b3433542361a92fee7c35339e42ed35682151e1cb7c94116f0259a19954b1f76

Analysis

max time kernel
150s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
Size

196KB
MD5

638ebaf1bea8850ca9ada168c65de1c6
SHA1

1bbcefb36ffab914c5606d3c944e1c3a493a1d78
SHA256

b3433542361a92fee7c35339e42ed35682151e1cb7c94116f0259a19954b1f76
SHA512

ca7242c7dbf8d44b0371b5063f65652298d84e00bb684f4416eeef34249075d66a3b1651528c7d1acadbdf7e3e6ae930cab8e86b2e1691335782806c15d9c3dc
SSDEEP

3072:lPfoxhGuluhBNIyOZt6T5e2GsFEjyKItKJximQdHpTEOA3SNP8PA:x2GIy+6T57GsFEv3JAmahUOP8Y

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Renames multiple (74) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ZaYEcAoQ.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation ZaYEcAoQ.exe
Executes dropped EXE 2 IoCs

Processes:

tcksAcMg.exeZaYEcAoQ.exe

pid process

904 tcksAcMg.exe
1448 ZaYEcAoQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	ZaYEcAoQ.exe

pid	process
904	tcksAcMg.exe
1448	ZaYEcAoQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exeZaYEcAoQ.exetcksAcMg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcksAcMg.exe = "C:\\Users\\Admin\\mGYsQEkk\\tcksAcMg.exe"	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZaYEcAoQ.exe = "C:\\ProgramData\\yAAQEgcE\\ZaYEcAoQ.exe"	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZaYEcAoQ.exe = "C:\\ProgramData\\yAAQEgcE\\ZaYEcAoQ.exe"	ZaYEcAoQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcksAcMg.exe = "C:\\Users\\Admin\\mGYsQEkk\\tcksAcMg.exe"	tcksAcMg.exe

Drops file in System32 directory 2 IoCs

Processes:

ZaYEcAoQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	ZaYEcAoQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	ZaYEcAoQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4500	reg.exe
1012	reg.exe
3708	reg.exe
4736	reg.exe
3632	reg.exe
2128
508
4304	reg.exe
4520	reg.exe
4872	reg.exe
3000	reg.exe
3160	reg.exe
2588
3104
4104	reg.exe
1764	reg.exe
1112	reg.exe
4068
4640
2020
4616	reg.exe
1868	reg.exe
2400	reg.exe
2484	reg.exe
4872	reg.exe
2532	reg.exe
4352	reg.exe
1080
4184	reg.exe
4568	reg.exe
4304	reg.exe
2568	reg.exe
4708	reg.exe
364	reg.exe
5024	reg.exe
1572
2856	reg.exe
4396	reg.exe
1948	reg.exe
3396	reg.exe
1072	reg.exe
2736
3384	reg.exe
3056
2884	reg.exe
2372
1520	reg.exe
4396
4704	reg.exe
1756	reg.exe
4512	reg.exe
2084
512	reg.exe
4300	reg.exe
3600	reg.exe
4736	reg.exe
3180
3584	reg.exe
3240
1688	reg.exe
2692	reg.exe
2448	reg.exe
1072	reg.exe
1804	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe

pid	process
712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2456	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2456	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2456	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2456	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
1820	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
1820	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
1820	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
1820	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
4644	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
4644	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
4644	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
4644	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
3116	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
3116	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
3116	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
3116	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2572	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2572	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2572	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2572	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
972	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
972	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
972	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
972	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
4572	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
4572	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
4572	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
4572	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2496	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2496	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2496	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2496	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2092	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2092	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2092	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2092	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2880	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2880	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2880	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2880	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2876	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2876	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2876	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2876	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
808	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
808	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
808	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
808	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2588	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2588	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2588	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
2588	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ZaYEcAoQ.exe

pid process

1448 ZaYEcAoQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ZaYEcAoQ.exe

pid	process
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe
1448	ZaYEcAoQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.execmd.execmd.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.execmd.execmd.exe2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.execmd.exe

description	pid	process	target process
PID 712 wrote to memory of 904	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	tcksAcMg.exe
PID 712 wrote to memory of 904	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	tcksAcMg.exe
PID 712 wrote to memory of 904	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	tcksAcMg.exe
PID 712 wrote to memory of 1448	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	ZaYEcAoQ.exe
PID 712 wrote to memory of 1448	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	ZaYEcAoQ.exe
PID 712 wrote to memory of 1448	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	ZaYEcAoQ.exe
PID 712 wrote to memory of 3856	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 712 wrote to memory of 3856	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 712 wrote to memory of 3856	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 712 wrote to memory of 3008	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 712 wrote to memory of 3008	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 712 wrote to memory of 3008	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 712 wrote to memory of 2876	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 712 wrote to memory of 2876	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 712 wrote to memory of 2876	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 712 wrote to memory of 2568	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 712 wrote to memory of 2568	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 712 wrote to memory of 2568	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 712 wrote to memory of 3204	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 712 wrote to memory of 3204	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 712 wrote to memory of 3204	712	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 3856 wrote to memory of 2416	3856	cmd.exe	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
PID 3856 wrote to memory of 2416	3856	cmd.exe	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
PID 3856 wrote to memory of 2416	3856	cmd.exe	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
PID 3204 wrote to memory of 4276	3204	cmd.exe	cscript.exe
PID 3204 wrote to memory of 4276	3204	cmd.exe	cscript.exe
PID 3204 wrote to memory of 4276	3204	cmd.exe	cscript.exe
PID 2416 wrote to memory of 3616	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 2416 wrote to memory of 3616	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 2416 wrote to memory of 3616	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 3616 wrote to memory of 3244	3616	cmd.exe	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
PID 3616 wrote to memory of 3244	3616	cmd.exe	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
PID 3616 wrote to memory of 3244	3616	cmd.exe	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
PID 2416 wrote to memory of 4248	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 2416 wrote to memory of 4248	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 2416 wrote to memory of 4248	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 2416 wrote to memory of 3768	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 2416 wrote to memory of 3768	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 2416 wrote to memory of 3768	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 2416 wrote to memory of 2812	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 2416 wrote to memory of 2812	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 2416 wrote to memory of 2812	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 2416 wrote to memory of 3500	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 2416 wrote to memory of 3500	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 2416 wrote to memory of 3500	2416	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 3500 wrote to memory of 2588	3500	cmd.exe	cscript.exe
PID 3500 wrote to memory of 2588	3500	cmd.exe	cscript.exe
PID 3500 wrote to memory of 2588	3500	cmd.exe	cscript.exe
PID 3244 wrote to memory of 3748	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 3244 wrote to memory of 3748	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 3244 wrote to memory of 3748	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe
PID 3748 wrote to memory of 2456	3748	cmd.exe	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
PID 3748 wrote to memory of 2456	3748	cmd.exe	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
PID 3748 wrote to memory of 2456	3748	cmd.exe	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
PID 3244 wrote to memory of 2532	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 3244 wrote to memory of 2532	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 3244 wrote to memory of 2532	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 3244 wrote to memory of 812	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 3244 wrote to memory of 812	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 3244 wrote to memory of 812	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 3244 wrote to memory of 4376	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 3244 wrote to memory of 4376	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 3244 wrote to memory of 4376	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	reg.exe
PID 3244 wrote to memory of 3984	3244	2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:712

C:\Users\Admin\mGYsQEkk\tcksAcMg.exe
"C:\Users\Admin\mGYsQEkk\tcksAcMg.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:904

C:\ProgramData\yAAQEgcE\ZaYEcAoQ.exe
"C:\ProgramData\yAAQEgcE\ZaYEcAoQ.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
8⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
10⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
12⤵
PID:732

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
14⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
16⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
18⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
20⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
22⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
24⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
26⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
28⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
30⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
32⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
33⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
34⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
35⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
36⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
37⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
38⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
39⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
40⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
41⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
42⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
43⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
44⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
45⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
46⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
47⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
48⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
49⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
50⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
51⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
52⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
53⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
54⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
55⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
56⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
57⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
58⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
59⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
60⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
61⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
62⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
63⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
64⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
65⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
66⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
67⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
68⤵
PID:2124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
69⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
70⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
71⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
72⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
73⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
74⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
75⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
76⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
77⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
78⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
79⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
80⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
81⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
82⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
83⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
84⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
85⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
86⤵
PID:1284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
87⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
88⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
89⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
90⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
91⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
92⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
93⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
94⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
95⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
96⤵
PID:4152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
97⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
98⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
99⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
100⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
101⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
102⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
103⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
104⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
105⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
106⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
107⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
108⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
109⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
110⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
111⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
112⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
113⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
114⤵
PID:3448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
115⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
116⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
117⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
118⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
119⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
120⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
121⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
122⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
123⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
124⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
125⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
126⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
127⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
128⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
129⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
130⤵
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
131⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
132⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
133⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
134⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
135⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
136⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
137⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
138⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
139⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
140⤵
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
141⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
142⤵
PID:3700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
143⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
144⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
145⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
146⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
147⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
148⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
149⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
150⤵
PID:3068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
151⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
152⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
153⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
154⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
155⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
156⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
157⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
158⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
159⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
160⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
161⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
162⤵
PID:2372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
163⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
164⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
165⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
166⤵
PID:708

