5d173a30c7cb05c2e978b933a355cf3a491c33aff0e29c25211de8b1797f4577

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
Size

853KB
MD5

86703d5fdefb4c37d51ca89db3bd1f93
SHA1

4ee49695a510638c8b7f2d8e02a91b264e5153d9
SHA256

5d173a30c7cb05c2e978b933a355cf3a491c33aff0e29c25211de8b1797f4577
SHA512

6b00618423e7fdde958832ebd3513a3288b2be7fc09dd366e357944f185e805c7bd85336761277b7f80ecfb1572ce015222b3dc672e04e50820254c605067f67
SSDEEP

24576:4G93vqGrvHTw084r4LTmVP1u9kqzw0RRW3EeFmzP:Bc6r4LTe1IkqzwkZ/

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (90) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

GOMIAUgk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation GOMIAUgk.exe
Executes dropped EXE 2 IoCs

Processes:

GOMIAUgk.exejIsAMsUE.exe

pid process

4564 GOMIAUgk.exe
4684 jIsAMsUE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	GOMIAUgk.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exejIsAMsUE.exeGOMIAUgk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOMIAUgk.exe = "C:\\Users\\Admin\\FwMEQAgQ\\GOMIAUgk.exe"	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jIsAMsUE.exe = "C:\\ProgramData\\SSkIYkAE\\jIsAMsUE.exe"	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jIsAMsUE.exe = "C:\\ProgramData\\SSkIYkAE\\jIsAMsUE.exe"	jIsAMsUE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOMIAUgk.exe = "C:\\Users\\Admin\\FwMEQAgQ\\GOMIAUgk.exe"	GOMIAUgk.exe

Drops file in System32 directory 1 IoCs

Processes:

GOMIAUgk.exe

description ioc process

File created C:\Windows\SysWOW64\shell32.dll.exe GOMIAUgk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	GOMIAUgk.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2096	reg.exe
1764	reg.exe
4088	reg.exe
2524	reg.exe
3828	reg.exe
4424	reg.exe
1708	reg.exe
4384	reg.exe
1464	reg.exe
3000	reg.exe
4736	reg.exe
2100	reg.exe
4228	reg.exe
2744	reg.exe
2808	reg.exe
752	reg.exe
1168	reg.exe
3944	reg.exe
1236	reg.exe
4896	reg.exe
2200	reg.exe
1272	reg.exe
4192	reg.exe
4512	reg.exe
1792	reg.exe
1568	reg.exe
1584	reg.exe
2252	reg.exe
4588	reg.exe
4504	reg.exe
4344	reg.exe
2416	reg.exe
4384	reg.exe
5108	reg.exe
1076	reg.exe
2248	reg.exe
4648	reg.exe
4248	reg.exe
3264	reg.exe
528	reg.exe
2256	reg.exe
4972	reg.exe
4080	reg.exe
224	reg.exe
1380	reg.exe
2700	reg.exe
4728	reg.exe
736	reg.exe
2092	reg.exe
4724	reg.exe
3224	reg.exe
3196	reg.exe
3048	reg.exe
1736	reg.exe
1808	reg.exe
1892	reg.exe
2244	reg.exe
4984	reg.exe
3588	reg.exe
4448	reg.exe
544	reg.exe
3644	reg.exe
2968	reg.exe
820	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe

pid	process
3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3760	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3760	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3760	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3760	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4592	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4592	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4592	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4592	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2700	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2700	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2700	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2700	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2676	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2676	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2676	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2676	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3388	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3388	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3388	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3388	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4952	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4952	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4952	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4952	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4928	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4928	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4928	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4928	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2416	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2416	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2416	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2416	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
408	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
408	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
408	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
408	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4100	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4100	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4100	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
4100	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3932	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3932	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3932	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3932	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3368	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3368	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3368	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
3368	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2228	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2228	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2228	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
2228	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

GOMIAUgk.exe

pid process

4564 GOMIAUgk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

GOMIAUgk.exe

pid	process
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe
4564	GOMIAUgk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.execmd.execmd.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.execmd.execmd.exe2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.execmd.exe

description	pid	process	target process
PID 3832 wrote to memory of 4564	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	GOMIAUgk.exe
PID 3832 wrote to memory of 4564	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	GOMIAUgk.exe
PID 3832 wrote to memory of 4564	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	GOMIAUgk.exe
PID 3832 wrote to memory of 4684	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	jIsAMsUE.exe
PID 3832 wrote to memory of 4684	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	jIsAMsUE.exe
PID 3832 wrote to memory of 4684	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	jIsAMsUE.exe
PID 3832 wrote to memory of 4724	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 3832 wrote to memory of 4724	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 3832 wrote to memory of 4724	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 3832 wrote to memory of 4676	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 3832 wrote to memory of 4676	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 3832 wrote to memory of 4676	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 3832 wrote to memory of 224	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 3832 wrote to memory of 224	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 3832 wrote to memory of 224	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 3832 wrote to memory of 3240	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 3832 wrote to memory of 3240	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 3832 wrote to memory of 3240	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 4724 wrote to memory of 640	4724	cmd.exe	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
PID 4724 wrote to memory of 640	4724	cmd.exe	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
PID 4724 wrote to memory of 640	4724	cmd.exe	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
PID 3832 wrote to memory of 1672	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 3832 wrote to memory of 1672	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 3832 wrote to memory of 1672	3832	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 1672 wrote to memory of 4088	1672	cmd.exe	cscript.exe
PID 1672 wrote to memory of 4088	1672	cmd.exe	cscript.exe
PID 1672 wrote to memory of 4088	1672	cmd.exe	cscript.exe
PID 640 wrote to memory of 1988	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 640 wrote to memory of 1988	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 640 wrote to memory of 1988	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 640 wrote to memory of 4212	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 640 wrote to memory of 4212	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 640 wrote to memory of 4212	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 640 wrote to memory of 2208	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 640 wrote to memory of 2208	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 640 wrote to memory of 2208	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 640 wrote to memory of 3888	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 640 wrote to memory of 3888	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 640 wrote to memory of 3888	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 640 wrote to memory of 760	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 640 wrote to memory of 760	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 640 wrote to memory of 760	640	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 1988 wrote to memory of 2912	1988	cmd.exe	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
PID 1988 wrote to memory of 2912	1988	cmd.exe	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
PID 1988 wrote to memory of 2912	1988	cmd.exe	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
PID 760 wrote to memory of 2224	760	cmd.exe	cscript.exe
PID 760 wrote to memory of 2224	760	cmd.exe	cscript.exe
PID 760 wrote to memory of 2224	760	cmd.exe	cscript.exe
PID 2912 wrote to memory of 2400	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 2912 wrote to memory of 2400	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 2912 wrote to memory of 2400	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe
PID 2400 wrote to memory of 3760	2400	cmd.exe	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
PID 2400 wrote to memory of 3760	2400	cmd.exe	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
PID 2400 wrote to memory of 3760	2400	cmd.exe	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
PID 2912 wrote to memory of 2524	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 2912 wrote to memory of 2524	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 2912 wrote to memory of 2524	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 2912 wrote to memory of 1252	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 2912 wrote to memory of 1252	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 2912 wrote to memory of 1252	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 2912 wrote to memory of 1776	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 2912 wrote to memory of 1776	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 2912 wrote to memory of 1776	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	reg.exe
PID 2912 wrote to memory of 4960	2912	2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\FwMEQAgQ\GOMIAUgk.exe
"C:\Users\Admin\FwMEQAgQ\GOMIAUgk.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4564

C:\ProgramData\SSkIYkAE\jIsAMsUE.exe
"C:\ProgramData\SSkIYkAE\jIsAMsUE.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
8⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
10⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
12⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
14⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
16⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
18⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
20⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
22⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
24⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
26⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
28⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
30⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
32⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
33⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
34⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
35⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
36⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
37⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
38⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
39⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
40⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
41⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
42⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
43⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
44⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
45⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
46⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
47⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
48⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
49⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
50⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
51⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
52⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
53⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
54⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
55⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
56⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
57⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
58⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
59⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
60⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
61⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
62⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
63⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
64⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
65⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
66⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
67⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
68⤵
PID:3624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
69⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
70⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
71⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
72⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
73⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
74⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
75⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
76⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
77⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
78⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
79⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
80⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
81⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
82⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
83⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
84⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
85⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
86⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
87⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
88⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
89⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
90⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
91⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
92⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
93⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
94⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
95⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
96⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
97⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
98⤵
PID:4648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
99⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
100⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
101⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
102⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
103⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
104⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
105⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
106⤵
PID:1828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
107⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
108⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
109⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
110⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
111⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
112⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
113⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
114⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
115⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
116⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
117⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
118⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
119⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
120⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
121⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
122⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
123⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
124⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
125⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
126⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
127⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
128⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
129⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
130⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
131⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
132⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
133⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
134⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
135⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
136⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
137⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
138⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
139⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
140⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
141⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
142⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
143⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
144⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
145⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
146⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
147⤵
PID:416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
148⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
149⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
150⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
151⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
152⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
153⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
154⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
155⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
156⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
157⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
158⤵
PID:64

