3d60642b67e57a36f90e0509ea6a5db29cca6e97fbe972f3263865a543c7807b

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
Size

118KB
MD5

baaf08f240ac06c7c30893aa23bc2e25
SHA1

ec608a6fed123708d482902e12224a10b9c38671
SHA256

3d60642b67e57a36f90e0509ea6a5db29cca6e97fbe972f3263865a543c7807b
SHA512

0726c6bb589d87eb43799376d6ddcf0cd5bef7ec7a1ee12510292b6571ca41e8230006729dc583bda586d2722b175586c93aef8c0bccb830b16c1402c95895ba
SSDEEP

1536:SaasJCspqHvQ+Bqv1uM7OLBkCLYsQv59Zt5Ef12q8sH/dOkFDWLfw/Fd3fjTze9I:STqNNrsQx9ZXEf8qFjFDWLfWFxPKVcH

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vgcwAkQI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	vgcwAkQI.exe

Executes dropped EXE 2 IoCs

Processes:

vgcwAkQI.exejOAAYkgU.exe

pid process

3224 vgcwAkQI.exe
2060 jOAAYkgU.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exevgcwAkQI.exejOAAYkgU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vgcwAkQI.exe = "C:\\Users\\Admin\\rakMwgAM\\vgcwAkQI.exe"	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jOAAYkgU.exe = "C:\\ProgramData\\TqcMMMsI\\jOAAYkgU.exe"	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vgcwAkQI.exe = "C:\\Users\\Admin\\rakMwgAM\\vgcwAkQI.exe"	vgcwAkQI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jOAAYkgU.exe = "C:\\ProgramData\\TqcMMMsI\\jOAAYkgU.exe"	jOAAYkgU.exe

Drops file in System32 directory 1 IoCs

Processes:

vgcwAkQI.exe

description ioc process

File created C:\Windows\SysWOW64\shell32.dll.exe vgcwAkQI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	vgcwAkQI.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4736	reg.exe
3856	reg.exe
4336	reg.exe
4272	reg.exe
1776	reg.exe
4268	reg.exe
2992	reg.exe
3416	reg.exe
4928	reg.exe
1892	reg.exe
2636	reg.exe
404	reg.exe
3452	reg.exe
3084	reg.exe
4468	reg.exe
904	reg.exe
1684	reg.exe
1676	reg.exe
5032	reg.exe
1036	reg.exe
3580	reg.exe
4516	reg.exe
2776	reg.exe
2260	reg.exe
4400	reg.exe
1880	reg.exe
1880	reg.exe
3836	reg.exe
2816	reg.exe
5096	reg.exe
3336	reg.exe
3132	reg.exe
4868	reg.exe
4856	reg.exe
4900	reg.exe
3008	reg.exe
2492	reg.exe
2376	reg.exe
1768	reg.exe
4644	reg.exe
1736	reg.exe
952	reg.exe
2984	reg.exe
1088	reg.exe
2584	reg.exe
2084	reg.exe
1860	reg.exe
4652	reg.exe
3112	reg.exe
440	reg.exe
1104	reg.exe
3412	reg.exe
1128	reg.exe
2096	reg.exe
1256	reg.exe
408	reg.exe
3880	reg.exe
1088	reg.exe
1096	reg.exe
3996	reg.exe
1528	reg.exe
2084	reg.exe
908	reg.exe
4156	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe

pid	process
3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4440	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4440	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4440	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4440	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2432	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2432	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2432	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2432	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4492	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4492	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4492	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4492	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4632	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4632	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4632	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4632	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4400	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4400	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4400	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4400	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
412	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
412	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
412	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
412	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1976	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1976	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1976	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1976	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2984	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2984	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2984	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2984	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3392	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3392	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3392	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3392	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2636	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2636	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2636	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
2636	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1416	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1416	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1416	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
1416	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3412	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3412	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3412	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
3412	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4524	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4524	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4524	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
4524	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vgcwAkQI.exe

pid process

3224 vgcwAkQI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

vgcwAkQI.exe

pid	process
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe
3224	vgcwAkQI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.execmd.execmd.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.execmd.execmd.exe2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.execmd.exe

description	pid	process	target process
PID 3696 wrote to memory of 3224	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	vgcwAkQI.exe
PID 3696 wrote to memory of 3224	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	vgcwAkQI.exe
PID 3696 wrote to memory of 3224	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	vgcwAkQI.exe
PID 3696 wrote to memory of 2060	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	jOAAYkgU.exe
PID 3696 wrote to memory of 2060	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	jOAAYkgU.exe
PID 3696 wrote to memory of 2060	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	jOAAYkgU.exe
PID 3696 wrote to memory of 5036	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 3696 wrote to memory of 5036	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 3696 wrote to memory of 5036	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 3696 wrote to memory of 4156	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3696 wrote to memory of 4156	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3696 wrote to memory of 4156	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3696 wrote to memory of 4544	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3696 wrote to memory of 4544	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3696 wrote to memory of 4544	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3696 wrote to memory of 4048	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3696 wrote to memory of 4048	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3696 wrote to memory of 4048	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3696 wrote to memory of 704	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 3696 wrote to memory of 704	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 3696 wrote to memory of 704	3696	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 5036 wrote to memory of 3768	5036	cmd.exe	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
PID 5036 wrote to memory of 3768	5036	cmd.exe	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
PID 5036 wrote to memory of 3768	5036	cmd.exe	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
PID 704 wrote to memory of 2000	704	cmd.exe	cscript.exe
PID 704 wrote to memory of 2000	704	cmd.exe	cscript.exe
PID 704 wrote to memory of 2000	704	cmd.exe	cscript.exe
PID 3768 wrote to memory of 2352	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 3768 wrote to memory of 2352	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 3768 wrote to memory of 2352	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 3768 wrote to memory of 1256	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3768 wrote to memory of 1256	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3768 wrote to memory of 1256	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3768 wrote to memory of 1556	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3768 wrote to memory of 1556	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3768 wrote to memory of 1556	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3768 wrote to memory of 4320	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3768 wrote to memory of 4320	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3768 wrote to memory of 4320	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 3768 wrote to memory of 2816	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 3768 wrote to memory of 2816	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 3768 wrote to memory of 2816	3768	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 2352 wrote to memory of 1764	2352	cmd.exe	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
PID 2352 wrote to memory of 1764	2352	cmd.exe	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
PID 2352 wrote to memory of 1764	2352	cmd.exe	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
PID 2816 wrote to memory of 3456	2816	cmd.exe	cscript.exe
PID 2816 wrote to memory of 3456	2816	cmd.exe	cscript.exe
PID 2816 wrote to memory of 3456	2816	cmd.exe	cscript.exe
PID 1764 wrote to memory of 4708	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 1764 wrote to memory of 4708	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 1764 wrote to memory of 4708	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 1764 wrote to memory of 1052	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 1764 wrote to memory of 1052	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 1764 wrote to memory of 1052	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 1764 wrote to memory of 3804	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 1764 wrote to memory of 3804	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 1764 wrote to memory of 3804	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 1764 wrote to memory of 4572	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 1764 wrote to memory of 4572	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 1764 wrote to memory of 4572	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	reg.exe
PID 1764 wrote to memory of 2100	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 1764 wrote to memory of 2100	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 1764 wrote to memory of 2100	1764	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe	cmd.exe
PID 4708 wrote to memory of 4440	4708	cmd.exe	2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\rakMwgAM\vgcwAkQI.exe
"C:\Users\Admin\rakMwgAM\vgcwAkQI.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3224

C:\ProgramData\TqcMMMsI\jOAAYkgU.exe
"C:\ProgramData\TqcMMMsI\jOAAYkgU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
8⤵
PID:492