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
167⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
168⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
169⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
170⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
171⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
172⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
173⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
174⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
175⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
176⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
177⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
178⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
179⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
180⤵
PID:3712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
181⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
182⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
183⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
184⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
185⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
186⤵
PID:732

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
187⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
188⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
189⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
190⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
191⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
192⤵
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
193⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
194⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
195⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
196⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
197⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
198⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
199⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
200⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
201⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
202⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
203⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
204⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
205⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
206⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
207⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
208⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
209⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
210⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
211⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
212⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
213⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
214⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
215⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
216⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
217⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
218⤵
PID:3908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
219⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
220⤵
PID:4200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
221⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
222⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
223⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
224⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
225⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
226⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
227⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
228⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
229⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
230⤵
PID:2780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
231⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
232⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
233⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
234⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
235⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
236⤵
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
237⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
238⤵
PID:5112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
239⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
240⤵
PID:1284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
241⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
242⤵
PID:2288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
243⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
244⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
245⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
246⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
247⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
248⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
249⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
250⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
251⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
252⤵
PID:1912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:3200

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
253⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
254⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
255⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
256⤵
PID:4384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
257⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
258⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
259⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
260⤵
PID:1520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
261⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock"
262⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies visibility of file extensions in Explorer
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:2496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
PID:2576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCkYkYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
260⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
- Modifies visibility of file extensions in Explorer
PID:2344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- UAC bypass
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWEcsowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
258⤵
PID:4848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:3588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies visibility of file extensions in Explorer
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:4408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqgsIYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
256⤵
PID:2284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies registry key
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:2084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGYIUEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
254⤵
PID:3996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies visibility of file extensions in Explorer
PID:4060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcQkswkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
252⤵
PID:2124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiUoIgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
250⤵
PID:2060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies visibility of file extensions in Explorer
PID:1484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
- Modifies registry key
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:1080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOUwMwIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
248⤵
PID:1820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYMksgIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
246⤵
PID:2392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
- Modifies registry key
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwIYogok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
244⤵
PID:2444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:3048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecowMAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
242⤵
PID:3896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:2024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCoIIswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
240⤵
PID:964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:1020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:3204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:2308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcwoIAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
238⤵
PID:396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUAcwUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
236⤵
PID:4584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUUcIYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
234⤵
PID:552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:3428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWAIIoQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
232⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:4276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCEQoUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
230⤵
PID:4312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:3188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYEoYogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
228⤵
PID:4268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:2412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
- Modifies registry key
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:3708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SksIYAwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
226⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:3048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKcQgQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
224⤵
PID:2904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
- Modifies registry key
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:4904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQAoYssE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
222⤵
PID:4100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waccEEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
220⤵
PID:452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCIUEwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
218⤵
PID:1452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
- Modifies registry key
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckEckQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
216⤵
PID:4644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
- Modifies registry key
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiEUoMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
214⤵
PID:3068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- Modifies registry key
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSIoYkgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
212⤵
PID:212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:3968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYIwswUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
210⤵
PID:2284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:3708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGscoUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
208⤵
PID:1836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWUQUUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
206⤵
PID:884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:2828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
- Modifies registry key
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oicYkYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
204⤵
PID:3496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:2092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYgkMwgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
202⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCYMwMMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
200⤵
PID:2436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKsAUAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
198⤵
PID:4028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyAUQkAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
196⤵
PID:4628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:2876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAgcoAII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
194⤵
PID:808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCkkcAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
192⤵
PID:1268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqscMowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
190⤵
PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CosgYcsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
188⤵
PID:2312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:3696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUccAUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
186⤵
PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQcIooIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
184⤵
PID:1108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:3116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
- Modifies registry key
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:1936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOgEIsYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
182⤵
PID:3428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:4016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGoYooIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
180⤵
PID:1860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:2120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncIgwAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
178⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:2568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsAAMIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
176⤵
PID:4156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOMAIUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
174⤵
PID:1064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
- Modifies registry key
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIMQMMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
172⤵
PID:2868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:4032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:1004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooEowIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
170⤵
PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:3436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
- Modifies registry key
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgIgYYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
168⤵
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWsksYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
166⤵
PID:1528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rsgkogco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
164⤵
PID:1080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYYIQAUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
162⤵
PID:4904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyckAwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
160⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqIYYgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
158⤵
PID:372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:4864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eikowkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
156⤵
PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
- Modifies registry key
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUoUIYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
154⤵
PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies registry key
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqAkUUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
152⤵
PID:2980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwckIEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
150⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies registry key
PID:4184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RokMQAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
148⤵
PID:4188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OekgoQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
146⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWkIgAEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
144⤵
PID:788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOYQYMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
142⤵
PID:212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DssEIgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
140⤵
PID:2944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FagoMUkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
138⤵
PID:1836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heQcgQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
136⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCEEIUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
134⤵
PID:3448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:4512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkccAMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
132⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:1360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- Modifies registry key
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwwIsAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
130⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:4864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOMYQUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
128⤵
PID:4992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:4376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqgkIQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
126⤵
PID:1332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkEUEUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
124⤵
PID:4144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkgUcMIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
122⤵
PID:1936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUIckQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
120⤵
PID:2856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueQsAUcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
118⤵
PID:3564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
- Modifies registry key
PID:1764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkYEoosQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
116⤵
PID:4152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:1980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:1528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykIUIwoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
114⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WggUcMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
112⤵
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:4300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUQAwMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
110⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:1452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsUEYgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
108⤵
PID:2256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:3764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeIkkwEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
106⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIAgYYoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
104⤵
PID:212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKccAEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
102⤵
PID:3156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGcsoIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
100⤵
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAkQgAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
98⤵
PID:2116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:3584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FggIggkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
96⤵
PID:3204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmMAMYsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
94⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- Modifies registry key
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwwMwgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
92⤵
PID:2292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCwcEIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
90⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCYEQAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
88⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKIEokkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
86⤵
PID:2476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:4568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaEowIsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
84⤵
PID:1944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMUcwUYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
82⤵
PID:3400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCcIkogM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
80⤵
PID:428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pccooQMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
78⤵
PID:4184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsAYEUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
76⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSoMsMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
74⤵
PID:2008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:1756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaYokQUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
72⤵
PID:2920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaAEQAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
70⤵
PID:4104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeMYAwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
68⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSwoUYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
66⤵
PID:2800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYkUYIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
64⤵
PID:3272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSQQYsYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
62⤵
PID:4956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYEMccUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
60⤵
PID:2392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
- Modifies registry key
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqQoMoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
58⤵
PID:772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- Modifies registry key
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIgIUQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
56⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voIUUUYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
54⤵
PID:3996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- Modifies registry key
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCgkAgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
52⤵
PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoAQAkwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
50⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwQcQQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
48⤵
PID:4560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCoscwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
46⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CosMEgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
44⤵
PID:4980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSwAswwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
42⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiYQYgko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
40⤵
PID:4444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsEAMccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
38⤵
PID:1860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoIskEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
36⤵
PID:4268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mggoocIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
34⤵
PID:512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouAIUoEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
32⤵
PID:3484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGoIwUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
30⤵
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- Modifies registry key
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCMIYoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
28⤵
PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkwAwQUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
26⤵
PID:2292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSIkUEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
24⤵
PID:4340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgccgUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
22⤵
PID:2980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
- Modifies registry key
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwokQYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
20⤵
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqIkEkYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
18⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwgIwcsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
16⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCswUAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
14⤵
PID:4908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiIgQMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
12⤵
PID:3004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROwIogIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
10⤵
PID:4280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMkksgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
8⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyoEUMkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
6⤵
PID:3984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAoIsEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUcgkYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4276

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b6309d393dd67cba484d79e09e7fc5ce jwHB2C/8/kWIv7vuzVxZJQ.0.1.0.0.0
1⤵
PID:4100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
Filesize
775KB

MD5
af0855e19d4dac0b5b182e84865bc710

SHA1
21ba7e7c5a3572dedddc6db378a352b21546b6ad

SHA256
03f201f547c0ce7780ba5ff2fa57af70e5862e4c924ca64b124d4e99a3c1cd01

SHA512
4f2bde41f3b0102e00314dd74fec9f26145f9f7ab17d6833a8cdceff3a5c331ec7cd03a0e9ce560bec16c8c4fabdb17a7a5532447f6bcd47da65161133e78970

Download Submit
C:\ProgramData\yAAQEgcE\ZaYEcAoQ.exe
Filesize
201KB

MD5
9a382ebf476165751496238af902b929

SHA1
7484568ad4974328f65c5af9bbf3a445939470fb

SHA256
2f662ebd2c0f1fbe412d3758da17bc8f9a4600c4f2a9d25b8357cf252104ead2

SHA512
6088dc91c9ccfab0a759316626dda9dca52c12b003254fa06adea95ab4e875a22c1721667e8d074439c6b9dcb6221b808b78a4b651a6ac65ce8ca7acaee87e31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe
Filesize
186KB

