28b0805e52b451e9cb9f3d75d648d8b8a11edfeaa6596a37c570b299496b

SHA512
36ef3f11d4b923a1cb5f2d5a6214d81a7cee734c6eb066776d4bb6d3d2b88ed6d81837ac1db21880f50d0910f5bc1645d8299c6dc4096c4c41a0752edb5e9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYcm.exe
Filesize
137KB

MD5
18ad925486e185fa7e22e8234f652736

SHA1
8804230939c554ba004da6918207357d9cce40a5

SHA256
f946289dbed7729fd26d2b707deba66352234ed3b7aa83d9bbade8eda2c3576d

SHA512
f7bbb00f681c2c69bf87d2d50e17074dc8487e7940b36ae22d4252b0f1a9afe5e3e3031323e15a2d022405ca818ee874d3e546e1a461ad9299b63c04aee3d335

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcMK.exe
Filesize
115KB

MD5
c68798152abad5dbd9cc7cfb8c365702

SHA1
47fa81b24f3a571f9f45a4eb68b41ea0362a4005

SHA256
d18842b9f9d31ed37efe6282beef1972f8538f72600da190fadbab23a7d47d4e

SHA512
b2908e53acaa8e62c73994a82f1b3872c5de5413ac4a5d7d5478cfed64a1e2346deb8d472bdfdc81cc628f61bb868acf28c559af9d866f9a0dcd474d8bc8a473

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwkC.exe
Filesize
110KB

MD5
3fb3dd54301a2bcdde83089265f99d04

SHA1
42c6db662e65e8365630128a6d12cb1b94bc5271

SHA256
d9c382d12e9970736cfee2a11df666d2d557973c7687ec59d7c0ef2eff9b9cb0

SHA512
226a6a84ea125deb47a65bb037f1135609eed354e38930756b2c5b0452022fb1e6d9291bc660790e72e6fcdf64fbe57e6b82776bc9c0cb9f3afa709e49000ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoUS.exe
Filesize
265KB

MD5
ce2d9a28e7e8da489e777dd23d515d41

SHA1
7f1025b2bd4b00990a03e092e0df7af8309cc885

SHA256
952ef9b88ab5fa0a53c0de36c85b732677fdadd994ebe24c2dccf603b98ae484

SHA512
fa68f667dfddc176b1663c63e64747993cd0f19d504f5bd032adaf74c9aabb9a9550ee3864de0c0bc0a0c03a49e0d95424b814598acc5b7b9af59e88fdce382f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HskK.exe
Filesize
113KB

MD5
9f8371d5df8a39f72121ca2b0375e904

SHA1
807abeddd5e6d4cbe6696c78ec66423dfbc53654

SHA256
252963d64708a3b09ead8cb2c2545406a72e6e4d5e0dc8aaa3d2c97428c65e16

SHA512
779e6d2e187d7cfdfef8d3855dc3f8ade5c3b480151739b28c580aa158f28805eac16d2982d2dea04cd46e399aafefbc52f2800c952a45cfdb5faeb4964be32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAwK.exe
Filesize
118KB

MD5
1e49c99aa6959c60ab3350028ed74f01

SHA1
d5f09a176392dd555ccb875132d0ceb6ade9ee54

SHA256
64fccb842df5e811a6a652a58fe04439c67d448a64833f3640c449e65a98196f

SHA512
9a3d1f5784eee4bbb54c576f374982a5de4215fac7d920367f3216d03b60b856745c2fc955c9e0c074fe9da17b88fa2da34b90eae46194c808ebaf987f88a9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIka.exe
Filesize
131KB

MD5
18d8995cf468d2865a1fd731843f54d8

SHA1
c2c76e146509dea789049e4f877a9bb0c4d0b5bb

SHA256
0d78d375a39e18796d895857aaced37975428746a22c9d058e8e69235ff2d09d

SHA512
3df973da032dda6f05015fd8350a5a4b2ea2c2333de53c98ee36fd8a2e29841447b8c8b783a3e85fe173b09d6a9c7cd17a3365af7ab8080faae323632ae2ca51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgoW.exe
Filesize
139KB

MD5
d0f4a5fda49eada4c26d771a725ee032

SHA1
b2b7d8f2d069acfdadfb88c932ec989e4bf275ab

SHA256
1a127716e330fc8fbebcf185acc4e2f1a3688aebbb16898b74ec2edbb92b02e6

SHA512
d8de2e2de4690c4ad12efd387b1f5cd681f34730f9a0babec8a551326e70e7d16f31affe4c93c049489dab7193628bb8be192eb34e52f30fbd875bba9378cc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JooE.exe
Filesize
746KB

MD5
c2ff3a727a381e20aed155b32d632a97

SHA1
b46afd69fb3fd783a21324a6cfcf813c09842a89

SHA256
3430b1222764751bf57f9aa197bb55199ed514f2a74e4fac1b2fc17d25f8c5bc

SHA512
d2c771fa08a48be52826b838d13e8100aed2357442550d3969ee98b306aa32aca5819078bad04569243fc4c39b989eb5205ed6646bc4dbf2e10a9dcbb5b981bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIsY.exe
Filesize
114KB

MD5
715daa10fdd5d9d85fe90a2b1775af8c

SHA1
20e8b0cae214dc74fbebf80e35254c1976fc9ff0

SHA256
b1ac67ffc0923d1401b5e9d1110a71414b956442facf6a6edc977b4e4cf4a396

SHA512
9146ec78151b07c29ac917f3f263378dd788472c45dce4be49902fc8909de96d398a4567cf1f82ef0dc6ec41aaa382bdc04af8a6229485bbf29d621449bef747