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
159⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
160⤵
PID:4100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
161⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
162⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
163⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
164⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
165⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
166⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
167⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
168⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
169⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
170⤵
PID:3760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
171⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
172⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
173⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
174⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
175⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
176⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
177⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
178⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
179⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
180⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
181⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
182⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
183⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
184⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
185⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
186⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
187⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
188⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
189⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
190⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
191⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
192⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
193⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
194⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
195⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
196⤵
PID:5000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
197⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
198⤵
PID:3760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
199⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
200⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
201⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
202⤵
PID:3952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
203⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
204⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
205⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
206⤵
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
207⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
208⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
209⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock"
210⤵
PID:1592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
211⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
- Modifies registry key
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:4120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQkYIIIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
210⤵
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:2272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:3540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgQcsMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
208⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- Modifies registry key
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqYkcMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
206⤵
PID:4740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:1380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCoIggog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
204⤵
PID:864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCIQEQUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
202⤵
PID:2208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:4124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:3172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:4640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaAAQMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
200⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:4596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:3500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
- Modifies registry key
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DskMEkgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
198⤵
PID:3540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQcogAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
196⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:2244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQIUMIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
194⤵
PID:3028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:3756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:4424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgcMkcUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
192⤵
PID:3888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:4860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
- Modifies registry key
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- Modifies registry key
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygsYgkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
190⤵
PID:3624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:5032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:1252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOUMskww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
188⤵
PID:3644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:4588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
- Modifies registry key
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aywAgQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
186⤵
PID:2240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWQQgkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
184⤵
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgwwkAwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
182⤵
PID:1764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
- Modifies registry key
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- Modifies registry key
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKEAEkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
180⤵
PID:1228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juUQogsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
178⤵
PID:3028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:2760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:2700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqgYgQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
176⤵
PID:1116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmIMocAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
174⤵
PID:4792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSQIwUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
172⤵
PID:1252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:3088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuokAkIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
170⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:1112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGIwgsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
168⤵
PID:1596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcUwIUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
166⤵
PID:4624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:1272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies registry key
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwkwIkII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
164⤵
PID:4992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
- Modifies registry key
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEcoMYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
162⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- Modifies registry key
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIcEUEco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
160⤵
PID:2096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:4124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciYwgMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
158⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FScMsAws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
156⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:1668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:1764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcUgYwYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
154⤵
PID:2004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
- Modifies registry key
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcokAwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
152⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
- Modifies registry key
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcAcUQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
150⤵
PID:4136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQQUwggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
148⤵
PID:2760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:5108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOwYMAko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
146⤵
PID:4224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyocQIcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
144⤵
PID:4100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
- Modifies registry key
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKMoUIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
142⤵
PID:3360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:3000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSwwAcQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
140⤵
PID:4740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCgooAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
138⤵
PID:820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeccQEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
136⤵
PID:3048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies registry key
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeUYgUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
134⤵
PID:4740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
- Modifies registry key
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGoIUMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
132⤵
PID:4088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuUkQYAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
130⤵
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcEMAIok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
128⤵
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:2956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIAEAwQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
126⤵
PID:4720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
- Modifies registry key
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCgYwMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
124⤵
PID:1256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HacsIwoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
122⤵
PID:4584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies registry key
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOUsQQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
120⤵
PID:4656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:3176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooMwoQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
118⤵
PID:4224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- Modifies registry key
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAIkEYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
116⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:4124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOgkwgko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
114⤵
PID:4248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngUQQUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
112⤵
PID:4432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCkAkgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
110⤵
PID:1668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqoUcEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
108⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqAIwgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
106⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
- Modifies registry key
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyEkssUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
104⤵
PID:408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:3060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:1736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQgosMwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
102⤵
PID:3000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mewIUkgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
100⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duEgUQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
98⤵
PID:3284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwwYUoow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
96⤵
PID:2208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsMMEckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
94⤵
PID:3868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies registry key
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:2360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TogosYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
92⤵
PID:436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQcAgMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
90⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOQkIIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
88⤵
PID:3088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeEUQkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
86⤵
PID:2092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgAoYMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
84⤵
PID:3456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies registry key
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIcokUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
82⤵
PID:3524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laoowIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
80⤵
PID:1820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- Modifies registry key
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoAoosYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
78⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
- Modifies registry key
PID:4384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqIAUkcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
76⤵
PID:2092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:2920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AycgIsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
74⤵
PID:3264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies registry key
PID:544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goYkAoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
72⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkEkgUww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
70⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyckMwMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
68⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYoQwYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
66⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:4260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suMwcksA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
64⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGQUwMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
62⤵
PID:3524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAkggkII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
60⤵
PID:4968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
- Modifies registry key
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWoAEQUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
58⤵
PID:3972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies registry key
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQsEwYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
56⤵
PID:4668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEYsIIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
54⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
- Modifies registry key
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmAUcgIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
52⤵
PID:3916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaAAgwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
50⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies registry key
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaUoUsEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
48⤵
PID:1900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:3720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQAIUocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
46⤵
PID:3384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQsQcowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
44⤵
PID:3888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:4124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIYsUMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
42⤵
PID:2180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiEoIcAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
40⤵
PID:2700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:3372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUsksMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
38⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:1272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOkAUMoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
36⤵
PID:4228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neMQwocE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
34⤵
PID:644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:4124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAUAocgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
32⤵
PID:860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWMcAYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
30⤵
PID:820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies registry key
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
- Modifies registry key
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIoAkwko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
28⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:4424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
- Modifies registry key
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwIkEMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
26⤵
PID:2744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JekcwsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
24⤵
PID:3580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuMQsIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
22⤵
PID:3660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSYoIQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
20⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcooMIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
18⤵
PID:2844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
- Modifies registry key
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giwIUkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
16⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoAUQAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
14⤵
PID:5052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiIYQkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
12⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUAwwgYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
10⤵
PID:820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIIokwMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
8⤵
PID:1240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeQYwsgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
6⤵
PID:4960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pckcYgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsQAsgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe
Filesize
111KB

MD5
1d04614eca7ca6901ad3e2e3e78517ac

SHA1
7ed9d81098f6970be69add2b9153ea9bcd5ed0c4

SHA256
6839ffcd4eb6034433ce803ee825ac12387cbc3dce45aad4abeb655e0df4d736

SHA512
0fa44b1619fce976792b50886fece770ec0274dd6d2dfdb197fc3470f74f60e1ae23bdae95225d0c1b3d40a7305e76bee57c5734f5b5c9b0e9ca94ba0f0d7406

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe
Filesize
109KB

MD5
42e036e3df8aca908598edce65202835

SHA1
9df162644cb2685e4a917420ec5039e33d58ea6e

SHA256
19857b9f866c4ba1ee13b3fd0bd4e39b0b816556039747981d8d406926ea8ab7

SHA512
9ed6fe3a1dad42e0fc46b681610ae672547f6974f3e981e4080894599e3cc1d59708f33d7a385303d397764cb44d21275563598ac8be288be4eea7ec7566bc20

Download Submit
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe
Filesize
721KB

MD5
f0429463db449e5adf2949ad4b2ec8fe

SHA1
3ee8497c9f304377bfda17d38a31909d67a0cafc

SHA256
9c2498d3a32f9e1ea11a23e794c87f736dd1f4200c791ab19222a787e9860eaa

SHA512
7fe3dee0ce5744d904133aa3118a5a6e40a4e4313c9fb7a90a85be667416cc4af55cc487443046d2ee01ce7bcc0515519ad41f4c0ed041a6970d88c70a9e3454

Download Submit
C:\ProgramData\SSkIYkAE\jIsAMsUE.exe
Filesize
109KB

MD5
a5d18967e570384cbf59f7921660fd49

SHA1
ad40e3b2bf1238b4476d9e3b2b48d8d2ad1a806b

SHA256
f920a8afec774212197500283d67bf2fa93b68b9b01046b40ec59c48d8012d97

SHA512
fd008e1675d50c7277b853313d4c10cb3065d7f52bed004c6c380a3a15a8c4aba68c844c6466980d557bacf850a49c115904a167acb02cca11e24038308b6a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
Filesize
119KB

MD5
88072646ccfa1e2fa813af1b73a2d5f2

SHA1
81cf488d93bc63c3b69c4aa89a17424758037dbf

SHA256
99dff3afbe138854e58b581a46ba715360552208073a2092f25eb81b25fe672d

SHA512
d8b3dfa97a3c09a6d4e602d0a3e18ad7367a980e4b92a76a9fb33bdc4be007c3c7ac39d8a8cd1ea39dbbd357cacf1807a9219ce900afb9fb8d9637425c7c1f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe
Filesize
110KB

MD5
e0dc56acaf310d36ab53790016cdac7e

SHA1
2e32999968256769cba8f92b7dfd90409300cef0

SHA256
c36b1cb8754ce2be84e54ce5a8055376beea7414e84d6f158f5c685e5c9087c5

SHA512
b671c4af9abe26ccba50863cec05094dec33edf723b75977b16672b491e15d2785ce0d37bd3b1df9e33842b0a0525b332aaf2cca746e26d46082b078df769fc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe
Filesize
112KB

MD5
6742074c8c0e9ac4f6bc466f0a2d3017

SHA1
413905ff2f935f0c14082365d9368c6b0772f6f5

SHA256
8b06b1b934ee781381aae49f50ebe5a07f135ac3e534f59235dfed3b2f5e1b16

SHA512
df00d51955c8252c68f3d3ae0fe3208f09cacf9a475dfae9560c0c8aa3e888a8e2ac19b138a13a158c20baef2808e0788aec6cb34e3fa92c38b4f559ec05bd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe
Filesize
110KB

MD5
2f6e4374e588907387d4b1958724f390

SHA1
a049ee0a1aa4483fd1b66f4a822eb672435d5846

SHA256
dd9aba0c308d679a14fb9959e0d9de66d6630ed6715cfae562f0fe00abfccfaf

SHA512
a30562aecbc38a9ebce77d9659f82e456f2f3ff9262d0ee2637922ef4b046c07e8fe7b8922a1a737093e3b9b2d15e34097e0ae5d028f2cc9ed3063875b1f2a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe
Filesize
111KB