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
10⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
12⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
14⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
16⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
18⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
20⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
22⤵
PID:3404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
24⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
26⤵
PID:2628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
28⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
30⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
32⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
33⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
34⤵
PID:1908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
35⤵
PID:492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
36⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
37⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
38⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
39⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
40⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
41⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
42⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
43⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
44⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
45⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
46⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
47⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
48⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
49⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
50⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
51⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
52⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
53⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
54⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
55⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
56⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
57⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
58⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
59⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
60⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
61⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
62⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
63⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
64⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
65⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
66⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
67⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
68⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
69⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
70⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
71⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
72⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
73⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
74⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
75⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
76⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
77⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
78⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
79⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
80⤵
PID:1364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
81⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
82⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
83⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
84⤵
PID:2076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
85⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
86⤵
PID:3696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
87⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
88⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
89⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
90⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
91⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
92⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
93⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
94⤵
PID:2608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
95⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
96⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
97⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
98⤵
PID:5108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
99⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
100⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
101⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
102⤵
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
103⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
104⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
105⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
106⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
107⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
108⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
109⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
110⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
111⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
112⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
113⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
114⤵
PID:548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
115⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
116⤵
PID:4284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
117⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
118⤵
PID:4100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
119⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
120⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
121⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
122⤵
PID:3012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
123⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
124⤵
PID:4648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
125⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
126⤵
PID:3956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
127⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
128⤵
PID:4552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
129⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
130⤵
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
131⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
132⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
133⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
134⤵
PID:2492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
135⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
136⤵
PID:2948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
137⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock"
138⤵
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:2216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
- Modifies registry key
PID:4516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKgIEIss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
138⤵
PID:4208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:1096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:4168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMYkoUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
136⤵
PID:4008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:3068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgwQgAwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
134⤵
PID:3256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:3292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:3484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwEQUYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
132⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:3804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PisEcUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
130⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
- Modifies registry key
PID:3452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgwUgUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
128⤵
PID:656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:3132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSAEIQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
126⤵
PID:4672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:2096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:3068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMAAcgow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
124⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOkwgIok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
122⤵
PID:4412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
- Modifies registry key
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cokcwEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
120⤵
PID:4992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
- Modifies registry key
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKsIckMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
118⤵
PID:1212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkEMAcgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
116⤵
PID:2796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:4652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
- Modifies registry key
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsUckMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
114⤵
PID:432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:3696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiQIQMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
112⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies registry key
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
- Modifies registry key
PID:1676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQkIgUAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
110⤵
PID:2928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:3052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
- Modifies registry key
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqIIIcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
108⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:1428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
- Modifies registry key
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGAIgQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
106⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:3060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKggIQcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
104⤵
PID:3528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGAAgYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
102⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:3880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEsUswgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
100⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:3412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:2916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:2348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMkkcAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
98⤵
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
- Modifies registry key
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUQQUwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
96⤵
PID:1256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGYIAksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
94⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies registry key
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIwkIggI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
92⤵
PID:4400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taYgoQwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
90⤵
PID:1896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsMMYwUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
88⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:1460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOAgoYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
86⤵
PID:4784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuEogIYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
84⤵
PID:3256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
- Modifies registry key
PID:1776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSsAUYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
82⤵
PID:4312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMQcowAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
80⤵
PID:4768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:3456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgwIwUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
78⤵
PID:928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCYMkMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
76⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:4492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOkQwsIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
74⤵
PID:3704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:1880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
- Modifies registry key
PID:404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CusAkEkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
72⤵
PID:3068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmMcosIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
70⤵
PID:3480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmYUsYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
68⤵
PID:4272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:4120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkcokcQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
66⤵
PID:3572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASQksYog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
64⤵
PID:2216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyMAkMYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
62⤵
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:2100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
- Modifies registry key
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIIYcYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
60⤵
PID:4380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOgkQEAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
58⤵
PID:2092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOEkswAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
56⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwQkcssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
54⤵
PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAososIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
52⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUsQAUcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
50⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:3164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maoYskMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
48⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqUAUsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
46⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:2096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwowUksM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
44⤵
PID:2352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziYQAIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
42⤵
PID:3860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKEIckAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
40⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
- Modifies registry key
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQkEQkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
38⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSssMQAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
36⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
- Modifies registry key
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imAggkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
34⤵
PID:3880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:1088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyogIYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
32⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEQcAggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
30⤵
PID:736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmwgIQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
28⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcUskUws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
26⤵
PID:5108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:4400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOEssQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
24⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:2084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSgEEoYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
22⤵
PID:3788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGgIwoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
20⤵
PID:3580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIMcwYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
18⤵
PID:3856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
- Modifies registry key
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiEEEYAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
16⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykUgogkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
14⤵
PID:3012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liIIUoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
12⤵
PID:4904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIUoEUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
10⤵
PID:4196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgQgoEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
8⤵
PID:1528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMwUwIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
6⤵
PID:2100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuswYwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiokYYAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2000

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2816

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 86ab2e9990c12c4fd7b5fbc114e3118c Gdl5ufjOBEqf6rJtqodfhA.0.1.0.0.0
1⤵
PID:2176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:4644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4708

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
153KB

MD5
0ec9f570e45809b0530cfda38fa81b7d

SHA1
db88932e6277c0a024da9e46038396c955a963db

SHA256
d50240d207be8e6deb34b8cc8d0aa2d9199f61d3ddc8aa55c62c13dc40884cc2

SHA512
3525dfa9f3d8f5845d492c049647e5871dbdef529b946595418e29f7a86e37cc7ded5e1ef6ee1f090ab4ee1bab961d43af8b5736eb7698fdebba8c0599076ef0

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
139KB

MD5
e6fe41f9d636dcd4e9762e60aec35980

SHA1
01811431ef5acc9579ea7e1b58cbf10e1cebd4d1

SHA256
d6b5be4d14c5caa77201b73aa55341bd52ff105ce9db17745b36cdafe5f0ac69

SHA512
15e23724d546059f87356de0cc13285206fea234fdba58bdcf08f4147068ae06876adc5efa9cdeb0b2967886775e465e038c93db8d92ad123f4a54546f01f9da

Download Submit
C:\ProgramData\TqcMMMsI\jOAAYkgU.exe
Filesize
110KB

MD5
63e5773e7c33eb0fc73ed8ef84faf14b

SHA1
980d22966a4c4c3407dd9d5bdcad54949f4027f7

SHA256
f9607bf01170e6c21857eaf76fbf81da967a419ce0557f6debcc1a048c0e2cda

SHA512
96c17911226aa294a236362cff7ee717ea82c6dfbdb5c2d6958edda1d3d22d278ada07d66f7306b95458061c706ac61b9529977a9850a40cd4cd0da8f0659367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
Filesize
120KB

MD5
4dc9a00a5551de5e81983fddfd58290c

SHA1
8dee1148bcea1bcfb4a2c615c693ec450d1d6d0d

SHA256
1ac0bef82d715d7107cf309384d6ee1d7ef9aaffef0d7d8fec31fb5937c1a980

SHA512
72a957379bdea9450acba09d7d692a1eadd14e5a8cf25ca22c308a63929bfa7855f442c89596b8b5868d8bcfb599a517ea6cdc27d201ba1340e89c574b83229f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe
Filesize
111KB

MD5
c4cf627f13ae87055b6d4908a34d94df

SHA1
d19072c12c2cc961c28f03bb4fb4e3d9e58be45b

SHA256
e8bbb6bd8c0d885566b29a5ccac9420d9751fc5a8c93a27afd052a556a1c99ff

SHA512
1ba8a3676b8aa9b165afcfb7041f441e03e941d8257e806167612f01ee4316b906ffc6bdfc79d97ccd8133975b881b3ce9b0df5e8d700716cd0bba8e7ec9e191

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-25_baaf08f240ac06c7c30893aa23bc2e25_virlock
Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMYw.exe
Filesize
125KB

MD5
49acdd28a153ae4d99ca1ce31768df38

SHA1
ccc4ba9854ee563ca7ade5cba31b26eb90631f0b

SHA256
5cd62ba7c470893f2920c905d49b4e18f12cdc2318270e6f1dcbfa6e3a34dd39

SHA512
2a1379b6abbe6469252ba0463d0043e948c1a47fc9ac26e1ed838e26da9f7282ee1effa93e614788446221109a961fe4499215209554d6e7dc39e46034641df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwoG.exe
Filesize
363KB

MD5
e588fcc04e89ba18a221760e9df339b8

SHA1
46c5f62b0014c6211e23c81e0c1ca070fcdc0f7c

SHA256
9dbad9d0e61156c60b6eb56a33e3ef515de6435be73d0c1d03ebe1155e9cc3e7

SHA512
63427a5be35d1208e74ae701cb364ebdaa1c7f38ee5802e2485704b24746d795bfe348076535cf729609f47a1ded7be830af9fa56ac6d5a9cdfa90745d320b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQAa.exe
Filesize
115KB

MD5
16cfb48efd84afaf752d991241a801df

SHA1
df8993f0cd9c7c6cc65c0f851cae31f761e0b740

SHA256
eeca55acbeef589d47458f81482135f5aa16fc36b2b4e6107c20ba58c7c1345f

SHA512
0d894d0ce7c42f4be1d5068f34961483b400b9f45605579d0e1d0b6a5fcac2df8a8d0c08a71e6e42e56228a42c5f28100c1767b3eab787ae5685a317aba5e3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUkk.exe
Filesize
113KB

MD5
44fe61cf8625347d51ef35d167774db9

SHA1
fd0c4b0db908568f967f8a5f6b86c76a5a69ab83

SHA256
a0e929f3e8c5f249821d7cbe2990450f4c0e301a6bc4793697a49493d99a3c92

SHA512
1e54ba10217f59525cf71754525ef7937a017d07ebe6f156844e4434c8f9988a22661a81dfc4d22995891fde5ffb022632c7d198e76ff52eda530189d71c02fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoAq.exe
Filesize
111KB

MD5
63866f9b9d2c79f3d059eb20cb31227b

SHA1
5981d94c82a4bbde61d1802634953bd6b484c0e1

SHA256
1bd968b9594f905212946665b0f56de146b9994f42812d7016dc21151850f151

SHA512
c0e7b483ce94060cd4ac42d23f507e4eee5e1c1bca0146af5c07a23655dc0b3f4d775bd9372c8a586b2014adb2e7e90c4f7d8f6773c10d17ac94a50c4cde043d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUoa.exe
Filesize
605KB

