cb2df46750a6f585485eec85a425dde5d6afb1eb360823e894c03383c38738e2

Analysis

max time kernel
149s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
Size

117KB
MD5

43a945ccc2d99ab669fa84f0acb31272
SHA1

1e61b384220de9bc8f994c7cd6a7f9486e52fbfd
SHA256

cb2df46750a6f585485eec85a425dde5d6afb1eb360823e894c03383c38738e2
SHA512

d6a33f17e86ab22a4a0dfc27f7ad0555ccaa836ac6cca33eac13de70ee8ff7f9f3bdf1ca047876ff53fe31370255333f6d560175628520b118c666d511dd2dba
SSDEEP

3072:J1PP8+ij5wKp3Csdclg+Y8iOKi3sgv6l/FxfyLcOwQXZyzX66m5NzvKN:D9liCplg+Y8iG3ncwXk7gNrY

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (88) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

yisIMwYc.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation yisIMwYc.exe
Executes dropped EXE 2 IoCs

Processes:

ZsEcAYwk.exeyisIMwYc.exe

pid process

324 ZsEcAYwk.exe
4420 yisIMwYc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	yisIMwYc.exe

pid	process
324	ZsEcAYwk.exe
4420	yisIMwYc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ZsEcAYwk.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exeyisIMwYc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZsEcAYwk.exe = "C:\\Users\\Admin\\rEEsQIMo\\ZsEcAYwk.exe"	ZsEcAYwk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZsEcAYwk.exe = "C:\\Users\\Admin\\rEEsQIMo\\ZsEcAYwk.exe"	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yisIMwYc.exe = "C:\\ProgramData\\VkAYEkcY\\yisIMwYc.exe"	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yisIMwYc.exe = "C:\\ProgramData\\VkAYEkcY\\yisIMwYc.exe"	yisIMwYc.exe

Drops file in System32 directory 2 IoCs

Processes:

yisIMwYc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	yisIMwYc.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	yisIMwYc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2416	reg.exe
2184	reg.exe
3668	reg.exe
3928	reg.exe
1008	reg.exe
2912	reg.exe
3676	reg.exe
3644	reg.exe
1680	reg.exe
5108	reg.exe
1680	reg.exe
760	reg.exe
2708	reg.exe
5040	reg.exe
2552	reg.exe
2384	reg.exe
3016	reg.exe
4716	reg.exe
3308	reg.exe
856	reg.exe
4940	reg.exe
2192	reg.exe
4236	reg.exe
3552	reg.exe
2508	reg.exe
2620	reg.exe
3780	reg.exe
4644	reg.exe
868	reg.exe
544	reg.exe
4476	reg.exe
1616	reg.exe
3684	reg.exe
808	reg.exe
2408	reg.exe
3056	reg.exe
1380	reg.exe
3156	reg.exe
3632	reg.exe
2128	reg.exe
1668	reg.exe
4540	reg.exe
4544	reg.exe
3644	reg.exe
2508	reg.exe
4372	reg.exe
2788	reg.exe
3928	reg.exe
3832	reg.exe
4224	reg.exe
4592	reg.exe
4340	reg.exe
3924	reg.exe
3356	reg.exe
4536	reg.exe
2440	reg.exe
1336	reg.exe
1572	reg.exe
5028	reg.exe
3376	reg.exe
1092	reg.exe
4972	reg.exe
864	reg.exe
4236	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe

pid	process
636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2672	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2672	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2672	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2672	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4652	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4652	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4652	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4652	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
3368	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
3368	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
3368	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
3368	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4544	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4544	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4544	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4544	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
1280	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
1280	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
1280	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
1280	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2472	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2472	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2472	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2472	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
3296	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
3296	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
3296	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
3296	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2784	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2784	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2784	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2784	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
5108	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
5108	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
5108	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
5108	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2072	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2072	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2072	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
2072	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4224	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4224	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4224	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
4224	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
452	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
452	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
452	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
452	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
412	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
412	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
412	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
412	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

yisIMwYc.exe

pid process

4420 yisIMwYc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

yisIMwYc.exe

pid	process
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe
4420	yisIMwYc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.execmd.execmd.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.execmd.execmd.exe2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.execmd.exe

description	pid	process	target process
PID 636 wrote to memory of 324	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	ZsEcAYwk.exe
PID 636 wrote to memory of 324	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	ZsEcAYwk.exe
PID 636 wrote to memory of 324	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	ZsEcAYwk.exe
PID 636 wrote to memory of 4420	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	yisIMwYc.exe
PID 636 wrote to memory of 4420	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	yisIMwYc.exe
PID 636 wrote to memory of 4420	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	yisIMwYc.exe
PID 636 wrote to memory of 4408	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 636 wrote to memory of 4408	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 636 wrote to memory of 4408	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 4408 wrote to memory of 864	4408	cmd.exe	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
PID 4408 wrote to memory of 864	4408	cmd.exe	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
PID 4408 wrote to memory of 864	4408	cmd.exe	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
PID 636 wrote to memory of 3424	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 636 wrote to memory of 3424	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 636 wrote to memory of 3424	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 636 wrote to memory of 3668	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 636 wrote to memory of 3668	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 636 wrote to memory of 3668	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 636 wrote to memory of 4544	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 636 wrote to memory of 4544	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 636 wrote to memory of 4544	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 636 wrote to memory of 3644	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 636 wrote to memory of 3644	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 636 wrote to memory of 3644	636	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 3644 wrote to memory of 1560	3644	cmd.exe	cscript.exe
PID 3644 wrote to memory of 1560	3644	cmd.exe	cscript.exe
PID 3644 wrote to memory of 1560	3644	cmd.exe	cscript.exe
PID 864 wrote to memory of 2328	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 864 wrote to memory of 2328	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 864 wrote to memory of 2328	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 2328 wrote to memory of 2928	2328	cmd.exe	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
PID 2328 wrote to memory of 2928	2328	cmd.exe	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
PID 2328 wrote to memory of 2928	2328	cmd.exe	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
PID 864 wrote to memory of 3236	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 864 wrote to memory of 3236	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 864 wrote to memory of 3236	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 864 wrote to memory of 4716	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 864 wrote to memory of 4716	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 864 wrote to memory of 4716	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 864 wrote to memory of 4236	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 864 wrote to memory of 4236	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 864 wrote to memory of 4236	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 864 wrote to memory of 3900	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 864 wrote to memory of 3900	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 864 wrote to memory of 3900	864	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 3900 wrote to memory of 2496	3900	cmd.exe	cscript.exe
PID 3900 wrote to memory of 2496	3900	cmd.exe	cscript.exe
PID 3900 wrote to memory of 2496	3900	cmd.exe	cscript.exe
PID 2928 wrote to memory of 2316	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 2928 wrote to memory of 2316	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 2928 wrote to memory of 2316	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe
PID 2316 wrote to memory of 2672	2316	cmd.exe	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
PID 2316 wrote to memory of 2672	2316	cmd.exe	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
PID 2316 wrote to memory of 2672	2316	cmd.exe	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
PID 2928 wrote to memory of 1964	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 2928 wrote to memory of 1964	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 2928 wrote to memory of 1964	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 2928 wrote to memory of 4788	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 2928 wrote to memory of 4788	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 2928 wrote to memory of 4788	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 2928 wrote to memory of 3940	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 2928 wrote to memory of 3940	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 2928 wrote to memory of 3940	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	reg.exe
PID 2928 wrote to memory of 1128	2928	2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\rEEsQIMo\ZsEcAYwk.exe
"C:\Users\Admin\rEEsQIMo\ZsEcAYwk.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:324