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIsw.exe
Filesize
291KB

MD5
0f97ff479b8d89466ae50fefa22bcb9f

SHA1
85f5e24d1c4052964538f017342865466e433ae9

SHA256
d47186149ff2fc0c551d744d40284cdb3d4f66fa4e250237f7c0152ac6f92af7

SHA512
5883220a6849fe696d4d075f3d8e2f571182dd92ff947b520b1123b1decee6b31f5d64d6d88cd9a883b459cb67babe35fd1554829e8cbc3f448d95204b433900

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEIs.exe
Filesize
698KB

MD5
2a9a4bf7a178dea42287c341f82ab2f0

SHA1
2a0e85de700331b6786aba710d3f18e3a3fe2a6a

SHA256
af0ef8f642d718bb1df0826a4cabe685a82044c8176eacbd8f5b8125380ea698

SHA512
d5babcfa057dc6261001d377186b534fa5fb93a9fb8ce8ffa5dbc3b5627d26c9d874b3de0c18ca661280fb4c860141b0f2abdb350295b5e3e30f45c33c60cc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMQe.exe
Filesize
119KB

MD5
4a44f919b0f2028aef07e6337d6b6b55

SHA1
d26f1373ca80e32c52e1b8f3514c344c640e1089

SHA256
483df580dfc3fbda514f289b4e765314e410daaf6eaa2e1596ee528126c0d04d

SHA512
4a1ba2e90e61a64b6b8f69b6977a530b0fa6319fe3644350a657f47189e9354e0b716caee73c51ffd6d9fa0295d0db441b38ce9f5a34a7ed7101db4b58b8a8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkUM.exe
Filesize
112KB

MD5
7b2770db8c9f230c5f2d292053f28a8f

SHA1
70d540088ebdf495e2732aae971924e0a59b107b

SHA256
19074905a66ea77913dc963dcbb48a9f5a44ff65ef0292c0599dc272989f0a6a

SHA512
4047540d95e66366b2d90aa269b5523233ea4aab11f0f9d5913a4b105c1054eea2c96d9b0ce858592d31f227d41652cef6df90b136eb85242d85edf573f445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAAO.exe
Filesize
564KB

MD5
87a8a8f1d08bbba68d91121b032f68c3

SHA1
a2342338f85c1b4b11626a006b6db10d361fa33e

SHA256
558f36dfc88f38d7754503e0a084d2129d085c36aa53ee40d21023263ebd5bb0

SHA512
c8b01740d071873cd4194607d589c90caa3916178fa126b18969c0a2a0273fcdd2be5263f2856ebbe743be5521c357a787253dfbf3a3c4dafbfd131f14ad51c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OscI.exe
Filesize
112KB

MD5
8bf9113f448b6bb22f71e2ec1d275c75

SHA1
3bf8cd971b50fbb3d653720d29963bc277cc9abd

SHA256
55b5e30ca091b8c3e8fecb132537c335a3aeddf2739bfefade456827875fc626

SHA512
776dfe01826035a9a17c86d5ceef3fb8d6116582f1928aff9fd829a8be1707b6c813ce35cce21bde24ff98bcf616011f7b3e4d7b2c4bb76b06c3f1fd79311789

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQIw.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYko.exe
Filesize
332KB

MD5
f03cd58571151981fffee8ae5b444358

SHA1
0b5049d228cba11ca67a26aeb0ff1facdda2239f

SHA256
cc1846a24c2bdf906a8400cd69ec4b761ec8aeac4498f7a58e1c6a8eb7e35ce3

SHA512
a389d274bb739aa17c668e8b12448219cb5a2c304fec7b333e2e0678aa4d36fa877ee1c5b398e814653d288af26e0e4a0d3a284f1004145e7d7146a9de58cc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUYy.exe
Filesize
117KB

MD5
fc34405d9125d9dd4a23e84920ea9d4b

SHA1
5e59ea57c5b4957a922363ef87a969fdb7b9c2c8

SHA256
a515098f0caa4e78bdf4a3a075e9aa786c68fc529be9b952ed58183784e4419a

SHA512
7df7185a585cf32f9f55c22145fc6fb6c329528900773db7611a7d3021f8519f941727c3f314baee511c85e1f34eabd0a4bb90a2dd67035a5a98457b47553e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYMO.exe
Filesize
113KB

MD5
e8bc9a0031e345735d86987321b2bcfe

SHA1
2d014239fe96687c48d2a6b1133c2058465ca6af

SHA256
f514db836b92103734800ba3977089039f78171030d832e050e2968bf301e7fb

SHA512
c3bbdfa63605c3358076cb23370c736f0087a2a0e5d4e8cfaeeab1b3b540310d76cdd6fdacc86fd50fca2b2f5b7e8209a9ef578e78016cd3e7209e2e8b2e82dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAUk.exe
Filesize
553KB

MD5
bffe7d325d7dc096f5044440a58046e3

SHA1
5d0b11b462e6a3df20fabeee55b1758d5d653464

SHA256
3a1093b94d57be732d10edefd305b5b4ab9e0f45577add0cf4b8acca126afa46

SHA512
0ef20ce91842202cf7a1224011900f1dd8215b93e1ad6f7a0529e1889a0b5481d37e76855107ddfa75059d38f41808a4f4f465564358f6e859f7b7157d59da06

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEsE.exe
Filesize
112KB

MD5
d6c2e14bf78e1764f2429cae9c27be94

SHA1
60a3d4f2c909ff03770ee30fbc36888b7047cea5

SHA256
05e0e820b0195bacb706cda9f8eb2c804adda6161517a9f267eb58624690a9cf

SHA512
b331471a7fb901c0f9f1f5bac1e572b371fa05444af7ff6ac26fd5c787a1e62535f5f6eb9835a6891dd5bbc7cbdc5e3d0a8b6874c78aa1217e65939704d28841