MD5
343f0518b8d7d76b4b25a494e6b4bac0

SHA1
ecdce0adc3af1d7c3c1f2de06cc64fb5c5858bb9

SHA256
7b81f2b52d5938c1ed22cfb4aca9860a39c1e67c44a5084de0cd07b2f1ed2483

SHA512
3a6b286163e29601dd8c3fe448456fe1b24582d3e7635dc8b3b8082affc76fe94069a03830a78e2925c5c9ba5441eb2188d0d703aa1d580aa1fbb12a6fa17384

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe
Filesize
205KB

MD5
0048a841fcea80b55e1dba6b2727dc4a

SHA1
de64b8736b56630ef20f89bcc10c26f76b659afc

SHA256
e2e2451bfc498bbccaf25cc47469a78b8722f34b4a667ac6eb6db461507673d1

SHA512
6c3d57039a9b71268ef8d7be8620a14b11c15e2039e3b5626530df2858ad8b009960b1200edf1069f36038f47661e6230f64c3ed1079d3c9db60e9d8ef217c38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe
Filesize
189KB

MD5
3aad0e5b5542b6938811716af84d7d74

SHA1
426de99474257da64c14abd72d60d8b502b4cf6e

SHA256
2cb8ecaa0684476090bd7d8d7805b180ef63fa1717f7b1eee34f14b6a679cb24

SHA512
15e0a3146f790cd7f5133e41c433b67f1dc46ce8e1bfa35cefac5da725d56d2787fb7514ea0edb3dfcf42b0755cddb3fbd6951d397cd326e160f9de4bea37431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
Filesize
189KB

MD5
0d55b1021f86b92476610c5786e2324d

SHA1
0f7222487727943b9f5b5d194062cbc9fca2f9b0

SHA256
97bad38065f1dc26923d4da6989a80f22f7cf523a7e5f337e663eb7ca6742841

SHA512
4813b03977131aef9d54efca0dc1d72f6f64a6580c285deffa51be20a964130e8e37e56094dbd49a348213762bbad2db3cdb7884561baccc53a59ad9bfc94501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize
196KB

MD5
79e8f9694114c505c81c9870e4ef1619

SHA1
3c65f0e95006e3edd20e99e567b38f31bb7ccf2c

SHA256
d6ba772829cbc81991565cc554605f60ba8e03c57bb8991cb03daa372835f1f1

SHA512
5788be73e57d6f43b6be2f9bfa69618d8f29edc38107fc5dbf9502ad2f160bccc50590a2e3c76c7e8c8976e8ccaaccbeb1628955718d83db8c79db65759fe394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Filesize
1.8MB

MD5
e487e6cadaaa2a9b2cc38c28e6c02b97

SHA1
b1237a67faaf52a2c876f96ae75d23b0190869e6

SHA256
d3deb237e01a7a2ed099e0266f590dace5578c0739383dc803f6a72a6000220a

SHA512
065b810f5e762f73a305eaa34fdc0fec6e158abfcb302b392cbacf010819c803dbd2fd562dd2f003892723004f978a7b7e39179cdbb85ba66203b0051a872128

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe
Filesize
195KB

MD5
718b2dadd36aa051e4dbea83d9fc83f3

SHA1
99f14511a955b277678337dd016d7f310bfa0f2f

SHA256
f742ced7c48a5f628cf7e8dab89579c9000d3e45ea932c33afeffe80fe867b5e

SHA512
0f1e7dbfd1b6dff73157c38378fb3ec8c7261f346c58fe84e52e73d5b1f157b8b47689e1fdf8b8a264ff81dee9c3453614ef8e9cff03f61202413527cc12dc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-28_638ebaf1bea8850ca9ada168c65de1c6_virlock
Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMAU.exe
Filesize
5.9MB

MD5
0423e8ebcfa1f5babbde0f4eb0005c90

SHA1
a1092c865a5e3269054beaeb7a0ec03428cc6f94

SHA256
254d4aecb9aced090edd449aa1407686150d32e12da72b5948670703282f7a1a

SHA512
659e883c9570c1adfbf9471786ad35014042dd16a734897e6fedcc4b51f6e9e2c063a7fe5be2dbf67081a14e82eb32f76df57e014fffc18ad2b99a60799f2a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AogQ.exe
Filesize
321KB

MD5
a4ec7d3a9bd1d37724bba9f29e06a8ef

SHA1
4fff445c97a4ee97de32188b00cfaa3840c3837d

SHA256
e34e1679c691f91b34f7cf248eaf025464c96d42e36cb9dc7e9db934a41a7ab4

SHA512
3df4a37d9c3b3f5d86d35f83d6a8650f91eef07c4a606d70af270067ddde05606097db8ccd6ac060e4a58261b1ef884371b2848178a8ac404af36c7ac2273602

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwcG.exe
Filesize
826KB

MD5
ec7a3e6ec7dc98cfd47730bc5e7be993

SHA1
29c13fb5ab4c0a50ba003274e31e127b967b7695

SHA256
e555dfd2304adb7b5caf6a56954d7e8edc3c2af38469a6b844903ddc4f6f155e

SHA512
bda094bbc987c8aa03047e803407bec29ad202b4dbf63e0d285b8270c35314c0f3813759b1cac80fb21e17849e6480db1aeac04576df664adf3a8358bfc275bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoMW.exe
Filesize
183KB

MD5
754023fb495b971a51771edc709b1533

SHA1
1fa3348520e1d7aeee0fcfc8688440d2802cc626

SHA256
7412024fb2c7d4f2ec5bc1f5967e554925939a43ac4e97693ffb63dce59bb0eb

SHA512
f1df583a3819bdfd685798d74346ed21e1586036e2e00f2b81dcf6235df9584e1e9cefcc1f3d1083e4b8756df83a769aad5babf6d9283cb53f695adc6f8d166e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwIy.exe
Filesize
817KB

MD5
59c5264190ce429b49b4af5756a1712c

SHA1
702b60544dc8411aa415a4c1b3e3c6a7bfa2a029

SHA256
969bf1c3f530bd786aee316561799a8ea572d53c84e61826d1e7238f2bd8adf7

SHA512
7326eec3005831e1249d6afd40997c35138cb81edd54d3b4552d23b0b50371f96c5136adc9c2e2686ffa4f138a4ed0445c0bc11b9b8d35562b67fe95752e8e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUoa.exe
Filesize
811KB

MD5
8920ade8dce7b599a709045206c77a6e

SHA1
8e9440855031654db16ecaf80dc3324d77ae84b9

SHA256
6b757cd97eb071550896680a3991e7291f4ca1bb7322523193d2e8ca629f6de4

SHA512
de3c95c3df5eef2c6260336b23889f9a43a9ce52861992a7fbb5e37190915cc5b1ef043401e6d6ad212b1e1000183b926c56f3178c4c698547844917f3ac0cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAQe.exe
Filesize
191KB

MD5
78e757ac6d77d6fead87b5f458169bd0

SHA1
e53c1446174ee8ee8d53247853b95015b3da18d5

SHA256
0b0752c05f73a054e19ba717f51a0f74d78437cde82f6a5a3c19c57b492cc24d

SHA512
3ec7ca10d9a4a13531b8587e69004c9da0bda6996d14ffb6c7532d145489eb487617f78107534c439330ffa6c9f4d1f4f98dfc97ca03e63be4e44f1673add5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAQi.exe
Filesize
219KB

MD5
a3932289d9ce77ab8f8bd6ca616056e2

SHA1
685ec135c23666f5cc957e13359a38f4152b40e3

SHA256
9efeccdcc2e4e88e01198e848e09c17e71aced0b4c59980b53f51ee5679305d5

SHA512
43862a7ce264a78de6566b50c5d0a1c36fc7f9479e78e70f8243f668de43ce32d21ad6d94de3fd74d3abe190ba8fd5a1e9751263a06c05ce69936b4d849696ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkYg.exe
Filesize
1.4MB

MD5
fc6fea0d70a0248825be6667a1651196

SHA1
abc395cd7f59357ae63cb71d21f4e9569757314d

SHA256
0e328d91901ed5235f54fe545330e089d5266446ffd94aa6549d33fde3c6c138

SHA512
cd548b36b417f99e4d35df5968d2a5c834bd93f214c0aa488d730d20e8769712765560d74cf30f1bad6084e000decf2a3cbb3413a17b054aed99b5acda83b101

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoUk.exe
Filesize
195KB

MD5
906f0af556935c0123d7cddb51fc3c0b

SHA1
9f5332f0657a3a948bea3fbb161be9e72a595488

SHA256
9ac04cf99869b82ec4f2bc28d6667c63265ac952e62948152746b4dc31a5f580

SHA512
5f6464d303d8f99754988af54ae5c1d6d53866118e536c0b95eea6bcdf0056ce4f244f4d2c5394007dda2abd8566cfd02d159e88b0c5abb0b7b0397e49c35359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQoS.exe
Filesize
183KB