MD5
aec7860a36e0824596fd65059ff8a303

SHA1
ed6cd4b98e9538dfa05fc2637ea338c4cac0a565

SHA256
f3db6dcdeae3362e79897276d61cb08c3ad05231b56002bb746ce75e42cc2d1f

SHA512
66056c19bc0038555a478516fb2dbd1a0948629600e39f96e471329d2fe0c1757f985acfcd3e9900d3f1938afb1e7e56242eeb4fa41989c9c11c1bc376bc1327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe
Filesize
111KB

MD5
e3ea7773a7f070c3b02ac28a921abe7f

SHA1
f50ba7725ff9dea68b3dc0f4f1fecf6808502f1d

SHA256
6dc167cfbec37588b845152825bc0829f0044009999441cb668d132f9cbda24c

SHA512
5a00dbc706c8c387d6538825c15f5cd6cb58154224b15b1109dbaf4cf56f46cf44f3a9127bba3ff4bc231145e30de81c6005904a1c98cca18e0b147b3cea9ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-28_86703d5fdefb4c37d51ca89db3bd1f93_virlock
Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAwg.exe
Filesize
745KB

MD5
542efa571c874fe47c385c71e69d79c1

SHA1
610ee4b0e7100485f18dd3bfef345ffc12ec181a

SHA256
3506de1084f3f62c1f45c26c60023236a251d842ac80db97f76878c4a3aff63a

SHA512
f1e16a4d5456ebdeeab06f2dbcc4c9747ab2ae396a527dbbab8c35d1b30fd35e76528d2e8717f6fb3e9afd98555cac9cd24055636e3fa91a21a84a47e43562fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoAe.exe
Filesize
124KB

MD5
688ccc68ef4393894bed492bbeaea7c1

SHA1
b8f79c479a054b6f8536aab9c460f4e6a7f38d82

SHA256
f81243956e86b1760901ae278ced5c265ba6ff9e4cce1511ce4ad167c31af8c0

SHA512
0098df7ad7aeef17e1001544f3d77d71233e099cf9940af8e735ff1acc061e24f5b360082354161bec21a4a239e5f9154320904983fae38a43996e34e6a56e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcYQ.exe
Filesize
528KB

MD5
d239115eb6f5545461e7cbb0193b1639

SHA1
fa816c3cceed316c1acd8d1cb58365e26ab50469

SHA256
ec4bbc3044dfd539b2305d6846e92580079834c5c737dc9ef8f8da43668bd6d1

SHA512
5ded2e9dc1cc33fa40162f22dac2dffa04e5ee0b6c2099958da809da3d48086422d07c9f70958791d3d287326a26855ecfd06937886da60b10173e11d2ff1fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwsO.exe
Filesize
111KB

MD5
e6064c03a12841a379135ebd36ace62d

SHA1
efc30dc86d9dbb4bc47b427d9761ce0b67b54822

SHA256
7244466bc1d568a6202806e4ef80b65c998e175e608a300809b19e699274c81a

SHA512
dbfcf3d3f9f5feb176c3588e74daa0f7bd0f7581305866ebdadcc6bce639a5841b0d4bc1b3884bfcfbeb1ed891578da7b9a869a24b4de75cbd3c81d4d9735cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwse.exe
Filesize
134KB

MD5
47c4af3c5709dd8d4f71a5e5774b0db2

SHA1
ca6560b3d9697f68c7de7d0858d13bf03837ac1d

SHA256
ca434d4fb04278ac92055fc286a62bc8d2a4815088ef9ba17266517d239819e6

SHA512
570da0745e15413e422a2efa73e748ea6454031b8a9c533a853a7e699c5785022869b15d8e170a5054ac14b7c7173ea5c270eee573c76659c4af2d535d05de9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAgg.exe
Filesize
116KB

MD5
770bf808efa56846bf5b3a66bc0c5ed8

SHA1
1e8a1b0e4e5d40878086c5dec780c488560705f5

SHA256
275320e4ddd5a0894dd3b6805593a1616d541c1ac224629efbf04c812337ccb7

SHA512
4a793ceecaa5b2b149bcdf33da3812239557bffd10f137d5dd14f892cd7ad795f9ca6adf52da133e2220fa575c11d9c91c4b2c6c831c09cd98aad8032d93fcd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQcQ.exe
Filesize
115KB

MD5
6aa098c36afb806567bcab685836f611

SHA1
eb91e0dd8a8fda7918c2aca24f527fcb7bce491b

SHA256
de6babfd8783cddc4e8dd36db5e155a00bf4962c31c5e9e4f8befb254882375d

SHA512
b5f1d714a789cdc58e0c836f4e32524748fd337d1d93f733401bd0145858522ffee432d37421b4a8cb5d766fb70e0b7edb71c131edd0990ba5d4fddc92d54718

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecwo.exe
Filesize
432KB

MD5
68fe0640b82b37152f0a6d89748983a1

SHA1
216e4d7c7f05a301011f5e058111b0da796058d7

SHA256
ddc9da022bc96283be5d4e681f3641a2b88dd2ab2e316c33fd1043fdc40d8166

SHA512
a462b271bbe6f3ae3b995bf62859b0bac3966ac894f8f084067990c992165ffe43ec317639a245ce650bd5e2c8c18cfb19674859db754a846cbc6f6bcf22f2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsEM.exe
Filesize
1.7MB

MD5
269431da5e22ed9b1af6acd4a8f00938

SHA1
24fc3b6effcd679d3ffa89bdb41c5b43c63005f5

SHA256
b68555fc5c62d9975960aa1f70454b32bd25ec322bf4f3d4eb1567c69a724b9d

SHA512
e15a8b5ef850d9a479fd215b1ab488b522584c89020f3bb529e7d39fb9344c7d6096715bf32cee20bcbff923195cf5d3a2767d2c64b5ad034e60edc242dfddb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Esoi.exe
Filesize
114KB

MD5
80f1940e35a4be454e68976aa3bd37e3

SHA1
9a0b680a82a0ff9162941e37505ed9de40b9d67b

SHA256
9d507c5fd2276846aeeb90732a559719ee4bc4cc81d247e4337b3dd91a1e3b58

SHA512
dc569db50332976a3416173280590e58e50595a1e7a42ddd969ca7bf11b17b25bd7acf5eb957af1b111740e493a51a78fb9033b3e80bebd830bc6ff413a5553e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EssQ.exe
Filesize
833KB

MD5
2628ffa84acda110905b27145a241a25

SHA1
d849772c20302b383688d093d0242b481ad2bd73

SHA256
04ba36b6d2603584bd45bf501c2bd688fca5a68a3d75692d90d7389b062148ab

SHA512
75230f71791df4681d86842765c282651897c7acd202e8d9f2cd8e1061e2824cc528d1e9648e1ffe72cbb38a387087821a5856fd8caae6a4403549d46c8ad65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIMm.exe
Filesize
111KB

MD5
8ed2946485a94e6d2d9160110e618a96

SHA1
67389103cad44223bdcf3a0151eb0e2018a4ed8c

SHA256
9d3e1226fb5c3f0952e1725a2eea396d2b087fd5c1739eb649dede2ca1afb9a2

SHA512
c35cbb519f074ae5c4919f3601e6c35006e103b2c8c6286b0c365ef65c669aa2605ce7d3b8e1e939ef68b44161a1d37ebda7a07ce0a239aa660a7c6487ed5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMIo.exe
Filesize
112KB

MD5
70f66b4075f4784b36898c954f198622

SHA1
ecc812516e16e3eed47b19af3bfee6899940120e

SHA256
bd1b2e47b3f2a329b76ec1dd134991bef9528aa75b62e242171d71bde35ec640

SHA512
3aa9558e604eb9aa5152d6e00b02a721957e80ea7f255589a363f2a2a02de78492b682967adb0b08da53ebbe557bb0f8c1ce54391be90f87d151cfc588bf9b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQQK.exe
Filesize
237KB

MD5
964a36f7415909bc2a3d6c4f31394fa5

SHA1
17edc3e7ab5ec981e1ec364dde0bae2648a06e06

SHA256
68b082b2b2b268d017eceb3641a3e83fda7d6f90b26772e3462669fd0840ce7b

SHA512
bebe37d32488a39722356109835ca64e4dfd3b03721aab757420e31a304da18c1ec96154bd6dabb0eaf0de706bd3436e2e2af2fb326779a9461591abb078a095

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gckc.exe
Filesize
111KB

MD5
699b5270db1ddf58f32ec1cee9181a66

SHA1
3a6018708bf3861b7d9a5c8ee17121926a659a90

SHA256
a6a4d730709507c756be3fe0163c46d8e61de409d0745bb1e566e8797056de22

SHA512
6c19b1cc4d23fd799234916cad90915c6b0999c8994df35666703a89bacd86d631ede063a418ba9cf9889244c53f0ffe8f53a8341ad876cdb68fd9d2d3362169

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEI.exe
Filesize
712KB

MD5
1a6809fa564190bc66f2a11f6ec469c9

SHA1
99320268082c01fb09c43710b52c537f2928ed37

SHA256
797896c411e09d99547b3d545090aa96747818028cee0f9de4c0abf0e45d2338

SHA512
40f40c1d190f3d18c624364f7b4ec2c88986a2fe49d5906ab3343ef50cb3e49e882b78a1b95c388427e22bbedd6ee1e2fc58889faf0eb7cb8bdc865e03cd272d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUIq.exe
Filesize
111KB

MD5
a5fdb1200242fa207c57abdeb827743b

SHA1
dd9b2ab78d75e7bc700fa6f303f23590c61b7a80

SHA256
b9bb1af5dbb692d0a6d749b8d3a7c628a9abd593b609ee00bb32f6d04e481697

SHA512
e6a333c224ddec4fedf7db23cc9ab3c2a3edf60e725c5fbbd4d0e173abf8df2ce2bfa8156ef15c00449acf7264abb3ce0f3edc6a8b378a6ea471e102a0c89b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkwM.exe
Filesize
516KB