MD5
e4209d051043ae019eecf52c274117ff

SHA1
4f2637f2c05a36f74ee5cc3b65e26f9cb05d527c

SHA256
8ea2e69ed853849bfadbf8ae8f0e48f51f9c062e999a9e451a035b000bc648b6

SHA512
b95401fd80a3d6694d39c6e8ecbd440eb4eccf673c24d5ef5a8a3aa7a8c40615d1c58dffc8f49afaf88228ffc6cbdc588a1a0ab48f08efdfa14112f8c40e2ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcQy.exe
Filesize
112KB

MD5
05cdc00a9b437219dc207cf21b78b36e

SHA1
08ebe9358a24b443db8972eeb6e290072b5f58bd

SHA256
410d831d1c29ef803cf6b655825bafd6c071b820e28ee9733e16a39f33a8b417

SHA512
105fa9d77631c023720e9e042de2c3b2d27b84bae7c0d3123de65821611cb5e8a39ceb8b45be6d9bc6bd017e6a31197e30006fb613476330033605d833bdc3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgkM.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cska.exe
Filesize
237KB

MD5
f4d02d82efb746606411d19bc08d880e

SHA1
ab1e5168338aed6e2aabb33553a7a99d4b62bb69

SHA256
b86aaa86153b4cfd4289923ae5846cf383cb3f9d5309032fe65c450766ce03a5

SHA512
fbf4b2ec6ef55ef22fd9727fd93cd0ee8d1a87e248a40e8f64667e31bf5b87d7714cd4639b93db7f1cc8cf5050a24cfcf49ec10734e4d28487350ec18b70ea56

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwAi.exe
Filesize
698KB

MD5
e077593b2a2bda86e8b95fbd7b937c46

SHA1
d6ba95818f93c1dc63087926f907a080ce0dc4f0

SHA256
a986aa2d6b0461b70c7b39e317fb4fee2af5472d10012d10c112385c5110c353

SHA512
95672c0f1470e94227bab6a8d7fdc83e6c1f76af4c0298cbbebe0b6f29bbaed3366c0352ab65e0f735daf35f6a33f52058dbcec6a631e0d7532962bd71ede0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEcO.exe
Filesize
674KB

MD5
ca1d0694c1633f207ffe6c33b1a56244

SHA1
b0bab0960df26182c30f6c859e88ecca6f58af60

SHA256
446f42dfd938e8a17df05845049c2f51e5b961b36ea39901a40453892160afd2

SHA512
ca545116cb0925a590cfb6d43c93a8cddfa02964e85a5a1ad46a4d33022237fb32421a31c169b689f19fe48aaee835cf1145b110b9a8e8d949cd71190abef178

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIMG.exe
Filesize
111KB

MD5
1123a3c2ce997185b2ebc636aabceea3

SHA1
535041f22e42f184385bd73b5f2bcf2544025b13

SHA256
f5b97ef6867372353186bb28eb37fdd819e4195b509ba19f4b9799489c2064f6

SHA512
983ebed84eb5f38ad19831d2b012d815f46183576bcce4657eb2ef274f0ff1347f1ef5e31262a660d435700abfb97a3d8fe73abc2052c43508e76c1877ef7e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMwE.exe
Filesize
139KB

MD5
03bc530b63c61f44ca507f660445d650

SHA1
c37f7b5abe93e4eea9fa3b72467f60df8de0a075

SHA256
d5a164b1b4ca8c5b57f774f0604bb7b39ec95ed54d66c85abda762e3e5fad1f9

SHA512
453302c9be6ba28318911ce342962dc83409a85bc0a2756d10341fdd9d97371132085e2b8eaf99a852cdaad64c5bf08bf3d7bf2acecee04b8ab747844de4091a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYge.exe
Filesize
120KB

MD5
20760d4a2dc456e30eccbfe042c5051f

SHA1
082658197ec49e46685d785f25f2290ff05d8a54

SHA256
10cdf0537e9b85e7568a83f4d0b8b562d4264b531bc570cc6c7c43a81916118e

SHA512
b260f403a2eb9b6e0485cfa306b5faa672d3ee972d90b7ac0ebddd87e91e059353ea0bf72b77fc5638249b6f0ea8acc0721fdea902c3024a70a96e539b479ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYoi.exe
Filesize
111KB

MD5
e2a134b7b7a0fbbcf02aa418795128d1

SHA1
f1e17a68ed7b9153773982210c674cc12588c3ef

SHA256
4b5beca49c8f6e4059db503f0782eebe3eeea5e7c62d633cc767ef7d75535c9f

SHA512
291f659b3ab29ca2afcb7e8e8141f3605229b09b9453f1b24a1e0f9321d80a2fb6085eef5617a172ae6c8a759ad3525e2323147bf058694e0316ca0f64dd452d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dcwc.exe
Filesize
113KB

MD5
1359b3b58a005a4351425b16b418ebb2

SHA1
3eabe8ce85c3e6634f49ff4dbfa57215f782b0f6

SHA256
6b4b0530fd43eb2df94ce37efe67ac85e9b49023ee7eec778df6018199175049

SHA512
515dea27b068882d6788429129cd95058175c51cd5a2498cd69b6c3fee28ab89d25a9d59226ecc78a81b1ccbbaf652df7589055a892f595c26591ca81530bd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsIS.exe
Filesize
115KB

MD5
f9b12a32b364de4e4ce980acaeba6ba7

SHA1
4062ede443409c7f782d6967c50dc670dec464bc

SHA256
67ae012b9524d5a659aad6b19e2207350f710f145afbd52a83d1ed921571b45c

SHA512
ccef55e81ac899530a6cb5eeb6933b6840dd08d8385d871fe23229a53df8d2c29a954d1b076e501de3b88994ad466a3a79c78fa44cdecf89a938b30c61754a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUgy.exe
Filesize
111KB

MD5
ad4238f1bb849b8b8835300ea6ef9e19

SHA1
24555cf61eda58597c0b8ff1d84ced04d70f4110

SHA256
6a51da22956753b0df306740972713049d3346fbb939754bef92e2f7a6b63c99

SHA512
f9c6beff5d02536264bfc43359947757f21b3bac42fa9494123eaa17f1537c903199cace211d9b398bc80914dad178a76657746a8a1752e7f6a66c8a17d6b38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fkwk.exe
Filesize
564KB

MD5
3be9f9e29368d5d91336777abb0afee9

SHA1
3c59f202f845dc52d645e03b87de6139e0477762

SHA256
93dad5aba973b0c078cd2f55ee68748700f6418290a631d51d46bdd8f287c759

SHA512
c06040f355d2ebc72963cef86b39d278417b1d9516f8df9c46ef595cbc003bdae437a6a3e162943b3b5d467903006f38679884f94c7a79877f65beef1fe90675

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYQw.exe
Filesize
120KB

MD5
60e838a44016b7a3e46ca6560f6305f6

SHA1
795ce5c825b070add8fbfe725ad1016b051486ad

SHA256
019523f58f95e95ca5f5f5cdb175753ff72502c843c8dc8b02125e7016db1117

SHA512
8b5e1a3d4e45bb9a48415f800f58ce6968d39acae23b12e5260e83683876f32a5230a551dfa62055f25d7c551ca62da6fe7ed61531abcbcd35550c7874a72eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggwy.exe
Filesize
113KB

MD5
d1c7fa00db91892bc8746c6c33b2a798

SHA1
011f5b136020a9540ef248793af0b1ccdf08dbed

SHA256
b96fb7a36fe1ba0a1ba70ac2b5eecb033c10d51213df5bfb84fd58bae925284b

SHA512
b40051bc86bb540082fb9110c813e1526e3766df2624420192741171742518266da9d9abcda5edff41610a18ad7b75329e6c636db8655a2196e5fd39035ff196

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwYI.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwgY.exe
Filesize
121KB

MD5
c3d8bde95eba47c3b008c6f0e9632540

SHA1
110ba86438cea4ceb107a8d1b5f46f069e08a3c2

SHA256
a51946597b9735a8ab8a9071ad6f67b181f422c2fd1564eb5667258ef010b7ac

SHA512
45414500b02699804638c22776ab3ef59c9a162beb83ddb6c5e3b6cc9429ac7204b8c94e1ab0e279917b08d4171f43279b213eb817c59629ef61a1f81d41281a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUcI.exe
Filesize
120KB

MD5
4062106d34486a4912baa7779e681e46

SHA1
148cf74a87ca42286dea5dfab63fc50372e048e1

SHA256
806486c17d969715337be0978fba7a92220201a31bf559ea82174eaef86642c3

SHA512
2be10db8632f8ce880221284d1a028a0ffd189ac8eea7a2c610e22bd810a55a2c51b957d189c1697d3512a82950a1853a70382aec96e2162d2bbb4d8eb06852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUkC.exe
Filesize
111KB