MD5
50ebe9fecdf201044000d16c85857dd8

SHA1
700261fe961a6c0a4c1e843b15671e6f09efd461

SHA256
e7dd15ecb2e45dde4ad80aae8b1e06e6115dc8c360ff68fe4cef45ff5a5a0808

SHA512
b307da239f6d6af911dc18cc68d77a740d3677ffb2162b9f85a30f4aec0983192c2fb5d17cbbecba7406784ce45fb8d01793c2504d55085dfd11d6cdd62b8273

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkAE.exe
Filesize
664KB

MD5
1d9e983e43fffcb7566829672edc8ba3

SHA1
35eaf54afabb6ff91bd03eac9a7e12ceec533be7

SHA256
105d5c09dd7d5aa80a7259f07d2c7a41c5a52c4060781773789dc0fef10e9fad

SHA512
b49bec89723541b9dfb9b91abb4868cfa76341b7b337b227a89bd82b5bef1edb1a29539d1f8eed762455a6886c8df64ecf1fe7df9c3b11bf9cf976d10ccd3cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAMq.exe
Filesize
637KB

MD5
50eae5a34567469684e6cfee742ce9b3

SHA1
fb6752a88eb2646b07d8f4948769523835ec1f97

SHA256
60d013bfe40f6984d7a3552a3d1514f9ad5b1ba6d2d23e5251683a491cbd93e7

SHA512
d2c4d31f0bb213ef4a339867bad12bb041b78ea5400054b7565e87c5f061a65eea690b665e7bca059d69214f216bf9c6b9a2582168a9c744721c6511d32a5e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEgU.exe
Filesize
221KB

MD5
d3002f5b7f58815a6f2c6e123f874a9d

SHA1
dcf84a018cf8dd4fa024513fcad355e0e7a11f15

SHA256
f1e2e114e1acda17bcad037e590063a7982ee6b146c0aeb1be273652a8963afa

SHA512
64bd61a758f16bd2dfc74ef4961a25a6acb80f783a9e79e850db837375670e26a3429504cce2b05a55112b801d1b2ae72f0f90e22a2fe050f9aef544fd11ae9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwIU.exe
Filesize
203KB

MD5
da24a77504791561603d2c29c979a097

SHA1
fbd68adf8bdcb50de55c007f59e1e576b43e8b9e

SHA256
19d91e46f8e8de7f16204100b8f60c79c29b661972581171aa0e468177f1b339

SHA512
9855d9f15af3fe7eab4c195ce5b7b82eb6b43210a1820c7691d5491864927b30508e431a861326c0a562d91dd7c139b361b60702fbf1db91f41c6722718316c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwMi.exe
Filesize
319KB

MD5
dc5569fd4fe940de704c4399a0bfeec3

SHA1
7ff7ada5d134ac23be4197cc1bdaae8c2ab90439

SHA256
68a5ec622b946966286ee3dc9be174a37349c973b1d2e71661083572934ae5e7

SHA512
ba7599a76f4463ba0501246042ae85dd23c1e66400f645ff593ed5eac0b6f98235aa89686401178b804e12fe333d82b1b3c17e12c8107a6c41b4f5fd25842b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAwW.exe
Filesize
193KB

MD5
ff92431f83f90b8b934386efc706ec04

SHA1
624a1f88a666999070a95e5f28aa6315c205a73d

SHA256
5f5bd957ae1d9fe5129b31f41820bc2705e864ca5e18bc90e777b1c89243ba3d

SHA512
3b622c8afb1f1b865af8f95808d93d6aaf88ac352b99f1bde6af41478304faecf71953f00f65293bae9b5417274183299994255c930aceb44d0ea00854996eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEsK.exe
Filesize
213KB

MD5
b4f2d0983ddf955bc7496c3986115682

SHA1
513b94c637a89105f4c10f9ac51ff0e8611488b1

SHA256
245b15342051c110998e2fb06350b983fb3ff796d19f8a32b7736d1a0e5a9a9e

SHA512
1c56a9b97552b8102ccd4b218aab7fe5a6f7414f06468ab56079cc374e26e8bb237dcaa4237188d8d6833a81bb5db66f86f7535d71691c38baaf6b17e84b183f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUoG.exe
Filesize
191KB

MD5
3ea0ae5380f048ac4005b2a835a572d9

SHA1
bf45c39ccfe8b15656ecda9076addf2276c223cf

SHA256
ec49a64396929ba1eb1e3c825307005c5baabd45c7464443246930f996ee92f9

SHA512
c7dc9a0a9df5b65cc4809b387cf635b719e5cfaf3f1993585fd0ad2d9f980bf07a600fb080a432706e93c7b2d3af954c51cf61b6f84f37b0bbe348d3f3d63b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkEk.exe
Filesize
190KB

MD5
72c18ce26f7d9581c108a78ae71d95e3

SHA1
693eaea1d06105c31c044258bdc9d4eee646d782

SHA256
3fb45dd11e0bbbdb11ceb7c2dbc4664e8df499097cb1c0aee3dfcaeb90e5ab06

SHA512
e37614a9796cc99ab75a2e5a5de0e88163e9d6a3811b00a11535cfd5f537ef63c21b70c7cd15a2446eb501897225ab0537343b0520dc15f6a9fe6abbfe8cc81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwEU.exe
Filesize
215KB

MD5
d93d32a969dc492672a2eaa03f38d2d3

SHA1
927d20147ea9617419a13e6e741db671bb7338d6

SHA256
31710e2ba5f30529f5720a6fec25cab9d98cf04bc0f151f3c908e2a50c0e8c99

SHA512
127c89055346ad34da5efb0ddecfa4edf3e78a9a0f3b934464a990d4cdf03fe5ff790107d3692cbe08a0ec668f77181d81bfedcf329b5a51c3c3378aeafff37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYUe.exe
Filesize
212KB

MD5
048e559c180bb753f993ee920e37e294

SHA1
e22ea0e89db8e89bedf0bac0e18d9013c396c974

SHA256
dd953efb2d8466f5af0ddcbee9aa7f6c76b72462c107d85df6890df3c509a089

SHA512
65f7172444f006ed47c2fd404e3f6f0f67bd14f37f2f51f6385bb7b5862ec715f00ac37eb2df8888eafc9712159db50afe91e7c7a87df589f8a985ab53fb509f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYom.exe
Filesize
1.2MB

MD5
3612610fa4debf277992df88402140d9

SHA1
3539c095997f80ad1c160a3f64ccd6ace25babba

SHA256
376719b2dfb1944fe8cb67b839a4390b7cc9adec87839a9e3ecde575930736fb

SHA512
52deabdf6170b2e64925a67dbc1e30aa6c118a3be4f7221b15ac6d0a7f20d11073bd7de1eb3cd801e8d48db5da33362e1138bf132e37cc1f9e03e1d455193ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYsO.exe
Filesize
199KB

MD5
e97e0cbc83b8a6e0a7b9ba93fc0e9e28

SHA1
6e50f2f3f9a4096e8ca0a255034d3787d125ac5b

SHA256
035945e69eb1b6f4a533606504249fac8083e35b6588ce7f78e6365c43b003f6

SHA512
b07cd4563526ad961bca5a923115b1e4ecd8c6a194787673ebee3f4564fef527b8ddaea9532b9df33efb6abf1c24d97bb3f8d5bf04326fe81c6bea6d6ec967b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIMC.exe
Filesize
188KB

MD5
849012bfe9e66af4f30228587a50c4c3

SHA1
92d35d2d3652c0ef62c982661f616b998781f942

SHA256
dc437c11d37d849f77673b8aa7405c8c00360179c29effbbc69cafc3f75fd50c

SHA512
6e632ccc8a971cefe412044281c878eed068aea340c03696b9bc43f9da39cf820f6213a63bb9bbedb985393e951577fbc9af11f65b99d18df3c87fab93eab48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMgE.exe
Filesize
331KB

MD5
025ddd1079fafdc245bf157bb715318e

SHA1
bd2fffa97d552942f8e1c15aec1ec265cea27ddb

SHA256
44d9706bb5d6e8403596f58e896b5bfa83b24de90a3e30dfd71dcea0dd53ea66

SHA512
1295c572bccd731cbae8c6663f059e61401ae0be9997081aa9814c9d1eb3f265e9e5307ef7a21c7bb5996382f12bd223b8703e3439d6123c84568154f73af8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUII.exe
Filesize
195KB

MD5
02140a69ac15bc3ed126ffd77acc3464

SHA1
8f29fc73510f005174bd78a8beb3303db0238d29

SHA256
fcbaab993a12272e7e0b0db20e3331e4dacbabc56e30668af97e16ab333610d9

SHA512
ac050f2b133ce34c5f8972f10edbcdbb6fd40ab28dfd143793af3416780cd6bd69729682bd74a83964619a724cdf022b24b0115d39075e0107477881f4408f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\QswW.exe
Filesize
205KB

MD5
32fa02801f64a396d1de85f868639a59

SHA1
0b87ebc9c144a57cc15232d67a96e5296f015902

SHA256
da87ec850fb9585e6c5e262c485decb400155eafa3030a19ab39c9c424312954

SHA512
037b19cb60f862c66194ec4038dc21ad93e6c1a5016daf747e8e0c6c3ca3f69d5f16699fd276e9665f68c2d60f10f69f71a01465dc6e820f22840f5b008f9654