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcIu.exe
Filesize
115KB

MD5
7e2d89bb0ca7e8c768cf60a13d0042c1

SHA1
fcbf8d5ce1733c3d33446a16d19ba7a4c861cb09

SHA256
2b43e5fff6d62af182fadcfe8e0270a64f931fb675ea24354d945075e4c4a6e3

SHA512
52eca2ebbeb3e31fab47f2fb91e8ffd552cb26e42e7e15dd576248931ffb2076136cb2348bdf25b7ffe0ceeee88c2af36442948f9f4d5651a8c193e6be60c7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToEm.exe
Filesize
699KB

MD5
cfb51e6d3625bb3544510b806dafe678

SHA1
70cbec9714d2722862df6dd55dff0f4b35049d7e

SHA256
ee007c2e8cdb95240258333deb664e3b2b7c6c1a5ab5fd85663e3b0542db9bf3

SHA512
96d7b835280d267c0cd6d9c81410f43fb9b675234a20fa26230ee7adc65f4ddeaeb4d247386b7fd6568810c7c4675d91940f4e459b75b50ef670c2a61ec8254e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYcC.exe
Filesize
577KB

MD5
824a50bf8841838f6833d27c4f6ec751

SHA1
575deb3fa11f311416348f9d632dc48eec5cdf98

SHA256
8fd864296eb67bca95709db7cff25572d38fdc0f1e052e39faacce61f1d7fc43

SHA512
904cc2b7dcfa3dedd0b01871abf5d1110925becc16c7a8ffb2b97a614ce3f0c46674d9b5e0626957f0ff4138bb6d2cdabc213973be684a68873d75aa87bc2f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcMG.exe
Filesize
110KB

MD5
56ae217de18870b61ef98b8682374196

SHA1
9454b01cce6a595c7d1cda7d4cd8c96c093f8127

SHA256
a27cc309501d59ec920368e328d0af3a8f7121590484ec67526233e0dd90578c

SHA512
7ac34706246b5fdc35d3b15b4c658af26b03276930ec25314f026f4d19dfe09337be619ae0b5c36bd5c925c9d0e0d5d2f08804c554eb0872b8841faf41bc3670

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgQA.exe
Filesize
113KB

MD5
d4059b22e4a5d6e897c291a1453b24bc

SHA1
540e8edf9b9fbd947acab25cd9f7908f496c3b16

SHA256
89632eeb343e9ab9615fcba4a037809c26815980feee8568f109bc882cfdb006

SHA512
630bb11807aac45417bd953dd7102780cf15e3c733f6baae6ea94ef7a3747d3f5bd8a13de63076d5a037f41a885ac01477441c8bcdd43824a523744c94696947

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIkA.exe
Filesize
115KB

MD5
673a8fd44966576373d691a85efb893f

SHA1
41a6734fc2e075e8efcf9789d90393fcdb0cba4c

SHA256
554bb609430c118fea254c71689166f516a42a6328a88b7e55d6a03e99f0c9f3

SHA512
111cf25b94d171b78ea2389e7e51a5d797a47279fedb6f01dcb74b456ccede9a9a2770079f66c7d22e731d0a3024f9a57925401fbfeb1e218c5e6f625cc2ec22

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIYO.exe
Filesize
490KB

MD5
e4ef49c8dfe0c25b162898dda50067e3

SHA1
e4ecc6d165a1d51b0260ef66ba3eb58fde9e3c4a

SHA256
0489317857c0d1fe27316da6e78fbb15e40d5d99e51d1d9dc80d262e9dbca269

SHA512
3576dcc238b1b675eb5bc520fb16ed0e0d98ee445d0d8545ac169cd045406542dae05c29ca2912aea3c2439773290401717bb4211c2862aa0c4e8d9fce611ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMwm.exe
Filesize
111KB

MD5
66d907c124d9799da6cbbc16fd85f561

SHA1
60ed8ca328f63387475ca82fdb938d38821305b3

SHA256
7ed3e83af71ec1d0cfcf5a1c460a63beda2d4d69d15270bfd70d0669e3a1405f

SHA512
e750700e85ec62b1a1a8f53ae47d4b2c77ac3ba0977361c7a1d36765da53c3a08acfa843b2e70ad8c841e05c4b38db027355a74ec73915ed8cc4cfa25bb0b058

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQgY.exe
Filesize
238KB

MD5
59b0f37d8eb3545c61f3cc94c60b6119

SHA1
50b334f59546c272ae3038396ae2a492dc8514f5

SHA256
34410de5932d5f4b3585a6d5405a4d7bb71f8115aa6c8ac5e17ff67557723b68

SHA512
60af10ff5734acddc9295742cba5f7af17906bab1588d17fb7e67215549dd74f3d9a2e01f88bc21abd102210f4f19645eac83f1edbbb4af93b556823cb2fb4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwAm.exe
Filesize
564KB

MD5
60b6271b68cb1a0a5d4769e2d49bb5f9

SHA1
16d01c06b271333ac74f61e26cc97b69453cd3ec

SHA256
f3493c507f261394443a27140c2dd5e713b7536e3b5222f9dd0e1f642dbba4be

SHA512
ea5e2cfc04f70e9c53b3136b8a542265d171fd9ccf7a96330d9c55786e9121ce9e6dafde5c335591eef556f26c4f1d741ac6690d6b3810b00994c376bff9e4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYAG.exe
Filesize
556KB

MD5
2e8c1a896fa10188898ccd3928ae0248

SHA1
a1a063216072ceaf4240b983d7ecb4cca111792b

SHA256
40903bcb3b67cbee741ac4ed7d694a5436d78f4c1d78c932e029c0f58856f470

SHA512
904221689a848be57b7c16617c35adb704542f13c7a36356ee78be8cdfc00f1947f9f7fe6d5b082b761402f98de7d109341247cdab6e0a6d2e8f3392c03f58a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYwe.exe
Filesize
118KB