MD5
0e6299cf2389243f2d15a83b928ecef2

SHA1
8fff5d8f94f8ad80ef19c2649bca84f74cd51b70

SHA256
d6af6a3026da45624d28cc460adaa3cdea75a1edccc21046bbb8943012293ea0

SHA512
0327b11eeedea9b2f0a72cf2e4bf64149560f5c95c93a06457295af542348b350cbc08fde78a34b85c48394e334062a04b7520696b2e1d8e23e0329438eabf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkMg.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAgY.exe
Filesize
148KB

MD5
9d2a64712f9e8a68e3d50cdb0277d223

SHA1
e6925095499f0f838810154faf7e61c93b3b7177

SHA256
7883829d6a7e8efe3df29eadf4a6ac731f81ee61b183bb2f9783753322b0bcc8

SHA512
65373787376dc6bdbca532d9d22a29e5053024cbca192dbb8236c280e59cbc07c6e125136a0588674fc6f97949f98f430c50539f72901f8e1b2b1bca0b408f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQEo.exe
Filesize
114KB

MD5
19a81a3b6e19c63eaf16b4f92a5437a1

SHA1
40c26e8d469f02fba2138a6134d9b95fb0e8daeb

SHA256
5748d4e9df8a13753fee70909ed85c9bf8f7f901aa1654a7744eb582979bc23c

SHA512
373ad584a41cfcb986f7e6036dd13df952617d6aaf324735bdfa70c498e34bfc51dce199b1fed4a6c0baa566743a29f4b1f45fbe19fa1154394d429b31c7f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEMW.exe
Filesize
113KB

MD5
5221226fc44bf722a693386495debcce

SHA1
e54fbcb2fff9caed2abf00009d3d62635019d871

SHA256
8f70a1e2493eb31b3e0a4d37dc2ee195a946a19d072f0522594ee8a0dce5ba62

SHA512
f1ef0211c403e769caeba884f5ac41bf9159a361868c5f432915d3c5e50c282a2b9c47816779c2ab1737d9787c6f701867ec3cbe3002a33c7e008b44b3c5135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgco.exe
Filesize
112KB

MD5
e568cc110f34ee9d1764817047b076fc

SHA1
838062a5cf0e9a40294ae8f61077b3852a2f9887

SHA256
fd09f583d168ba46fcb62f3805da8fa331b36a875f9225180e9d4a7c1ab4cac3

SHA512
6d20557e9a98ef521f37fad6515e07ae943fec2b5f422ebc8afd2e8d64236a27482fe029fd5bd2aaf6c2697c0e7ca7481942b6fc7999b49404ca8b01487fe4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMw.exe
Filesize
110KB

MD5
958f30d162300d753ea8ca101aed0fbd

SHA1
1745f07159ccc7dfbf79be2dc83deebd282adcc8

SHA256
4a76c1f3de6f43e45bac46a191961d044ad9ca94ed056732de67148bab7618a0

SHA512
7cab35c4d866719c109be387a55dd2a9fedc84dcec5c02181bc1e8207abbba1c467ae640534f250afb4fd6f104d783672d2eba267d49e3e851c7679f00a724f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUcQ.exe
Filesize
115KB

MD5
5d4b7f0c6787a949d6c4a369ef0ed810

SHA1
ad605cad40509fd43bac8ac9e02047d997e74164

SHA256
1174d3dae90e95ff7b1fe680810f47e8d9a054ea6bd25b17ca1d5938c3d666c1

SHA512
6cd4b14f0a950062d2124a7d512e3569ec46ccf7eb47dc606825fe418d93d61b2ee2dd88292ccd5fa35dc1404b761ea8e83116cdcc42fa0a142ede2fd41f53e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwME.exe
Filesize
483KB

MD5
9c7b00cdb554de531b3a2d7eadaff0ff

SHA1
ddb89af29b95059b58c83457c48134482dd7dac6

SHA256
a6fba43c5f5caf8f9369aeed383a000c16eb5947776ab75f104689703ec21c4d

SHA512
15427bb7f4f433ba60633d604f51669893a3cf2695527f19ae3aaede475d2cdc6943023a8ef074062bb9298d2ac378f2d05263f96e89fc9bdd5fd818cf8c2fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkAs.exe
Filesize
110KB

MD5
e8d0c3b03cb35d939874d0a43c994ced

SHA1
5b58da5a465473b0366363dcdb2e0a3e60f0cf8b

SHA256
aa4016e67e03cfd4e6e7de0b04d565acdf722e35dd9c908f4c54d7992ba538a2

SHA512
ca6353ee2ef7ac85fb2bfcd189c86c9dd7ac2918da94a7b3c41f11f11df4453f3e0892bc2bd45217b9a61480ffb31e4b15b8187ce5fdf17eededec36ccd841a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEIy.exe
Filesize
110KB

MD5
de33e2dc8fe16770adf21caced0dd2aa

SHA1
cf0b90460c6db7de52496d5f4cb870c3a5905a45

SHA256
45b9d9baa7c01d3c2737a988b89d4402c2c5b417725edc6fbb737b65ad4a26d0

SHA512
078df26b70d978ca66cb9b2594c5af36129aed2fc5f3a2be9586c2eeaf77a0bcb2d016fe4fc1bb7e51d86e0930e6dcabb7e43338328053d7f4be52ff364a965e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Osoi.exe
Filesize
139KB

MD5
d3ef30bba76dc8e033bb31a769bb0034

SHA1
c7df3532868e2433fdd90c7558f2f19060c3dc39

SHA256
241af20da13537b8bbe61d3a50f3f1d1040437f96bd941546b1eb808613c42ac

SHA512
d4b3e282b485fde5927e447c3466d668139c1233e109b26617cdd7cf823163a4429cd5cb8224077b4e3b7a737f91d8dfe76a5003d25de8bb0fabf49ab3cd433b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Psga.exe
Filesize
111KB

MD5
aefa0f383c6d608ecdd286daf3ca1389

SHA1
4091f5bf312e0dd7a330898f19640fbfc6f1f440

SHA256
ad46afb7ec6e0093c4b03ff97f77e48a9e23d962a84c1945d091f7b25ed6e3d4

SHA512
73fa3c3165e85120b88fb9f1186477a588c6068bc7b79ee1227de1c6cece8e45d88b7c6923afda6279baddf094b9ab807d39aede4f770511d9591ced5a84c755

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAcG.exe
Filesize
148KB

MD5
1e998675832d3a7b9b1ad5b264a50eb8

SHA1
05a435e28f903ab12e9847a2393e8c5101e21b8c

SHA256
089f8096251ab1ab7e58ec761a25bff4b6a544e496dd38bb2947785b6612611b

SHA512
eec30b567c415026b16c88338def7f3cbba607a99180e51f17c8b10e3da36357d963235481b1a1e3874050c8450236bf9a8d8c7449fceddf85ef2d0ac6864e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYsi.exe
Filesize
565KB

MD5
6635b180c704bce70a2d7414152259d9

SHA1
d3374b783e3c4ae0bd83139d4c29a28da304e75c

SHA256
503a5be21a68678314eaaff8bb1237c5f95400789bf4ba5f1ed6360829ce7e12

SHA512
74378211519e2c3bcbc6a45d1471f6895bdc9ba02a538041b28da6477610a0a9a437da33e19a42d7aa52f63ce2bce530201decd2dbd2a88dbcd9d1f016e11fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\REwA.exe
Filesize
5.8MB

MD5
c0131d150cae034fc0373a766e95253e

SHA1
9bd737a1e7fecc2a2d8d5a4911b59e798888e1c4

SHA256
a2a839d94f93491fd7399f77da9006502e6b9184b94ec5d58479d2bf7df6985c

SHA512
1cd9e37ad8d39e3ce29f4ae0784593703ad9c2f14b250499df0438c28fe830ca9a6f4fed80d041d844051c8634d6100fd2ef2bd8a7864237853093f2416b42d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQcC.exe
Filesize
118KB

MD5
931b4d7486ec02f5db1bdf6575887cd5

SHA1
4f8f3bda055beb680b2eca0ee8e724c3adc1180a

SHA256
31241a0d4594d33e0356afa46c8ee373fd7e4545d2e3f9b2a239349a3e0be660

SHA512
26680d4aed68a91b59ba958d897edbaf95b26a95879d683043845fc65ea2f1ae6008d126c3525466ab376664acfa044758be6f5f8b7fb76b24f7f13be907bb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQwE.exe
Filesize
744KB

MD5
bf705387b3c6aba2d8aa992813ecaa1c

SHA1
bbf6df7d4c8773fe4664a2b855e005969d80ef02

SHA256
cda2e60f86bd6a87e083de04bd6369d0e2263dd871685ce5ca5771f75b312816

SHA512
428db1b9071c0627c30b7098c8b708ff8cb7145e40f49969b21435c631daa28832bd760f9dfc8a473ea33bb69b43ca69afdb0f5737a4edcc18ed439bb0ec151e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScQc.exe
Filesize
111KB