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwUI.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAsi.exe
Filesize
182KB

MD5
6f1c9ccbc5925208776bbc6bc47e0cc7

SHA1
98134808ebac559341cda02368fb9f16120c642c

SHA256
89635762dda890b377cb4af8aa473a46e7f050b0255839b8ac1caab6eb963a57

SHA512
0b0812e3bc61c063935c7245ffbcbd7fe461c4224d03ab2166ddc66a13ec097db40e9ea3e8591194669532d854f41651ef2cdc80e5dfd6ca90b577bd6949353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMwa.exe
Filesize
197KB

MD5
ca50c9d1c812af571bc433b51e3a1dff

SHA1
582a78eef22996e7c2dc4e5dc4c95047b46f1428

SHA256
a961d608b755df251efca17e59b268ae73bbe29e6e69775773c5e0eec533d821

SHA512
7996ce3b865e5b385a879cc1987ef487d48ff30c873f8e839ab950b9a123c441ec4a98aaacb88763f949f7825e05b2a7423bdbdb16b0aa6b59d455aaac2dbb71

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQES.exe
Filesize
205KB

MD5
6ec4bf4b2d2d317f4733fa97612ed1c3

SHA1
02f0c4d5ed4f1e8a8aa71d82cf8084999d1a9ddf

SHA256
325027322ad30d423b1be3f434a958574930206ced20a2ceb593e67a17572bd8

SHA512
9e78177b726e42083df3d40991450e4c39bdec16993ec2a9a18daa26027316569ebd844025d1b45d6b766349ab228a71725b413b5278e19e9ab4c248c2d46202

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukww.exe
Filesize
187KB

MD5
d6f72056298bc16fee8eac835d12d6fd

SHA1
0c1891a845aab1073edb62218c761688d3f13029

SHA256
cc073c9469dfe692d0a7602d9946f88a733f2ab6fa1e6af67122e0a34b2228f6

SHA512
7766c116241606a4534de943d2440992ca23116c3ddc76863ec1c55597dcb39201ae4f8dd8682b539fe5496bedd7dd5a924a2760a419fd2ced64963565fbad89

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoQy.exe
Filesize
201KB

MD5
816dcb92eb6bac5eec6e766a2b7cf9ee

SHA1
e97157f03c122d2016cea1580f5265f670ada83d

SHA256
314f3b18dac7c84e12c373a0c74a77d37c1166e6c80fd950ebfc35661e15feac

SHA512
6799c5cdf281f135b91151599f5128f3ec5956795ecdd20ae141a7b06bc480851fa341e0b0dc809458e60a9cbc28904acfeb761e63339a1584b713f224e0ed05

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsQO.exe
Filesize
803KB

MD5
4c657849646a8ca58e723b09e955791a

SHA1
04e802263eea9e8d2761968ed77cdfa444d101db

SHA256
62b2a6e3caf085b810f6fe4935cbf329f45f2a7aa311c11856591dc8dbeaa1ec

SHA512
8afbc1ae9bc313331b7ae183f38561cab72354c4d07078201f03e23eae297b290ade4905982053328828d120bbdd32d6025ce08e5111a1cb30cfd810779f3ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIgI.exe
Filesize
1.4MB

MD5
3e572044c634bb705334059b6dc77526

SHA1
379601544c066511b9a72a99f7547e601be7a8ea

SHA256
17b1f7c5c35a4c3d2d13823e078002d4a08d87cb746e4f0c5bd5fe7ba5f639d4

SHA512
c7979063260bc7f0b0a2265d89f8423b4649cd8e9bfe79e1c54d7e5eb14e18b35e407c6912198f7c433e1775cd67a06e9f56035819c882a60041d4d5df5cc004

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMso.exe
Filesize
651KB

MD5
514ab5ec568303f1da1aa38a5b9f094b

SHA1
7dd34cadea2a8e7d399d55be47f1015df5721b7a

SHA256
e16da6a1f92fbf3a7ed09044d8f5ae8c0cf4201dbf0b63ab6b3ca36e2e769ce5

SHA512
3097648db64af9ff78b116d6079481e35b62ffc83caca3ae9c2e2d668ffda21cccb70a9b550dd2effe9861ba1c888b6f02d5eb40c0a0671e6fb8df3ebf1899b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkMc.exe
Filesize
203KB

MD5
0b619b4d7aa3686748d9293abe3d12d2

SHA1
3d1c2304b696ad8e0525b7457f2bf1b70046ffb4

SHA256
9a262a4eb6093e83170f0bf5ed2d98aa0f2656ca55741740f5047b59d4e5020a

SHA512
d180917621e78569fa3f68f340ddee5a28038469fb87cbb089bd28b1e0c4f39f1346c1dc72ee70af46c0be1820fb7cdf905c73b6909b1aa5b65e97c13da71be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wokw.exe
Filesize
187KB

MD5
873dca6318db558bd943b2cf607b5870

SHA1
15f8ac72706d4ea8e39b113b6cbf1f73c735ddd1

SHA256
b528d053c3b8d9241c6c111a9ba8702cfb0e389b14785cb1a7b6701a2e0e7fc1

SHA512
7284e0bec33e8b5a6b6c1b5ebfef30aaa43f98437d284888ef734787a2462b36874735e20cf90a37e1cefd40bd6f4a4a006e5ae17bcb6f5edecaccaae16c1ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAcy.exe
Filesize
5.9MB

MD5
46bb4211d33ebd77e5d3cc4ee467c9a2

SHA1
254a5c30581a7f531753a889d59c1921bf1602be

SHA256
638a8f1e7d48f3325d173eab27beed866be5b3dbca3a2f53beea12b8d4b92391

SHA512
94723ac9af0b67b1bcc280f9009ea6cd1952bfb47d9bcd92bad022c1bb97a6053f4673065cb0ab49fcbac94b79cac6897891f1b8581594a372b2fc1f9951cbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgEk.exe
Filesize
204KB

MD5
2933d56c278181cbad22fcec65587ebe

SHA1
5dad586d1e1de82f1e582e9fc5872e13e99a778e

SHA256
96d07a85ab4f5e731c62ea1e5729a5ca1683bdbb840de0732da3897271d98aeb

SHA512
de378d9c1010986fb992f08f7dc97f55bcbc07444bf58559ae9e8ae2ef3f01125178650cb7af1ef14119f6e524a6018e29bf5196468ba09f85c8db38117d3d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIUk.exe
Filesize
673KB

MD5
1854395c23e891a56e542827183d2260

SHA1
65199cfe40143fb4694652c3da9d1e3e6292709b

SHA256
3f836176f487d1fcc9f884fadb0ead9d61a0ba4c64308ff5485557b42b7e6a17

SHA512
3f25230e1b452db47001757d9d1feb8b98d270fca6334ad9393aa1045b6e8b7118e9d473d6f068ce906648a1d3b15a3dc9c4f0c6c7eeb6dd3da235f3ff9d56d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\acIa.exe
Filesize
197KB

MD5
ac2fcfec6c0802080e90c1e3a676aade

SHA1
a36c09fd930ce430716e29a3bd05e2904b537b7a

SHA256
411a7b87ad9728b61a8d5500a82e432dfd8aa8c7085d5d198ea17e0ba2bf8347

SHA512
5320aceb522579231291eb3285ed54e20328aa6950352baf84b24bce92705522330440f31d8ef08f5377e53798acf8e9ecbcb71b4f3c5133a70e337c7d75228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\akIs.exe
Filesize
639KB

MD5
fc56f7d0d24f0f0253368541641726f2

SHA1
845b7f6295cc4d619ec57f4dab26de894d41a1ab

SHA256
822ac05fd16c498c221565a661d23565b16215676dc2fd4e14950187b496d6f5

SHA512
a741faf01ba91f87c19368dcec52710df9eaf6c4a570dc4a7ec6401ef51c24866e56b5c5b5d9871d88bd231faa26012f852316ec6a94810e857b372299e10388

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEUe.exe
Filesize
193KB

MD5
5894474fa0d5cc79468f9bb5d57705b0

SHA1
fbf5808094b1146a1062380ba61a607f8e545314

SHA256
b2ec0b91b4d0830dd673312632670772700bb748727f4d33411d7c6cea4b32e1

SHA512
38a3ca297d69eb2ba2e3f225c2cea30eed3cf7e61dcf61455fae80a7d5b91648b824fbc4c6ad30c835bd8728a108f17324694c011b0f1f5cdca10de3e8d48ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIkK.exe
Filesize
749KB

MD5
0658ea8a6ea60e82a6771e4a6ff39e60

SHA1
9dd5d4e2bc67ecd8b657c41b893b85d09c8f0e47

SHA256
04ea0e48ca93925cc5bf1227f6462614a7e72d9ba906d912ded9f7c7226d7223

SHA512
b38fe6d9bbba4e6bddecf9369854351f2fbc89e61f9ad2844685ba24d3d3acc096d72e0801c0ac75861e80f8bc1bd3e0a9cf6bfd633d6b0cd662020abc736bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMkw.exe
Filesize
189KB