MD5
65ce7aa39175b77427922570de5a99d7

SHA1
7a53ac5daf3ed9a5d348c15fc8eb4361a7d2f47b

SHA256
5ec48376b23ce21938e049345eac6963c5205cde6027a91241df7eee4fc71f7a

SHA512
32f86d16be63b8a5f968918dc4ad21d97839e70f175486303419682877f5d513e4ecd7fe0803bf2e01c43ba5a2ae771a4f0b19a6a709875ab44b52bba2d21ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYi.exe
Filesize
697KB

MD5
e448b038e6119fe9083593b326950cc8

SHA1
9eb2055710f9d0a24cd3a920bea50df33d83e911

SHA256
02f80d67ee7862dba19d898d603bc3cd1f72d1ea378aea6235af595df5c5ca79

SHA512
6ce6ee684f91ab9fc975899e00816ddc17d4c6ea599b9d65c156301b2b81b6234e36da64c7c0cc82a5a365fa5d1a0caa3d2f6f73f42912ef6bda8eb6b2b565c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Isse.exe
Filesize
111KB

MD5
171f46783eb71e48c28d06ea645d9766

SHA1
0e7592eb498df49f2a5ec80013b33e9976da0d3f

SHA256
a7d59f31bab8b94cf119cc3d74272731d59ef124d2bb16846845f5a6d4a584b5

SHA512
70b5f3617ccb20d890b057da81abebc5c6ef5ce60d21f312bb1860c70e8b63652c4b9f28221dfc04f1c1fa6a6311842f0b5a7aee963e1c33eb2f37da21769a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMYw.exe
Filesize
113KB

MD5
4ad462a11a47ab09041cb5cee3697540

SHA1
4a1e0684127f18a63b5744c06488cc64b096e936

SHA256
5e5cc2eca069e979333943ec6fbbeb2c475678aff919af6bcfd7bbeea4b162b0

SHA512
bde6a7fb62d8063f8bf09788ea582ddb82b4707c1f2a52331875c0affbfaf1dcede62a6b524febc0a2de8e13b4a624df429108853e6613d1a33a33a8c30417db

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcUe.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsQAsgkw.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsUO.exe
Filesize
118KB

MD5
72d7a8af91dce706fabcd0186902275b

SHA1
c2d32321b933420ce5b67fef7bdf4c35c7957ac9

SHA256
c03c0c807bf40ac2d59dc894444f5317477c850667cba6c0f7f24b362ebde4a6

SHA512
6eae0f129e9490b64e323805163584c10b38b86168974f5c5366e142472067ab6cee09d54a3630adbae837dd6e48b74669d948bc27d0176e99558e455341a81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksku.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwAk.exe
Filesize
487KB

MD5
068a17bda460cd0b7295d276b61da315

SHA1
03293de1df3320ad09374effb1982d1d2e6561c5

SHA256
074b01dd6c5d2c81b57d1cfeef29e8f96e432ccc3b69ee133f4a7a75863c0f77

SHA512
bedd15a7b7730cee96ef6fb1da93cfb71e8e3b3817d1b7ebd597f48c9d41580cfa052286e080ec9f8c4f56b2dc9cdfc3dabd8db1b7e63db142146151721bb4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwsa.exe
Filesize
111KB

MD5
98e580024edde3a349d540f7fcf92047

SHA1
bb3715ab7bbb82ca46f81de03393a064ba50dc05

SHA256
a5ad9853362e46560c84a40d1209166a2e80c0bc87a2da707f470b036d65ae58

SHA512
ab59810ab31e259f8a01af9bbb11b65ae1250b5270a126786eb8193688988d6216d2bae3dba281449cec5fc04c77b4df6921f70d7be764b0e8a9b478229fd790

Download Submit
C:\Users\Admin\AppData\Local\Temp\McAO.exe
Filesize
109KB

MD5
7055ef6bc4b6baec664415b43ace829a

SHA1
bbcb4fb50fc48dab2d3cb559acbde21c92fa0187

SHA256
e3640165f40528ee00723a730095fd276ec9f7be02f07faab5642b426c1cbd41

SHA512
c170d8f0c1ec6c20df0b67e884a05b1b822e3aad064108be59dc2aaebb8a43363314effc0e85fe16732d5e3c0a2e5d509dd97bffc3b13a8209838115f2145ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\McMk.exe
Filesize
118KB

MD5
dc95c45e5f339842268dd977462cb821

SHA1
c6db0fb35810c74fc97c6eba1a5adb49cc8b8077

SHA256
7e7cb9ee482dfd65cd422d7cf52dba6fd415c53e32d1ca4849cf5a90a4f3089a

SHA512
8a445966e557a7ddc1ade87d825342ac8c3f6f7a83ab163fdfca978eb0f632f81defd9d7f8ba0aa4a1b15abcb2ca4183996fcd7ecd76fddd5940f9c1bc3d8613

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwUS.exe
Filesize
111KB

MD5
ea001f4a2feaa1040d0870667f1c43a9

SHA1
e7edfdff42e9ccfa98697942ce73ea571f689f39

SHA256
198587171e9829ba80b36268412384c81127a8c22910c93a6a315fc74ccac94b

SHA512
5bf291a5fdc695f6480e9b51c1f4395bf9864bdd9598f76fc6de8c04ed9e19dd142ac4b018a1fd4c8d43b650691473cc335bc3be7b989df1b902b55400d9e7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwsW.exe
Filesize
110KB

MD5
6dddeb1dbe956a5364e21b8b2ca4d059

SHA1
a8920138ed93ea6c76d5cd43cd1d55d4d86b2d42

SHA256
0f017dd34a4827df9fb161003c5b84e5c349b9d5f231d8004928dbda3a5e7836

SHA512
09b8373a370bc3df029254466bee7b495b7c960cce720a15361306fd7476def97fbf4159ec8737207f63e99abde69b1dbae2a86140f0717e670293c8d3d5b4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQQw.exe
Filesize
110KB

MD5
c5a0c0737157c05b7c66185300cd9eb4

SHA1
1564a44fb5fdacb22422cf20be7b59d7f008bcd1

SHA256
ccfedc90f310f33704ccc805bec1defa4695f42b5f05912b15497e465ace3572

SHA512
573f3765f57ff63a46ef06c1301d625ee26a3fe725b6774947656a1de23c19af5f72f02c0284afc82bc3a68c44559a613e8f2010e62c0adec62e0bf3a74ec7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUQA.exe
Filesize
112KB

MD5
efa3549e78f76a67bc54fcbd3347b01d

SHA1
c97d8424dc91260412cdb6316cf3a530d4a1e778

SHA256
5ca3041779647639e50bad11ceeec36589421ba9f7614f3b9620aa948c9a6ea2

SHA512
64906ac5be3204f0292cb283ea63704e1168b660410ef5913dd29cbbe6cf7af44b82e49426c425fbcd69484e0d2ffb21999d8bcd91ad4dedba2020dbd1208402

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEc.exe
Filesize
874KB

MD5
f1538186259dc0a8215e5dad69ea1f82

SHA1
3c0c8fdf726d0ea1d235557ec8f0264a8d3ec1c7

SHA256
e2e8a10bd7b95233d37913a48b0a4c9090a798faf8be0dcb4aaa8e1daeb63e7c

SHA512
9619bd5d44aa98469930dfcbf1e2c705ecbb2c5cf0161d2864784b759ded79384bfdc95b64aecc8fe48fd0b033b01fc1afd96d7d1ab6fc639cf09a341fececf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQwW.exe
Filesize
150KB

MD5
95ac3f1202cd67f2877bf2e112c999c0

SHA1
3b39ce852eabd24bd43d0df08d2c7ee613294786

SHA256
04bc4e0c6afe1b06622d66bcd31dfe576742a59682dccb98faa417f49a50c327

SHA512
97dedd890147697b31c5c98221cefe1e2bc3b16de6a7c4dd21345fabdc15f12fe7cfb9a8849ca55138016290c39b860949de21e21cea96f120173e78b524e202

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUEG.exe
Filesize
273KB

MD5
b25f73aba221ca41aa53576bce164c42

SHA1
dd26d32aafec953edbbf7cdde9984229bce06ac0

SHA256
a1e9527026fb95b43def1dad0c58471898f01709e9cb5c7a59e83187f278c211

SHA512
5b0a966ff85289574c51b0fb6d06ceec673b5c702cbf4de5ab00c4c872ce78cb13a3f6ae986c86a5f1a2752eb5201b5b1574761c1b59be199159d4527698dcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUMi.exe
Filesize
698KB

MD5
95b383770257868782a369d0dcbd46f4

SHA1
9877ba587c2a770b3ba559651879c19897b5266b

SHA256
1ef24d7df3cdc3a00f868202cf8e25ba0a7006a69274cab966b45e0eae437216

SHA512
e697e1149176e9c2d24e917898ffe30c3726b412e24f12bbfc12b23f36e9b7369d7bcc20178308160089a31fdba39946b61008acecc965def35bf60ec559acff

Download Submit
C:\Users\Admin\AppData\Local\Temp\SooI.exe
Filesize
113KB

MD5
590f7d2b7e0bff035be9389c81549e9e

SHA1
d8a5d886608a3357037d89262ba0cb7a94183eec

SHA256
97f5245c1a10a14a6252fb63356d0250725631c1d98e05b71c2e787747498277

SHA512
f0bbe3d21698d1ceebc678fdac57ed5057bf92c6ed2d150ca634d3c1273c8bf54402b958e0a713f2be6c30a4ff34a23647a3b63f131584d59585cac68b2e1ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIsa.exe
Filesize
121KB