C:\ProgramData\VkAYEkcY\yisIMwYc.exe
"C:\ProgramData\VkAYEkcY\yisIMwYc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
8⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
10⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
12⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
14⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
16⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
18⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
20⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
22⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
24⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
26⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
28⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
30⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
32⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
33⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
34⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
35⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
36⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
37⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
38⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
39⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
40⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
41⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
42⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
43⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
44⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
45⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
46⤵
PID:4168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
47⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
48⤵
PID:3920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
49⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
50⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
51⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
52⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
53⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
54⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
55⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
56⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
57⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
58⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
59⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
60⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
61⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
62⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
63⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
64⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
65⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
66⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
67⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
68⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
69⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
70⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
71⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
72⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
73⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
74⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
75⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
76⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
77⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
78⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
79⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
80⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
81⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
82⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
83⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
84⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
85⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
86⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
87⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
88⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
89⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
90⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
91⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
92⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
93⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
94⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
95⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
96⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
97⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
98⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
99⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
100⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
101⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
102⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
103⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
104⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
105⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
106⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
107⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
108⤵
PID:1288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
109⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
110⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
111⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
112⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
113⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
114⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
115⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
116⤵
PID:1092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
117⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
118⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
119⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
120⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
121⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
122⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
123⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
124⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
125⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
126⤵
PID:4116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
127⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
128⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
129⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
130⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
131⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
132⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
133⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
134⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
135⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
136⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
137⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
138⤵
PID:1020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
139⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
140⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
141⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
142⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
143⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
144⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
145⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
146⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
147⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
148⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
149⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
150⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
151⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
152⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
153⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
154⤵
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
155⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
156⤵
PID:768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
157⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
158⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
159⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
160⤵
PID:3296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
161⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
162⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
163⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
164⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
165⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
166⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
167⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
168⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
169⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
170⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
171⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
172⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
173⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
174⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
175⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
176⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
177⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
178⤵
PID:3100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
179⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
180⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
181⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
182⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
183⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
184⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
185⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
186⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
187⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
188⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
189⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
190⤵
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
191⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
192⤵
PID:4116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
193⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
194⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
195⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
196⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
197⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
198⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
199⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
200⤵
PID:740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
201⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
202⤵
PID:388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
203⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock"
204⤵
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock
205⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:2616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:1680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies registry key
PID:1380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
- Modifies registry key
PID:1008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:4392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUYAQgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
204⤵
PID:4972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUMIcggA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
202⤵
PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:1488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUwIQQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
200⤵
PID:3200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:1092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:3656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aucggQAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
198⤵
PID:5060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:2320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FasoAYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
196⤵
PID:5024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DogIgcYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
194⤵
PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:4844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSgsYQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
192⤵
PID:3464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:2344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
- Modifies registry key
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKogoQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
190⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
- Modifies registry key
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQcosQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
188⤵
PID:4900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUoEEQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
186⤵
PID:780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwgsQIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
184⤵
PID:4412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:2384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAYQYMMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
182⤵
PID:2628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:2680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqAAEowc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
180⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:4296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQMoQkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
178⤵
PID:1012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWgUoEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
176⤵
PID:4972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyksMMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
174⤵
PID:1956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:4208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEMAwAQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
172⤵
PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUgkggwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
170⤵
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
- Modifies registry key
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWoUgAQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
168⤵
PID:4676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmQIUcIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
166⤵
PID:3884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:1956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:3364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSwYYsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
164⤵
PID:4412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
- Modifies registry key
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
- Modifies registry key
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uccowwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
162⤵
PID:4152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:4792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies registry key
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
- Modifies registry key
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmAsoYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
160⤵
PID:3656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
- Modifies registry key
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGgUwsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
158⤵
PID:2140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:3448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- Modifies registry key
PID:3832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMEgkcQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
156⤵
PID:3424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuMUkoco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
154⤵
PID:1668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
- Modifies registry key
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- Modifies registry key
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoAsQEMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
152⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncMkMYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
150⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:4568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCAcAUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
148⤵
PID:2136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUIAQkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
146⤵
PID:4660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:4372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqoUkQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
144⤵
PID:1616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies registry key
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCsscMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
142⤵
PID:3448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:2680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEQAkUAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
140⤵
PID:3612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiYooAgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
138⤵
PID:2784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kckIAEAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
136⤵
PID:2508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCskQMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
134⤵
PID:864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSwkQIwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
132⤵
PID:4964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMIUQwYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
130⤵
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:1956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmEAUMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
128⤵
PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deoYoIUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
126⤵
PID:3936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
- Modifies registry key
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqwoUoUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
124⤵
PID:4384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAAEwwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
122⤵
PID:4732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEUgQsks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
120⤵
PID:5020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:4624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
- Modifies registry key
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkYIsYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
118⤵
PID:4516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCEYMIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
116⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAgscYUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
114⤵
PID:3416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGoEUIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
112⤵
PID:3612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSUUUwQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
110⤵
PID:668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMAkMsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
108⤵
PID:1668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQIkUoQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
106⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKUUcsgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
104⤵
PID:3300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- Modifies registry key
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkwEMgEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
102⤵
PID:4732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies registry key
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:3900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuIUkUUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
100⤵
PID:3928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- Modifies registry key
PID:2552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMcYkswk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
98⤵
PID:3200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kggwUgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
96⤵
PID:3920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgwAoMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
94⤵
PID:3384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- Modifies registry key
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUEIUkEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
92⤵
PID:436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:3712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- Modifies registry key
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIsocUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
90⤵
PID:5064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heYMYkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
88⤵
PID:3416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:2564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zesIQccI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
86⤵
PID:3880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nesooYkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
84⤵
PID:3896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSYoIEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
82⤵
PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:3712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:3676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCQsIkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
80⤵
PID:3916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkoYAwcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
78⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tscAwQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
76⤵
PID:1764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkswkYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
74⤵
PID:1968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwMIIYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
72⤵
PID:3684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies registry key
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- Modifies registry key
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyYQkUIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
70⤵
PID:5064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:4268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAEMgIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
68⤵
PID:1416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkYMoAQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
66⤵
PID:3880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIoksQgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
64⤵
PID:2312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcswUkgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
62⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEMwgUkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
60⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWoUMMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
58⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEUskIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
56⤵
PID:4980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKQQcMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
54⤵
PID:4452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
- Modifies registry key
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecgUAcsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
52⤵
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcgAkkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
50⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwkwoMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
48⤵
PID:3832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyUEgscE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
46⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWYYAMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
44⤵
PID:4012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:1132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEAkIAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
42⤵
PID:3700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:2440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyccwgsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
40⤵
PID:3120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEoMcIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
38⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUUIkwEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
36⤵
PID:392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:4752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doQsgIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
34⤵
PID:2580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:4616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
- Modifies registry key
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiYUYIUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
32⤵
PID:3864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmkgIsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
30⤵
PID:4268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoQIYQwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
28⤵
PID:832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWAswMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
26⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAwUMwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
24⤵
PID:2496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQsAwcsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
22⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deIMwEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
20⤵
PID:4504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYQYcUkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
18⤵
PID:808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUEEYokU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
16⤵
PID:2432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCsoYAQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
14⤵
PID:3304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSMoUkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
12⤵
PID:2272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYsEMQYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
10⤵
PID:4796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwogMkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
8⤵
PID:3612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSssYoUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
6⤵
PID:1128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROowwAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUsQIcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
149KB

MD5
96432ba6d2a3f2439c0e61223d955e64

SHA1
92c0dc4702d4f49e1ef59a4bdcc72c76d3c9f77d

SHA256
4b15bfd4ef64715eb2f840e97b2e076c3114a850a20633010cd357091df8ed9d

SHA512
4aa96fcc13b13a3c2fd850352e9f60387c528dbd25d7d214bdc2f71575c3905eb7f750174fc08dd0be86d0996144b191d4daac95f7146540078b0d9b4fab1290

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
116KB

MD5
de24ec791694ccf9be95c3c306d79ef3

SHA1
eb3d84a4cc2eee29741cc371c56668bfab7bb85c

SHA256
1843b27cc179b01befef0e897aa5c3b88b3e4c4f766f293b862a5fa30a90b453

SHA512
9ffbed8f23ce1236100f9328097567920ed0d691b27d66b459e5772a64be1ee28c54eec3b3564a79cde244d9408842c8b9da9a365c1669d3d69fb844093e835f

Download Submit
C:\ProgramData\VkAYEkcY\yisIMwYc.exe

Filesize
108KB

MD5
72e5439b33842a4b0ba9dec2f7e70feb

SHA1
6fc91dc333dec6ea8feb1c63a2559ef3cf58cb99

SHA256
4f08f79db985c68dec92e36568f966a85355ca21ece7b5dfdba7d5e834a4eb06

SHA512
2894bf86ee4761a1ceb841b8700b2b1b38ce6ac2030762f1f85fa8773d9b9fba62460e1443cbac5db639ed42f4185cc0ca1039befbad823ee338d878670b90f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
117KB

MD5
177020ade92b7cb5c12b2ca02df76699

SHA1
89a72d8470db8861a1b788d8acfd804355bfbe22

SHA256
b2d1ce17a5ba104c31b4b9480210ccf410be47998cea239b8e07d68b2828586b

SHA512
be0cffdfbacda0bed45e124d695ec31b41bbbeb65caf1f64f162894fe8c2ad65e75b1feb78bc12500b5a42d8f6a20cc038f35c69a3070670db2da013bf5e863d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
115KB

MD5
cface2d04745e57c5c1bb084f0e244a2

SHA1
07fd75f07099fbfda1882790eb0f20b40804a852

SHA256
b04a5be1b1c82752aa0c94360b6bac98d4c98b2dc1ea030729f12a929f661206

SHA512
f96b7d696df66ac5b9983e55f00d7a69e94fc91ea32aa33b3ae16c4da463e43c0464d65d09cdef3f3379b4f3285d53b6fa22ea51d4c4b9cda4f63106d4a5bed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
118KB

MD5
22a02dc7a2c8b77e99c307bc1c1984d9

SHA1
8f5ad7d54be582a2da5890ef9e4e670faaa616b3

SHA256
db8a13a121b53e1e6b9f7294347d70457d7240e00675c33515ca0fcaa89151b9

SHA512
896507b588919775c3a67c7ea39183126897e6aaf37610dfa074942bccd7d036bec50156e27a72b66f290499ab3ff9460801eda3657812d4ad26c7894ed8bedf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

Filesize
114KB

MD5
83afab0aa9e3d3a0d54e093b1da7646b

SHA1
65b21b43ae39fc0144119a9f7dab0ec47e8fbb58

SHA256
80226e0dee90d600fd05027e53b648bc8aba4c33a88484b68209ea96fb80c134

SHA512
f91f7f6d144137a2acfce0d645d9ba0697279a2efd8e6ed0790a26e0f725e6a6d97d82df852e6301d2aa27198f975a1b2ef27e759fd8f8eb89543c01a30aa45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

Filesize
111KB

MD5
205c28f6c4da43682dcc2dc523e77fa4

SHA1
1bf4b58ec5180823d4d1bb0fe354705cb8d56dbb

SHA256
fd6187698fe02e478068989119f19c5cdd7bd0d3ffb553b0a57da4c6ae25d66c

SHA512
0c6f975639e3edd377ac22e4a03cc6cbd6de692792adfa73d7b232d2042b3e4a60118d1fda3ef771893ff3c992d398c39bd4aaa9060359129d045f27132d0dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

Filesize
110KB

MD5
0da96ffec793366339ffa80894b408c1

SHA1
fff05843273d93ba91f0b36f80ef16503e3222b2

SHA256
6b6b37468fdd0bd6411cd54700826e54f162f21eab582cd602476e1ebdb77865

SHA512
289013eeb30117d33a292f2725f34dfe14df957c9b269687ae9752eb6b093028f45c145c53dc43d68286f7b5ad908aa44407b45bdc75df6f557c0af59d851381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