MD5
e85b6ad74855760509d7d533f7734824

SHA1
126c14877fcb576037add78e93d95c0272ebe42b

SHA256
ac704eb800b88b8df07c07fffda188be2895532a0dff4a932c629c8e4d2107b6

SHA512
6b8f909ff41a6dee845e6da7d9aa738d4b3ba0a77ef6e7838a217f3e44c5b0f2722b1c0e3e600b2049d7d7fba2a08e5fba001ec6267747fa394a74a0d774096f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQoi.exe
Filesize
207KB

MD5
881d29660d945a1eabb0b318d227ae5b

SHA1
febee15d0578479a20310cace46df4c7ef6e5853

SHA256
41515ab7940863915c5f2b266f99de8796008af1ba6688b937225cf86241b26b

SHA512
a58a1390d0fdd3c5e73636ac0788cb713951dd91f63ae706fa957b76162a3e5fc355e0843a55288f6fc38ea8acf0e421fecbf35823f7a9bf27e23f58a85ed9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYUA.exe
Filesize
325KB

MD5
6537ff319372e454364272bf25af1f92

SHA1
869b68695f5a267c606cb6d6a1ab0f3ff7f960b9

SHA256
c484a6bf312b1c98f0712afb5e2cce54a094b0e953588c213697e2e37766e70a

SHA512
b6a04bdb06d1d79612c991e5fbc231e0e57323551e4c754c42cdc45b26e03ff18c400972c9a1f4125de8f4f14c4f9a0e1dc9d9c4ed173fcefb574f920c010000

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccEG.exe
Filesize
194KB

MD5
ec0263fe9bb9261efd5c7559488d4905

SHA1
8ff6256bb782e16696fb60b9c694fab6903f6006

SHA256
c28e051ca274ba41f80a51f282acc3fab856fbef55b654f4d611ed957dbc213f

SHA512
af2fcc0d379527fe85884fb89327c8a06069bb57bf01165cae1bd25ea06ba00135c01ce64168ca8cefc933ed57ca2b0b1ac3330f2e55b2995dbd21bc8105838f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckIq.exe
Filesize
209KB

MD5
b8c27e5ab321f77ecd018cefbe3f41da

SHA1
8de7f27f174d767cca9e0f57f48265297bcfd1a9

SHA256
a8e1589bf664b32385399fde68efdb6f8d979146ded5dca11fc13058ec3cf597

SHA512
f235a2d537180e1a768a88b59b4623385c76e8c77a90502016fa433cc6fe35e3b1bd44186780e438b1b3779f127f70f1f8797251475890ed9e91c525b6a67dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckwW.exe
Filesize
203KB

MD5
9218a91ef9896e04218124f356786052

SHA1
b30a4f96ae0f51d0e0efada71776a5bff8934f7c

SHA256
b10060c060bd9b74cb4c1dcee97b247a33a50ae4ee7c942124f9269415e72b4e

SHA512
7509e84319d0dfaae9311431fdf1191f2605cc21934843da9b9d6a358cd0a8282894ca878720236905a25004a4f354054a878c263228435705a7932fe2695560

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewsK.exe
Filesize
215KB

MD5
98eb409077d7a3448f1c2dea20b77b16

SHA1
12949a35a903969ba037c85b3e52e0f4272b8c1d

SHA256
d9bbf82a0496c8feb1135f6e9f3786d454646f11fe308ffb6b2b13fa1b5a6322

SHA512
dd899697bff2896ac9f18c26ff171b6408db3d5abd0fc28e3316d58ab21d030e2d3ad0f14800886916a1ec118fb71cd9e8b2619d28c5d43038eb4d6deba6ab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggES.exe
Filesize
196KB

MD5
aa2105879763f963b1b3fbce88b37c6e

SHA1
5341de4448cec1e2713d928e02c50f2f4fa5e9e9

SHA256
2a0ef09f4aa54395bf3fcdb2eea716de262900ac6fc6d153282ad57fb718f8f1

SHA512
c5d5bd07f6b17cb225c8d9616a0bc3d943c8ed19b7c743aa4515857ea1d94bd4eace86b0cb78e02d257e512f2d010a5d68966b0fe4697319ad7840aa15120a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gogW.exe
Filesize
191KB

MD5
05a517b6b8f32901d5a1c88bba89927a

SHA1
95cb3adcde71995f01bdf68664c22c77665dc709

SHA256
0f2b908accd98c26d26488a3a5544b3db92613af699434efba35c0dfda465126

SHA512
32cbf91d3c9420177ebe38d79a63cfef1c0100ba918a1d81803a340043b67dc6d8122183979938fda650c08c78ddbca98e9c9f28f06e34fec32e1f558da5c6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAAm.exe
Filesize
195KB

MD5
fee693330a6835b04ec1d40bec3f30a9

SHA1
29caf7240eaafd1ccd6d11ef2e524fee00f2460b

SHA256
1ec80a199153ea8114d3d7c4f346bf7a50c08ab7f918cedb968114838c73d3f4

SHA512
e3feec6a4a42310459bdcb12e2473d52d9d6606adf023cad0339dbbc2348d3d54ca2faf8d1ea3949e1aba8123326d57679fbe473a3a365a00d6d5cb50f4f7080

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEwA.exe
Filesize
196KB

MD5
c98f65a96ef4041a6dbe8b370601d0de

SHA1
395b31d5bf456f8c20fb5950e380010aaddd8851

SHA256
d04a881c128b883b2b130f5a6a1e79f213e24507333347919185b583ed1d5e02

SHA512
c65bf677e5fe2c62c8b2aa1eba7ae0779144d906974cf995afb3e201d605cff36d89ece2c42f0ff68cd5056a12480c6442fbf60a61cc127a46dd3dd838eecc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMUk.exe
Filesize
215KB

MD5
7337d28d0b2970e452f15d8106f918c1

SHA1
79ffd04fe4e139111c44712d103098f9872cd514

SHA256
2f869189ccd89b83934b1d713756f805d2238fbf69b1c1d83ba79cb905258ffa

SHA512
a59132864848eaa53abb2cadbd6f419f2ac3e408e940423dd7c1f30a25ee5318f4f46a02069905821443740cd08b51af1b1b64f823cb2f1130f43a6591480bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQEc.exe
Filesize
5.9MB

MD5
2fed6bd21a7c84f4c15a101a8baa4efa

SHA1
a01dca0b3c663472177b8e10caeb84d88b9bfa74

SHA256
bb61482d36ff06b43f44321b5cefdcb7a5fd70319abb22fd847782a8e34f3305

SHA512
5c72824f3bf5f3756b589b2032cd00d4d0109b764341ba2b8562ddd61b9f9d9fd7d311da4b9e52dffe5227c56b5ef3dc87d1544ca5932d278d77e8e28e8e0174

Download Submit
C:\Users\Admin\AppData\Local\Temp\iggG.exe
Filesize
574KB

MD5
718dd1e860afcd4284aa829770f4fb38

SHA1
fe8531e99d494df500391d02492f5e0693f3d856

SHA256
0025f9afae6d6d766cfdfe210d4679cdec9683cd82c6b07981780ca1718efce3

SHA512
e84babc0e9f889b49d04e5643f63c3861e5454befa1af3e93932862771f7decd43a9165ecf1b48bd841e4313ce689e966a6424149d07116331a57d0ccb9759f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\igoo.exe
Filesize
441KB

MD5
3b4a1f6121d82eed09f4711f6436dff3

SHA1
ab41c343ae1893a21d936abd656ee4efb684d1a6

SHA256
26633e2f55b869169aa42096c5a71a3169bf5c20e7d8809a2dbd1c44b1598b33

SHA512
138080692849632095a4e44b78dbc4f37015c12ae6d4d2d0bcee2219b6a28191ccde8992b5749a44811d68ff16eb63a5dafbd9ff4214900611803153f6838197

Download Submit
C:\Users\Admin\AppData\Local\Temp\isMa.exe
Filesize
236KB

MD5
2ff37fda3d875f9ad1d4a229894a027b

SHA1
ac6fe173d1e9b804fe02afebaf0dfefabe0abdff

SHA256
fa8964f91e56349727bdbf75ec22c4c55b0b01bda33341886a87be35727b8eec

SHA512
46fbb75babafa1741aca5c45894f0e7ed1e6a4ea684b8e587fc67c5b99315ab2d65a531569577c601b811226558ce5a7b3b4eae30c5c9ef917c7f04067a4f6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEs.exe
Filesize
195KB

MD5
dbc1c4c02567287d2bfc6776fa1bfc80

SHA1
c03b13f2372d71470b01328f75f1d8f925707274

SHA256
4adc1b578f7a55d2097323f298b15baf2703ebee8d1f30b820aced61495178a5

SHA512
bfd4267fb43de916362c02272b5ae58ea3d0508c48948072a1b1b5e7e218d34f8b914833343bff1ee1c8ea3554274e22b4d50fa8b3c320b4770df8b5e45fbfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAIk.exe
Filesize
198KB

