f3be1b2fa58fca1e478d18c992d3261566350f392bdd813eaa63f8265304e4c7

Analysis

max time kernel
150s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
Size

186KB
MD5

68671bda5a8af1e69521590614c39b61
SHA1

ee94523f75c634471eeb8481a5c0db64d27b18fa
SHA256

f3be1b2fa58fca1e478d18c992d3261566350f392bdd813eaa63f8265304e4c7
SHA512

47f7c6ebee835c06aa324a66bf740fb77b4d7a040d4cbc9a8ec916e1f9b01cdfc5f463943546bbb6f46285d73bfadee901912ca1302d02a0a0d7d55ea50abf5e
SSDEEP

3072:gRQcGe0ul4OJ2mzmlTGtas1Q1XPNQGKNl0XWq4/eU5XbM3cOpzs6l2+wRm4fkuZt:gRYe0Wx2Emlatas1Q1XPNQGKNl0XWq49

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qsAccgUI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	qsAccgUI.exe

Executes dropped EXE 2 IoCs

Processes:

qsAccgUI.exeNmoUEcgU.exe

pid process

3840 qsAccgUI.exe
3700 NmoUEcgU.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exeqsAccgUI.exeNmoUEcgU.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oOokkMkc.exe = "C:\\ProgramData\\sCQIAkgA\\oOokkMkc.exe"	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qsAccgUI.exe = "C:\\Users\\Admin\\gmEEUsAM\\qsAccgUI.exe"	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NmoUEcgU.exe = "C:\\ProgramData\\zosooQgk\\NmoUEcgU.exe"	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qsAccgUI.exe = "C:\\Users\\Admin\\gmEEUsAM\\qsAccgUI.exe"	qsAccgUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NmoUEcgU.exe = "C:\\ProgramData\\zosooQgk\\NmoUEcgU.exe"	NmoUEcgU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XQwQssUE.exe = "C:\\Users\\Admin\\ugsokQMc\\XQwQssUE.exe"	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2236 2836 WerFault.exe XQwQssUE.exe
3924 2496 WerFault.exe oOokkMkc.exe

pid	pid_target	process	target process
2236	2836	WerFault.exe	XQwQssUE.exe
3924	2496	WerFault.exe	oOokkMkc.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4912	reg.exe
2172	reg.exe
1680	reg.exe
4308	reg.exe
4932	reg.exe
1264
4356	reg.exe
3000	reg.exe
3168
4200
4592	reg.exe
3464	reg.exe
2788	reg.exe
5036	reg.exe
2852	reg.exe
3980	reg.exe
1364	reg.exe
916	reg.exe
4856	reg.exe
2228	reg.exe
3440	reg.exe
3792	reg.exe
4632	reg.exe
4440	reg.exe
3792	reg.exe
916	reg.exe
1940	reg.exe
1264	reg.exe
2124	reg.exe
680	reg.exe
2096	reg.exe
4932	reg.exe
3672	reg.exe
2800	reg.exe
5096	reg.exe
4144	reg.exe
3956	reg.exe
428	reg.exe
2112
2216	reg.exe
2368	reg.exe
4728
2032
464	reg.exe
3900	reg.exe
1388	reg.exe
4752	reg.exe
4716	reg.exe
992
3228
4488
4576
2380	reg.exe
3552	reg.exe
4476	reg.exe
2016	reg.exe
3048	reg.exe
2116	reg.exe
2136	reg.exe
1040	reg.exe
3928	reg.exe
1584	reg.exe
4792	reg.exe
4576	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe

pid	process
1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3668	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3668	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3668	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3668	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1556	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1556	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1556	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1556	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2872	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2872	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2872	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2872	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3464	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3464	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3464	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
3464	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1824	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1824	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1824	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1824	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2672	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2672	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2672	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2672	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
4924	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
4924	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
4924	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
4924	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2496	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2496	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2496	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
2496	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
816	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
816	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
816	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
816	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
5056	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
5056	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
5056	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
5056	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1612	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1612	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1612	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
1612	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
4208	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
4208	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
4208	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
4208	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qsAccgUI.exe

pid process

3840 qsAccgUI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

qsAccgUI.exe

pid	process
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe
3840	qsAccgUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.execmd.execmd.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.execmd.execmd.exe2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.execmd.exe