Filesize
112KB

MD5
96690e75c024c6771617c609041f5f83

SHA1
f9bab8ac4eed52062c35ed428fb0553b75968e0f

SHA256
e5395fd91ea5672fa8c9198e9ac1d5dfc468d43ca5e739b4854f7974964334a1

SHA512
2c8ed0517650d1864a04f098bff1ab4cf3e7a796e48d39db6b6f5bf19839c19dc57924b5dbb4019f69b73dd9a33f3b0b34dacaadab1898471599f58512f4f1a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

Filesize
110KB

MD5
ce28c3b4a8eb5e828b2cf294d887358d

SHA1
65de91216d5778cffc6142a4e91f7834f8be3bd9

SHA256
7fc2d4f6aefccf1512fa2fb98fd75b30d0abce3cd88ce5c3ac77b3e587378567

SHA512
52ab18512f06b9742ac376ad81433238081e5f9a9bb337683b3a9292bcfe5ccb0d5ea4f663c1f562e68e7b316be9e8d3067b6ab909ecaf313b79e75bd0e6bbe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe

Filesize
109KB

MD5
4eedf50519148afcb51992e2769083fa

SHA1
85c1abd31fbcd773e5557eea6b5d9b904d631cce

SHA256
3c0d35d79ce12143acf51e9870c07e971b1e3be554bf472523fcff7469e08d8d

SHA512
f110762c35e78cdc0575ac38a98583b9d3bb43514bd0a22255372ca8b39a5880508c1c78686caf3cab7e5ef21c6b9465b38a4702baa3837ce70260fa34d620fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

Filesize
110KB

MD5
4599dfcd9336a371932ce86294fee5b8

SHA1
1bc0ada46916eb23c1c43bc8f00eeda1a995d6ae

SHA256
0019aaed4b0dc0cea0843614a0bc0b19bf2901f5e6c660e1e26795b7fd68ccfc

SHA512
95e430aabf8652e48d4a107bcd7949d9ee9fefeadccc7b01f200a4e71405778e5786c0a8812d284e4a57c44066d204aa9b93d1a8ae1dc764cd56f1711e5ad314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

Filesize
110KB

MD5
e945532b370384336793d7c30ac27ac2

SHA1
cd27322875ba5c6a979ecbbf285842f81159ee8a

SHA256
7991caa4e015acca320a5868896c0af2cb5986b564ecf6d8eadde83b5e678cd9

SHA512
27e3165d0a653f9562657f4d559624863895f75e24eb9a9ab06bb7ef10d481b815ad60ac63f74390a031e2fd4cf0001d6505b32f99da94159185f1e01adac179

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-26_43a945ccc2d99ab669fa84f0acb31272_virlock

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAgc.exe

Filesize
111KB

MD5
1104eaacfed6adb68e7abeebcb4a8fd2

SHA1
7e199dc22704dd949d664058e5bc03c7c3ff4e34

SHA256
3dc1c9798cf2608a9405bf85663b737f76508cea42860ac33db9c43eb8550c93

SHA512
be3afb0e5b42c88ae8f4a47f39fab9fac024eb34f62ab981b1b9333a53ddc0d807c24b1f39f2c20710d03bf939428957694e7ce5e0c9be6a3827cccf43fbadd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Acos.exe

Filesize
139KB

MD5
60eb6cf512c2b61b6bcd8d8abf8f18ea

SHA1
2ee39d161da7661fd0708f4fddb6506e1682847c

SHA256
40abb881a3420a52e70522ea40ee9fae194c74aa7609b2dc79995a972e6adf6b

SHA512
d7fb9448f92388df72e9cd94d33d5aa352221a1acf7341dacb5f7fb5adc812b75faff79f0bca1817896318d553d7740ce8f535e618ba2b735d4a4d3dd15fc685

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgEY.exe

Filesize
699KB

MD5
488578b7182fe4350e21124c7903f15d

SHA1
aff4e08f45cf929d936e955c06cba88830bedb67

SHA256
f2506efa465c9dc8500ac4d9b184f8163e2cb45f9321e7922503ee61aad9cf56

SHA512
3837092d962dc4d5c123cee9a8f94fa3c545d40d8dd68a7ceacd5264397ee102833b4ef3bc306f2b015786dbcca64286a8dfb871810e39601060fe95e231010b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwES.exe

Filesize
125KB

MD5
65a9c2e6cee5f9bb18b60d2c6c843ba0

SHA1
dddb17d35d23d94dc52a591ca43dab075ffa9205

SHA256
a46819feaf64de1a510dea84cb5ba096fbd9c257ef358ac8fc752b04c638dbb7

SHA512
8bc5596eba96cbd8f285e87b93731a01fc19781c5ff44143e6d04c9e3cc528cf76b518ea52fa9ecf34cd9ecc7652079cec121a35a3760fc898f26709cfbd421a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAQS.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoMu.exe

Filesize
5.8MB

MD5
1bac8191e5ef8b4ae3ba6d435a6397cd

SHA1
d54cda1977f011b1c4d7b06bd453db4993f2ac56

SHA256
81757e9611e70812083686ed8ebfe84833e175cced8e7e71d1f21753409c9f01

SHA512
7de13a82d779f28ce84bc4e385bc4e08638a24badc73a202fc0d9f92e36dab296bfbe72e182df2f037c03c9e76b7342b9d78d2eb14a3461605c72f126ce28f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEYA.exe

Filesize
114KB

MD5
b83739c8877b0e08cf722611a6c813c2

SHA1
208d18ee25c6f6a068766924737221598138a4c1

SHA256
d041e9a5eeb2eed90a77520dd61f044ee6fb0a64a08b727bfeae4e7805782741

SHA512
ef285bf658e877382ad7f7c50f11bec9e673eeb225ddea781732dcd08512f2b5b6fe8a2c4c25dd0186404f54e07de36ca4dbba6d7d071a2ab19f2247421e6531

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEcA.exe

Filesize
880KB

MD5
a87bd33048b9d823f173f7c1f7942283

SHA1
19523a484c3b65f0bdaecfdfa8b9a834f2352052

SHA256
b52255ae44827af802dff1b1ef2c1ffe34dd50b9d94a786918bc1d4982704bc0

SHA512
687513ddf37fbab85b1aed886f65db325ca1d898ed506d405608ba9485dec4778ff1b5f60a8f54350f5328bc072d6f57ca9f0dee2b610af4cfdbdf691c64a25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQIe.exe

Filesize
114KB

MD5
76d9639c63064b356504a0fc95341011

SHA1
47955e7baa0bc9bbc77be331e147c010bb1f782a

SHA256
911d853356a59578a717c479bb28d19994d7ebac7d2b2bddfa8b005b5cbc6af1

SHA512
85a0db8a068f73db901ddb05f3493985bc8697a38b5967fb1751eaad0f82bb1f6414eb12e1cf0bebd4e258adaeb37faa5cb0e1f81bcd990ee0505bfd7a027440

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwC.exe

Filesize
1007KB

MD5
d807943f068fc4597a151d29d062d4d1

SHA1
c9b009768ece35eb3315df28a491f6f8ed306937

SHA256
48ba4ed604e1e62a4f9f6515588b4dd71e374dd95122fba632fbba8bf5d79a50

SHA512
a2254658022b546043e4ad432a0be5b0a753252e632acb4235b205f30fdec5145f33851c2ad96b651d54f8ffcc9f3c70556bbd64409779e803e01639671f277f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsMe.exe

Filesize
5.8MB

MD5
9ee006a633a14da8b1be1b0940472bed

SHA1
2a42b4859efb56552a71f9458b75a2b63f3fd061

SHA256
7c6d2517ed85e7433158702853e827ca2ba9095086c830582ccdd3195577ed89

SHA512
b5dbd3641882f586750f52782f7e5fabe434c93163dd590a623f65f6054e8a424ac1e4bc52d76575b6bb564904e7cd5df93ec061d91e2d66364d19dec06786e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIEA.exe

Filesize
139KB

MD5
e7c2ed7c033e904a7fb4058086714b8a

SHA1
6c69597f7678ea27e02a0cbdcbed62299d3c8481

SHA256
fe334b5ccc978a914cb193ae4394d0901a01f20eb6b9791a3ad55c9760e63bbf

SHA512
bef6c96dd227cb35d0dea6ba3a9a690e9525e037429ba019f92e5a8c4b2b6078aea94c156768cb6f2bb46cf0965bcbfe874d34ffa4884f0106f568d71933428c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwMI.exe

Filesize
137KB

MD5
cd5058d175905544e3b399afad8cd901

SHA1
7ddf04a04e19ce59d26c0e8fe9325cc446a7ffd1

SHA256
9d2222e1dd723ee92460cb7affc9c4f5d069926006ff6b7ad2f3210f622439e9

SHA512
7393955dc109482ac513fe3be07e8c335b4221f36859a49dd52d47581c59c9af3f9d32f9a068c3a39d353a31a79d63250d67f28df855adc17d3f4c1cb66196a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEgS.exe

Filesize
115KB

MD5
6731cbd2da694e4e1261c7d85e94e21c

SHA1
0b522cd9c7fdc01c3c4caaa824e9d3725947d99f

SHA256
716582d668a14fce3aab12112f7b02810f388ca7789c27ce64a174f6e43b56b1

SHA512
beef8e78ad150129434a0eef1124fd38aefc5306bc59a779b3419a2a25904fe6d8e3492851eb2c9cbf97b9c278cc9ed2665b8615708185652ac8bc2d69026e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMcw.exe