MD5
2e11bd3e933bba0d46e3f6cc7c561a07

SHA1
9d435a344f05259d3afc1845650a43d6163ffdfa

SHA256
f9696760913ca993919decc4a16fdde62094c3e8f18dcf85aea8f3887f2bf7b4

SHA512
1e46e4fe688fb8a019f4b8289799b5e3bbb4d332cca86302926049f4408baa68cc6c711f82f513f39dfd269d864abe5dc7544b40a6d3c3cc88c0e39b5dd700e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcwy.exe
Filesize
5.9MB

MD5
fd3a19db824ca1fc753de085f49147e4

SHA1
cc45a9d404461708f39454da3b6c80cf2e3710e4

SHA256
cc2c567e79a33cf0fed2e4595912cb8369756d0d5d423cde85772fa71632bc72

SHA512
753348ed7ed8d27593ad2783e933ac1c25f458c636f80f216a5bf812e8ad620c2d4ed9eba892b63d0c0fd0e3a7a3d4d2e3433bc83da6ad0bf3db7a68c5f58a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksIE.exe
Filesize
195KB

MD5
fa26109e958f28c5e7ba595e6689ca68

SHA1
f80a54f4249ab30b8d07bd360a1fb52bef88d810

SHA256
fe206797bfb337f822503e0f7b0bd52bedc73ecead978dfe20adc5e19665c6d3

SHA512
11577e1ff25e3f77c373c955d294055bf37bf5035c3689009e2bd5198f2df28c737649527efc72d1f24450c1117b0def019c8e0339535242d15e97c3f1be8bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksoG.exe
Filesize
202KB

MD5
92ffb03a86c14ac1feca69e73b990827

SHA1
79a2c5670ac7f6c1b435122db872f1f156003cbd

SHA256
c96c807034c1327278e48cce44845c6d8e08a6863423853962176d6e10524ac1

SHA512
c7dcd4c10905a3b5226d6863bcd55a1dfb516da2734a725ac9af2d380a5d659f7870e1952c3b66a458c972500f0efd488c3390f8dff5d6184a2ceab2fa5ea329

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwwk.exe
Filesize
192KB

MD5
7f8ca0095b51af3442121775c778e89b

SHA1
d35c6a41acb90d19ffa719ed26ec02ee5202e663

SHA256
874e22779df53ced07a53a30f0499a66de1ca037b58804467cf931505d4b1005

SHA512
6513e2972204ba61b27238e4f93c292960f18e3ac63ff60c5b9753c3f8b0bd0b03962e635a54864db7661ef0760dc958e0bef213d25d83d61dfec8154061a4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIwC.exe
Filesize
634KB

MD5
4760e28091f7a2657e7c34962aa9e9a0

SHA1
ad08d1ae76728bf05c2b9ce790aa0c73ea3c39b9

SHA256
ded3743bbf852ef764efab2911b9c9dfb19b0261e71da5dad057bbcb524dc789

SHA512
d325e487e2836e985a9677c17e33f89053099326368a9cb8e2ddf0d899a0e9e38155950d8a6e948e7016ce6faf061a014e5579274dc73e1dc8d96d858f611c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcwO.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIm.exe
Filesize
213KB

MD5
aaa519cde22adf228a1d0d00a9a93eb3

SHA1
c02c4ca1420d8e30ac0142b4264d8fc05b0e8275

SHA256
52808e10acd3c04bf536cd7c581677385f96c82dd5afe1c367d84b95b7baf2b9

SHA512
3deae425d6cf153bb3b3b0dab52d3b2e62fab71544307022854634f4a02cb11925f8e1f9a7795f267c06fcb76e7a1b1946411ac9ccbdd36d3a25c1a7f39fe8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEMQ.exe
Filesize
945KB

MD5
a16b220e751a09f8f023588e22a2274c

SHA1
ceb9913ca13ccff72e1acfdd232138d0fa859187

SHA256
65df9adae7a4f4bb2b3d27810fa399680ac968221d1ad6945c582046be82b26c

SHA512
37614a1999d7a26ed0dede11f9f67916766622de7fa2748418417d25c80350dca73113f4d52b8c88c71da12e828e80bc048ab7e1121e9b49dc81d2ed9f15b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\owYo.exe
Filesize
782KB

MD5
5ae62ace7cb3919b13d302422e40b68f

SHA1
ead9ff689917cdaf5970f13221f4f7ee296ee353

SHA256
80d377e0e88a6633bc256350773fb32080905edbf0446704fac89f75991f0392

SHA512
cbe3e10c7888c3b86c4424f91c4fd651ca1770b8c7e1d24af3a17b3e27b218927c4664954c14d9a516ce089966a455943677342d09d4f1d8066eb5c1ae1452d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQke.exe
Filesize
228KB

MD5
ca46873000c1ca9ec69b5a7fd48d1e64

SHA1
a0fa7e57ad31866640a8244f458e176ffe4c2e6f

SHA256
b5a5fde6fd5021520c4e46c2541d480a0381d77feac801a812a9d484346822e0

SHA512
c94a8f132e8b8e8c3a2d614c180c1943082e4ae78d318ae017429a6d333a7bfb793c00360b3b7f3bc5d7384f1411edda422afd00e81300d56b5f3365919ec6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQoo.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYYw.exe
Filesize
188KB

MD5
0008a15bef803caccec57e10c7ff424d

SHA1
dde7db65a49d38b2cb27d4a4575a1aa97feadcde

SHA256
1efa5439e6428e69188868f4097c98fd919233c5dcc109648a096624adfa69d3

SHA512
5474cea40fbdc9736f981b9de77d08bdc87a90539e6d7558281424c4de36cd5758c67a4ab9a6f3b79ba9de629ecc4e5a0e4de59aacfc62f48cd235ef3654986b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcYW.exe
Filesize
5.9MB

MD5
a56f06ea4d5caeae5ef7bd7fda97c228

SHA1
e49fa838346d92e2e6176634804943a060322c30

SHA256
f5f9647ee10cc2c6020d951574db49bb6feff9a618edb35d8c269bd8431e4f10

SHA512
fc41f0e043d760a34c67bf2ed92d761cc3de836e684f9c4f411f8eacf429a9107bca85ede8c9fbd6f7dada628a7d9050216209656f04585e0af23327aac535dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwoQ.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUcgkYEY.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIYe.exe
Filesize
190KB

MD5
18cb3175f9d3b0094a76045ab96899ec

SHA1
9f02c5c1a8b57039ac9bba78cc14cf8cab38db26

SHA256
f3af65a72de1351f2989a776949919de329de0ac3c1fed0afde16fd6312e96ed

SHA512
75dbecbde0b679c5073efd166d1a61960a1d5abcda04f37951351763567ee1f468be02de77521ad6d3449e3eb8146635b47ffc2f1ce9de879b538fcc80885dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIgG.exe
Filesize
186KB

MD5
cbe58f470f8f2362830a22aa6f362212

SHA1
c2d51b89d51e6da4ac20261185acd479a0d94158

SHA256
9baf40e4352595a6d4ef85187753488b8b248565e443fa196a43ff16f26bf6cd

SHA512
2c549a84786c4d01a4e4fb6bb20f17a280d44848b20809504ad0c315be6d91771692c116b72f5ffe733e28bac548f7baa1b022224c23a32ce4d269c10add6512

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMsQ.exe
Filesize
186KB

MD5
aa4d49d510e8dc3805d8ad076900f640

SHA1
5dec53a17ebffb3e3ca218e7a85b6fc6f2751cc0

SHA256
438cacc89d2c33bd88cf9ca18d27bfdb7ffabac378ebdd995053c32b3c6487d8

SHA512
cc284c848a32ece747069ec89a2172e68c7e15cb724be758f2a8f7095a7f354847712cc04b661c1fe0bd1dc623ee5f5aa06ec4b90b2791aa0f5327ad5262fe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQkW.exe
Filesize
188KB

MD5
1b8f4283f828c811699165770f72a45a

SHA1
15db2b780b222f02d5c9544d18d5bf25afedb9e4

SHA256
80ae5c5f4fd202d6a840f2f0a2eba00127d21a02aab7d96fd18de9fe5eeee1ff

SHA512
791736ea8fa028c6bed44351eb79299809f3bcf299dd6e5d50506f0aed2307020d354f50c23b0b2f8d395e4a2f031ed83e899f57ab3526fb091a8c7750a9a31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYwC.exe
Filesize
803KB

MD5
83fb0990992c4d505094ea6f35af1c52

SHA1
0a4d0c434fe6f4d23f0a2057decc445c39c96be0

SHA256
987b3d2449def21e906000bd2d6119f9afc9363d27a16c87507fb3a97df79d93

SHA512
68b20ead3d7ca48a12239a071edb9331671618cabb1a57524d1acf896789dd88022a30c2ae474cb1090bef5334e8e32474c3e34fc3a41dd36940a8ae60645c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\sswi.exe
Filesize
188KB

MD5
ab5f071b04a3262968e81940818864eb

SHA1
2db316728e3f7ac468447ddf638ce47cfbe1756c

SHA256
48b730346565ff487be473fb6a7b80e099b8701bb7700c2959a00d7729b29966

SHA512
f5d6a753f5ce1c1f37629a13d1de2af12121f047200d2da35469220f25c58f8cfabac21d1af029ae3ed40950cc8356fad63b3a81bfd4b0860eb24f99529949b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\swwu.exe
Filesize
208KB