description	pid	process	target process
PID 1592 wrote to memory of 3840	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	qsAccgUI.exe
PID 1592 wrote to memory of 3840	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	qsAccgUI.exe
PID 1592 wrote to memory of 3840	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	qsAccgUI.exe
PID 1592 wrote to memory of 3700	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	NmoUEcgU.exe
PID 1592 wrote to memory of 3700	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	NmoUEcgU.exe
PID 1592 wrote to memory of 3700	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	NmoUEcgU.exe
PID 1592 wrote to memory of 3948	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 1592 wrote to memory of 3948	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 1592 wrote to memory of 3948	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 3948 wrote to memory of 428	3948	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 3948 wrote to memory of 428	3948	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 3948 wrote to memory of 428	3948	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 1592 wrote to memory of 2116	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 1592 wrote to memory of 2116	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 1592 wrote to memory of 2116	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 1592 wrote to memory of 4656	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 1592 wrote to memory of 4656	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 1592 wrote to memory of 4656	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 1592 wrote to memory of 4636	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 1592 wrote to memory of 4636	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 1592 wrote to memory of 4636	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 1592 wrote to memory of 4912	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 1592 wrote to memory of 4912	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 1592 wrote to memory of 4912	1592	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 4912 wrote to memory of 2972	4912	cmd.exe	cscript.exe
PID 4912 wrote to memory of 2972	4912	cmd.exe	cscript.exe
PID 4912 wrote to memory of 2972	4912	cmd.exe	cscript.exe
PID 428 wrote to memory of 1364	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 428 wrote to memory of 1364	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 428 wrote to memory of 1364	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 1364 wrote to memory of 3956	1364	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 1364 wrote to memory of 3956	1364	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 1364 wrote to memory of 3956	1364	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 428 wrote to memory of 212	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 428 wrote to memory of 212	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 428 wrote to memory of 212	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 428 wrote to memory of 4064	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 428 wrote to memory of 4064	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 428 wrote to memory of 4064	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 428 wrote to memory of 3564	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 428 wrote to memory of 3564	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 428 wrote to memory of 3564	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 428 wrote to memory of 3916	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 428 wrote to memory of 3916	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 428 wrote to memory of 3916	428	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 3916 wrote to memory of 4832	3916	cmd.exe	cscript.exe
PID 3916 wrote to memory of 4832	3916	cmd.exe	cscript.exe
PID 3916 wrote to memory of 4832	3916	cmd.exe	cscript.exe
PID 3956 wrote to memory of 1824	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 3956 wrote to memory of 1824	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 3956 wrote to memory of 1824	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe
PID 1824 wrote to memory of 2956	1824	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 1824 wrote to memory of 2956	1824	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 1824 wrote to memory of 2956	1824	cmd.exe	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
PID 3956 wrote to memory of 1584	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 3956 wrote to memory of 1584	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 3956 wrote to memory of 1584	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 3956 wrote to memory of 3080	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 3956 wrote to memory of 3080	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 3956 wrote to memory of 3080	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 3956 wrote to memory of 4356	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 3956 wrote to memory of 4356	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 3956 wrote to memory of 4356	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	reg.exe
PID 3956 wrote to memory of 4216	3956	2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\gmEEUsAM\qsAccgUI.exe
"C:\Users\Admin\gmEEUsAM\qsAccgUI.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3840

C:\ProgramData\zosooQgk\NmoUEcgU.exe
"C:\ProgramData\zosooQgk\NmoUEcgU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
8⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
10⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
12⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
14⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
16⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
18⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
20⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
22⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
24⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
26⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
28⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
30⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
32⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
33⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
34⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
35⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
36⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
37⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
38⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
39⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
40⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
41⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
42⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
43⤵
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
44⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
45⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
46⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
47⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
48⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
49⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
50⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
51⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
52⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
53⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
54⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
55⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
56⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
57⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
58⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
59⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
60⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
61⤵
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
62⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
63⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
64⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
65⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
66⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
67⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
68⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
69⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
70⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
71⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
72⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
73⤵
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
74⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
75⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
76⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
77⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
78⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
79⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
80⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
81⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
82⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
83⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
84⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
85⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
86⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
87⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
88⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
89⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
90⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
91⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
92⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
93⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
94⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
95⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
96⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
97⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
98⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
99⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
100⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
101⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
102⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
103⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
104⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
105⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
106⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
107⤵
PID:732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
108⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
109⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
110⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
111⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
112⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
113⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
114⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
115⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
116⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
117⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
118⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
119⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
120⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
121⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
122⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
123⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
124⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
125⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
126⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
127⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
128⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
129⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
130⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
131⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
132⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
133⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
134⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
135⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
136⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
137⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
138⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
139⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
140⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
141⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
142⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
143⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
144⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
145⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
146⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
147⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
148⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
149⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
150⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
151⤵
PID:3124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
152⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
153⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
154⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
155⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
156⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
157⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
158⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
159⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
160⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
161⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
162⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
163⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
164⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
165⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
166⤵
PID:4336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
167⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
168⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
169⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
170⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
171⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
172⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
173⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
174⤵
PID:2216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
175⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
176⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
177⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
178⤵
PID:1344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
179⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
180⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
181⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
182⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
183⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
184⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
185⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
186⤵
PID:3988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
187⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
188⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
189⤵
PID:312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
190⤵
PID:732