MD5
2916885a10e87ca79a8a4786afd84b8a

SHA1
7142e7e910ca59b9a6d1e8e69587cf9a4674ac0a

SHA256
66a907176bc3ddb3d5774151e3d8f0a33e4f3026ede12ac279494335d1267fe9

SHA512
2a505b8b71b57da80afd37443d7b00a4787f27141be831d405981e4215f5f8efae01ccdb632a3568289ea48d02e3426c66a328682b63bef3406b09bda59eeeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEUS.exe
Filesize
114KB

MD5
b420719622ab5a4b4791481151070abc

SHA1
13ec5b714af3e207a05d5125fae0afd1daf5a2cc

SHA256
ce286ba120000e31fdaf493d08779d3c97caa5ea85e47452e0466b3f26e3daba

SHA512
02157085d2f607f6b3ca5b525e3f81eec3d031f523bf3b104769609c2fe7574a1dd65932431a9a968f7e83bea4082df336758c874d68ab512043cd9128cd34a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\awwS.exe
Filesize
149KB

MD5
0e83768463bc8e740317ff75146efe03

SHA1
3138f4ee6ab4daeb4703a8e27045909e42449661

SHA256
3cca4dded634e4632c95ce04da5a4355f6ab469cb7ba25cbf39e1aed3b6138b1

SHA512
fd2c3b45fedb9679b0ece907a1448610be8d874b6d4a78451f422b230cddcce3b70b69c4a54e13322eb413c2d076c71c68e1d9420914eafa01e53e91939bd5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkYm.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\bssO.exe
Filesize
112KB

MD5
6c157fbafd82e0898d0287e1bd186eae

SHA1
7d6f04f01e81d0753d600b43dffe597037c82067

SHA256
529fa6ad970895e072d2c7540400f22d5767bcd6c40a200c92ec174a892e73d1

SHA512
0d8b791d4a334c5318461f31411f9668acebea9a5632301b7cf5783c23dc0bc5115d4c148678edf5f5502eb94801d63b2669e22cc1f7ee3186f57cc3ec22b453

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwEG.exe
Filesize
112KB

MD5
04c85d23529c9cc477336fcd1a9adb70

SHA1
626c2a6391fde496ff08db0920e96117018f3294

SHA256
6bc711ffb40e686e32a1a2458a04b4b32ebb2d52d319ed2e9e2135780c997770

SHA512
3b6ee1b8c33cd32ab01a8b03bdecd99cb42fe073d18143ad403536dc970f384088341a9d45460d101ba9aa30a5a36db53a7d09e7ef4db24c7f08c0b3b3773817

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYMO.exe
Filesize
5.2MB

MD5
e584ace37f45bd5b70abecc8930bb4fa

SHA1
4923d691bfd4c83692f4f51fbc04dcd5b2fa5e4b

SHA256
38a13c70394f526b283c28c1706ee54fac74176faa8ae079efbd76f1046d22dc

SHA512
599c8c2879fe672b548f0f59f6f154ee7394aea543239eb32e37dd7e0cc416331ffdaf55bee73332fb249f007e003601f2bb2581502fa31538be7266500319a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cscI.exe
Filesize
116KB

MD5
36b9019517e0e848d7c172a1bdc8de33

SHA1
07fd613ebf5475576cc4b26c4341d1bba4f638a2

SHA256
42023c835fb885a9cffa8accb9c06c8aa8d85e033798da1e4adbef4fe817798f

SHA512
e8a7d9de715d7dcdf32bc0033727f1d4eb6ad9902e1232f8a3f3e35663330959dd728a577f95b62757ad2534b18a4818c1c9a9dbd68e02560b911bd5da29f43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAUG.exe
Filesize
112KB

MD5
ab2c597ecddc1fd92e60dfc7ef1b9069

SHA1
0eb5e5a108a0176fa99b7010a1c1893255d05d2c

SHA256
754dfa71b93621915f876aa524a5548d7a9457633244b6913cfbc14262ecfdaa

SHA512
39003286a654b5e8b59374c12364b0b51c7825cccf3261468e7eb08a8e1b87e2e78416822a1343645b60abd59a02943e0023b53a139707886e94bfff83b91b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgka.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\doMe.exe
Filesize
743KB

MD5
ec8b2cbc1d3197438b934b76a5b351fb

SHA1
62e485304b70af59807ee45ecf52fd10d090c819

SHA256
c4ba9a2981254dee47f098cf222b295d7ebb174845b7e1b4c235044811148bf7

SHA512
7b247ad05a5d1f802679cee4f847d92469358a8439d63e6094f7e5b8e6e3bbf5cad2dc389adf9f4841d46d17dd74cb5727fd3babcff7d5fbf1b6a018ebce65fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekIc.exe
Filesize
119KB

MD5
4d3a43c031d01ebf05d82f33df197df5

SHA1
8b14de47f0e083d234f5a1f5e4008a3e0820c078

SHA256
e114e3548870fd208797abd10fe96d88a5867586f0ee901e5f6bebcb447439e8

SHA512
da61c2d48c0cb7929297f7145b8881b9b728df44cbe232efaf057ebddee202788c8df1d0167527c89419a795f1ea1e2bd5391d0862fed66896c81e6e7e13923c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYsa.exe
Filesize
445KB

MD5
0ceeafec59d8717c695d3b6392e9e582

SHA1
ebac329b9de0b54b0c25533c4e81418fac3c846f

SHA256
4bc87d8a39023efdde69fa0bb56cf55e555d7e67682499bd1aa1a5df1ac07dbb

SHA512
23caca1747df5edfcbbe765d4faa11d2b061557ee27dedae863f45f46a63485b773965be0fece19144152802edf2a7626efea7c21f10e0d4b8401dd066b74207