MD5
903702d90ae8dbc7bb8e1d716e60ee11

SHA1
1b8d10ff56a58267ca71c8ae78b03c8fa75a3f49

SHA256
5fed2ec1ec70e303f0eeeb8cf3f174837fa215044918b1be8c8387becf0c5229

SHA512
b347dc4a4b9cf3cf23fa10e64c04a8d3e362680e19e73e2fcfe848dc5e566a8ad7d40f4f3dd5cb4ad37623945eeb600ad3573f30fc2d2c973adadc709047fb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SiokYYAk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYsY.exe
Filesize
113KB

MD5
8af6a932a78ca7a28da64558573925d2

SHA1
aca854a1d40644fd8831b7b1bc6151410ea089e7

SHA256
39424d3edb6018b3968a696b57e9356866f311a1da4d64b9e741c840deac3a8c

SHA512
81f2e0f67731ecd6722bc0826010a256b6db87351642991ee96a450217bd1c6cbd9897f653d416f2f9a45780e02910b6425cd2627bb2a3200d1703badcc85431

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEca.exe
Filesize
307KB

MD5
a68353696d64973938e8450d3c9c4882

SHA1
5a62e43e4fe36427bb6914e1781a106df8516e19

SHA256
ce99c265580d615029935e4484a831929ef6c343a22cb90c03729723a6d29d0f

SHA512
6f6ea9c29edf3225ec03f1662ad7021048682e8962c7ad56c2fdbcd79ab86e298f9d10f286f2e7e5310e24ce38f175e92570d16bd5d1a872b7c37295017cdcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQsO.exe
Filesize
111KB

MD5
6610938557de11543159bff458673723

SHA1
8222e6798816309f10bcac9ad084725ab49b6110

SHA256
0167d975b9a34698c665ee8862e34f5de60542a58955987f8714fc7e8809bcbd

SHA512
3a2bf54c73b62e77a1d20bfbb77518d9b9ebd9e734ea8e1fcbd866668a6b71b6b418bce383aa1c678991d02bae01e171cd707957849fdb34f15b56a8b9c98399

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkAa.exe
Filesize
697KB

MD5
6e2422bd45ac597321ce167a27654cd6

SHA1
49c39b40d8ba47a045b5aa8524922e8beeb5b0ff

SHA256
2b9ae2851140bf5dd72c8d7758bce98d66169c2ca531afd88af586c767c93a2b

SHA512
945b6dca1197c5aef5b71a2a83e2d7a6338fcff33db9d3f34b15e5b8a605908cced98505df19f97127ea15cbebe82a2e32ba2c1601d1c2651abdd7c1b3657e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkUC.exe
Filesize
722KB

MD5
105d83463ac1927c2536ceddd0e56178

SHA1
221c803569e920091eb598eeb8bd03bd8185ca88

SHA256
0bdc91f69da3e414b78d5dda5d85b89909256f0a47b9a0c4d1a894c68b25767a

SHA512
298b37f2d21add8c272305eaa5b5044f957074f4f75e00dcbce49586ef430fc8fdc2a9b5368974d81c6460158c64e71ba9fdccd9a75ad6d491acd4b386f8678a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAIU.exe
Filesize
1.7MB

MD5
93f1323f2062b325298f5597c9af67bf

SHA1
b8937281ada97b7805dba46b15cdd36939d47eac

SHA256
b6e716a7f2352b0c8b616eb1bba9699a25899243a1f774b9cbf798454f08de59

SHA512
6881d96f94cb59dcc4634c38df5d1eafb39880e4d218ca21766bf000db01c033bb775c11e7f26a794c1d229ec5adf92a78099f1ea423f5e449849b29c32b881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgYy.exe
Filesize
114KB

MD5
eeab80ff7ef305abbbae4190381ddee2

SHA1
e9b1d0e38d4e9ba23065c96612ab5b88d04c4496

SHA256
c5c49585804cb8df44475ad827912b5502da375e413c854b80306fcd50cda87b

SHA512
cb8d1b83395cc310e87d523034c6703fc0c8cf02680e59a7808ddc9a7f73794117af2c2001a5c963d65dbf4b9064983a4cf368abc1da821a236bed3ab40e4dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yswu.exe
Filesize
639KB

MD5
9893f36ab539a54bbba08ec9c100a321

SHA1
59dd16afaaf377c4b961a37e18357b8e54687a78

SHA256
2d9e1a4437d2649a0d7f011607bba1ffd63daeafddc6b9fabe7055efca97b22a

SHA512
9eece991020eaced0e5a0387a12a481695572959fde80a7a3f34c60163fa1c9ac707645a0cb9a5e59f6e434af70d0e583b63bcb3e5d7f9c74520cf1d67920d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsMO.exe
Filesize
110KB

MD5
79088c79db5a279395ba4edfe6212622

SHA1
0cd1077a3432ea45c7a0b6295059048ba0c52493

SHA256
5025f8c01257d7582db39c3bc3161615d99e38834de9e426830a6e97c9fdd109

SHA512
88c465c5d0db958ae1717e271f6cf7b60d8fd385cd70abaab4bc7600e322c0942a12746c7cb602ddfb90c9487a0056184800acbac260a39d95b7d81ee67ee48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zssi.exe
Filesize
112KB

MD5
2355f88a8378a91ccd7ff40926900528

SHA1
431b8d72d3f4f40a15497c6ae693e0edbb42e2c1

SHA256
0ca2554e5a3b75420a64dc5a67c188afe91a9c1f9262376327c147ce63dcf379

SHA512
7df2216eef27bfc607add528d60053991871442e48f54703b753a52def3588acbae8ffe62718d8f3e62cc232e99311001471dee1aa871ff52b50072bee175653

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAoy.exe
Filesize
744KB

MD5
58b3388451fc794363f98e443407bafa

SHA1
1543ce0d139346475828dbd99087a218777e9843

SHA256
edad45094ba2a3f3990b89c36810867f43d54d84fe8396225ac6ca6ed2c0a888

SHA512
e58cee36e867911372e5811f09a27fb1c2a2a574cd1d597154265911f7f153d880cad715cc28dd51e498066755f1d24f5ebb985e110c0675d44f7dc621fcaec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQMq.exe
Filesize
112KB

MD5
462ad374284771d10990bf418273a280

SHA1
6fb5bbd1e13039df3c0bfc4f6ee6e99b3edc3ab5

SHA256
45b720c4522a6a5cf27fb64583d05208ac6b1077de9cd552cbe0d139a190666e

SHA512
aa06747943159ad725c5e38753b038af3c57c22363ee9efe43179a614ad6f29a74d50039e1a1c7505c2db79b3f04c4cb48974b0760ffadf37e005fec99ec1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQQw.exe
Filesize
109KB

MD5
c75d127b8e2c83398cf0ddd00511fc73

SHA1
eb2f46b6a9adbdb88fd8e877f8bf443195ce7c4e

SHA256
3b1af9a7edd3c54024d8e0d09dabf1b6ddc5f504b52c90d896040730c2ab5a95

SHA512
40ebe8bb4025b8f16935a5a2d7f4d69001524187c80783e02a61a15939ad638330799bc0c6564c525732a28c404876858c079ea7fe0a95c9b1974c8540e0be31

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMQo.exe
Filesize
441KB

MD5
57cee7f12d90ba8c2eddbad0ffbbee5b

SHA1
9e5b061c4c1e2ee8f4dd5601f25eef8c4a7cfe77

SHA256
65beec849ed91566557ac7bae783ba6079622194b008552bb172e9cbc86105cc

SHA512
2a12c43d56b194881129d8bafb437b2f799ee34a97a40c9abdd58ade6defbe912f4959f703673beece34d0a94876051fb08c296dec47a0ea987d59ebcb09f692

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUsK.exe
Filesize
881KB

MD5
7775c53ff6fce1fb35576317ce9a99b0

SHA1
e83b676526089658101e935c00b861d768292382

SHA256
db7a2ef26e2c7e5e11a8958eb7996f85979cae4e19bcfc1ad25bf734aa23e5f4

SHA512
4344bd62fa845e9e9775dd4fd61885c2e086add738ff9226483c5355f93c76b83bdef1f8101062936b5f96fe2542457546efd23984cc62ff68734b2b0a63748b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMEi.exe
Filesize
634KB

MD5
3b56bf7a7dc9de1cc7f620c8e6051c13

SHA1
2c653ae8056629eaa40ab03d15d05d5eb2191244

SHA256
711b06225e7b92bd05dc99ab55350768fd1c70ebbc1cc88426bb0632328239b8

SHA512
3406372ae330f63a4319fe6c97eda2e9e10a310a02328d656bf4dcba2c8a7667bbd1ff1c1378915083d8e19a5433571dbe15619900b1911e57800459b7d2a303