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
191⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
192⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
193⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
194⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
195⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
196⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
197⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
198⤵
PID:636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
199⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
200⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
201⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
202⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
203⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
204⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
205⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
206⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
207⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
208⤵
PID:1196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
209⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
210⤵
PID:1584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
211⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
212⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
213⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
214⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
215⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
216⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
217⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
218⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
219⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
220⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
221⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
222⤵
PID:4292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
223⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
224⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
225⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
226⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
227⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
228⤵
PID:3016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
229⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
230⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
231⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
232⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
233⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
234⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
235⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
236⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
237⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
238⤵
PID:2132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
239⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
240⤵
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
241⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
242⤵
PID:916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
243⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
244⤵
PID:972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
245⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
246⤵
PID:3160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
247⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
248⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
249⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
250⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
251⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
252⤵
PID:3092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
253⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
254⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
255⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
256⤵
PID:3712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
257⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
258⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
259⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
260⤵
PID:1544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
261⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
262⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
263⤵
- Adds Run key to start application
PID:4272

C:\Users\Admin\ugsokQMc\XQwQssUE.exe
"C:\Users\Admin\ugsokQMc\XQwQssUE.exe"
264⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 224
265⤵
- Program crash
PID:2236

C:\ProgramData\sCQIAkgA\oOokkMkc.exe
"C:\ProgramData\sCQIAkgA\oOokkMkc.exe"
264⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 224
265⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
264⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
265⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
266⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
267⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
268⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
269⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
270⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
271⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
272⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
273⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock"
274⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock
275⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
274⤵
PID:312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
272⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
272⤵
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
272⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngIEQcAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
272⤵
PID:4784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
273⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
270⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
270⤵
PID:5032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
271⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
270⤵
- UAC bypass
PID:4376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
271⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSIMcIEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
270⤵
PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
271⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
268⤵
- Modifies visibility of file extensions in Explorer
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
268⤵
PID:2100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
269⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
268⤵
- UAC bypass
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQYEIAIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
268⤵
PID:4196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
269⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
- UAC bypass
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUcUMcYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
266⤵
PID:3456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
267⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
- UAC bypass
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWEMYYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
264⤵
PID:4668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
265⤵
PID:1328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies registry key
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
- UAC bypass
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqcwYoww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
262⤵
PID:2640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
- Modifies visibility of file extensions in Explorer
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
- Modifies registry key
PID:4576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
PID:2788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dswYIEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
260⤵
PID:220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- Modifies registry key
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgIscIwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
258⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMwAogAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
256⤵
PID:2192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:4736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies registry key
PID:3048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
- Modifies registry key
PID:2016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IicoAsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
254⤵
PID:552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies visibility of file extensions in Explorer
PID:3528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- Modifies registry key
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SawYEMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
252⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:3536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGsEkAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
250⤵
PID:1328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWwQoUIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
248⤵
PID:4736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:4552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYQYkgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
246⤵
PID:4708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
- Modifies registry key
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKosIkQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
244⤵
PID:4200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puUEcoMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
242⤵
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- Modifies registry key
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgsIYYQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
240⤵
PID:1856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies registry key
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysoccckQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
238⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAccgoIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
236⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies registry key
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKgYwMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
234⤵
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:4100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:2956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:4340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOQMMgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
232⤵
PID:3724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:4192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYMkkwMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
230⤵
PID:1348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAcAsIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
228⤵
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:4452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
- Modifies registry key
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:2236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akEcYoUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
226⤵
PID:3712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
- Modifies registry key
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQkYookE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
224⤵
PID:4412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:1852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeYIckEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
222⤵
PID:4660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIQgsUYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
220⤵
PID:5040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
- Modifies registry key
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:3360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWYcEEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
218⤵
PID:4340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:1424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAcUwAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
216⤵
PID:3492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:4636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
- Modifies registry key
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwIwUUMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
214⤵
PID:4272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faUkwcgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
212⤵
PID:4152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:2192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- Modifies registry key
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaAIYwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
210⤵
PID:3688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:4408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYQEwcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
208⤵
PID:512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMUUcUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
206⤵
PID:1328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:4004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUcQAIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
204⤵
PID:4292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:3000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEYkYIMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
202⤵
PID:3484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuIAEAcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
200⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:3704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYMYEAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
198⤵
PID:3104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icgsEQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
196⤵
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQwQMYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
194⤵
PID:4460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
- Modifies registry key
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- Modifies registry key