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsEO.exe
Filesize
114KB

MD5
70ee836da9cebfe4d5c8a1a9583bc06f

SHA1
454c0dca3b8688b1c2bcc390a82ff103a13b444d

SHA256
94cc22eb3afab83b7823af0dc1886a90bdefd70da71460e979e8825a5af4cff2

SHA512
2c055cf7c94082176394a354c098957e2f44b14521ec1f4c0bdfd72121eeed63e35417bf7c7e64699af0fe4ff5d426b38a3b4bceb82eb1e9fc0180adccc58616

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEEI.exe
Filesize
355KB

MD5
6f3b0eedf8011f34044bdfbbf075cf06

SHA1
09d135aca1c612c8e9a8cb533ed77d094e7a1a72

SHA256
db10fddd94933902ae24ce60792a21380cc8930dcc5deaa7500b836baf3ade83

SHA512
af6a69cfeb72e2ddb03e5fba5b7bae7c38c2efe4b35202e3ae7130aa902d7d0848cdd6bdf09f44657fe643aa8d29c5fbb57c213197fcb4c0e269602a7a645136

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQUE.exe
Filesize
5.8MB

MD5
46ce7d9ecb898358e21c020c0ac7690e

SHA1
98a5f3a92c23090bccdeded58e33bb27bbb83eed

SHA256
f28bbf5db4f954a1e75aaee99b60b5751ca25485ce2d615d33818509b9f830af

SHA512
8bf6b40d1a879a4b276fc0eece9098ee9be88a5a09f5fc228550ac0af79002b4a0c4f5300697c6ec84627c27244f66ee4dac7c7d64437a680c5db873acda4ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIUG.exe
Filesize
367KB

MD5
c36713b7aa4f7d9f22b0b742a51a505d

SHA1
e18c668a6973b3ee68330e5a15e61a9dea614749

SHA256
25962311ea0045879fc8f81621f04321936cb1ea11fcfb92495125f8f439ab8a

SHA512
950aab84f43051aedcb0e343486ab6f120d50d5c4d346b9efa7c78b4c433779cc121399b17c3640930ff4f0f864d0254e8b5432a55edaa6268115794abd24fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIYa.exe
Filesize
266KB

MD5
40921eeb635f21bcf187002e2ed5aab0

SHA1
74b85a63efa1ab2f8089042442ef5aae35b83dc2

SHA256
8cbae1a79e5b6921440ca9ebce86970d2df3991f5e9871c6466ea22f91878a28

SHA512
8437a606d62e0d5920187cf61a78e5f0deed2a52067920d5092de62ee3ed91fd65391c7745c3e12dc8f3f6a2579ebf2e0c875d4385d6c596bfd3676059971a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIYk.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwAI.exe
Filesize
119KB

MD5
2e52034bb2e73e7c91e56a053d3d2ecd

SHA1
e497d880a237ef4fc454a4c5b0d986654efff745

SHA256
e277f37ab89ad0959982a748e63f0dad258856d0009ec6e43890be0a70b48c27

SHA512
1c6b83005178a974af1fdd82f8df225b367e32e46448336a85298ddbea71e6a8f2030710353cc4cb54bc90be8f3177aede0ce402350e52ba1840dcb3556e9ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIgi.exe
Filesize
122KB

MD5
b2633196e391c151cc2f58cf74ad0446

SHA1
28f78d9010bdd8a26e2f5830ea3c5864fa02d617

SHA256
d3b5ead910b97e9f6ec36e98776556370d5bfa025c6f11012f94794b7ed43b55

SHA512
921d47247d22bac6162e77098e0b1cea834c324782e090f35920405ba3aea0b12fac6c6f7443d8ff9de6b7be0bc8346d4263e8b8516c33a7c972f10169c45ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMss.exe
Filesize
118KB

MD5
b3ee0723c0b6935f56f36e9db33bec0d

SHA1
0756d65d1e78ffc217d622e7ec3c29c459671745

SHA256
08d917cb21df9f2cd97dc792a94835ad3aaf09d5d52cb23d20d6076ac174dce1

SHA512
0ba39e977b679460d5e7c1b59c008672fae6bcc9bb708fafd58b24bb3ee3d9efa6d7e9eb9d87b1da664330a7f28dc7fcf4e25d167517fa34cc38efd8b79154f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQMO.exe
Filesize
113KB

MD5
1155bc75e020a2926ccf13f41c9b6cd0

SHA1
cf080b2018e7abb376027f644cee25b46d1d6e17

SHA256
0a0e600150f39407c0a2050de69f3fa71782c28bda6575ffac7c1bca99d8f6a2

SHA512
d1f2c9fdede7230207dbeea81d5d66f13ffb6a34d58dcaf46548adb2174d6e652fa64b456ff0f8aca4841c71cf4468092e7bf9545e2ea506b5078fccfd798a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMoI.exe
Filesize
566KB

MD5
3ed6fc8448ed271e66fc5449653f3097

SHA1
8254141501ce061d9142139cd03b3a6db257469e

SHA256
0588f97a19cb6c075322595d0b63911284a471f4a0400e772c2dad88c23e5e0a

SHA512
f16bf59d73a4255ddf1e5f440775ec455ad06650e215f8a52d001367a7283028dd70add3526ebaa61cfc9d06845a6fde461b29ac0a6e27aa826feaf53aff49ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYAg.exe
Filesize
719KB

MD5
1cb543e2ebec0ad84d386ada31a3dd14

SHA1
85ebbed3a8eaca51e1d4f3fab126c8000ff44afc

SHA256
83b7884c6cdb1e540e88dd8d75a6e55a55721164fbbac2a76bd03000bedd9c14

SHA512
74320916a29c3de208062e0726edc710ee524d4c713bca3f04ffdbabc3707effe1e7ef30ef93afec715c1a42cc739c86e12ffbf2756fb58d3ffae43d3a3b4d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgMu.exe
Filesize
118KB