MD5
53b2e4409f3449c8368f8a71aeef5ce0

SHA1
57b2546e1751e9980268b13f4de1e66df040dcb8

SHA256
20944a84499b52798870e8a9ef3b8333ad8c989a3b4183ef733d8ac035e930f1

SHA512
18bc13c40f3280f9607aeecd5a78230ce879f8a08a890cde80b5fa14ee7535d196361517a3319a45eb91bc5bd863096e8292c3ad5036154cdda9f03bb759e84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUUa.exe
Filesize
799KB

MD5
3665468d8ea3c2db75463732c95f5910

SHA1
0e4614875d6953f6a3ec4b238784c8d3954f8c28

SHA256
944b76f3a6bb756dd128e0b463ae3fb6fb31dc2b78863fe49eeea44bf77b15f2

SHA512
8f11d3630c5a35c86efd9e679901fe9da9d420eed0d5c2cec13490f2c52c17e38778a35bd915b36976c919cef84bb07e237c38beb1e6c909b38029c91aeecd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugEY.exe
Filesize
235KB

MD5
1be22a09bc9a1543d9966d9d99b26b86

SHA1
d4dc3fb990a53859af987734c7c41c9a6a6d64e3

SHA256
f65b4f42cb6e12c95dc57bea92dfb20a8376154f142664faa75f3bf15fbe5862

SHA512
6cb8e081dd0077113e55f9088060ac936374a1bd11ca48e60e19f1967d46b20b5547b6225c64ba4ce8878b9a9a175b84143fef67c0aa13e088c3c4ef403215e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAki.exe
Filesize
197KB

MD5
d150018ccef064f379b2c8fecce8da70

SHA1
41ef34d2341de4cbb903fad5e233afbef31e4e36

SHA256
2b6be457a54b730cbfbf94acc63d3a7e044ec5b7daff09362784e868868fe10d

SHA512
8ced27f59f1a65f50d74127378af97cfaa5d244218621cbb97f1ee69cef05b45ac7943fc6cff58e135c92996f77e8997d85302787615ad144d2c00bd94a7424a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIYa.exe
Filesize
203KB

MD5
48af63b3241198093e7d69e229b5c074

SHA1
cffca8168e18b8f41cc45bd2f5f223de59820ab3

SHA256
45b9829948bfc9044b236672cc86a19ec20728899d080abccb9986c1979abacc

SHA512
264f4102438cd3e278e70d2eac460623ae83716e360d5d87d6592f3a03b43526c64e1572ddafe90651e771515359925ecb88d9ca296ac39fb034ee166de0bece

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIgc.exe
Filesize
708KB

MD5
beab55e7a48b3c6da5748a78e33a705f

SHA1
9b1a3f329021602365913722a2cfd3b3448843e0

SHA256
5352be31e762af7de1babb9d00c7f2a26deabe0f9466c154c4dc8e8172e42029

SHA512
c391d05d8a064f62a43fa2a10e8dd45ccd55042a43c14006ebe56b160f06c5816a6d4f4495fac2f0a1b77cc59921fb84c2520eda70aad39308062072b64b7740

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMgO.exe
Filesize
1.1MB

MD5
234aa6d20ed04df6c1b080ac8499ea20

SHA1
9246e2c595505a0b6596dc61a8031e881a98fe67

SHA256
07f3f99810f7171514a6c453e83132ceb588c9e2dd56a6baab163b402bd33e27

SHA512
23fa525e326ba619ce8f3b761672b4284147865ca97a54edc4577b018c491de0f261125e8d09046989f502142cd31e45c5eb39098439f54c1e79e593cc8a85b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgYS.exe
Filesize
641KB

MD5
f809f735f55981be09e31343a02c4272

SHA1
0f0b56229c207a0e362093359305b04f8a24ac8f

SHA256
94f489fc0fb372774a51ac3a7046d57eff28f3e6254fdb99ae4577dfc0498f32

SHA512
e0eba7be6841df781f52e03d4c3fbf2a5abb0d978c9f602a1386d23187710ca16afc43469ee0d2205f1b64a93855535d73dfdab9f7196aa7b38da1c2f3817a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkgU.exe
Filesize
243KB

MD5
8c7ed354df37cdf62ff75f89684033ea

SHA1
c032274d0c323dc5e64d2f5c22739d3bc2916eb1

SHA256
5def75cc288c17b85ab42fa7d35ec69d35a1b48c0a70f46dbabdd6178d668d9a

SHA512
0344d49d10555ba9632a2dd42473aa439a26b99a56a4d5ee7f50429f03c94f668700bb0c70921e959ad2c6e27b3a2415e23f646d53ec528f73add98d159c368a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wooc.exe
Filesize
183KB

MD5
7923dafd91ed6ce03b49123b4f5e45d5

SHA1
d65939cd7c1f913f6e2f72f56907ff89836a9ee0

SHA256
28748fe293e192c0f4102baeb6c6db264eb5de3ec3cd150e0c5aef86879afdc2

SHA512
3d865e825f304793c82466fde4b79f21a46b1446d432f38c7b6061d442a642df8b033c2501fc1d390b8efaf935ea533d4a2adc7063a96f35a4d067edb03faa2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wosC.exe
Filesize
269KB

MD5
52de8522f1ae0f0ee7024b39661c0bcc

SHA1
208d75ce8a0ebbab00910cb56f45c3f2b8096116

SHA256
ea92f44befc67e33bb02d91e69eb1334222f9c41dfe07e44b38427eae34c634b

SHA512
d24438299fee397a39efab74ef70e77bde74d27fb41101dbf39ec3d8442c9fe5d63cab9bb6adcd8631d00cd097c51ee1a5e61c982b9e69337ca21f33b22d9f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsgW.exe
Filesize
217KB

MD5
3d621449b279e20eb930898367783fd7

SHA1
dbb1c68a7bbb306dae64af5394ff4f547c45f5f4

SHA256
3c4b7235fe5245922c9ed7decd8a2bfef3713e5abbb50a76780d11512f5ff6db

SHA512
7bd69e7bddf97a5cdb68a6e15e4d86166812f8efd20084bb797f6638563f34312841cd58b7e5c0e27bfdfc571f158e8dfa68b9239abd38b464f34c01ace5dcd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAAK.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEIw.exe
Filesize
244KB

MD5
1e91eec34dde8f83cd4c6ce1ca03f631

SHA1
ebf3e2869ccd19754d2272f548f3dfd6f8600729

SHA256
3663ab097ad7066517f173b5d147d011bffb4a58fc2defd8f66fbb986328c35a

SHA512
35c93b3f392ff1abdc927f07f532632065ebbd2dda3b3e192ca83e8b94c160f7b0dad2f4f7f31b7629750f9719142ed71cdd8794fdc3eefe61600690245c6fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggQ.exe
Filesize
195KB

MD5
fa25a14d756061f4cfa7f8ec26bd6195

SHA1
d97250d1f1d776741b4ef0e4156dc86b7fb78c87

SHA256
eeacd8bf96b491de242be3e2224b0dba19a7c9bf7766abefbe0ac1622ac238f8

SHA512
30a4b973dd2e1bdaa1718442c4165f5cc99718d2df4830b3cec8483b4c1ceceb1876eecc74b21a2f74efa757bd7c98eebe643535670fced6407913f718ea6696

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygsU.exe
Filesize
200KB

MD5
9515fc586647ff0e6ab41f8f6a2f0fe4

SHA1
dbffb5d85aeb0366f7179cbbdac4d2c1064aca0e

SHA256
29ca9a4fab3c13b6ba42ee68784509383a9518e55c735982ef5841bf390bb050

SHA512
0e6b4454698801233a5696f5e05416ae3165bc52a8271bf2c06bace4039d758573391e9c410cc4283095ea184342b407c9ecefcc2aca6d51c7e8197138ff904c

Download Submit
C:\Users\Admin\mGYsQEkk\tcksAcMg.exe
Filesize
200KB

MD5
5d40e103b3f42a5ccb7307be0b754698

SHA1
b8f933c8783bd57a8c3bd875ab2672d95a79a71b

SHA256
3e1130077b5ddb2667a8b3d1e818970025441e14466e4771746aac34068fb973

SHA512
eed8db3e73e83be40eaf6a896e52c08c78188706fe024675eb90c74e0ef6281397e72934396036bec25ca3f0c82153fefd570ccecd064ba0732839ed71c0f568

Download Submit
C:\Users\Admin\mGYsQEkk\tcksAcMg.inf
Filesize
4B

MD5
c5770068434a5bdf392f260fa60447fd

SHA1
67a2104257924bde1346651fca2a5dcc3c2be31a

SHA256
6ccf562f0ef451c3a20da731e89c119cf4bed0b6755b0c4657351b5e6846703d

SHA512
6a1ff1f4c88fbfc401109cf1999d37b9d21dcc58a37140f56bfc50fc8f0819b0fe9a3288114ba3e202170537796e1f5e97890b8bf37012ab9d9606c49af50d67

Download Submit
memory/428-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download