Filesize
555KB

MD5
72b0ea76675ef84ef7cfd12e8cd7b910

SHA1
1a178e1637ebd9586902b29e5fdcb4ecb99436cc

SHA256
4e730fdfe259cd8afa66669049e46dc882860ad12c034828ebdb3d78a2559848

SHA512
6fc99c85681fc3b1b7657fab1661f33d149b3727120722eff1e72778130d66d2f530e35023f37adb696c7caf10ee0fe63e74885997ee22de2310c034cec2c4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAoy.exe

Filesize
112KB

MD5
4898c6db0331067a3d725879618a91cc

SHA1
9f840179ee714cb52879c466ac3f90e9baf51d1f

SHA256
d5060bb94bd9f2786803e585db9718c10b1fa9ca3e16eae0811b8bf22852f5d6

SHA512
db2587ccfdb8eda97aafd01d2bf5bdd2e470385a32041154ee8812cec6a3cdbc3fba7ed71f25b3b946d82d1feaf704ccbbf176523fbe2908cea3dbce73d29936

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIUS.exe

Filesize
566KB

MD5
7835ff3e6ca2ac18708a122d747b1941

SHA1
a2479df72b4b75635c64f2e5041685146aa4f285

SHA256
5fb43d4fa6d7557089f353a55fb90e0a121e4bf927d737dbae397d2b0aafc791

SHA512
2defb364cbde11c4eb6a6a846b249ebd3e457deef684b5af7b08b5dc3bbb2219ec7bc65f8d760fe2b81824bca14842026b1b769e680a61e748729057fc05bd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMog.exe

Filesize
110KB

MD5
1e5c1d50b24be92309cf13dae0253ed8

SHA1
be34c8e89653f99fe6a1be41fe34846c89dd2550

SHA256
991c347152f3acac6fc4d1e7b7dd07bbfbd9efe71b229f83c00b79157be63725

SHA512
c19b52ba03dd6870e640551512d027be60bcb9360f6712d54d84ea3ab1b2e60ee3a5683fd15e22ca7e70de51cd2bd855068ca76b6b30dde75df292f62af6718c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYUI.exe

Filesize
117KB

MD5
bb72ad83bd078c912a12a3d6dee73edc

SHA1
4b747a4439be77452abc116d06c9761272217779

SHA256
8362cc02a85d7338dddf1ecc404ddaa16a035a99b5ac35039dd604b199dfec6f

SHA512
cc9b1bb83c076ba03030dec10f2adcbbe4bea66f0047dc99dcd1290f8d513ad8b2f84866a5c19ea943a54ddcbdeec2aaca637946fbfe435ff582c36a18270822

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQES.exe

Filesize
5.8MB

MD5
837d5e09a9e19ff69a4f96ff3c892cf6

SHA1
a67f40bc9b3ac65360053c6f998432fc1454d6ea

SHA256
b1705b8295f58ee72c655283592ef7b12923b281cee7a18c7379bab8402ca301

SHA512
7b80fd18cd9a02c47cdf266028f9c284ed6b3d8722902ad6e7a647b1adb2530e246b0d63e80a9322817f1f9aafa076e5e100f3f81034154f13fb9a7bc96a1654

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQUY.exe

Filesize
110KB

MD5
9c6d578c40861f4b75d5698447fdb747

SHA1
13106e873fb63c163e388cd126c1aff8822fce1a

SHA256
1bd2bc3c23610082ac201d0eeb827cac80c2f1e6bd52dfc88192f9477ef5c709

SHA512
746a6de3ee8595d3fdd131ea06faf33b11871be3745416dedd309d9249c623d7bb89c4a6433404920993fa4583a820769091981e6aef504853566357c87e74bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUga.exe

Filesize
722KB

MD5
4f4fc0623d186c5c13d96d3116fedc40

SHA1
d63d489f02c2603a7115a3dae74124a8c0d0f0ec

SHA256
6247733e07021aa6e011d3ceab7afd59b2976982ea51ac9f6a1f19702af71854

SHA512
372ae859a5a77c58fbbcecbfa795456fb45754342b68ca410470257a9de7478645e00370385170c9581fa8a58a636fb8f4495beccf9618780f08ad98e0ee2a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgMW.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsYu.exe

Filesize
112KB

MD5
b6d2c1c6246bd3ede3290e3100ac2667

SHA1
90047febc6a4cf60e6454132cdc33033735ddfc0

SHA256
eff08b0335a0addece68cdc7ab0bcb4ed4583ab67144c87c8d16de577d63b64a

SHA512
fad078d1a53e2423380db0801c3595849e2baa55a3147386e762223f79c9d7e1df44f17c97f2de06aeb9d2ad10e774475fee2e548b32cb5e1a21972ddbec8f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQEA.exe

Filesize
113KB

MD5
2fe56ec226c9750128cdbe6447be1c73

SHA1
396c33cfb069b8b883bcb3ecdd3ad34c65a94efd

SHA256
77477f55a258abc45f47de8c49c82b8a025426a2b91188642fde87fbe605c0eb

SHA512
bb6bef8798e8520d86ea20d210a21063d792427f0a3d4ea3733dc25a86bcecd7d82157a5c31562bb1fba768212b5c046e4087b3ee335284d1f443c360362d183

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgQQ.exe

Filesize
117KB

MD5
78b4b158ed11d841be373b387841b25d

SHA1
0e30d16319641a2d020608f5a4aa37b2714bfa8d

SHA256
7a7224ae5ef61ad5cf8bd32fa56e40a7ac3b518e1c93372d5b63c29f5f84bd69

SHA512
0d8ff1e6d5a04bb344046530c6ffd46429cdeb70c9bb04b09941e98c6bdddbfc4d08f8e9b971f1e22fde256812901963ef1837533c378b41594bce10c9efb0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAYs.exe

Filesize
321KB

MD5
f4e0e8587c85fcdb6bad82e4f10cf93e

SHA1
c6a6b17b45145be71bec73ad045d139994168c81

SHA256
635e1d613df6a11c4e42d951d164125f2c40c41edcdbe81c88c3f479ec982a0f

SHA512
ebb8306d58a88d76e75aa7ca6e19ee03538fc2ed598a1e5ff5988094740bdbef54618542b8c3126783c1f152d71f3a681444b2e4b26255e943c99d4b243f23d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQoq.exe

Filesize
111KB

MD5
821c311332855252c297568c17ddae30

SHA1
3f6409ab7eed75e957975548cce7d1858d3859ff

SHA256
ef55ff97cbbd4ea58d2ef3edfa5a4297f650dac8ded5ed5fbb0c1e9773ca0003

SHA512
5fd064f05f9718f2cc3eb4d011b4cdf8957e7c00928b58e26c2e692a8e7fb65a587eafb5dd6be748e4216f7de396dd73979a5a2823dd1d87408c16ebec8ea584

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYgk.exe

Filesize
112KB

MD5
70a5b2044a86cbd4ff66adc8049c4187

SHA1
60733efd9ada5b563d7bf1802f08a7ef713a84f2

SHA256
d4a97958495b6feeb289a8f21a4c5134c253b3cafdbcaed9fcfffc76d4e7f0e6

SHA512
6701cfc8cc50fd337af9d66b3f4eb0c49bf663e6c40137059e6a3d085d2f7e6ebb7ffd9106f3ee0cbb19cbaed1f46b72273c5bbb39eb22c134b18b05a7d56571

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qggk.exe

Filesize
112KB

MD5
99ed51d731a51efa8e1dea86724f6070

SHA1
3a2cbd5dc3de28859118f9f6c9d79936e26c350d

SHA256
f9f7a25b58cf7b42bb4d2a85d9b347a138bdfd31e3ce6ecac9003e2265470c56

SHA512
c6484e4d5a11d8e6641bcd43ab16060d5349dd226627b099d2aaa0ba21c55cf287c2397a0bc3467885fd4574a7b8bc2ea677575e1d3740f3ebe7b19d44136d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsUG.exe

Filesize
1.7MB

MD5
8ae5d9e1a89bce8dfef9fb3cda60a259

SHA1
6ca7097092b730640b69350c85ff4eb6c81dca57

SHA256
19bbdddeb36239bdf4af7a88600482936e8dc3ef31a8211033419ef9a6d0e807

SHA512
d48a43e91b03917ce872baf70868e6325ca8f3c86ccfe6ab59f13207339a805d5b93576d4086301e0256bc5544e15f0fda3875ade133a26ba5dcb503c2a3ff0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIYe.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIwQ.exe

Filesize
719KB

MD5
7a48abbe7a17c586ab8887170b1dea8f

SHA1
0812dd02c172742348201c4a01657751b690afa1

SHA256
7ed88ccba56679671efa048f79fd331e01e103fa9210300e6313f0dd3d4f0aa7

SHA512
aa00db56286039a70e4ba79d3d56a779d8d85f636fd6b307e57f26187765c09b22f2816a00c76fe7e2b5c26920906530de9e102bdd3a052c955fe511908b5f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYoW.exe

Filesize
117KB

MD5
9359c5f5c7dcd3640620cee24399943a

SHA1
344717534b6039a3e967c5d561fb894b38339732

SHA256
ba03345532295d5c6f2eda7cb19e0cd8e0c1de4a10048d3e55e62a44a0c592e4

SHA512
e34e95016e4c87e63663897f7cf93483559579cbe0d44a4a75584bcad599374ad24a6c2d02737c0bf62dc9dcf995df3c1e9e398d829bd37996db591554756037