MD5
c1128f3cd341a5fee373e6a221f7a503

SHA1
4c8d433bb31eec9c7883ff30c5748bf43636f60c

SHA256
6c1daca33e8176c400a7b858808099801878cef67ee5c1216c36ec2608f6ddc7

SHA512
870b72b5bbcea55c41d441d205bc62a6263fa1cb3fb1c2822447e488e173dbb97f0e92d2ce3ddc8f1ba6076ba0eecb21f7d27c9e32c33159845c7707bb8bdbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugwy.exe
Filesize
562KB

MD5
e1449237bb9081b6ed058f1be7c35412

SHA1
abdc61e447da2c7f0d57f54e6cce1ab7f0a8fa3d

SHA256
3de0be26cef8cf42575bbd3b4134d1fc57ac7a712a20e429dce714c59f5f67ca

SHA512
56130132f5cd06f47e71fb41448f7b33b9d96806b7633227c729be72637a8fc0b55a80e72d0dee880288f34e6570b040360c2493d51728759d984a53539367c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwko.exe
Filesize
111KB

MD5
9f07bea992927d935ccb9175ffec0ffe

SHA1
8b9c64d55ded17b9d4218909ec6f61e3d936b65c

SHA256
0d4ee7d7399a0222d55d64135d6b3b5e61a3e71e4aeb2b3f15499a028c63cc1f

SHA512
9d9a63f7e08ef3e7f6190fdd3dd358b01150feee50b0a6c30ee8792edca4f9f2ed95717581c27df0e973bba2fc780b6cc18a867a9473365e79abd846a9d8722d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEAI.exe
Filesize
150KB

MD5
885f6e047eb7443f3ddd5a76aba818bc

SHA1
5359a344cc98da9b8556d3ddc71749decd2b20e7

SHA256
430edd724b07632df5665922fd282ea9b5e8032da87653368d7e51fe38dce79d

SHA512
ae7e923cf3610472559611288129aa2a0f4a30f8a80496cbabc0566cdd6f4bcab6eb7a137cc032c131334c3984188861dcb49ffe631f33050f7b1a001b448e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEki.exe
Filesize
599KB

MD5
827b20d07c23cf746e7ff9b847e7f57c

SHA1
592fb570d0ba32e4fea482ec9ef7a363d46e5fc1

SHA256
d8b5cdd1de5da4c558e2d1ba1632858a6a7c97316844de83bab6cca6d75df65a

SHA512
94650135e9b84dfd0e533e80a1c605b5dbe81a825155c0c90c0880e787e2e6cf3eb91e7e7fe376e4d1b24c8cc892047be544cd0eadef92d63a2550f514033df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIAS.exe
Filesize
119KB

MD5
0e2bbcc32eaa43f98c81a2ee9fd414d3

SHA1
5cf572f7d6e0346e27f528649345fa0dd3c1dc43

SHA256
a8c4aa381c4bb572ddc61ff105b339b13a4ecd06acb93608e5ec765690141b0b

SHA512
f26123612c662cab7e86f14127bc4bdd445290930dee640f07fc548415d665b4284c84c70bf2d0e8a268f1dd4a098e746de243e7d18458413195563ffe69e4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIgg.exe
Filesize
569KB

MD5
e1f2cb95ad668c3a8a8cb990f8e80ac7

SHA1
d4d285b757283ec0005e62ac2c11a84a2009b6ef

SHA256
9f3161a0691e2650636d89346f33c9d5ae313366cf763368af3ada77c99c1ec9

SHA512
b87670c252ee44a6ecf7c36a5bbd3e55a4835644eacd86c1b4ff8f280e684ba3e3a3bf4f2373aeec0501f9a8bb41dfdc3fd0004f29a2729473a1306b129f6262

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcQg.exe
Filesize
111KB

MD5
3614d4c38d4cadfa2efacaab37db9dc8

SHA1
1c1a7ff131ad2052ac0ec07ff666218a7235f632

SHA256
313a611f38bffcb6aa6fa5e84b2fddbb7fc21b99fe2cd1b9165f8c4cce2839bd

SHA512
3dd3e384f8d67fc1ff9f80971d00aba8118bb7bfc44629a5f4f12fd521e7fa6fef0c76365837e97895356477f0e64182c5a17f0a81611bc2a677bc3c49416e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Woki.exe
Filesize
555KB

MD5
043acc032e65214d7b00584c72dbd0aa

SHA1
ecbb4d2ebe5661b4ab156b372c83322611fc454e

SHA256
b4b480e2d5539d02ec7b211c225d6a90df42cc2b2a83e1e7835f3730e30d8d78

SHA512
0e3e692b94695f5ca136fa153cb0d0d873d50962ae9d7d648026699bb4a3b7a85fb6691e9241986bcacb1c887bd525e8a2ea2d82875e7ab43a2b92731500892a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsES.exe
Filesize
669KB

MD5
8092523f40ffb655cac5fbc4db1289de

SHA1
4a217e4844c74d08da085ec8ea007a7b229fd32f

SHA256
88dc4ce781dc2f4cee4be5668a29e1600ee3c48ac41c92f8a3e6366e6c331a1c

SHA512
6d3333d9e5a07f23d3f9a988fc685459fa0f9b5ca7c3cbe0f4a3f064710957268d3f6d01b901c820c631669feca3ea6bd6eb0a493a0b65942d6e2c7a86ac8360

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAEy.exe
Filesize
138KB

MD5
447a2620029a3d520fbee71ba1ef5c22

SHA1
4e44d76c4cd9d2db921d6516a3aab1eaf1688c57

SHA256
23a1b20b9d9f96f84c51d166ad6cbb49372d61902bc06578f664dbf8550a8adc

SHA512
617ca36f531a85822e1181eeda2a8368590696fea68abf818fb347a1f151ae760a5f9be92911bf7f1cab450c5144bd375ce9178545b3d3a9f7827e302d01db8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEIM.exe
Filesize
113KB

MD5
8af65232fb120ffd29dd5528ef0f8e39

SHA1
084cff0b3dd0d8d5fb826e554e5593f35054e460

SHA256
660931b7679dd89f79ac3f9622fcf5db3aefb6aa58633de7c8a8f6ae762fe55b

SHA512
bdbe08f580e3508daa5e3c77517bf0db7126826899e855b4cafbc1f169b045bccd39eed806a8121548d0f2aa710a198ae68a613f869e7dc70b39e4293d0b1241

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUEy.exe
Filesize
554KB

MD5
d2d0cc77b0d4f8ae35a0dc9698368770

SHA1
21921c0fb75d2fe7e1a128ce2d336a1892ab6502

SHA256
9fb6b6f67334e25e9243941ba3146fb22286a19956cdb4293c83f9ee43e73190

SHA512
771fe7e1dea5d4df44ab4eb94809d9856a81620c5fc54b9ebb219a04d410a21ea1540f16bdcdd54532762cfbf4fe58400a668e8416e046fe0052aa82ec8b8bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYYo.exe
Filesize
114KB

MD5
ca4080dc4dd587c6bb6829ea3409ec7e

SHA1
8375d27479b5be0c9512079a0b600b21c2cdeac3

SHA256
84f81e48daf1a905070cc38e53f2a4ab66a3d2dad081221df9e9b46548c1d341

SHA512
6a54ece6027837509eb5bb301d5111e4c5e1e6c41969201a04eb9db9eae9700f6196c29f5459379ac1d24a5252c88120c4de749f9986eadb901354bc464c5d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgEa.exe
Filesize
110KB

MD5
e50b2b1b2c01c92ebc7f9512e9b91878

SHA1
cdc11581cbec06b930bf99a65358467cc143fc71

SHA256
96fee8fa08129dab9720c2e8e57069d4afb6debce2abe7fad3e5d7a6dcf50727

SHA512
940e56041dfec3cf423886712d63499f531d98c976d6593c7565fa2a922a0aeb23c514c3da4bfcd1b58ea3d44a6c173c2426e6912dc3cb70b559212fa1cf787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkMm.exe
Filesize
153KB

MD5
a27b48b30524e2b8d3a31524edee94d2

SHA1
3bf1169ce165723f9bfa3a20999dfc80a13c9c9b

SHA256
8b6bafab7f1320a364cd769f0f508c94870788dffe6b6ea339d7049320fa92aa

SHA512
7eb752c5a169fac8992894398790a19c20fe46126a5608dd74c5c5c89b9c53855661c72fe319244bb375601ff23392ad59a5de2d748ea2c0a1bcc5cc2fff6e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwUI.exe
Filesize
112KB

MD5
3e74a2196e20d6ae094699d91a03cf69

SHA1
bee67b9c5381d3e3e552a52a61edd23cdd7dce04

SHA256
366799c14b7dc264fb8f46526b38f3671e975ed5c8e0bc8eefda59383f1d5af8

SHA512
773b9f60651f3937ec47feed304ed6f323fd0c3cfeca9d4284a7c1d30da95aaba81b9d2a59d4d0ceb31b262c7077771d1c7ecfc97f71cfc99b0a85ba0e0fa876

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUAW.exe
Filesize
116KB

MD5
bdc5585462555206e560889ca3545912

SHA1
775658e4f2a58dd80a6353d6776d393378b9a6f6

SHA256
5437904a01014306dd2012c1cf1439f508d059f3e05004b6ec12c13c953e7b34

SHA512
1973aaf41724de861c169dbe41dc81ace2ccc28f2137ab8053cbf1e1118543e70f3a26ca07b5e8b16fac4dc22dde8782d862d638e2a7d166f455ec65dd5b7099