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQMMwIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
192⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- Modifies registry key
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyYYwMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
190⤵
PID:3000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noIUoAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
188⤵
PID:4856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:4708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAEcAMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
186⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEEAMwcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
184⤵
PID:3648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIMwAcUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
182⤵
PID:4552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- Modifies registry key
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euEAoYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
180⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies registry key
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:3980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOwQUsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
178⤵
PID:2124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:5076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMEwQEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
176⤵
PID:4460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- Modifies registry key
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HasYwkgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
174⤵
PID:3928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:1348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQokwMEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
172⤵
PID:5076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKsIscYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
170⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMgEQAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
168⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOYQIUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
166⤵
PID:3900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies registry key
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOQcoUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
164⤵
PID:3080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:4576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NakcQsQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
162⤵
PID:2836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkwkIIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
160⤵
PID:3928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSoUYUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
158⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ResYYwYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
156⤵
PID:3520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uykUsUos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
154⤵
PID:4716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywYIUEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
152⤵
PID:4412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- Modifies registry key
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaAMEUUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
150⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- Modifies registry key
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsMQIgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
148⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NesUcMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
146⤵
PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DygUwUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
144⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKYskUQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
142⤵
PID:452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies registry key
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCcsUMwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
140⤵
PID:4656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOIkwskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
138⤵
PID:4892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiUcsUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
136⤵
PID:4004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
- Modifies registry key
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGEIEUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
134⤵
PID:4504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYYkskoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
132⤵
PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkcQQgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
130⤵
PID:4196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKgIocwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
128⤵
PID:3816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEIgUYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
126⤵
PID:3104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsQkUQQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
124⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
- Modifies registry key
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKggkMQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
122⤵
PID:3284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yicIQwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
120⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKAsYcUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
118⤵
PID:4100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqgYAkgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
116⤵
PID:4144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies registry key
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGcwscoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
114⤵
PID:4504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqIsggsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
112⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWUscwQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
110⤵
PID:5020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AysEgIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
108⤵
PID:3308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmkkEYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
106⤵
PID:4924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgkwAwww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
104⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:3792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUIoosoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
102⤵
PID:3080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEEkMkQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
100⤵
PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- Modifies registry key
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgYMEskw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
98⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmUwwgIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
96⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWsMAEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
94⤵
PID:4648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCYMEEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
92⤵
PID:3640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMYgwIMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
90⤵
PID:4308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMEwowIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
88⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIEwksAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
86⤵
PID:4544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAcAQsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
84⤵
PID:2552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies registry key
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGsIksEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
82⤵
PID:3552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKssoYUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
80⤵
PID:4656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyAoAQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
78⤵
PID:1424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcIAAMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
76⤵
PID:4668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgwkMQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
74⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies registry key
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUwAIUUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
72⤵
PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgUIwoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
70⤵
PID:4752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOQUAUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
68⤵
PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyosAwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
66⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWokQogs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
64⤵
PID:4648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiAwYkow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
62⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGcIwQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
60⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGkYMYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
58⤵
PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- Modifies registry key
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCUoYAoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
56⤵
PID:2096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiYcYIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
54⤵
PID:3000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYQQosck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
52⤵
PID:1196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEckUoAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
50⤵
PID:3080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- Modifies registry key
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEggQYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
48⤵
PID:3264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeoMkwQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
46⤵
PID:1696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSUcUEwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
44⤵
PID:1048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- Modifies registry key
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIUwMMcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
42⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYwQEEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
40⤵
PID:2872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies registry key
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgYwAcIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
38⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyMcIAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
36⤵
PID:3672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:3816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EakMsoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
34⤵
PID:3200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkcMoIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
32⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieEkQYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
30⤵
PID:5032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMcYYkww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
28⤵
PID:1556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuMkUAEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
26⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQwAQQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
24⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCMAIMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
22⤵
PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUMMsksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
20⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWAMsQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
18⤵
PID:4448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsoMUcYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
16⤵
PID:3316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
PID:4316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGQEgwYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
14⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWoEcgck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
12⤵
PID:3188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUUYsAsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
10⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYwQAksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
8⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISEQYowE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
6⤵
PID:4216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsokQEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMcMUEQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1680

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2836 -ip 2836
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2496 -ip 2496
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
230KB

MD5
5b63e615d8782dcf1d12b1502af54c58

SHA1
bd0a701fe43f2e5c94127737e1643f49b4d8ca58

SHA256
c1a48cecd547490c34f3d76e8521e035f0f75267a3e6905928c38c91dfb8a53d

SHA512
55048061f652eae2d7486c4fa86a81a9e9b4fca7481a95b2da266e306dacb77bd8f6c601dd43f658d5fda72dfde027ac6ececb7276e0f38ac058a78e977add51

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
218KB

MD5
33e81ba71236555184be7118c4dcf8cb

SHA1
525628416ca9a72bba042842b7ccb25ab4d3482a

SHA256
7acce902cd7e8d42dc8ae85ca1cf4d7283ff3c0a491aa1468127296b75e3feec

SHA512
ac306d4acec751c6a9480f852bea3196a308127d0574352cf30324f6676d815d9bd91e3fb76977b04cf61acb91cdc1d0f663eed2a30db0878baa26433e7b2f1b