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAss.exe

Filesize
119KB

MD5
801439a65866de475f63e854b32c0736

SHA1
6895008a13b1106f9f5fdf63b76dd2437ab49944

SHA256
476e62e9769ebd9950d3ec10d63bd881648621e57702a64094b7e23dc56cecb8

SHA512
b7b43cfb7a2ab5e447977dae132595a24b487451edbb7ff0a6ff62adcb706f990b390a5bc171136833b8fddfb786c1bfc2feb9f52a091a8486801dae1bb070d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMcI.exe

Filesize
124KB

MD5
c928c3e50b81c50f27c2ac422c30f269

SHA1
076918096b175c3b8d027ed015c47ef4e757bbe2

SHA256
ed1850a0c87aa38532cc2b464043367e48e6e512dda3f711e0febbb4a3bc593e

SHA512
038a2ff7188db7e16ffd49d88ceffc16c38de89125c44e276b84708f925b86d38a33a6fe98f5fa8d4d9c95ee4b1faf3241f695ed1632a067ae3a333342ba7fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYko.exe

Filesize
114KB

MD5
0fdb7b19b37ba8f90b20626402715b2e

SHA1
1bfbe16954457b821996b5b753e82b6c3d3a63ff

SHA256
43a390cca2f7f01de60a5443513d12454cf1b86cb326bfe230ad4aee47cc8ab2

SHA512
f6e18bb42a9f9236c4f863689a9a610f4b213551a0a14092c3a7ba28b82a1214b177efdc52a50d2f30a6fc62e1f74284344df747fbd4f8fe8f5e7f3ea5055056

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgcO.exe

Filesize
248KB

MD5
93158822fa55b395faa510c5dce1e32b

SHA1
eb5611c1b51880dbe185cd00de8b176ae6bd3bc6

SHA256
2d6f59674198937ed078745ce6b6399f4d9cf39f3af3871fbc96481dadf26d93

SHA512
a7d08029e629ca40fabfff1f3650a58f8e938a2da2c9dc967e05a941152ef47612aade555fd169788c69605e5f0668d1bf1b8b63fd39aa600681b6add788bd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEEU.exe

Filesize
307KB

MD5
43702f48639c96eb8cf0d93d1a8d6fad

SHA1
cad646b2fc6433e47408bbd96884f734a654ee23

SHA256
277b32a684ed1ba3c41e1fac34de0d04f1f45e71fcd4622a0016d6b431716d69

SHA512
66ff23fe7999bafd3b30504b038a7ea9f94a9ff61337595ba42b43176d5ccecccc639b646b608b96b7b9674a0cb6b64e7ea9c6d507116a52e05f582cbaa0d0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgAe.exe

Filesize
424KB

MD5
d78ebb739d29bf1e37d35b5330a8759a

SHA1
79d772d1b72af05ceaea626fedac7b7a66d8cd22

SHA256
9ac65c75196fd7421450bc6830d84718560753fd32415c3d70ecd55e2ed37ac8

SHA512
86b654189e4d892e5b96332f97b4df40a04ac32270d3cf7a2c16dc5b8416814bb58370fbaf02be6075af6e99eddcf19c8bd2bb0e72b8abfcf843d78d08e630c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkQM.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwEE.exe

Filesize
111KB

MD5
6a677e1196fcb8d92ede8cdbda8f5451

SHA1
425dafea7b66388e154c4fb87af4880775a7bebf

SHA256
c202007fc94841ed12aca0b2884e0494b8846246009ddb474d1c4b611ee784b3

SHA512
c5005384027f4e8937ba988414e3a9f7ea260d199a8a3d8cc45c32b8804735eca6be9c77caedb998cfbc11d6bbd14f727c853c66bcceac9875dce7b39a44bff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUUq.exe

Filesize
237KB

MD5
604c769d818509d80b32917754645ae2

SHA1
6f35fb8a59defdaf14cf36ad85dfa9a98a7a2c3b

SHA256
9dee9314c65554b4f3842fa9c129b39f796c3d056abc071f57ab57c021e32d0a

SHA512
0977ba6b5ebe71d498c7988ad803b26f6fff969bbbb0eefd430b2e4903254148e59cc2bc876d553670741e3446f09a917d9bf0e716a0a4ecf2474f079e3d5585

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcMo.exe

Filesize
744KB

MD5
4b3e7e333be734ca777eb8d64ffe3cbc

SHA1
588e19a902a61b2b6ed7a85c73050698bc050d13

SHA256
346bcb007807aede7d49b06c27a122a796b479df977a84791baf277bce41c4f2

SHA512
32b0f23a238fb6de79ec618f9a3a44e142433fd29ddb02d76855b564ac479a3dfcadc01ff835369a467322fba069cfd80a3c17029192d1cf567af50e1817f7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ygcy.exe

Filesize
110KB

MD5
e1b6a7e823f0fc1a4ef78cc577c968b5

SHA1
19616bda447ca164be425106ef4b0c56c4c30716

SHA256
2cf85323c1b2bc161a023b7f5225ea0f1b574b13a556634a7eebd910f3449ad6

SHA512
c00479b81468987396bf9bb225ebcace2c98c3bd7fc92fa9d127de33cc7a5215d500cd158b1a2184bdd2d28b092eef2fcfb81f3de455f7bff9897e36ff8ea791

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgsY.exe

Filesize
236KB

MD5
06c284a2230cc30b12794b8b58de51b6

SHA1
352010ce3d705418dcbbcf6475aaa8bef2337dde

SHA256
dc08d2d8b31a95a0dd0a779266e00a5d70521f29aec1372449d849f2c6016fbe

SHA512
92748abdb4c87aeeee41d448d3183618df94fa3d2415b7690c6b0b95d78e1909d4d13ce025ef8eeb36740be7d4292c453729ff903f6d708ded4539e8596bcd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yows.exe

Filesize
720KB

MD5
a3c3531568b9fcd29021ea35525170f2

SHA1
11dceda640ba3a119657ccbea3f55c3dbc3bbf56

SHA256
96de7f8870476e1e5808368452762efd1b715bbcb1e01a892a4a67f1f6350234

SHA512
32932a58e76b61c58ca15cdec91f766756e8b1db0b8f928fc8381e0a7be2038e197d2a81bd2e19e115d360675b840b57c85ddd56f55146a957e23273ab6750ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsEQ.exe

Filesize
656KB

MD5
7462b917d6329fe4271c2a385d8978e3

SHA1
19a25bbc3f05ad89017e5e34cef3cd89f5b7053d

SHA256
a6d9cfee652c1836d912167871744d57211298d8c8b0c5512862011d67c84524

SHA512
55e89bc1dad8a8ef63444786a8426b9f7c9c7f96f91d2edc4a21910d54fb1e5a989015a573b871ec0cf93562c92b2d302794c33c39e6856ad216ca99e67c31c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywcu.exe

Filesize
156KB

MD5
999218557cd6450c9e6bccb16c4637b0

SHA1
3d9f98a90c193e19ad996117009214cb7194e993

SHA256
8eb00ea2863c1712d94bfd36f42e2a06418345fd3e9f9cdebc8bc9f6687805a4

SHA512
b58e9d523f94991b233cf874bf922aca1e3c885f9894041a0ad22eb3491bb57ab21b63dac8bc69eed32e2671d4a56952e13ab01e159c0bd834d3a4c747de8dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMYY.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\acgo.exe

Filesize
281KB

MD5
867bfa9e2bf82c2340bff4f2ecb6281e

SHA1
d67aa4073460594f9aed51301f55c5a11fdef9e9

SHA256
4a29ff29438c6255d3b55d3b2fa96f787337ce4e0184c96596a0f0e6d5b50912

SHA512
dfdc8bf7b49b821898f2d9c7761fc3d3690ba286a2250b80bcfcfeb38844312e9ebab7340a7d31b99ae51213b999c1c51e9a327998f28a247f64fbbe60e35326

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAoo.exe

Filesize
555KB

MD5
f9c55275cb6077ea59e1e4535ce9cba8

SHA1
b091de889a3c1880fe387aac138f3afcbf93b3a3

SHA256
11a020feda557c172ac3ea2e698713c57be0e8f6e098d05777fc149c30b00264

SHA512
99024897dd9cc5bf39927bf7f283f1e30a333fe0bfac4a1bcb881dc2354f26d5474e2e89295803abe1834fa0ff0514406649e50faeae531e58e9c465ec27f0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEkS.exe

Filesize
153KB

MD5
afbb282409112b22059ccfdca333b8c5

SHA1
11b4c8252e91b85c28f777b797c7eb969c8aa628

SHA256
52bb0eb2a510eef75b0302a3de5bd8b8d3d4c340ebf8d152f9745dc3e10e9e7b

SHA512
328abdd955e0eb604d1c33c91ad4af67900cef7330f591bb6341e22d8ce2789d99664f52dfd4084cd911b6fcec923114bb27812dcf35a6fc36ad9f301c74487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQkY.exe

Filesize
115KB

MD5
850b29147a90304c719265f9741bed55

SHA1
504448664c4620ff29fb4eb1a91952511e5e336c

SHA256
5ed54a9f4b71f232314d754f06c8e7c6405f20d465c3a0b93a23b5efe09db3b3

SHA512
022cc86ad2459ace3934cb3ed3052020bd6981db547c69c2e8802da40f5a64b9901f6414b0a954b61138459f90cabeae9237fd833c56d57603754c406d9a55cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccYk.exe

Filesize
111KB

MD5
362b19d905dbee2cf03ed5c1e34fe12a

SHA1
d7444731b25cc96062906a0548a4595ecf722327

SHA256
89e43a77f77571ea9c2ef49f59c0db93a52af1dcacb7c559c3e5007779bc47dc

SHA512
c365adcacef9d325fa12368bb7c7ccf8749b6cfd0e72891b8af48bb43470f4ec5b84a41d86f1aa1ae6ccbcd79220fca341dfb1a5d5a8573ac029e4601c598950