Download Submit
C:\Users\Admin\AppData\Local\Temp\acIe.exe
Filesize
114KB

MD5
9a427fa2af34308925f70fffb03d558d

SHA1
e3dbc6c994c36321cd843c76322d624ea97373f8

SHA256
e13de945d89d5ff4e62fa753cdf6a4d8c523cc9c6f3bcb28dfd857acb3842e07

SHA512
16de4cc3890f94bf5510172ef610fc16bdfa16f9f64b485a12b666eaca22d684b4879447ef94b3b51b890d6f3fd4cac37e18454b59a688032b7785adb7139e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoYe.exe
Filesize
113KB

MD5
a8ef3a15f033a20a4322290137f52d31

SHA1
5488c71f1117c5f2ebae04bf15b521d9c4c5367d

SHA256
3a6ee56c9b90a00cbeaf02887076669501e69e0b2212d76b425cd639297f852c

SHA512
29a95b66776f6fa1d2c3c36b05ebd9746a21c7acc777a43d0f8f6504226b368150951220f4ba497a5e422bdb57aa4ccda59180b48334d4b6d72a55f3af890192

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAME.exe
Filesize
111KB

MD5
c135938d0aadfb9ac587e55dc45b5b87

SHA1
f92d0aa4e07011fb20b483bbda02a9ccf00367ed

SHA256
4b0ca0bc404a177aba281710f7346db701d6393cdc8964105191cb45900442ed

SHA512
296466bd36ee6d34373b227bc7fcd228b35b101b2a38328b2ce0d83eb9f8c3770fe32df91220c29be4e09ad0af6dce3806e34247330d83740c864374a1ea80ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIkq.exe
Filesize
488KB

MD5
3dfae971349478ee77cdb53e4e698565

SHA1
9d76dbede565e019850552b191e540b3d43c10be

SHA256
920179384c4e6bde3beb20587ac681b33931575704df4ba0f19ca6b5e05d6009

SHA512
8a67fd10be5af67f522faf8840be3ed7a1e42c532c4ab898dcd7728b1473b97b72deb3965301a0d621ebc1a230600f1a6a589a7218bcc8580b262c9267f34212

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUIs.exe
Filesize
237KB

MD5
aa32ab3c62d864df3077f7b5014e7b2c

SHA1
828fca52144e81ef35f1c43e12d10629676f2f7a

SHA256
5ae55a5a7096339e4eb52726c5fb5157ecf043f8df5b33b13c205b7ea0f8c563

SHA512
216fa30952a520b775bf3cdedcc032fd1aff41b234292c37d108c439f9103676130581a9f3b5f9e24229a062785f64c9548cd565ee4c4c3ceb6fb12449cf67c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgsU.exe
Filesize
110KB

MD5
6bc2b289ce4a0351b58b4852f5e2fae0

SHA1
07049c2eb920f4846832d1fbc7fb4d29eafdef26

SHA256
ca8b1de4b2cb573ffaa294b1f007b60bdc8caf5f35ed6a81e8c1e3340ea72f8a

SHA512
d2950c79218fdd109765f36386e1b46d9c33dada7d87dc54ad2bc7a78db6a9a18bc210139cf2b235fed8379a6f51be493567a993f572fe4ef8994e4549209143

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwcw.exe
Filesize
113KB

MD5
ee4ccc16fe388d5715271f9eed357483

SHA1
f0044f3b44ad338768fd56bb5621162c47e697af

SHA256
a130ca17162a8200252f5ea78db7225f610e63e5ae9562c8f144fee621e6b205

SHA512
2d05bd7fb59f9350009eeb3fa35a064f6199357b2e7f0f803420886da73431ba2747687331e5c7048501b7641f75a87c3b8579da3716564021424a7a0e61da10

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIco.exe
Filesize
110KB

MD5
838627b30075ae755ca82cb29231d246

SHA1
78b6094084231b239894ed36f65fde15b0dcf33b

SHA256
938bdab3286cd3635bef27682984a69784ec7a25a6593778eb4cb863a1750751

SHA512
5bdac4ee96450a8c80e2fbf82c393b6a83e340db89de17fb343ca18a3c2ce0e11b77596d4418e53e45f0e0ded8e0595eb3d227d9d26be16371ee9f522613cb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMEU.exe
Filesize
155KB

MD5
e06f4a863de8a5b43c52f7983adaf478

SHA1
740220313d15010096c6582025957f39f41879d9

SHA256
45f9f1fc2991bb7efae64d5ac75daed99349f3891076be68f3cdbc41a11ebaaf

SHA512
c555c73b96dd681bf93864cae3ce8eea387f96783bbe2c5a18d40900c059c68aae48291b224141fe0362b07ad1b7adf821b8f9434d84df8d7c832cbf6774100d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewck.exe
Filesize
117KB

MD5
976a59c1f7e3e70d97135c0bd15163eb

SHA1
caac0e44ed278c47941322530c2f4855dbd705ba

SHA256
346803da5658b6ef6b48cc5952b5c6ddda82fad344836be9d2bb83a08f0326ff

SHA512
6f8c0988d2fa327ab3fcfb7da3ba9bf8d939306781f4d982899cd208128c659a69f8bc9471031f61ff8f6f3fa08c4bd7c88cf7b7a2d38a9d52cabb2553e403c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkgw.exe
Filesize
115KB

MD5
6cd2469b68ba8d4c4f2dd29ba78c38be

SHA1
f673da3dd6f18f8e6938ffbf928c0aae4c440341

SHA256
d6a190227478c91f3490e7db0292cfcf35ff38ea0041651a4bebb21c2634be59

SHA512
dd9e8958311beefd1c3dc4c4ca9b856d46ca2615db0414c0a040b7a052c90464e3e86d19907c3eec4fed4c2dca64e9e6bb3ecaae2d51545bdf13df61c704f8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAcm.exe
Filesize
137KB

MD5
d6f4c72882dc5ca7cf6624ee7973a156

SHA1
6916c7603d60b3459401828295700a6db43a503f

SHA256
6eef25bd62bda31ce2580d94d319d160bc938ec47c6f19413e34e637a1daa2c0

SHA512
2f0e290b8f5e92ef26d0e6d1fcd40ddfc8362a43fe5944a9538369c8a469be5d7d8140dcef714defe2d777ed8f624c718063db6dd4f4c49c7dad9e543c54e00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUUK.exe
Filesize
117KB

MD5
0d5bad976c63ac072944c3fa6cb162ce

SHA1
048809bf45618d0d956fef5fa4b599cfaf3ea22c

SHA256
ad531cf16ed169228d404502c02d1337e669a7c94cd1a82bed42eb71c7cf37be

SHA512
9bb892fa8076ade5e0a52a9dce92d8e0383c46c902a4a7da7937cf42ea36cbe0472b54c87595c8aac2e5980fe6fc9fe5ab694a2e2a7cfccd0170bcffbb263694

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYcI.exe
Filesize
121KB

MD5
4a818550a47bc6ba2980f90297118d4f

SHA1
e33bce19ff92d4cde68c70d0896a9493b0755864

SHA256
18f5f85260f1f47360b3abf354de7e9f60fb5bda23096ad51f420c9401676dea

SHA512
8b61aeb24e9e67f403deb2d2302e95296204a39b3a0de0d1a1ced811cfd54202d20f1858054670757e520d27b579cbeea89496ec5aab6980683e1cf78df5f03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYgg.exe
Filesize
110KB

MD5
b3e237ca4d92b87a244de865587997a3

SHA1
9ed2596e14c38ee19eb875e03be13c00170c6ec2

SHA256
280454b17f53211ce29db59304898c224c1db020324da7baa56b881da5e4db2f

SHA512
4b336808695482cf9c732afdf000702f0d9ca25468993b06abe4facf7496ad6a175699b97ea15466cecf30a64b30966bc84fdd88b35a7eef9926ec44e44163e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\igUM.exe
Filesize
112KB

MD5
21c947dadd21e85a5ba7d2e686fc1a7d

SHA1
beea1c63ad18be8a25a819994c7355d849abd356

SHA256
7e7a947dbae571298a7594b968de1f6613def444dd7c3ce3a8e19c52d900870a

SHA512
185ffe559fd72ec6a70f12e9485124ec2884c1becea42fe93fc87bf05bb500a7d546d502c8a53e4f7d48ca749d00caf20b4ffad11c6d8bea04c181c51ae47626

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwAG.exe
Filesize
683KB

MD5
2a5c49e6be8bdf56e3d148767d71305a

SHA1
d82466ce3d2be6ef28509d349a59f7919639df29

SHA256
bbecd76dbcbd0d17089b4cfb84b2c5da31a53a9aec0ca4eb34a8916afa3e9e07

SHA512
b928f719e9f74ed9b5c2ef6fc83db82dba87c5be456d0f386670f3dc8182d24b9c61becdefa071b8cea08109f8dbcfce032decb360176ebad6543bb0383e9183

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIwu.exe
Filesize
757KB

MD5
11498eef28f19f4d073347f716423a04

SHA1
a0970f538e5dee000c9fd769baf8b8e92178254f

SHA256
0ee8515cc6a01a2c43390c365eb7d267df1f5e179459858127623282f09d17df

SHA512
3947c886f2a3ae880245cafb329312e5edaae07a63ce71184cc7ac5e1d404c6097a98fdf72d28d83f0af12b4c816af5636dc9ce830c89b832566e9a657af13be

Download Submit
C:\Users\Admin\AppData\Local\Temp\kokA.exe
Filesize
121KB

MD5
26bfb42294402bdd49780de0469a1321

SHA1
2b6f83639dc83aa977642adb40d9c19bf29ba59c

SHA256
e267f5b9e3f66949f805cf76a939c8559145df3e1f9f3446098fa79d6ffbbeef

SHA512
34f76e77cfe3246924c896e8030cdcaacd1a2f9b6f7b4f0176c4351aec7eee07301de89d025a5d9183e4fde4c7aea3537405d118c019a434f89d87ac544dec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAEc.exe
Filesize
111KB