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
640KB

MD5
2844d4562192303f726e95da98251396

SHA1
aebf1800873039e35098fd7a6a0af472eed6798d

SHA256
a8555f6ccb833f183485870eb6159ee935c026f43025a7523330a8a77c537a16

SHA512
ce8e1fe78de65f0c35f61679f32e74f560fe685c19218efb856a919c9faad6471b2edd0eb19a9875dea7d96ef2a19e46173277039c5329e6170fa0ea8b90f716

Download Submit
C:\ProgramData\zosooQgk\NmoUEcgU.exe

Filesize
199KB

MD5
47159b5a652d3d409c2b66345becd60e

SHA1
b0d5e3256c7d9066564672eeb1c91abbd8b12396

SHA256
2ad71ef5520f6a6826190fcf873e962a3b55593cb884785ed65d1e5933c8d73f

SHA512
c2f531a3f76e7bd97ec4a759fb59443336a36f0ef992f32b95dfa282d18e8c6541b1c4195d53929d75e4df03bfbce87aeaab80b31b834ddc3bf9b5b2ad2e01d9

Download Submit
C:\ProgramData\zosooQgk\NmoUEcgU.inf

Filesize
4B

MD5
21e0a8f25ea0707068ffd0930691bfc2

SHA1
b3a0d5d57a6c55ccf7178cdfbe311cdc9a201faa

SHA256
aafd6f70f259bec34b2e0ec916886e45b8fba2ab9cedfe316ee8097ea0fe049a

SHA512
d8cbebf4d24448be6ad7c481360d8397658c7b31325c65a6a1712d093cc5e64b78d8502cf34035c6a1ffa0e667746077751548171a4aa9f1bf431e1a8e8a74c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

Filesize
222KB

MD5
8be47843eec618fda9f8463db1b18789

SHA1
b047ecde22c40f58d20aeb63fe828d60e34c2308

SHA256
92f4e3dd677669ce1e96a6145c6ff26c653a4936de440e08e8881e5759e03fa7

SHA512
fc8ecb936313b44264e267d76af3a2c373d947dbafa4f12425b361ea959a193bb3636b1105c9a26792987042c09227e64143cf481c73cb62e9479167914a0c35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
200KB

MD5
d8a668f5cb625f3661c96ed8260e4da9

SHA1
ad0e30b84ddea4a44ee1561fb5e4bce73f98c1e6

SHA256
88bdd6704d02fd14d363f4ca62581396e3af919ae42b3b72934526039d23eb99

SHA512
2237259b187c3111707cde6bc15b28a70a1e267ee3de2e7120ad7cd64e6b8e3d05b7e4342628f1e24e903ecf4b0a9e54090d0e3accab4075bcdee6a3636be133

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

Filesize
190KB

MD5
90f57820eaef88576a79be78a641ebc5

SHA1
f223975c21a83bc6275f6bdcbc23cf92a1cef72b

SHA256
45aeb845868fa69453256c84e734b3f9a747d226c9ef47d1ca08a56c12b5d1ce

SHA512
5d6c9016abcc531bd607b977a516a4f8d430f27e4211bd523a2220b8980d44116a7cbf0802b6b6c0eba37192a73d229ac8fe6426a29ffc4131fe86ba12f52237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.8MB

MD5
f674dd4828c2529728446d07e2e49a0b

SHA1
43158087991529e9a1ce76a7ce7cd3be72070222

SHA256
b3b443abf01b0a20c53fd86039d375c76337168dcd420913ea1f7f26d602679f

SHA512
f75c2f40a5b1df55c44f9b7fd9b7e1322cc5e1f6ee7231e94884be69d7b22d62cc95aef33799b3bea428229a2c72aeffc52f66afce41ff5eb58c81273df444cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-28_68671bda5a8af1e69521590614c39b61_virlock

Filesize
2KB

MD5
598ea3255fb276209072332552903ed8

SHA1
ccd234d34d488634569a4064a65d643e070e80ed

SHA256
fbe10c0c7d282e3136341735aa4a5716f2c32133828bca64f700c572d7492550

SHA512
3b80198ff6bbf9146d1f942d37ab3b1a01edcf634c89e4abeb36c29d7a80afb45f3e30d72ca3246f066c62fa1cac9ea6c3c9627ce5ccd4ca655516c0414632a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYcw.exe

Filesize
185KB

MD5
eb8c1f00e639b01536a80ea672031a2c

SHA1
869805340be5050db63a51255aba393f6c285391

SHA256
3d529c32240054405da38bcf07fd2442775850fbc207653265bb8f2ceffbc583

SHA512
ecbd18724619b51bfb4d3fc93d946ae82ae96a607542cc9dd4aec4c7dfc692e560f429471f32cbacc733aa94ffdb8bb88f456fb8875c1442bbbed1f5b0a805b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAC.exe