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwko.exe

Filesize
955KB

MD5
e85c6f1a0f5b3e6d441b3f5e344e98c8

SHA1
a74cb4a8d3f15106ca64d7becfd5a46f636f7476

SHA256
b8c1a5725e374728d433ec4c19b5abb4a95b9be02093a3422d145de7da34fbaa

SHA512
cbcf07b24836a726865d6e8e1aabc3a8f7975acde640895c838b54d3146e5dd358e72668c0722412917fb994764a5baccd9165e1a2135896e78d0caf002f63e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwsA.exe

Filesize
236KB

MD5
cafd797e36af39f2b5087649468ab8f2

SHA1
47b5fb7eda9c3326d6ce7b4963e6741e1e654ec5

SHA256
87417f4b317331d38edcb024345265f1d2cc59bcd2981b9df8837ee45453d0d8

SHA512
024f3df5cec31d3a7810f60339f7d1c135b185403aaa16715ed0009f2bb29ce475284ffe09e3c01668bf7ce4a1692787bb6f30436345cef4b023fd229ee32e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAIi.exe

Filesize
118KB

MD5
e3acac552ff95129fdd741a4c21850ec

SHA1
d8c3f2ce7d43b035369a206c10ef900cbb81da64

SHA256
3fd0e2c5da92837fb438ec9bf72935060a536aa73ad4edfbd56a560474f8b182

SHA512
b71a5a02e68a87e9aac0d5c9a4dc63ee7f5dddf070d739f847a223978ba75f407da5e8f1c7e0fb1aedfb0da6ede47204ebdb5091a9b1f37cc90eb275fa4da574

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUEU.exe

Filesize
402KB

MD5
59d6e9dead0ec288b3ef6a0cb9b4f8ee

SHA1
df03f2d2e5d4ee224cd1eca99fab3350ec1af46e

SHA256
2709c82a991788c87d6c23f5bfdc3c6063bfd9a284beb6baeea0fbfe62647ad7

SHA512
7e94d7e4878ae163cbd0b061c70f2e8ad27ddff17cf0218299b540ca34f943e147a40d3e61813807ec91952583ab34a44de006caf283447e92ad77c8d33b0fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekgu.exe

Filesize
118KB

MD5
3a3bae81ae4b3b0eece70f0bf6114a18

SHA1
c366a63e1f9f1f5afd85ecc92a0d1f8f927d890b

SHA256
8769ca5514f32c1bae9fcfc38fcf64146fbeddee3bdd0a22af3c1adcf37bd5a4

SHA512
0fb847f7f7ea4e81f1dbc53ff16a6afcde35d50cac25bd6e30c6b11be982e5c62c740731977691ff61663cd2b6aa0160ab6f4ed0083fcca4ac131d3b8dd7201b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIEC.exe

Filesize
148KB

MD5
dc3f41da46ce100777ec52b51e4b83a1

SHA1
55d23d6542fbf8f111de28071290a5e474f5a11d

SHA256
e6ecd00de5f65f9da4ddbfb1cb99c5a7a75fde93de46476645bd6250c5d6647f

SHA512
e7ebb9f26006740c44cbeabe2bc77668bb4df7dbbe3ac3b008189d5f3838203a1da52984938c751915b96618c4f9c2b3f63590f7f427bad785d22ffd5fae0cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIIQ.exe

Filesize
111KB

MD5
b1f3ae9a38f6ba18cf7d803534eb855c

SHA1
09958cbbeb122ebceb2ce9cbccf54b97ccaad707

SHA256
19c19df6d069b0aae5c59aa69eb43740bde0ca80547772fee810f7ab640a9f6c

SHA512
9694f1fdb1fb122802f5a7469872bfc968dee86172f141791ed66d6f073437fb552259acb1489558d890f47dabd32386640919b904ef708423e21624a85b1355

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggQO.exe

Filesize
565KB

MD5
c9c9c0086a73e6d9720cd48034f8b2cd

SHA1
3041ce6e694d9b429267428fe360d1d310510d2f

SHA256
647617b03cc62a737c4e296283e4080219690f2cfda1481f8f7a1566ecbc6d6f

SHA512
70847e200b7b2f1dc712a6157593c13bd2c7bbc0ce0db2fd279e4eef24eeafc181e3f695f29ff64ea909f149290945913075f7666fb7e30a772085f63024032a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYgG.exe

Filesize
680KB

MD5
fbbd18dfaecb3df24a0ea91739c46f12

SHA1
82d882ac06577a795ce2590583e1e88834b7bcbc

SHA256
78aaf2e24459fa2221eb09d108048643cc43d400eaf34d5dc69c7feb659768d1

SHA512
48aed2f4b71f8ec11fb1015cf436ace01a1784bd246d872132d0ff684fbd231b5481757d3cae2f2401265bab84f8c29b9ddb1fd2b3ac8412162dca781eda0f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\icgu.exe

Filesize
117KB

MD5
f3833338ef49736661227efe905b1133

SHA1
760d5bbc06d7e05c9f34b0fe40498cc1fcfb611b

SHA256
aca2666c2b5ae9dd69b25e61ae74afe3546ca33925dacf327ad816377ef93e0e

SHA512
8386f21a66e781095379901bfdc0ca0ae81466c0ec3d1c4b26920637886520ed525d8cbf2d8c7be61ccddf8bef34267cd6172c267b6600a95b2ecb53e5426d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMIk.exe

Filesize
115KB

MD5
0da1cd417c6ec2989f4cd1abd95b0407

SHA1
63c6d0fcbc54750d82c7e9bbdd4fa88ecbea4f93

SHA256
09a1f380d03148b81c5e42e31c7cc11d37f5c98684c6bcb40021f7afbcb605cb

SHA512
c785d519b5fa9197d6778ef3355e0bc734109972b76fed346ebd6505fd66d91029ffdf9bdfd59ed922437bb655a47cb8c5d59736e6e1100e97016b334eac8b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYwI.exe

Filesize
120KB

MD5
a3eda33ca70d54525b2aec61bd680b81

SHA1
919e5073255671352fee4de0375b2da618509704

SHA256
e14af330cf0c830092454aeebfde422aed6c02980d4d815465a245abc4430b48

SHA512
b60f5e8ae83fbd6d5508ec61c5f3daa25282ec12139b9d23f5df3288aa8a0a6de6c025cb52550aa1c3a2a6eba2bdcac9cfd2c864ba738cfb69986231423e27a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcYY.exe

Filesize
365KB

MD5
0a70df22ee8546e7145c5796f5060ccc

SHA1
3220ed2fbd08314b769685666d55178477aef0bf

SHA256
02d5a1b0787bb89c196a2b4675e3f4de7a4f86a78752e6918f8ce0a6e4894ead

SHA512
1e4fd427c0982ebae5dad526c0d64a79360bb3c7014c525c99ce4eb639c00a4a9a1505795435e896b9a6cbf2877d62c0c24f7df5948367dc3a0b0c7f49ebc534

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwsu.exe

Filesize
111KB

MD5
245c543b48203d16e2d0120a3e8279dc

SHA1
07c4154c6ed9125f5344c544ba1f31e41bc66fbf

SHA256
e1950ac797ea8a0d236cb4bc41ab9c0bddafff2ee315b4789dffd72f360e97a6

SHA512
66085081cefa94315c4c51746d4f776ee9dc44b6dcf4817d5c6feb046814b05cc978daa714407f71a19acd01bf38f3dcc023a0ce04bb0b3190bc2a07db6aab51

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQUa.exe

Filesize
116KB

MD5
bf0ce2792d20f5a36b23b4477a3f4597

SHA1
579a07ee48c8745e7a534c04aa4374278d30645c

SHA256
7c1808ec7a097da46518fffdfe6841bfc6aaf8265cf7d4f2f4d8b00bd5f67350

SHA512
61ac2cb684ea7a5fce248a2d42e4c36d4fc5bf688a1b77942ee4ceb79872c492e82258f062676abd70365dcdd44b238e7c9744b14b67355a3b5aa6d3e30397cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcQU.exe

Filesize
116KB

MD5
51e2ca8f3118ae2fa00165da42b7104e

SHA1
6e3974ab863ff5c70116c5daba68d17d95528484

SHA256
1e890c50542db9437ed5fe19395b68e943e01d665aec849f1ac95cef1819db0c

SHA512
9c39db7914c2a83c6727fb4e806fe847e67a8d49a269630d39940030a6ec4c2cd5c18c88ff6ed1ffef4e45cd1d028dfe60e52daef0ef156eeafe51e10a51999c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYAg.exe

Filesize
301KB

MD5
b25332c3051754e1ca55448333d2215a

SHA1
380c193057eed3743893d7abb4df64ff56aa995d

SHA256
919f6e3a62964b0bd69dc97ec038632f04136d3c9a00c7b86dcbab43d34f5eea

SHA512
90a2188001ce669fd18d6a5138f755ca3258e373bbbb01f3bbc0868f3d5b6c645494a00f3a448c734a8ea01b6c8460eaa223cd5a5f5986ef635ff9aa3bf07c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooga.exe

Filesize
356KB

MD5
c7e2b1ca640c0a16d6ae5e409827e054

SHA1
8ad073a0ffcc5927a41ed527017ed91c1dfed66e

SHA256
8e294efd6ccb65383d20186f15d56f0df94e81b8681b8f474c6906af02ed078d

SHA512
45ba0cc0a4794a3815780969bd646144462eab66cd59c86d9c6275105c99d8db4027f64330376d17e0250c8d3d199c8463f3538d0b52d21117a988e49ba9776c