MD5
86a43d2437fe9faead214e79f3dd6d65

SHA1
bd27860a01059274c27730fa8b3fe3574e361d6d

SHA256
de9d8bf89db0f0e85637914d175de694a80f17f263a83c0de15b0b5a80115b6e

SHA512
d048edf1d48672db8940a8d9fb78c7bab546f2ddd72fd57c5c9845677fd011dab24b7f18d71e78a82eb6d43106e7f0017a850457ae0dddfe4fffc75b09074c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEQq.exe
Filesize
112KB

MD5
4477b33101e68fd69b9636a57e535637

SHA1
313f96a2abb3671d005c1af2847584d158b7f6eb

SHA256
5d66c455ef1135e0f73e1dc238906777c930558c7988fd3dadb3bf8cb63df29a

SHA512
1644dde5a195ad586bcc3fc5cd8bf323346167e145e23b1f643efe1032bc787c1fccaf1d0242d2a3f14d892b1837bc0dc7a7b7d865b1c202120ea35ca02898e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMQq.exe
Filesize
786KB

MD5
9b27c55580e55a63a30d4d90df80a91e

SHA1
c7b70bdff3766a5a35b0f1668bba4ed76c396d28

SHA256
87d5c45583e4d28043ae9e24b3dc485c5f08656a8f91272e1dabd2f705d66eec

SHA512
474e931987e3ca6bb9cc64955c84ac762720c7f95bd1bd91b0e71d4f6cc978a143b2595253e2e5d1416af2accc62c8f16f37778b4236faf3f73ea32fe3d480d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMcc.exe
Filesize
115KB

MD5
4aeb567ba8bd3efab5fb895fd987b617

SHA1
d5444db62888ed30023eec5171de0b709b70f6fc

SHA256
8b70453a51411d1dc2266fe3e8386dcd22877299bc56840455e5bb0207c943a6

SHA512
39ca238d5354d8535e70cd7217bde16b8a3dc616d20b84554f714b9a7bfbcfc2a126a08fd063d25a863bc8a2c008c983ec2c90b56bf48d2dca338cbc56f544a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUYC.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwoO.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAw.exe
Filesize
119KB

MD5
7872dc7dffbddd0592c0ecb293541b48

SHA1
44cf22a986e70736f6416f72f54f6b83f0b5f825

SHA256
55eb6ed17816b346bd8da02d843555c041908a1231d3ab1e1dca2df0b1f17b66

SHA512
501d7bd5d07af3a82e12133840c50f40781ff6453499104f0367a6694e35f2e1a9bcda9f5671dbeb4be8dde9b5ae67c2adc0227d4ced343e6c60e1158e5da50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQAS.exe
Filesize
602KB

MD5
e769a27713e48f3bc1aea6167d5a90c1

SHA1
2942799e2e23edd887da5a6b335ac440322b7f27

SHA256
f6a892982cecfbfeecfdbeed28ae0a868617b82c97f1c4836140c2f3e76ccc0e

SHA512
ef32c69cbce7b0f9746de223db99567dd30fad13e41b4f4a52c2a5286b27b63f7fa2890468db2007b01ab81ec974d422632e5131ca75195609608edc826b65e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQIy.exe
Filesize
5.8MB

MD5
861b221de259238f34df80e98f7193af

SHA1
607321faaac3628629afbbe7ca1e1f0bf8aeac27

SHA256
6366d90877b375fa9968440fcf0c54b9a61d0994c01b51216463d26e7d80edc9

SHA512
b558993e127abf65a0ebe5185a28b8589af755d9876ff9c9c9275a3c07f7d385b45c769d56de7657be067f1598925264aeacd4a05199770f6be5a49c31dc88b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\okUu.exe
Filesize
567KB

MD5
6e90c9fa90229d15ef84263c35ce0448

SHA1
a74542a971e26877d55d61df7ef04e7321afd901

SHA256
7865e4612e9fc1bb8962c99bc89d9717040b5b5864df0d5b60d205e199264653

SHA512
191dda31bc190aa60f27f87faa17b19a2f0369c8f0cb17dcc8829d98ae88ca741be4b111f82f4ad5a015aff6bccc61c7f31d48571452f525697b0eb36c6b4867

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooMc.exe
Filesize
642KB

MD5
937e8192a6d87cb0fae1927592b77320

SHA1
77deaf209ac6709bf0cdc29e3ecf47b171c4ec0a

SHA256
de011b0a93fa081ddb78c96f27bd27a6b5e735a1ad425a7b7e969800557f99a4

SHA512
c774ed3c4751aaa45b4053c2a017e9b1e9f21a65fea756af1e550f931054ff8c97508d67b37832a9a16405bf9bc2d7ed95fb5cab294f74580556065d62272a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\owEO.exe
Filesize
111KB

MD5
f4e9c2d59346006cce5feaf14d576a70

SHA1
445673d3d52ee259fa87c4a97754f4da6cbfcd7d

SHA256
e68ed5279e0ad9b8646c601c092e00b861f1a7e7483905326ce2f95cd534fe71

SHA512
9844677dcd37bb7a31f490450aa532a398a44ead892b40d7a815b896c6a5a013e4727fbd9ba11219047f445dc62dad494101b75aeebc19f373eeabd5025b64d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAIs.exe
Filesize
1.1MB

MD5
f8d8296719d8d945131e9a08063d91ca

SHA1
346b015fe99ca066ee2571aa4720758b45204c13

SHA256
6cfdbafcc720460b49ded54c527f46ef86d04b7a455ab7a78f22d9ad369ae59d

SHA512
5b17a2396fa0085acef4197ae4bf91b93f1de8ff4704244d1f5fffef030bc03726952522606dbc28f72f583374ec298bff8329b6505fb95759b297beffcf8d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQwq.exe
Filesize
115KB

MD5
531a916e90866997a6c10e60dd21d5db

SHA1
46f6d3c1bdfab5c90b1f0bcb67b30d8c72597521

SHA256
dd3538ac75861bc1d8497202a574c097f207495de04e2b8d0dd0f21dce944bcc

SHA512
06ffa24ab2acd8202887faa4f03f1972f5f6ebd9a70c473cb6458c25b58f2bb7875b648f44920212fb57d4cd52f1fad72a06cb566e6fe975e2306ff31cca48e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUAm.exe
Filesize
349KB

MD5
d4d3c6642c540c51d6d64e68d1435691

SHA1
aca4f81d7b1cb0d8bddb01d030aa18ea34975971

SHA256
52f2aa2a96e8b317b2e521fa9c2baedfca9b0ad49d30c97eee2e97fb0610ab57

SHA512
d65416e137e490ebfe86bccba9e8b72f6c29fa5992188701a37e7dfada65f1be56e647586414a93bce354e98fbbc206cabd08e3d3173bbb3c0936ad346fb3ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkwo.exe
Filesize
111KB

MD5
1c6c1ac6a1d02b09bb723fbf93092e07

SHA1
90e0adc75222d535e9501540aeb9849735a68cf1

SHA256
62c4c39b0a2b1ace9d3ca4ea8bc67bac7d43275a8f3681477b4a59571522892c

SHA512
7663c5281f79bb75c2aaebe87977d582163044830ca9a77781444996bf7085858575863d5a435c3bd68c0f3a792ec5d8e91318c3d887e8f3e28a15e4e9a329db

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwMe.exe
Filesize
113KB

MD5
8b528b864501a464496013822323aeea

SHA1
74bc33388f26498d1f4ae648b086386bbea7368b

SHA256
ed8f89c557ad0662a4d86d3cb0c99383e8b121dc1350600b4765ad1c1db07c30

SHA512
efd2913719469f1ba9adec6381f37c50d7b1e12a91dacb8853ba021774b38b696b6c1b45a3797db250e46937523aa576c3b9cdcf360fb3e1c17e93776619f1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIkY.exe
Filesize
564KB

MD5
4a52b07b2377d7a8def2714f4721c64c

SHA1
9ae983610865ec910ef8178026f028a7222070a8

SHA256
f802ffdbe01c0e1805e4588cfe1fd86c48ce5e81008a8796f5bdb90e1c504bb6

SHA512
4a335a62698e5cf7bfd6e5713a25ea9444d0ded6562a6fc6ff1d41927254c9b95a52f72ccd6176246167de22bfddaa7e7e31ccdd1746701768c9b49fb1e1cb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQwE.exe
Filesize
110KB

MD5
199787fb2a5cfc7d2a155bfe5dbbb3e2

SHA1
ed5041601d018025be43c1dace6567243c95b26c

SHA256
7a62795ec8af426909ec6f72a43ad54608ac3575cf89e8499f9f9ec61ec40b61

SHA512
b00b8908e97912c90bc43ce4c7a5a2cfb5f2decd67e23c9cf1deeb78e6c1039b23cc6547d4bf0aefe39182b78c5daf595c0a1362c4996e17f0316f5353ae38f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUQi.exe
Filesize
139KB

MD5
7673f462fe5e72921cc1ed07d47738c6

SHA1
6eb1ab059f5014f059357d259bb6142e7cd80b8e

SHA256
60d3524ec025fa3a73349664500e209ce708e92624579776b7786ceed0e0aacf

SHA512
941caf974cc1d9d9b47ab38672090cdcf728015bc2fd7341b488a8482d85bd609ca68bd56fae9bdb163db4b765af025afbf519104a74924d4f8d694be2c72254

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYUE.exe
Filesize
119KB

MD5
40866251b3ff8b5e1fad949d8b6ef172

SHA1
04fe98877791972154417f01532125d89b281465

SHA256
82b4d40afb19107cac5f8aa93dfcb3fdbe58e79ff96ddb5d9c1ea3d59b2e4e27

SHA512
b6d8390667254367814b1979a30ef297ba4151f0edfc8876f812c64a55486bc67461948df241d9ebfa353028003452dd25872358a219f52b776f0d4b658f9377