Filesize
605KB

MD5
57b9b59301f1fabf6a8a6bb1521d5aae

SHA1
dad55ed46f8fa3ed91b4a1e153e5ab67e12fda3f

SHA256
795c10e86bc60a91c9131aaa219e9aa32dee0fec3d1cd06dc80ee424cad8261e

SHA512
90d445d0e4bd1242a147f4391fd9ba1b7a1714a9b9e367bdb535ab80b1b76b9a7c7840abc13030a8efb33acf76971dcba49851ac6cd63b4060d14baf901c382e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwcE.exe

Filesize
184KB

MD5
7d5adc7c74af0251be574385297c4d47

SHA1
339f7b64b4ef762ec97bc67c661ad5e178fa2246

SHA256
1dcc2672f94c7dc766cb3b5e6a6ed2f5996c23c5169b3a8c956bccd45d169bea

SHA512
1b1b8ac51019743f5367d329d8c72dd45b9075d5d9c173bf2a46198a93e95a3b6564045f30e9106562a9991d51d4deced19f81c106c28d386fac25127bcbec11

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMcMUEQY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAUe.exe

Filesize
808KB

MD5
cf1979c3ca53d7dc167682db30d5f27b

SHA1
0e75d7bc8d942588d8b548df4da6b50db9343da9

SHA256
e47ee269f4254785aa25b99d104a46f5373de08a749437ba93dd3d4e2c430807

SHA512
40531aa13675e293630d1909641327b385847330b62ce97e89b566b1344b1eb3c990f06c8a68d6b82d6576435dd44421209940c935199088f283eddca969edef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoAQ.exe

Filesize
192KB

MD5
8354eb6ffbd75a59c7d3fd51e35a47bb

SHA1
a8033ef48e1c2dfbf0b222e2def6b96877c488ce

SHA256
844d03553df06ca0e959b9a977de6b903bba5053edd191a175f6994926801fc8

SHA512
aa6a510e22aa5c13fc354cc9a46ded8559d0a8984bd7aed34ef876d8d9f2402af3e452ae9a2af16e2aecca8863dbbb9ee3a06b677f464369f2ad457109210d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEsW.exe

Filesize
205KB

MD5
45fa69418b3f6835c51607ff584b2990

SHA1
052785eb1f6792091a4fb6dba8e3b20e05644394

SHA256
d8470d77547b81b888bbec746e446b849f3c775d6f2aac09245f1c84336edaea

SHA512
1be76fe664d88c6a1bac77dd8a2a9476962909329b98e550eaa7ccc427d0216e0ee69b2a69c982b8e628a555f4d8b8c197b1d6a44e17eca9902b139db6a484e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkYI.exe

Filesize
208KB

MD5
7ce67fca8549e9d10242fb2c1c1cd686

SHA1
72523875248ba79606b35ced18d7c3377d200b96

SHA256
bc61da4a8cfa1c0caaa27ce78d5e799642c6dd54df26908f0c26279f1f60e783

SHA512
699df2d611b4bb83155e8af557df96f8f04e6f60b188037294ede381056fde14c4f63f4eb251f9c91070ffeace1e620ca44db5374af75649d50a2d7144c7e915

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoYs.exe

Filesize
235KB

MD5
43887bc45e9cda5a06bfa14a3489b0fb

SHA1
d1281df859cf24b686e3d75c4e79aa7035c5f27e

SHA256
76b780a06f0d655e3025139cfc9aea5d9d98079a1d32de76418d2055e41420f5

SHA512
1d4d2630a1395e125427c2d97f3b597d4a70866c9ace319a6055da7730923ac7c846255423e905937cd7bd3b7161dfbd3eff97a2700200c8cd3e0a127b81a9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEMw.exe

Filesize
189KB

MD5
a5d37dacb0c3a784eb239ef387ce3e3c

SHA1
ce49b1959d830ea719dc021cbc8382815054e2c2

SHA256
a40283a4ee7ec167fcbaa6b33a7885eafe7b681d413f42893f8cebb46ee120c1

SHA512
380ac4b7d9c093e6b24e5e966517fcb747c788846cc5cd0fc00a4c957a55fd023bbc514d6e7ad26b29aff70c1883c27a4bcf2fe86ce701fbaafcbcf8f6dbfb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUoC.exe

Filesize
645KB

MD5
128530f51025eb9f1b5f0cf7b8ee66e1

SHA1
852c9b8d010094f2ea34236a4852bf7254ad5a1c

SHA256
b85a56232abd3cb362d67d5fb1a736d5fe19baa8d0c26a397cc22278b4f989d8

SHA512
9ce4db71fa32a0c2115135a781d90344e4f64da4b10e1874182b668e4a99b4c97210b90833dbe655e03c0362f26088e076b13b6b6fafa15cc315b21f27261419