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYga.exe
Filesize
111KB

MD5
f6615cd52dc88d876c6ad4aff7267f96

SHA1
ba2f144d062be16ec93ea9d8e8019baa4dbb26dd

SHA256
3523a32087d3b3c9b3bd79102a37be7e366c11f2dd94c17c260f916041449546

SHA512
dcd3d7715e3eb19d82ad086c7fc62bb303985a8698cf92c22906b816c69c782ded7b2a6d7291e3912e52166fe0a96da66b54f9b09287ab64fd6355ce76a2fd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEIQ.exe
Filesize
111KB

MD5
e04c573ac1873188e63647f07390dad0

SHA1
408efc4901c4d9fee6538b94552b7765407c6597

SHA256
4c611db2f6f1516526a34ff370f3512b9fa5efe61185c05cac466b141ab8325d

SHA512
b4783ebd1387f051e78413a7a91fce18f4c05f82e2e8508de51ffda5ba4c47536df0028131d8d88ab001c73df9a2c425f74b3862d3c2bb1c199f0f88b1b5af85

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgMC.exe
Filesize
110KB

MD5
5a8e499ae8e1b92636dd46c20c29d15d

SHA1
c08148e0e1b186ceb16650ecd8cc8eb15cfa4552

SHA256
8152a5880e6daf495db694240e65e66f5ab8af7835fb7ca0df3d0a72b6e12295

SHA512
cd9a1dd643732d68f4ef2c37edaf26d59c3888964278f0ecf359a45da433a4f55009e6cc16fdf19ce626518140acce6be89eb0e400cce4c8d491ba72b7316e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekou.exe
Filesize
111KB

MD5
ec85c1f3b9383ed3bfeec2b967b90685

SHA1
dca613ff4a0e2b1c017d64418703af741d3558c9

SHA256
f2846578545f8970074d3eb56f01fd6fad8553834e81825026c8e84169d61c28

SHA512
20d2f134301a83fbc59b0f81925209785fdb52218d2796892b0aea78d3faac3b4d3a4b5d4738e7807d84753cd7f596c8e893a2c1c6c163fd61932019250a316d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQMk.exe
Filesize
119KB

MD5
02ace94a8cd2d726b714920082d0c141

SHA1
30adc2752b457f3d40f811836874acf4cd3de7a5

SHA256
dea08d7393e79300a10a98536dac2c6a55e7549971aa66dc00dbcbd60021d051

SHA512
b97143541e68b40a47655f77256a99e033daff878ba2fd3fc5273815e063de046eda04803106771198c5feafa196373d3dacb204d9ecfc35b8fb9432488c03c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcEI.exe
Filesize
112KB

MD5
cddf0c6a3d854d06c7977981063b0fe1

SHA1
e980f317fa881c504a4094716fa30e0e3db00f34

SHA256
9755ec4ba31010ec5f9c0a04ff8cd5616d422d942a20a51a0bd4718e500594d1

SHA512
1cfec4dd2ca258bd649a431d4811609195759a9739761f1e7579ee79025ca6299f507078962c7bb80767fd54e538c45bd6f39ea6c6bf7914df26d4513ecf52a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcMI.exe
Filesize
503KB

MD5
4c253ced47e9cf304b5f7480ec0f855e

SHA1
4243ff7b0c20446510e883b2493d2548de4e6efe

SHA256
0cf5129eb5108338498d05e3e9b02ebcc7eb866fd5e28fbb8ca72cdebaa442be

SHA512
836cad10e1aebdecdb40a576d666ea2ab2712df8d3e023888f78113a42a42fd59ba9d76b1e83a8e2da1396439434823a4cff5fa102d533c0698886166dc06c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUES.exe
Filesize
113KB

MD5
983b705e10f7da6e8e9aa8e0b3427ad4

SHA1
80c979149e27c1bd39dce8c22bda9801d76b610a

SHA256
45fb9dabdb98cb53413ed219ae89f61ba2ec360f704a3f696f78e5f40ea55855

SHA512
6cdc3a9c37c7770b9ffb19ffcae2ad1944e1d2e1d6309ba9b644d0721106808cde27f0742a2a50a77a21448bbf8c0f9844e2d498fbd3065b483dc19355aee888

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYQI.exe
Filesize
720KB

MD5
507dab7a82eaeafb7725a634aabcd7fe

SHA1
325c84bd24e454e503a10d150535abe1bf504a23

SHA256
f7e589c17f9b17c0e99e74a216f4d66f9d806e643357597572e09606a6c1d126

SHA512
4378f1c2d6b0dad237596eaeaaa33789c8e7c39fbcddefc8f5e3c41a190975fc166672f75fadb0a8e06fdb35afe6423bcad9968ba6596039898df03396da21b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsUY.exe
Filesize
116KB

MD5
3c87adeb7400fbe45d53b192e517560d

SHA1
3f341089459871e234081f9747352a66a6a7a7cc

SHA256
2e4e5448f79c96b4705dceaf9cb26313dd71fad3e7b04e85c844cea8d2cb4dde

SHA512
4b872aa1d709a2f55e335aebcc1078d614a91972debaa3017a7753933ccd0b55d94f9f40c1ae043e3fd9113c7b3312e4716ab88e3d0442b93caec31ae0ca495d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwsq.exe
Filesize
119KB

MD5
c05c55792fa4a0af7ae65d117b1a9524

SHA1
d5e1e38fe10ba0ca48f90c636e6ee2756ef7b488

SHA256
dcc9fb19d718398c13785faebce1c9244293cc202b0a3aee5ac8c44a08261fc1

SHA512
32944c06695f395c60725a67dfbee2ea5e16a02c837b8ec16be4780bd58bd7277be354d77dcb6812a2c5c901ceb4be4cee7466f5838c8bf2cb3fa46feed0b971

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAcC.exe
Filesize
118KB

MD5
de80ef6ca1c5417fa2280312faa76a17

SHA1
f3a551ca941bb1278fa5a29f7b347d74472e429b

SHA256
8549b1d99701df12e321879578ef6c8686df1ccef7b49dbc68ccb367ab7904b7

SHA512
2cf2bb7496db716f778d3d1e54385caaed5868352a8a78f33b0a887492295542db91e5ff5fd8c2d172ceb8b3349a5d450290cbc844de338277bd6cb04227cdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUIQ.exe
Filesize
112KB

MD5
0bbcedad2cbac44f255ddc5e6476975b

SHA1
6379d8fcb6831170079a10fccb43c4a030daff15

SHA256
8f6b3d37b1c8e340520e7d703d1e237b7d22338522b9ef6a29078842b8c81639

SHA512
460b09548ea80c4896740f098671a98108901342f870b54df72dd9f451d9ed88a9f97cc8130509c8069d5fa2f4c180af1bcf4fd314ed794f368f557feb18ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\icQS.exe
Filesize
110KB

MD5
14e68c75b25fea3c5c321f1df0cd9520

SHA1
bc69d0301e9e3692c783cd3acd74bd6c48291b74

SHA256
54d4d90aa0c27f45df193c3ef83ab1f9bff4d57047f432cf322e5e9e89666a54

SHA512
4dd347fb040f3b07605c058b1d2cf197fabe9758984e4e644a641979081aab2cc05024dd257b8ed72c9848339be0eedb49861c69d442668840de6a5a6ec889dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\icQg.ico
Filesize
4KB

MD5
c7fffc3e71c7197b5f9daaea510aac10

SHA1
23262fb8038c093ac32d6a34effbede5de5e880d

SHA256
71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865

SHA512
c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\isUQ.exe
Filesize
110KB

MD5
59f9757dc9cea4ea50658e0523037cb9

SHA1
e780d2d5875f494b25da66d92d9e699e42242afb

SHA256
65945eadc7121dad4a471ad47c3ceb6b67f83a94e92876ef0488d23d05a69eca

SHA512
94c4b539ea6be342d9b719ad12627fd8ca1740f7f113ef181468be1d65ddf1b1e84c89ebe101713b8d8ca0f097fc695c1e734f7196428e75460136b307725cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iswU.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkww.exe
Filesize
566KB

MD5
f40cede7b8bd7b804f43baa6bfbf3316

SHA1
46577416d86a9c960b6b6a8b09c84a3f78bf7f68

SHA256
d8085d2ac90ce1b13fa8bf1ce834645120f24615434e80ed0751783dc50df720

SHA512
eb9d7412f36b8673c075305ed898add9d2f1e2689c41c433d76be304d60dce7df8f4cb89d32ccf57a1b6b4bf83fceacc68fdc0668842b69f505df3accab8f8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgoU.exe
Filesize
117KB

MD5
ae0aa25876ccd299c060ada7a026fa20

SHA1
90f12bb6f84b87ace8c5a634ee2008bc137abbe6

SHA256
58ea168950cd61bb2b79b3d6abda1743abbe25dc99bc814a551080cdc9cd02cd

SHA512
59fdc3299cf969550328de50bff9e746e64a167ed807f6403d062dbbe4f391d779529e0287faa4dca37f18ef360a9a4cc517f48d06def716a11c04075855a3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgku.exe
Filesize
5.2MB