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEAa.exe
Filesize
720KB

MD5
61d81095aed500609e4b8ba8e32ad9fc

SHA1
cf3fe85b48694c64cce437bb0aa8f16dd7339d47

SHA256
3155a8085734d1a014f9c86b285cd8be9ce5c7fbd3290529dd6643ef9a036cae

SHA512
5c3284c72182fdb313821ad1dcdff0614830da992057dda04368cd7506830911ee2164fc41e40ce8587f12c6b2fefcdccf750a6b7588ddfe89b0f188429892bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEck.exe
Filesize
237KB

MD5
dd00e2fb7cac37c3baf56ba563c74243

SHA1
9fe81f133f81414560e37c1df66d046c57804050

SHA256
fe4c703d1fe7834f59c91571d2b93bff28cc7cf81fb49b51bebc48a6447fc065

SHA512
e174d34c0d4b0ad980fa160b4994d1d40a4632c101ca2a4d5afa9ab50ba3ec0c007b022d21e7a869081efdc454ab6f09ac78deba49418ba788917968e316e808

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMgu.exe
Filesize
737KB

MD5
150aefa4dfcc352b24cddb81a25c4d41

SHA1
6580567a319bbdaea799ac3e3d294bc2a8bada37

SHA256
421100cfe98ad457d567f0a598fad6b9cda2b1b986fb32efe3a66c90256ae345

SHA512
3cf83bb2157f54af4ac09717c3ec2de96b48ed63121cdb1129a08fc241f41966b8a96310376d3f52bb35fe68d2ba9f6545b6ea4c50920fc2fade7db86961bbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucYU.exe
Filesize
113KB

MD5
af31c52da8f4fde3f92a12ff95c6c617

SHA1
44d13a35ea4334a9e700a299f394692465031821

SHA256
a5d4e30c914df9b39d8b2838eddc93dabbf6ef074730a5bbbbca5322b6cff24b

SHA512
4de0de11014c219f14ceacd60801d330f0a938e2272d19422966841ed9ed289cc927fd2cb6070acc1ea73f956d53d1dc9a67aa4603d5d980e98bd1a0c61057b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugEC.exe
Filesize
139KB

MD5
f9d4b6286c779148f53b8853cb3531ef

SHA1
e3d5697c54024c18ccab1e4355efe460015c2605

SHA256
f64751bdf96822aa4e2777d689979ad6aca883d6f3a42cb0f7ea11f09cdbb08d

SHA512
f021677892a0434eba0644f1866bf620b0a34e90c7a8176de70831928ae59ff7a9f8c24d92b8b23bae57abba7515927564090e55a0a5851745d3afda03dbf90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uksy.exe
Filesize
111KB

MD5
6f7c7591fa027367ba588d78a3c51746

SHA1
342212110170da32688a9a9d0825aeb2f16b747c

SHA256
1522173247803c8981687581f8d6144b81cdb1ec4104e8a6a031023577a92c39

SHA512
435bd6079dfb795c83588b0cb34828dc9cccba7cd2c4570578e4c776c6fd8d202a634c191f4d436ce6af525c49ecd672ad19e9ba3f3dd2fc2b1d3c6c91a4052e

Download Submit
C:\Users\Admin\AppData\Local\Temp\usMg.exe
Filesize
5.2MB

MD5
b6a534d9e3f0901ae951bc0db8a7cb86

SHA1
1dddfad9d9472b5c9441fd9a12e1608b9cd56434

SHA256
2ad799377a2a84023166dc7256c487825288d2c0fd59c43b828dd061f9b48048

SHA512
86c305383faff924c65253478e2749cd669a2b8bc196b031479f32d44abcf1276f3be7ec834ccd78dfd2f8b49a534c1bf1d27d8076ddbffe60770019cae95a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\usQO.exe
Filesize
745KB

MD5
8651ffd828982d4b9479f1b4c716e390

SHA1
07e76f7d5431fed7101d3a3be9fa37572dacf471

SHA256
0b5e558ccd20367ad42c084a2207260f67dd0f61cbb8a9dae594d3f36393c594

SHA512
2fc671bd3bd545448808a5f3e9558b80ece74fa679792510ba286096bde2c506f0d7c03ff739e332ba7c35a669cc4f242263835353d5c8e142f7f125aef28f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEYc.exe
Filesize
109KB

MD5
2af888f520be4055f77c2a9688aa5a56

SHA1
3f890a6073eedb358c7f1fc5ecd75e0b25ebfb3c

SHA256
9e45eacf620a694002bd9ecbde90780f440f48a91466faefd68000aa780bfa7b

SHA512
518f9e9cecf5c85a95489028b3c0df0169cece0502a65bd612231f1890efecf04d76a56dd2cf6e530fec109434d86b1cc68dd41a0c45be1ea10f040ddfd76ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIce.exe
Filesize
512KB

MD5
dc78f455af01a16068fb55cf42e0f4b4

SHA1
15569c8c862142e0931c77336d3e1efe974b85a6

SHA256
d6f721fa0f7f037cf0f3da44f2ea871cd6e42cd89cbff12a5cfa5920ece22052

SHA512
f7ef1f60ca3b782d13198a73688f0028e950efdadf3e4ee698edb6a0e794fa7f61033558a04a85b1a24c7ee1b25c29f79e61570591ee8a8d0bea173b8643ad02

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIoo.exe
Filesize
794KB

MD5
b946ffcbb29731c27d666b33d6a9245d

SHA1
83129e9e1fc5c15d2a6caedc70a66dd82781eb23

SHA256
26b6cf665a1f222eef89cd698d38e22b2383d59666a6c6152b98d8e6ad5d8f75

SHA512
53ae8ab55ead888e273f26b05346d95f1eb942c70500cfce1cd4dd7a907729ef7a8e3a29f559c168a7beb49adb15f676179b8ee94a140bab52fcb87d7a6d4116

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcYC.exe
Filesize
265KB

MD5
7367d778a912312da12019fa04eac302

SHA1
880cf3600c691c19f081def24d5b55023e60031e

SHA256
461612a992fc59806f70668d729deb2b2715bdd51c14d647a9cf3f62d6578560

SHA512
c2c845948f98ef9d7652aaea6891faf664c1a7fbedea7326856558875c68f9a38f263e4157abcdb5c025373ef8f58c64842668caa66d33c9480bcfbe6fc63d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQYA.exe
Filesize
237KB

MD5
a5c00a27d7ec4dbb678750ffef7bb084

SHA1
5461e97ee372e164d71cd3a1c34cd12226f88d01

SHA256
48012e3cbe8137fb86fa8d6a8af49934ae7e8be5406349cb40a993120e40537c

SHA512
8ad41e9d71d83fce035ccffb79ff1a1843e3323513319a01a0f530225f8d9eb013795547aaac9815c65129f5dedba37db1240febc7f7ac8cf6df6d6e19fec31d

Download Submit
C:\Users\Admin\Downloads\UnpublishFormat.bmp.exe
Filesize
442KB

MD5
324f85ca522d2ac9448d5b1106d6ecd0

SHA1
7382674f3f8e5d6ba0c44b226961ae8932f4b86c

SHA256
c2bc1b902737b50b739562bfe277ddf12a7050caa62d526874e092fef22bb5e2

SHA512
46398faf59ae1edfdf00bf593f7582dba4b9cd55f490d0f87e46fc2527673cf7c76efec596517e47c9f5e668a6d112c22cdc6802325c98d815faa9d66f264477

Download Submit
C:\Users\Admin\FwMEQAgQ\GOMIAUgk.exe
Filesize
108KB

MD5
53591828245e84feae82a8f56e62977c

SHA1
fca72844aa49be65aed7ff2b1f3fc92db13bd4aa

SHA256
9ed00a83501eb32dc0a66892c284eb458fa265259ee7540b68cbcdbd7598d0e8

SHA512
3294deeec4e1e93db15f5acb9c92892d469c42ff5939620139518c728e86635c2bcb1ff90a43cb97dc08ed1b9274ffe5cf05b3f0ff5727facfe632580326d58f

Download Submit
C:\Users\Admin\Pictures\ImportCompress.png.exe
Filesize
1.2MB

MD5
f77ded581149a37f1500cd29374b912c

SHA1
406bd7fc5f89f1ba95b03ed7ca8a95728eec1083

SHA256
d43b9bf20dc5205e686ccbf1abd79ad8d31f8d78f36aefe7c510425d80513aab

SHA512
ada2628f3163fc8dd14d08b04501ae7b22aae5311fc268c59b8e63411cf912334d22c47a0ac82cf4dc45bc9dd8e0ddcacad88ddea816a56f907ba24ab1b6f108

Download Submit
memory/8-318-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/8-327-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/408-136-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/408-152-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/548-298-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/548-309-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/640-20-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/640-31-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/752-246-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/752-234-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1736-258-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1736-266-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2228-200-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2228-188-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2416-140-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2416-127-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2560-257-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2560-242-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2676-211-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2676-92-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2676-77-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2676-197-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2700-80-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2700-67-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2912-32-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2912-44-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2956-317-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3028-336-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3028-326-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3060-332-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3060-345-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3076-301-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3368-173-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3368-187-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3388-275-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3388-89-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3388-104-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3672-222-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3760-43-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3760-56-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3832-0-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3832-19-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3932-176-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3932-164-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3944-233-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4100-148-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4100-163-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4248-350-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4248-363-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4564-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4592-68-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4592-52-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4684-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4688-354-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4688-341-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4748-271-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4748-284-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4928-128-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4928-113-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4952-100-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4952-116-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4972-280-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4972-292-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4992-359-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download