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcga.exe

Filesize
208KB

MD5
6f3588ae00853e168f314e1017def659

SHA1
9152a57269969a259234fb0e68ca924d01da0467

SHA256
ad4204369db0a262e070dfae63b58371057749945e239f80a7adcaa4077f7e59

SHA512
e123de294eaf2189b996961f28062a7c938321b592467d06ad4a3ff4f29a7adaafa3ed9b452469e006fd8abd594a4cea4e5d24fd46215df4e4f8824827e8db4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoQS.exe

Filesize
211KB

MD5
66f2e12027c9a5c247d3e3052ed834bc

SHA1
0191ee1be3da85c49c41a15f2397f65f71fd138f

SHA256
6c9f199de548cd657050a6c67cb58c88a56ef639891770761583b3ccf3461571

SHA512
49a0d7b3c1c143bedd1dcca39c78d86a3dd4ef0a5eaca3277c4e67478dc07fd05864cc01c87af8a54848471f84a16e12d11e3d5683e19b49791b274679d97219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAsS.exe

Filesize
210KB

MD5
cf2462af348a32cd9d41ffc2efc5be77

SHA1
965a7836469f87abcea3f374b3c0539d84f91697

SHA256
4ad9e17458fa6a228df7b15089928065a86dcfa30b6eb9fe2b283ae1869695cd

SHA512
f1f0d0f707fc27d52b66fbcad1f9c76f689c84a5400c27da47337b231b8f91ea4035ec8437b94c63af8dff3b7d3619d59ee11a1d61250b597a8dfb94d1a090bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYkG.exe

Filesize
181KB

MD5
f8d63f8e1c7f7bbcff2f1a0e8e9c7155

SHA1
f37f226d052f137df1301c2b3b1cdcce3e18e9e5

SHA256
d58f0d112c1dfaf7f64cb387d847e5aacd234764a0cd4fa485582f47c710ac7b

SHA512
e5d0f2821c878c6d0e7a857fb9327861e0ea681074c075752b5a51b515bb63d6b6ee296db244ca4c941076fae63bfe758050d9c906860c24db950f90637675f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYwk.exe

Filesize
829KB

MD5
f31035859317a62a66283dc9956eced7

SHA1
214992064b41b380d912beac88fd4b7fb830ca52

SHA256
b8cb05228c84d17a9be99e0839bcdccb68e8d563878b94de7b42280ae2662e4d

SHA512
6d0948bd0ac19597d7219d33734452da1846eab29cc2dc0601f956c8e31f40e9896ca743d6986457b52c80bfc5d958e9f2235bd21aae6f0b90dd2ef33df9f7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icgw.exe

Filesize
197KB

MD5
2de592c41eca259378155752169c4fae

SHA1
093a5aa458a6b71350a7519093b87a76d8477e2d

SHA256
1383424ed0a91909cbfff9bbe6a7e471cbc2bfc325e4dee68c0beb14511179a7

SHA512
1e08e7416e913d6721e7c4b61b24252ced08a041bd21dc3b6c16eb7daa2bf4f9f2d072f12848dc790ca53a922fc933ec39b9c2d75c921f1ca9e4307c9236abbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAgU.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEYe.exe

Filesize
706KB

MD5
331e2f47bf03d3d6b2e88ac3a5c91654

SHA1
d6d48508bea23503268783b77bf9d2e8c58b6f56

SHA256
a36cfdb4c8174cf16cdb1cf6b649f3e24b9224b0fa57bfe6761d2b6f782b5415

SHA512
64362f10c0d638b93c61601e586a9a28c143d54215fcae0c650e79694de422bd22fafb6e2aead949d7da67c1d695996b30bb76110f3bd9b466f1fde861ee8e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\McIW.exe

Filesize
637KB

MD5
f3d5e15c7ec1ffe7e67d18056ca0d237

SHA1
40e58708abae0b20b1e6adea463c1e687085f3b5

SHA256
373c63355e9a82ac5232f2e6325e7e14f755206d1c3ff91064e8a12103e8b375

SHA512
665d177b19018abc761bc464b1718fc4b6892a3fbda4ac684952ccf5cbd5d5c7b2ad1e4d2b6f50f70c7ddc88fb1bd82aeab14f6c576f09f5062b91d992807006

Download Submit
C:\Users\Admin\AppData\Local\Temp\McIk.exe

Filesize
185KB

MD5
6d9d2ec5fa1a1b82955c7fa74dbb5934

SHA1
55fc2c35698754f7e52400ab7de5bb3743985381

SHA256
89625effa4545e6ebbdbc93fc2eeaea0aba3a2f3b0b61b233419cae421e853ae

SHA512
df9521c3e2fc71f0e249843b2a0124321852f64bc4073919d2d29caf740e18ffaa64fe617574fd69e9754d83e85ac1c3dd5bd1a7b6ef8b7a0b2519606a607a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\McsY.exe