MD5
df0051f89a25ada20e0a5fc1da635e0e

SHA1
41269ef259d212894bd63e198f0e695a811124bd

SHA256
fac621b259bdd7d2b5fa2d37b8ad8243354e1619800a116f46b0aaee200d29c4

SHA512
0ec33dd7910f387b8a1a1e9249c3822b6c2a69e45c13aafb9aaed7fd4398a6c4e8b52abfe9ebc8bee664912776f55d51f88b7cc8d9495541882cb4b9988389cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQEQ.exe
Filesize
154KB

MD5
6459e5af4d1f31823b08a9157fa3b333

SHA1
295394455a811daeceaeb3c0007952b0f08e286d

SHA256
e5388171ec742f2981253e032784bba471456257756a44e8abf163f5420dad71

SHA512
395ae8812f1c8652314aa01a858cb37625207ef27ed27a8609daaa20a70cc0e0feb1cd0a4aab41ce22d1fdf084f38ae2fb40bf3bee5432ab44f4776d4c4a07c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgQq.exe
Filesize
112KB

MD5
181d9492e3468b6acd6fe7d57297ce07

SHA1
658800e6186634606d28b1f8a3c47adf8691e05e

SHA256
fb295a3f9a9e60569242a1f246cef07f8e54379f40a9eeff79aede07903ef1e9

SHA512
378fe1dd920ebdcd96e45988959059aaf5eff4ef30ad19aa406b2536d495483188b145d02af362221fee8e59644a65c55719eff38572180bbe04e1ccadfe21cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mosc.exe
Filesize
110KB

MD5
29edc5e49fc79e34b4a3729413825456

SHA1
4f4f79b46f6724d9e979c512e8aaf072613a732e

SHA256
a89208a1de6c59bf88d0e789d916f8eb66cff4368dc69b4d49d02ae3caf21794

SHA512
0ea47d94388b9089d3bb993a830eaea6fc8755c6a6c1fbf18ea4e85a80945d1ce60c8240f285020189c32bbee3e6a37aca7d603f1f85ea0a0f5005794d43ee18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUcc.exe
Filesize
116KB

MD5
5392e99a561dc54494236457298e45a9

SHA1
7428ed14400a12642da93e95f5d21687682d988e

SHA256
73cab6b9c5055332121998edb9e5976e81bbf51c02db23aa855d3df766397093

SHA512
a6f0f79594fda623391a83824684cda6f7dd91da807f8e6839b79a2b02833db297a4b298f9118c101fbbe0ceb0ea28a6c71fd3f91d31698a3ffe38880ac9f58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\noAG.exe
Filesize
121KB

MD5
98721772694f546d7d2d9ec3b29840ff

SHA1
b5aafca1bb94937be77127235716d1511e698f9d

SHA256
1578a39a297983f5ff7b56ef6341713edf97f2554f6289ec3f7d7f7ad03cbd33

SHA512
104a9c0273e89f4de132964cdc56dfdc2a4bb5ddeb78cda22a2fb98e420b62f6cd57930f99d4b202460695991fa9475fd63390987237c036911127bbd39eb249

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMgs.exe
Filesize
719KB

MD5
57803ecaf2f74ff781fbf08caafe4e9e

SHA1
c440c4b838031fc14c2f2d498334c19917402ce6

SHA256
3b349c9d85f7ffcf5b1b5b9afaa115f843ea2158fa35a8a02789450b8ba35aa1

SHA512
b2224265afe29573e33d4fb579275efa807ed57c304ff2725629c519a72ba4d2f74e7ae76691b44ab9ad75d04caccfde3c825a80ad77b5132289122304831ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAkG.exe
Filesize
556KB

MD5
a64c9a8537cbfba9738f8265837bb851

SHA1
0a6ee9bc7864295c3f90c5d8528b812c9d47bd70

SHA256
699f4f99a7e6cd44195dfc6a1c54ac44f8b03b1062b9eff04fe1c8334b6394e9

SHA512
5a80fca4bb4e9dde52556cd81d6b9dae84815e26ee0339a8df037454b52e225a5e100413dcd64354faa09f3b706d303dc36d684f6fce186fc5814ed97aa7669d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIQq.exe
Filesize
124KB

MD5
241efa89c32c40adb3ec8140945db894

SHA1
8ea18e279f8cc3af0bfb609495513e740ea02862

SHA256
9d20ee719cc41218d889a873de30d75cdc8f8d9f4b36323e35ddbb2b6f2563fa

SHA512
b275ccb52a3ca71e55dacc7c3dce51e9aa599f69a9d489febd7c40a183285ed18bfbfc83cf5ff7a5e57acea875b68d94fb3a9f2731ab1d14410ae95b3a738e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAkm.exe
Filesize
348KB

MD5
9f9492d0c268dc4e06bd514f1638f23f

SHA1
0cd10a3372d72853ff371bb345b99ab403e6e72f

SHA256
5764f2c3efa1df7444e59fa929fc35771084d87da32ae93967ef916408966208

SHA512
c7710fb555065707a55606606275dfe636e45ce627b8e4a8b5a2913a2288f94fec99b607639701e09aa6619e2b43a00025afeb64bb3c1b3f815067632c8b6031

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcAE.exe
Filesize
119KB

MD5
a1cc622dc5b28265fd74a53583db2d9b

SHA1
8940e3438fb73fa309de4b155e492105c3196db3

SHA256
d08251cdfb9bc072aed26b87a4a61dde96a27c6ef5951ecb03bb910082a2d5c6

SHA512
8c922f6019b11b0fb7495102f5c48732b5c7839314141204350cf6945a14fae1e1c4bb22f94dc034ba273c1fdfec7a08e6ac516ac36af6f9a92c9ec47d83cdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkos.exe
Filesize
5.8MB

MD5
45bb65546ca52c061f60829b9396b6f8

SHA1
0161292393740fb8903edb964147edcc4f528866

SHA256
3ed8da1492610241730eaf449a89605e831c7d88fc8b94f585456528bc4eb547

SHA512
d68323a5ccee13f4a29dd6c309701bb74dfda6bf5aec26ef4c10db49a8edf6c323567f3afebf6ff5032bc40c34acf81a47b9da945b3197838391febc7e348e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsoQ.exe
Filesize
113KB