MD5
c07418f44035ee56ba69818e49332ce2

SHA1
e9b67f80d0fce6e7957c6efc511f6e77c5a93e60

SHA256
e45aab8814416110fba3dbaf9709ab2e991a46b1136d424612894ea453a020ee

SHA512
0c3991edcd72205f1dd77872c4135c65756ae2c216081c60d916705f1707ad5ba3f42454ea63deca1027688f966a791bddb9bbae04e4ab25290ed774547054a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAQ.exe
Filesize
112KB

MD5
22a506b6a8cc8df788480c552d4bc442

SHA1
dbd081883212dbed836872b90af77e175e66700b

SHA256
daf554f7620529813cdb9bf98e4ae6cc9938c82cb0c0429c3d7439a3001570d8

SHA512
8da0a8b0c81e90bc31b2a31746f8d41d25cb944004ae69537c229d0a06b479b2dd7437636cf14269fae076c894f18a4c1fac0fa8ea30fcf35f49ea8029693302

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgO.exe
Filesize
555KB

MD5
71495a375e8dfe39a146601a4f95cb6b

SHA1
73d54665b3cb5380eab6376f7498b653dcc26e7c

SHA256
e07c940fe39f9644ab057e0433329717ba1aa742495bb026f654980fdb9edc72

SHA512
3af0a2f09bf6ba7279b51fcfc0028201f5aa385a19f218f53d1debf8021c6b48550e501303c1cd9bfe63f9059491b41baa421d17944eb3da4700bf13ec2f3ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAEO.exe
Filesize
110KB

MD5
aae642593aaa34bc036a08096d693ef2

SHA1
c4aedab424089afa019bfcedf929c88a15c054e9

SHA256
6f592a5beb8e5c068c8528f7c0d90d1cd2349ed9d9d6f238545b5fc81068a2b7

SHA512
f830f60291ea67f1e0d9b7201c4043489028d82251dd94f2823e2f909fe6efec6daf717c2349c54f89aa6bdcad7caf80a366060dcb3adb500c9d71d4e625deac

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMYE.exe
Filesize
348KB

MD5
073f8a6cf1849761dff4747a8eb8bc1e

SHA1
91673ad2ab53934d504c28158ff80f025c40001e

SHA256
c34b6af4d4930234c6258f93c69480a105684c0a36c578df7ec98c12b148d1c1

SHA512
6ac1cfe1b843104bd603039740691cc3bce6b72455446c4c081115471980aebd776de554edd946c062a600554fd08bbeb51e6c6db402f9f8a9171b69458149d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYEq.exe
Filesize
119KB

MD5
e2f5d4cbd83e5895431369b095fbf152

SHA1
a0c2753221d4a2bbdbb6de5e5a0b37e18977160d

SHA256
f1edb01b16964629c1d6d3358a65fe8457936c370ce947b8e72e003a948a1eee

SHA512
0709cd0e370efbc6104e5bc6ee49c6ea9ae2247a803568dab732474b2ce633fa7d159f3af7202651bd060a9b627fa645292b3444bd4998875629273dc2deeeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAsi.exe
Filesize
140KB

MD5
b40d7830ca4b06ddfe04a13c39c7cd4f

SHA1
2bdf3a04148a42a266e81d46580d677abe4ce733

SHA256
184d40cc108943e3fd9e57f556dbd1f8fe26de9c1e9aeddd54e893cd0a98f149

SHA512
66ad456261fd0864743b8b1b9fadc6c154366823c28f9a603d5810168cbe946f71153cf94434240f0f34e68e5b0e5d2600e2891ee7bee30403c7a5e3a1f87cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYws.exe
Filesize
154KB

MD5
2d348872408e3a98a534ee2f6cedd699

SHA1
f5e65be1f1345a788e52f0b5158b8281addd4a58

SHA256
669e7401f35c3357c19d1c7a34127ffb38854a225c345b4e146de18e57a32ab9

SHA512
da5625a181b86d8db8fefee0ea94e2cc6330cddfb172ee252b870050d4c7273841916517b83b7693873d789b58d5ae40d51c54718eddb6a625ec9c1037c1d0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgwE.exe
Filesize
1.0MB

MD5
5261c5a903900e9a5edc872845196f85

SHA1
b721e9a1fc17aa8f0ac71f5c168fe581d37a6fa9

SHA256
d0d1679bcdf245dcee909cf3e051486936841b277908c0d0f92b11e459dedf7a

SHA512
705b33e6bd1612984f99e2c895ba7fa2ece173ccf9d5288a6c501fffd95520d6960dd3fe20a7d6bbfb9f2d4be31536ede401428ab586e9b1436e224aef74c71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIQw.exe
Filesize
237KB

MD5
50c1eab62eaed70eff8206898fb9793e

SHA1
14419f4af7cb91162c1a49166889e990343bb022

SHA256
8349637c3f76638cfa91c6518fa370e4af896f16e29a9d904fef3893ea576843

SHA512
21c37a0694f4b2fd84f9684d3a8039c103533df2d94b25f7ffa561bbbc3ccbb533c40c92a9be7e4a8b51774c97f88714af943972fc8a6525a1cb193f39b5684f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scUu.exe
Filesize
112KB

MD5
39d03ce491b6e501c4db9d43afae92c1

SHA1
81161e7c8e3c22f205646b4a9369cff4fa8fb81a

SHA256
944694c4f0c23c07380ab713288880c5a14c3520e5032b8fa19d7d49ff87fd3d

SHA512
f712e29696f3b8f5b02b5eb8752707f82b26a03a0e3c143df75e871a021477474e36bf8d92a2656e04eca13d084ae435f8cf14b17f2e7a1ad7e3d2b2fbf43b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgoG.exe
Filesize
112KB

MD5
f289f3984b250fdd6a4193148ff1992a

SHA1
c869404218ff3e48529fa5135c6d40bb69a7d7af

SHA256
d99686aca7d71cb07e71da4385af41c4d06f51ed1f2eb8263a017e6938c5e8de

SHA512
732be92bd3f7cb6f82a0a0035fcc70201a8e335aacfd4296eb0623e7d4c46a8b647b2ad68306a33593448feff0dc6b6abda361a91ccc34dfd1185113e77baf08

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAke.exe
Filesize
238KB

MD5
dca5797f76320ce482dc97d8a08b14d1

SHA1
5a54bd9cc2f9866537141ebaabf6c5c139cac653

SHA256
1d179a696a51f8f20c16e2f77f579fce8b5760e4c1cccf24a382cc8b853a2811

SHA512
261892fc08fc65e6ac01abbeb6b7dead56fc0bcd4fc710178bbbfb2ffc3c282ec182b6394a70a3ee55b6ae0f1a8770def4d0aa468ffb6ba4aa85ec3179a49f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEIO.exe
Filesize
243KB

MD5
2bcefebc3aa52caa3a74cfcfbe928ff5

SHA1
a7d205173f62c5fc55bb138a8f6ff67cacb4ada1

SHA256
72366f1c39cd7226144f4a0c48b85217c34ca429c053fa00d51fb031964928e8

SHA512
5088168a2f41c91f97857920ecc8154721e9fec8333b0de7e1bcf928474903abe848bcf8c03136eac51cd1675e9dfc6b1ead2bee32dc52dafe11719c150e8f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYYy.exe
Filesize
113KB

MD5
d03eb00dd783d5a8776d273d92945910

SHA1
3f4d041cb62e3c415bfe3afedc0b5baeeca39568

SHA256
fb4869bde6c6cbffb8cd0173865ff81fc0a0404f815d489910dfb0eb699a7c89

SHA512
86f628485ca19fbca669dd4c716f343e82552944db2ca650abfaa9cf0eee18173a322c2e0ac024ce6e6fe03a22c1bac3387dd083faeb2645ef43661f75891106

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcoI.exe
Filesize
112KB

MD5
514c049a031071eb2c70b34bb604a12a

SHA1
1a22c1281a97a892e841252b8c9c4d7560e2dedd

SHA256
b444398ad8b4016b7479bdc95c8ce8f2feb531ddc04cd2f45690e382f65980f1

SHA512
aae84594550c21240b96fb3e172ab3675b17835d940c0221f1cacc2fd7e99abf840733d52d138611afff4f39d9d4533a1e377392f4a4b8be43c1a9dd67e98ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgUK.exe
Filesize
111KB

MD5
522691937f3ba0bdf707ca29f9a0699c

SHA1
0e05033d7c43a0b25a33b8b6b880f44efb35aa54

SHA256
e67cb179a189b8020a189b043bad927f37b7f95904fa9c778d91326c729140f9

SHA512
bc6802255d2e4f39f5cdfaf83a3c11f7ffb61be788c0f0b035ce17b20fac059ce1b761b48950e4fe45f651892c07ebd4c9a8a5431063ee982860e1f4be8f2ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkgk.exe
Filesize
113KB