Download Submit
C:\Users\Admin\AppData\Local\Temp\owEW.exe

Filesize
115KB

MD5
97ab22d17d1052cc11504b89d90eacfa

SHA1
85ea901b857a2e8c6e62d672644a59e599a94424

SHA256
d1ddd7421ebb0805d385309253fe1dc9894e5131df7da77eb62a4a4c3ae7f8c0

SHA512
84cfd4ec7bb34d652b43694c18919860c6a5acbb76194cd03a8803f7b8e3883f5c08d992e0341a03c5f7a852461aa495386e4d36826cea61f391eb2f1b021362

Download Submit
C:\Users\Admin\AppData\Local\Temp\owcw.exe

Filesize
112KB

MD5
bde46af9acdd1a333f587ce19a2c8153

SHA1
e60250766565674e799c4ded71b7860f03648a1c

SHA256
e1ec09c571ef4809983ff4064efcb2b233a4becd05fec586fc808967c866102b

SHA512
47fac6ded9b8ff0a297e2c6cfbecb6fd44916400bc95838af9278b0b696741fab269fc4f7a62624e3b2dbfc60f1d78785b76d94fb2c0730715482f058d4687b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAsQ.exe

Filesize
113KB

MD5
c2b8de597b57e7a28e14a6c6a4ee9ea2

SHA1
c5ca7760b7b7d207a66b3df345783393d60b43f4

SHA256
f1a9631d0c89d282bc0d7e0c00d7b0f041f5c7c9533058e09a19c28889ade16a

SHA512
5fbcb8d43829fc4564350680db62a6412cda549ae6044a900d8bde121eb60e87ff88a18842b17b6725ccc22eafd884a0361654e34c85140afee02917a4540dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEcI.exe

Filesize
110KB

MD5
1a3e2652938be274aa5e88eae5a04408

SHA1
2303159113fc08170e15ff0e0ca7016e3c71ed51

SHA256
38dd95147bdf80ec60802319ccb284366ed478885175cdd70bf552d881c60b98

SHA512
fda6e0a10ef819c21e9d0afd18fcc029bd7f60615cbb3f77bd1f7f6edf9f9f3ca40172df3b1bd8c1f9d3e5bbec0079a3e5ee66ab333ab25967f14e2f6015a08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEcW.exe

Filesize
119KB

MD5
c3d28b9a04b37fbc0c793485a14d077f

SHA1
a5d8965ce7576a8d06a58b2c836c07e9fb811b9d

SHA256
57906cd5929ca1d6ab750515f964cb727c3ee9fd6ec5bc5e495694ed19e04035

SHA512
e1610cf061fdae84608c665a6861bcddf39971e7f77461c1989dc2e10ea5fa51d76bffbbb6cd354a21510025408e4168012c891c8b5c4453111d261bbc4a716a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMom.exe

Filesize
111KB

MD5
3c5b4cde5e49a65e074f53c251c2a1d1

SHA1
ada7a339de58b625043410471d12b2d575c4a07f

SHA256
6181e791aad18d04a320d7022d14844e1882bdf4cb35081e3bca76dbc4f5a41c

SHA512
9536ae2eb92747af3837b2697dbcdd6734f88b08c57b1cc58058514c751ac8ae369640536141eb4df2e592e8f55338c96d30b3782088c57186f7c8bcc3e7cd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUoW.exe

Filesize
115KB

MD5
9328864c429c4866036d05aab31c3789

SHA1
7d6a026f03fd4acd8f9727bafafa5064572369b3

SHA256
aa41152a6f4c6be290a017cebe72767223cf44c9c2ab75ecc77f27d92d6be354

SHA512
2d78bd4aa4a937b436698bfb6801d32ea42c47632bb76a98799384c7284a24f5cfda991d195bee2ab2b724d8e87cc61b38c2853b5bf3f5a1aeee4bc46868e510

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkwg.exe

Filesize
744KB

MD5
820d1f545b9bcd7f8376d53c84f316e4

SHA1
02681bf78ef41e904f5c9d1fed6e3db967cd0aa7

SHA256
90e71bfd9c6be4b3c49d0a1e25b20304598558b281cb46f627ece8abf0697464

SHA512
2c863db2f6984083fa682094f0a0211f9841e1dea14e91b3b33027693f5ca27c46616b3a22dcafc98954b65783aebb653f84954989cd99662dbebfd2c927111f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoUM.exe

Filesize
137KB

MD5
14d856bf783bd58264433c4cf8e5920b

SHA1
d52916b59d17cede41b67512c482c74b0d7d3a1a

SHA256
be64094ec07931c443e337454b131d1974b61c8fac29c632a1f2d218ce61828b

SHA512
5dd81f9c9442f7eca540afd460b25868efe0d6ab69f59e8535f8edb6446314dd76a56cc3c65c9a810f13a1cccfd777b6d6b70f8ee24ed4b117d663c40562ec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAwW.exe

Filesize
347KB

MD5
14203204d50a8cc5dfde5e47a6a35904

SHA1
ba04e251446917bb6b3fde75396d61df7dda2eff

SHA256
9bca31206f163b165a2f3ed873c4a471304c85953bc725ae9b5b4947f5409505

SHA512
072d95641dc74116da30f85c6e2f7a3964da952d70026a2887e61486adea5388533717a784d6b4a429d9ef83368d1383ed955356b7dea0e28862cab2b0dd2347

Download Submit
C:\Users\Admin\AppData\Local\Temp\scUC.exe

Filesize
140KB

MD5
b2c61ef8f1271e6f9d6d548b7509d7b0

SHA1
57bf8a7f8ceb62872bf6714e6c62b2b892b662df

SHA256
115a388c5601b4400710d6d57a90db0f07c03919c1ef27c36c47faa7b483f7fc

SHA512
734c90622165a856a057bbca93d5a8c045d76ed9649e42711e236b24e17f1944115709cf37b9bfdb51de1f766fd9afa90c9c747aca43eeed158931763cb82b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgYM.exe

Filesize
111KB

MD5
7be88e4c94652054399a96f4174c30c2

SHA1
9c22b1bdec05e7dce9a62d96ad511dc7181e39c2

SHA256
89e9da0d68442e9e3da59c273450ba4c32fdae2ed9655d73876e76b81d9d2462

SHA512
a10abaccd1481313e187c1bb2ab0b0af2cc477c6761ad12c1882049cfe2b47ddfd471dfd98411b7ff95061d11dc36bf1d146758e8e1ce8869fa2bd4b2943c398

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEkI.exe

Filesize
111KB

MD5
4858f34f9ff540088c425a35847faefd

SHA1
45e8e28358306e7eb16b12c8c8e0ad920ec00480

SHA256
6ad5f562ff257c85b283eab71c49096ec61f4b4f8fc8e516d993ac16e5b4eb48

SHA512
dcb4b972f51b6dd3009c92b5c5c6c34c2d4b6792272a11927a1d5fd7b51777fabd502db3cc8dd3d41e7005f9337aa826a794d68960121dc410ab0e5e7810eab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEkM.exe

Filesize
566KB

MD5
7a752444e1b7bf2cf8d72d3945ca9edb

SHA1
218fca5dc96f0431b1bf9eb42bd57af17464487b

SHA256
d855493daf6d8007e08c0f7823e7f60f41b739c897d6967c9c339e0b23b98084

SHA512
9e8b2aebfdcfdbd697710f19dc8296f3b8f27013deaffecdb06213f0fa2daa4d68bfb035d1b876b48be1cf34c014655a10bfb63746f1ceb5ac3e8b74c3ad24d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIYO.exe

Filesize
236KB

MD5
599c9e161592193065ada11c623ef3cc

SHA1
0a3c8ec9180a5370f45afaed7b6981ae83717c98

SHA256
79b21baa3b44435661aa0378196d90a76773db512bde085e2ff7f7eb46ba7388

SHA512
88788de4cc0c520c1fcb2ecb73cf123f5fd2673addd3be9a834a23e137a744f7b33e8d7fb6553365b7462d8582192dce6d9e0354b2ae3920b693280277b3d723

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMUK.exe

Filesize
110KB

MD5
ad36024fcde921628b4a19bc6d1a03f1

SHA1
297a29ff6a81b3dbae0a8a2cf0c094863f429866

SHA256
c5d8ff7963afa37bdc668e8d51a6ce9f7ddccefc240e23cb1fcd64a3067aed9d

SHA512
e4c12ba21736f495a726737be638c9a9c3f40fa3c14bd5709bb200fb6870cd86c200e1eab323e22137d884ecb0a69200acd18dfc4fc41fa7df9849dce51d9d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugIg.exe

Filesize
110KB

MD5
da156a4876472a33c854d6bbc5208d88

SHA1
e61e07e527b7399193f2148142d6968d51ff6e30

SHA256
e03f8436adbaf490307cedad337f56a983a40adab3c2b010bddd493257464a99

SHA512
905b0094cbd4b1e88125b3bedc11b72a9a4ea32331095c36cd0aba4382b269ec6d6d6aecad17049cd2c6fba2a71eb43608f7e7d11ca3a949c2fc78f364587834

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukYU.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAEU.exe

Filesize
117KB

MD5
ac810db7c57233cb947b88b4192838cb

SHA1
730a87f0aa1859d40201b8e5b1bbe20aecf4f551

SHA256
9da497dabca33373e1a135b43bbe952e57a9c38d601049785cd8385b8245e71a

SHA512
361e06741f38e5b88068f486bc418ab6b1751d7837b3da0ab29fb6ef01989f39cbf963ac63273a4b0506c266b8258c54d1ef179b652345b2092d31d8689758ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUIg.exe