MD5
5467bdf362de13820421ddb90f3d1e00

SHA1
dea20f1933bed858a5ddc5760289a8427fc121b1

SHA256
d65e2a7c5c500b071ec8d94b74ed13e496ed200d9bc456f9523dc68aa6b3403d

SHA512
512f830f3a0098f45e296205e05170bb35a14388a2b31c7ac8dd0ec597f09e0f50a29d0c528b976b3997b1f72a1bbe58e93a1519e9e68a992235ecca94aa1ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\skEUYgIU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\swwQ.exe
Filesize
149KB

MD5
a2346b7028c01314b36022d70972af46

SHA1
3cde15b4ced262963fb2483ad989103aaec6863d

SHA256
3f34d7dabb7281f3f792fc7f16a0509f275b8a0af1030e713e247ab4d2ce1fc3

SHA512
28ffc685791c50494df60ab0827e9068a847e715192a288009f792d07a65f6169c3fbf73376b18890d71a662e5ac191fcf0c23e12bc32311903c68f108450ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQwu.exe
Filesize
139KB

MD5
ee66d62af9181f11a951419ae1bc601c

SHA1
4a5f51c35eafdac425454fbc48317f9c2c051106

SHA256
08648d6903991d54791f5efb3f74fa4d637716add3d72c665b98fa85270256e2

SHA512
0397dcdf0993183cd82a98599a63708baeb26bf8e58bc2eaff93d7cb8a7033acba7288a7cc1dbaa074aac797f9b3ed761f2150b3b4e6c883ab811706e6582307

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukYc.exe
Filesize
1.7MB

MD5
f4f2c20784b418d25cc96518f4db6abf

SHA1
e43acbb38d50b22b2f6ec2d198f68c7d63ae0f71

SHA256
ad36c37a7f217893ad8314f36d8b0e760a9eeeda787c6989a0662eb0f730f185

SHA512
65633d6dbd71bcd6c1859981a8a349f615c349a0ea260e93d723233ad83d902491a24efbe77e26a6e5228175dd887a77aca4c46ac75a10f9e9dae689d97aad4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwQK.exe
Filesize
113KB

MD5
439fee071afea708615516edb401b740

SHA1
60f65a8678d75b1a82c25acfa6327eae9c06a2e4

SHA256
0dd766013a9c7aad9c18b4d8cf33577df5720565d838b5351bd98c8d84d4b6cf

SHA512
24a5c46b68462f945631e6819262c53372ac8e651aec6257555179003f56ba366dbbaf820c1efb9c684bb174b5f060a7c4055c05da391068a810ae50a3ed6a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIog.exe
Filesize
115KB

MD5
ff123bc816b0e0c06c90f011d3d0d31a

SHA1
4de99399f4becca055d5a71a0c5edc91848429fe

SHA256
b772cdd3c72a625cc8471276f74d7928cd29841cb308a00263253209ba6221ae

SHA512
37b49438a3d2dc7adb32911771b3d9a0deece06b31c7db07874e7bb3cfa4c32164487200a8ab9a0c500c991aee65726e042c1759568739f929f7fea3ecc5a663

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQwe.exe
Filesize
120KB

MD5
0a959d37b3d3c36965f28f73a27f2ff3

SHA1
5d91af96e7e00a60ea32670e5af3ecc12cab6603

SHA256
114ad7636e0914fc83b38099abab2a45f25bd31a7db924eb6b02e30c752e8488

SHA512
b43b90652685ee0a316aaff3acf2d7f190dd530810870f457a03cdec9ee47b91b85100f3a9c956ad0703291e20558731b9a04f8d75237c553fd3e19709c5d0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQO.exe
Filesize
112KB

MD5
5dfb350ad940e5c608865ac4d5a90b05

SHA1
03486d95c76a720ddfae1d782f2f629ae7e96079

SHA256
ea25fb3ddc5edfa9b1dc7a76707d66d7f4eda4630a063edc4aa18ebd14fbf940

SHA512
61d6beb84b456100326ea58e7302c341148a1bec81c17fa1791a0adc80abbb31f95f834a5ce6b572f2549b94df1ee70f2c809d93935633ff50b5a819b2e3b089

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAgK.exe
Filesize
145KB

MD5
9f802f218b012aca2d6a3e72d78ad54c

SHA1
f4ff4fab8b93c02d4f0be5daefce7bc8a52a751a

SHA256
f0c5d1e13c86537fa325c0c9b6f76d77e4efaa754a02650c578747c2d947f833

SHA512
43165ccfe471474f8bf673c49484e808a6b7b1284bde168a132361ad50f867b3b979e68d08261d9b7371003c49aaec9bba67374fc33724788b0db5f7232760c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIAK.exe
Filesize
110KB

MD5
af232c142ac3239408de9cfbdd85def9

SHA1
36bed3a3c4fd5ce6055526f7ce9ab9c2afeca42e

SHA256
5acb6e2af721dae69182fcc6f33a3b10ca1faa6a1c1316d451ef1e342e742b79

SHA512
5335508049c5f98c8c7f9e1b1f3c2240a15e4ae0d3e701ecf32e86fe52e21d2fd0dc3d7ea9b4709968b4eb5b5e93a659874b4e88b39dcd0e908ff52668ddc6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQIO.exe
Filesize
111KB

MD5
9889a58f66e085abcedf5b4108ddd7ae

SHA1
81e923da2b6c45ac3bf441e33c481c3fb5bedb73

SHA256
20a9898b612049a7ac78327988bc78a0e776c34aa4aff8aa75ffe2de3c2268ad

SHA512
7de9ae21433beabe509aa7928a75a80d4219eaca145fc85b3ae6c8b683e8572ca669d74735c2dfda086636c6078ddacaa3e8321f16452fb9fd589bb4c8c38fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xswS.exe
Filesize
114KB