MD5
0d40cfd2868b09c592a53da4a5d64fa2

SHA1
98a1087e00cf5b5e8cb43f58f0ec4dc92e082e50

SHA256
60da62997a18a9d9cb6c2628a7470f60a5b03162808223bdd59447e9af59d410

SHA512
1696cce7aabed48dcb29f506ba2f74c3717a285000edc1e4d88bfd7449685c2f535db10e9a6a88fdba15001af285c32b5c6fc85790e4404afda076b397786bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukQA.exe
Filesize
786KB

MD5
2939db7633543e45923bc6654e90c658

SHA1
087617ada072a13c930fc835f8deec818a1047d0

SHA256
23851070142136adae0a5576c766fe361e129e6da1046735eedfc247348b56b8

SHA512
da14cac415c2d9c1d042d3a6a17285dfe3e29131ce496c4dd3526a0053ffd5417dec956d39335cfb194caed033bd88356a851fc21888afdaf639e81ffee2f585

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMow.exe
Filesize
1.1MB

MD5
4bfb1017e88845ff6fe198677fb1a9e1

SHA1
a785d9e3176ddc1e9f9ad12d5e010038ba93270e

SHA256
6c605a500b659740d31cf0b8bcc92b6bedb7ede23ced1f3258aa71e8f998af99

SHA512
a3dcaf4534e5eb12b5eb88c8093cb303deaf552c9c6e0f691615c63107db38d6a23121fa055497ec60eb4576881835d69617dc3a33323bc3fd919af9c52fcd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMsG.exe
Filesize
111KB

MD5
672fa8c8954ce80ffd0c36ed7e0856aa

SHA1
0d2b8b1555e9845fc0247665bdc5c85c98136759

SHA256
34868282a67e604092372838c028ec9f425922d14d4b33c94c73f47394d7dc2d

SHA512
439ae22d0453826c101dd62979d353971daecf9ecbfc8de28e058a595d5a0db3bd0f36422212100b896d9da8e500b79af922d1e4509bbaccf2c41177ae8a85b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAQs.exe
Filesize
116KB

MD5
72639f7b711c3002d51abeca418c37bb

SHA1
929700e58fe4700299fc9b4c5e17a118e6723839

SHA256
98aaf2b2a8645755483ab76b49db27a9cecec5452b50c95436ebc86c331194b4

SHA512
a3c994faa4c0263e99ae75a0c6ef03deb9b1fb22bd8fbd78ed65c8d73686897b7d3e28129032085c23b66e91e53d3fcc6ee8b4fd8b159cb54285587ea4dda548

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEAI.exe
Filesize
115KB

MD5
4e9d389e83410135110ea452c360955b

SHA1
c1722a26db5d6f72358ac2282abecb31f1b23d75

SHA256
0e83cecc15b99d415489b501f6735a65ef41fc523b18b7723138d66b553b39bc

SHA512
78f9664987f4159d9a0138bb5681cbb2478072356bb3f22a4ecd6552281a2dca5007dc6de38794ecf6522d87cec72ccfc3ffaaa87dce535b9cd6f12514ae2b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIsk.exe
Filesize
113KB

MD5
fab7cbdf9f7c41f97c6b6c6aafc8e60d

SHA1
3ef7e6e46ff06aeacc87c6d52b0a530cbc23d579

SHA256
4d7b8cce1d532dd2a3084f15cce7ef9fb186e6aa9976d3a5e88cba333f0b68c8

SHA512
7206217a2bb879f226d4b2c93657619f94de07cda902dc283fcb35d9a127d243a949f6b343cba590b3e7e6b317dc96e7cd2e3949a27182c493ef05788c23d233

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYQw.exe
Filesize
555KB

MD5
30cec09a9250cb59e89d2debf3fbe479

SHA1
80c08215e37b5ce3b015fba5df9093a8197454e8

SHA256
c51628c57ca9de63456a8f796f76aff110a5c9199f3bc5346c2e3ed725269f92

SHA512
d3cb1747b4d2cedd8955f576e5ef1e4268c76d704e993242fd3fc73d804f41b4e724677b5e4d5ef1e1ad3dc869d0e42cae6aa59373eaa06aa1d11672491d6254

Download Submit
C:\Users\Admin\AppData\Local\Temp\zosK.exe
Filesize
112KB

MD5
e9914a58ae1d3072314fe10b6e41a979

SHA1
2a34b738b2b9a060059b703b26ab41f43abf6419

SHA256
0df49905597ad4b158dd0e0c3766a55672798a29727369925fcd7e1105a52105

SHA512
7645bae9b9d8fd83e672f26dc60ca5c6d271dc6614be8a95607666061a9f6a4526c56b7a9353937cec3dca35346f15f18912fccc14999c033f48d43f6e5856a9

Download Submit
C:\Users\Admin\Documents\SetEnable.doc.exe
Filesize
1.9MB

MD5
e08648d8b0d3528e4cebc4fdb9f0960d

SHA1
6f0cdbf97946566dd55001c71a85ef12656142c5

SHA256
f896bbc4fb876dd6811cade2c03b73a16c999d72b10fb0449241775b1adb7656

SHA512
6e279b2084e1e4b5f380dc8442791f58a3f730249f893cb6e7e3db9703ff5e8759c0512c8183975448abf8fa2cc137ca17d84962714436eeb613a32f32cec6a6

Download Submit
C:\Users\Admin\Downloads\InvokeClear.mp3.exe
Filesize
537KB

MD5
b7022ad29be433d10ca219c62b58d146

SHA1
01737e523596d35946a3512fca0e933d30d45f8e

SHA256
8ec14047c9aafc69f4bb5651b48227029420c476af1405cec075b67d84066288

SHA512
49446e000cc6837b726224e217e2d13d1c5e358fed02dc1bad71d0b87c7b71f7a98fa25ede22005cdbf4428f0c5209871a6a6201cc6873694628a92c1595e853

Download Submit
C:\Users\Admin\Music\DebugUse.zip.exe
Filesize
542KB

MD5
9650d04aea78a2749fa1a43a593dab1d

SHA1
8fd3610ed9016b20b9f5bbca66b7f671f81b7cbf

SHA256
6248248a9fdb6ee25552686ae2db48ed6f2fced886b620eadbca8608a4748017

SHA512
959a024d0e6c90e81f3d8253bf8788f8a6baed58660c17c8613475cbcc784e202bcef927a1eb1e8e9cbe7d3f3b1338706c2c07fadfb69aeda43c54df0394ec12

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
Filesize
136KB

MD5
7d132f99db0dcf31808e83131bbaadeb

SHA1
37eedb1fbc4bec075574011f6664ec2048e58679

SHA256
68b785b25ece09af14d4959546c496ba7a363ea04bb2aabc7b39dcfcc497cbd6

SHA512
286db477d3a18c18d71a4fed1a2e90828a6825d2e42fe2b14dcbae6d4cf8b810feca5dd45c1bb73a4e6d024b06da2ea3acf149016d55e6ecc0080f356753fa1c

Download Submit
C:\Users\Admin\Pictures\OpenCompare.bmp.exe
Filesize
273KB

MD5
27e74aa218a1e44731247d27936ee218

SHA1
295f2c3bbabd7c7c42d1706b21fed53bb416f1f4

SHA256
5a89f131def2cd5b8e4c029ea3d49d5f5eda25744d37d2c28f9ff9d2928889bf

SHA512
4192fa3d3ca6d8f352f70b1914b97faecf4647cc853c29786faa1b96a6aa47ce089fd00f98208e06204a052ad609503c6da3b8ac7fa1efc5426e4065c471c273

Download Submit
C:\Users\Admin\rakMwgAM\vgcwAkQI.exe
Filesize
109KB

MD5
3b45e826b7fc59efa3c4b0e5dff0d9ae

SHA1
7096c390eca5d8982d65616ef8b3e99a5bb02cd2

SHA256
9f454813fae6149e5ccc6a046fdd2a6f676bb2988f582b6ae8f9e6ef6583f229

SHA512
925247aff5368dbcff25b6215201c418e799becea82da37be5de2179b19f493a4633d9d2c5cead56d928e1fba8e800e89477c9bdf985f67f74903a30ef62fe68

Download Submit
memory/412-107-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/452-264-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/452-271-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/492-210-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/492-199-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/552-243-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/872-279-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-510-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-545-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1084-280-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1084-288-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1212-313-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1416-164-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1528-297-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1528-290-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1764-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1764-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1764-376-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1832-501-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1832-479-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-118-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2060-11-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2100-213-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2100-222-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2148-400-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2432-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2432-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-142-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2636-153-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2984-121-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2984-130-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3224-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3392-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3412-175-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3480-360-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3480-352-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3504-263-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3540-351-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3540-331-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3568-509-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3696-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3696-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3768-633-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3768-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3768-597-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3860-188-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3860-198-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3956-464-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4400-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4400-96-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4440-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4492-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4492-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4492-233-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4524-186-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4632-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4784-383-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4856-368-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4972-392-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5056-560-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5056-583-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5088-305-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5096-255-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5096-244-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download