Filesize
112KB

MD5
6d1658a5f7e16ea7e338e5acbafee69a

SHA1
ec00893df0cf4702badb446eff9b7bf278d91500

SHA256
cd33bc6125ef377bf4207f1b5e502cea672c8edfd07177491aa1a7c41ce32cae

SHA512
11def337434374520d97353a0beb37c37b955f7b6fd84c9f59b5af009c8afe69fb09953110c9d8d6cd10ed1e89012d038d567eb66acf7c4d9c5dfe26ea13b7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcMO.exe

Filesize
697KB

MD5
973ad7edbb4611c5202a5c534fe84aa4

SHA1
3414f402d8228e34aa5e9fbb3ea0c1b81f9482ce

SHA256
1de95a614cec6e17873d71c8ab7c09abc7a5b242c698a213c9b76e9410f20570

SHA512
ba2cbb953d9154036680fd464f4078947e43b523e89991208bfc097e411ffbe9d845a0fc3c03dd66a3dd51a06e3a516719a5bfb8ae08a6f9f14e9b0c8aed7883

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcgU.exe

Filesize
537KB

MD5
a0589a7b4f6bbff0a59878d25be23bec

SHA1
102732dc3b0847c7db9f9411aa5512916b7bc9b1

SHA256
504c9d8f92da3f14bc0e120d3135b55fa9eece6e95762948eca8b935b7fd7994

SHA512
14237bad086056c2ad826fccd261eaeb3147bf6e7e988024e051cab25cc65086f88c9b54b268b49bdf0edd30edd9ddbe38b4e0e49289e43aca0b1e8055cf4f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcoE.exe

Filesize
486KB

MD5
bf6105a171cb1de92f2f7fba435d56ea

SHA1
7f4e2a6c271ab424f8df99482dea5660c4e55660

SHA256
f6f8982c650d9173775459804ed0e978230332bb06b04fe693064072b66ffdfc

SHA512
f8e77fc745e8b9e0622cd4322802fc0663982556fd6dd53a92c52a50c27e0468595d15c5dadea9bb31b304b34827b0d92b75e5697310d60c181ada7765501930

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgIO.exe

Filesize
1.2MB

MD5
13a5d311b67e881bc88bfdf91b68a6ee

SHA1
06a6f5d2cf503e8b26ca905a8ab56e5384a5e7dd

SHA256
7ca1ea163544582f2996526933bd037961a67df99d4279619e4bc5ca39970a81

SHA512
47e2a95ad9b3eff9dd716f714dd28cff0ab25fd1ebd1deda32c84813e3cb7e03aa62adf8ceceb68db7235b206a0fd3fbb97f46a92ca55adbc7cbbb27cbcddac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgMK.exe

Filesize
1.0MB

MD5
f623103fe00c20a89c496fc632e31233

SHA1
c806861cfa367761c76654940f4a9a6321946c77

SHA256
9fc95a488ab22c241d43557e5fdd2b52dbaed2a56e835c8e09a139039112acec

SHA512
157cef401ed45c2dd2db96131c055e01d9d5975ceea85d0179cd4d3b5ca373b7510b1170769ea034e582cef980903b85120c9dde19518cc3c0c7ec5f86b45b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgcq.exe

Filesize
113KB

MD5
20597c8b5c2a942d426f0cb5f04c533d

SHA1
fca8834f6ddf7316bedd41b26acf6049586af719

SHA256
20c319e396df51699ec2ffecaeb3d95c4cfccabf54d0a6b8065c0cafa4318d3e

SHA512
b4416dd837b7ecd069e333ed6d05e671475ca21e11f484dd182622f062db014ed1e30b320cd5a1de0553666940f1edb2330fdfbc9fce66906820cc96999203bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsUU.exe

Filesize
115KB

MD5
8456dbee6d4607ad6419bd1b6a17719e

SHA1
3b306217a1375a4176a2c5e48763aba520e59c6c

SHA256
7e1475010b1085e2eea671bda7fad422741e48289a08cb513874ded6a23673ad

SHA512
00903fcfcd29419639bd87ee181efecdba284e441ffacec82834991a0b40d641151d200233f38d141c3c17e09c0ce100dfbe490362fff1558625f588ca479fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUsQIcQc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAIO.exe

Filesize
1.7MB

MD5
0a62e2f208d7241b949f357f97a921f0

SHA1
2521195bff9f703bc59860aa33006aabfc60c675

SHA256
1788a90c1a419a72ae2f8f83be732d562533eb32da50fe2c6c149c4b0859fb7d

SHA512
dc1c6c2c92f2190ef03bf062f175319ea0943d24da8a4260af602aa6a1ed44dab73ae9474ec6f3f1505f237a1e428672f88f1b425ae23a166ec8067703fa3ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIwE.exe

Filesize
111KB

MD5
c5af713ae76bd983aef6d3a19a0972fd

SHA1
c9d0fa19c525c6d3773ffc600f8788697c48d273

SHA256
148753fc4a7bdf7f02211a8c7a85ff53d63f3f4c70eb849a551eb6022a518f55

SHA512
5cead6fc21f6ead088dfc10ee425835dd142b480b57a803266e44462bb86f7a09165725934d8b4174175794ef576bd65465908629b6feecb58ac4479987d08c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMAc.exe

Filesize
113KB

MD5
2ee1231d19a88bcdc74aa2e3c2073241

SHA1
3bf6458d8dc3830e1ca9bc1f56d7179149b831bf

SHA256
c98405a19833b7ae5293e2988d1ff0febbb2d3f5b20a6a70f51bc0e291a0a14d

SHA512
491b3912d91b675f84763b4fc516e93c15a2223c7c00341211ff9a0780f2ec57d7e4f2dee9ceb2497157d9fdca15c7b2d961248b7e9e18b17f5b48c27b6fbec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysUU.exe

Filesize
119KB

MD5
50b973ece6933113dba7a853b8a63ac4

SHA1
37f06f26755cced78ff730885716aaf4e79458e8

SHA256
1ef7d054b856da233ef739689bc695a16edaf55e26ea5e439345de8da0229b06

SHA512
00160e2c799a633abeed9c9a16e5be2ae5409b3a732c50cbdee837fc8b1191fd119aabf47bb3e98d1b09c2f69779e1f071bcc790a84aea69498b98d197988c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywsk.exe

Filesize
116KB

MD5
6cbab0e3cdf23cf80ee067f26a632830

SHA1
9a676421617bc12052313c675f241dceda980b90

SHA256
1ec270f75af2819b9f94d0ada881fea8c742c74d2f83c1328af9bdfa5ef9e254

SHA512
109cf63436298f6b143b7798c89c7e338490344c68004667d9fd3de8cdf0202896b8302333c97283259054bd1ef0d28835ae0fc89bf14f4f57f9510afd9d9696

Download Submit
C:\Users\Admin\Pictures\SuspendEnable.gif.exe

Filesize
465KB

MD5
3b205f899e05cebff9c31298c0ca4a05

SHA1
f25cc580d951244774066fd3ea9040cba984f052

SHA256
78ebcb9748d89123e17ef93826ddee8f5711d4db042df39acfe71f1ec9594258

SHA512
891f6397baa8d6dbad5257b3c49ee44f242dd4a5bb56cebbba76a941119bea3b194878e540eb1ef9cf8a3dcc3c4bb88ce8356fb01737ac2cdfbdee1420fc3efb

Download Submit
C:\Users\Admin\Pictures\UnblockGrant.jpg.exe

Filesize
343KB

MD5
6f0bd988d620c3f501fe7fcf9a994897

SHA1
fb0a3ed05a3de239fb7202e2300543edc3ea7991

SHA256
9ef8ad764168f5619e89c17e7fd048fbd2575ca8ac535f50dec1bb815b76e559

SHA512
9cd63d3817a58621ba7c0ed07842745b91086119f18eda5d6b3516997c1047497181c487b7069a908d53915be70d9a8f38851b0cc0ee74eef4c68112a274d185

Download Submit
C:\Users\Admin\rEEsQIMo\ZsEcAYwk.exe

Filesize
109KB

MD5
d0978e4f5afdbc04b06ef981b297048f

SHA1
663a0a804967bb8fe3c33f5cc4155a01c2de98bd

SHA256
77e23103ad5e53aff564cb237e6e8fbf26a6c6d6f077ff500118a89235fec6d1

SHA512
ac0345029e7371da870533985252ebd73a1d9f192633fba6d5175b9bebd0c2f4c8c8c368c7e92e98c950a7e1fded85bd676a73dfde1b5d92f7ae3350a2aa144e

Download Submit
memory/324-11-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/412-195-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/412-183-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/452-184-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/452-172-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/636-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/636-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/636-383-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/780-331-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/780-339-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/864-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/864-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1112-401-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1112-410-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1184-411-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1184-419-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1280-102-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1280-86-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1332-367-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1332-357-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1544-304-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1636-999-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1712-240-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1824-341-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1824-348-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1824-478-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1884-206-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2068-846-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2072-160-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2264-762-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2264-269-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2264-684-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-486-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-683-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-618-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2472-101-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2472-114-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2672-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2784-122-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2784-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2788-428-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2788-436-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2928-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2928-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2968-427-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-217-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3108-384-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3108-392-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3220-402-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3220-394-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3252-462-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3252-452-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3296-113-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3296-126-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3360-366-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3360-375-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3368-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3368-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3468-279-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3468-287-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3612-322-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3612-315-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3748-296-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3748-289-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3760-229-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3760-218-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3936-905-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3936-837-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3948-495-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4012-305-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4012-313-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4048-270-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4048-278-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4144-453-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4168-503-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4168-491-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4188-983-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4224-171-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4240-470-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4240-330-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4240-461-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4420-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4544-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4652-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4652-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4812-540-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4840-252-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4840-241-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5040-444-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5076-261-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5076-254-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5088-624-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5088-350-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5088-358-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5108-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5108-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download