MD5
ad50077259e00e9668b0b86e97b9e4aa

SHA1
544bedbf59763966263f1306eefc6da3a639178f

SHA256
5e0486d1d340197c59d705ea720da6bb1fe8d974520ee1167d6dc364e1a1fd2a

SHA512
91bd22f52c16296d8eda9f9f21bcb315ec910e08000136966802d8d956c6156d2b34ed982d8e45ecac6e375b5583305f380167feb5611cba4081aec5eb5463e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIge.exe
Filesize
119KB

MD5
f583803da6eb4271bf5ef6d0545ba75a

SHA1
78fdf2eeb27a5ad448f2af6eba03653acb216bc5

SHA256
812b89297ac8322e12b9bf1d2062436526186ee7dbd4dc66fb8900997f773af6

SHA512
fd7d9125a11a14b8279f63abd23d52b2322d15212108ca5308f5749c91085a9390f03dfbbad54ca4c4c38c6b17a8e40cfa27d726cffb44ad453cdf2d328f8e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMAS.exe
Filesize
115KB

MD5
fdc5ec1d3eeb39ba61635618eeaff12c

SHA1
77533600487ab7f0804e4958a20ab2d18d333b2f

SHA256
077662e816bbb038c180bdd1cc653201590101df88caa09dc9f843abcc457489

SHA512
fc274febe421fd25961ba7edb2aa8693ca1d9c981ad7f4a3f11250be13848e8c4686b6c903b5eb982ce7324df02eb86d44b9dee9df27db44ffda6afdc39b6612

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMYk.exe
Filesize
239KB

MD5
a4e0f7201139c33e314eddb1f20e3169

SHA1
6135416b5d8d9ec02ea05230527268abdea4cd12

SHA256
a28681dd0885b20043da88261da0fee001d3aeb672aa67b33aad9dc9a3477df0

SHA512
b937a575583d47d66b486a23c72047cb3bbe05704d6372cc2a155e90e859c93dc8704c0146ff775107675c51bae7d38b35af7299d111ee577dc2a82c008c69d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysUW.exe
Filesize
110KB

MD5
0a23490f356313703744db4da9c55045

SHA1
876c8d35aa259470ec600ed5cbbd852c2e5cd9c1

SHA256
c76a58fbd70ba20dbfb013d777546be14045cde4d0bc1322283e5cafc2141000

SHA512
72d058157711bf4838f81ab4bfeaffd32ca5fd639a33f6ec5b4629f96c70931b0ce0d4f2793f62a7ae1322a9131028acf40961cc65ffbe98553e9f0237338b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEMA.exe
Filesize
603KB

MD5
90d62a00767c664998a16ebd1d8dba55

SHA1
c527f15b9cfafbacc678e119e9213bee399e122b

SHA256
66809136456af8cbfddb0c251db3b79cbf865f86fe849f2b1860ce164ec673ee

SHA512
98d284dab88641732643909d483a45163274aee79d7904ee1268532bf0ad5325078a8047df7fe2864568af261db6a6c308e526e5c0ffa2f2c696f170a3aa4765

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIQC.exe
Filesize
237KB

MD5
7c15a5e4c98a532d4c3b409043dbd313

SHA1
70ec77b88eb658e7cbcfb87adc1604ec8d7a83da

SHA256
e1b486a301babe22ae40293e2878ee808529cc223dcb1bcfce11df48ad6ae631

SHA512
587d8175e6474d24e363312756c114bc86cd2f4d16b795898ad16c8b1f0ce0bdd2bbcd9134a3cfeb1bbe7eb0d0d15a95dbb321cf4ed77c4f394c1fa983f222f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwkq.exe
Filesize
113KB

MD5
f221ac240425d7f1f027f0fc35d71e0a

SHA1
b87403238c04b8f0117efcbdd62750d5f4c28264

SHA256
451e317b0fffff962fa3638ac19e9a3e0bb200a9569eb98469ac77423014cee9

SHA512
0d8ef6e5e37848984a95b0c339d3a23f4025b32f7be82c05c331384f23a662ff9d7a21fb465d0ef6e1e97dc407605fa98e2713ce77289dbcf89711dcbf7c7690

Download Submit
C:\Users\Admin\Downloads\AssertInvoke.mp3.exe
Filesize
781KB

MD5
fdec017a7b1d562669590abfee333ca2

SHA1
65e70361c00f7a4128dc647ea6a7e9189dc39746

SHA256
5d7ccb7052692b4f7501dbf0b414c2e6a9b6d877c589ea6ae7ae9814feec29cd

SHA512
9d05376f00d6c02bbb8559b7771e7e48447e36ca885ddfa1bc368e2f77c2c0ff70b749f827901ec6f56735b6118a4d7e5be1791564c36bec54781dec7ecc8683

Download Submit
memory/228-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/228-114-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/400-271-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/400-260-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/404-323-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/556-357-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/556-346-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1268-285-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1268-297-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1408-358-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1408-366-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1412-367-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1504-46-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1504-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1580-214-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1580-195-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1748-280-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1768-199-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1768-183-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1864-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1864-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2008-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2056-123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2056-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2112-91-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2112-76-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2188-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2188-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2484-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2580-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2720-239-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2720-223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2900-339-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2912-175-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2912-160-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3012-314-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3012-306-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3436-187-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3436-171-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3448-349-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3448-341-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3504-331-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3504-319-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3652-227-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3652-210-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3948-250-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3948-236-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4108-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4108-53-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4220-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4220-163-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4380-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4380-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4512-263-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4512-251-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4536-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4536-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4600-305-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4772-289-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4772-277-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4952-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4952-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download