Filesize
321KB

MD5
cef9628fabd5afa11f396f30bd46d6c1

SHA1
4b86eb8e1513b195f1d7c6e7764c0f9e851c0818

SHA256
54a62f6c167b10ac179078c2fdc60500e7835b9a749e142ff460b6cacc57d007

SHA512
65ebc8c37817d7ca6f1a0028a9503e070ee52608dbb732e280dc5197c4b3957fda010e919b2c9ad628029488dcfcffe6e3e0d67b90bb84765e78fb7420837607

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkYS.exe

Filesize
203KB

MD5
5765b8c3fded1308ccb3b2a099a16cda

SHA1
03de1b25c8f585f69f3a50d8e684371f82d47df7

SHA256
36aa9db5754b8d2bea4d1fc9736f9fbedba0fcff68f7ee34dc3ae6ced85df1d1

SHA512
c349151f984a70a4c02bcdc013209b61663843f87727a41b71447793b52fe7906176a0b627a3be1dbf4a867d41979be58f2190b6889a54a3aaf0ba753e7080b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwMm.exe

Filesize
196KB

MD5
b6a4e86591cbf0fc16bdbb6a8963e492

SHA1
628fa4739fb826e99cd9818336ed1ce757aeb5e5

SHA256
3c37bc9d255ff509e51eb6cd9362c123229b05d9e27be729d3102201c15f9c68

SHA512
583a94b7bce316f864e86162f196f2d03b10c42972da29756853b1e1a854db47556757a6df0cdb8fcfd20a6474d01d90d949d1c10c816bab8565c74f9fb9b8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkgY.exe

Filesize
205KB

MD5
5442c4375d4717bd4ae361b7dd2cb592

SHA1
973c29c9c569e423c1c9c3d548b52c466caf9e7e

SHA256
bd6916936247200d69915c27070226b6fb696a276e861af0f7dd31f6ac86d913

SHA512
45a0a32cf2f70eb14a91db172794c8798b020e6d995740c3307e2de69463dc2725a8490816324cd9ea61ec4208ff1002f4bd6ef7d0b6b1a6250d12cf7412a0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAIO.exe

Filesize
644KB

MD5
407c700f9e2fbef2a88d8cec23ee8af7

SHA1
0cd4a0a2024fb8b79795bd4b5cd81f1246a1edb5

SHA256
d7a520c5450487ac002e64c6627d6213a3486837deffbb9b1cb1f116b347daac

SHA512
cb10de93044db4ac13562182d8feb957c083e95ed75b2538ecdf44477ea6d79109a789fbd830bbe5eb980e858ee8e69eab27711617b8640e33efe559a1041cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEkU.exe

Filesize
226KB

MD5
d0286b2984795129896059d90cc484c8

SHA1
91031f4ba4b30ed5fd49ebf366badb1f57ef88e7

SHA256
e85bacf7776967581b74d6c393bd4badfbab1e3a7703e78b54d630e2c6ed7b1d

SHA512
cba7398d18c190b98d93064ecedbd4d51105a0165f7e979850aec739ee4c75a5b93014f54cde1e79b6c7650ef7e94fbb944a269c02006f7b87a46779f3f3c8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMEG.exe

Filesize
1.4MB

MD5
db6b287b5e7a35f8b7ae49ebeb10b1c9

SHA1
3106a9db96382848ab3bc902e6d01dac10ec4aee

SHA256
1d4d2123a37ec95559d3f341a7ede3b7c2ccad26b682f8f0d5e7a78fc1a159d1

SHA512
62722933dd6dc0cd740abe7cb75de6ce86a5109d24358179e87db1e3674a21156a99f634e72423074051c1545444dda87e87fd836da4f85f016990a6a93f9cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcAc.exe

Filesize
792KB

MD5
c9bdc05d651af45fae211b02d7c46bb7

SHA1
4de260db1c08bc9eee61f14d7dd3d475c2077257

SHA256
daf7640bb8a3845d5e1874cf6302fc27b8464e007fac3db80112d2dc79729d73

SHA512
e215d8da3b584d6d0fc2b0d6051989f85649e1d737a35fa537d3cd00a80c9efc78529f60971740b08f4c48a934c536a2a3e4ee966a2e87ecafecece622bc739a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEUu.exe

Filesize
204KB

MD5
e9598fd872f60533094eb0a65034184e

SHA1
343bfbe138f605959b34b210ab3e90cebc6dbc5e

SHA256
3a51d0f1aa391ea64de318d65ebaa0ed71c942f050488bda6cb4b47848120b3d

SHA512
a5e3c871c3af1e69bb36e83f99c1add16c7c621e3d76bc1e41917664721bd2795112ab328b3abc72cee2d12747cc2f9f92c0e8e3e25bb005f3d6cec89f9275c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEq.exe

Filesize
190KB

MD5
5ace76d34989a836384e28a818ac6526

SHA1
33b4433e13e328dd50479298c503280f8cf5d9d2

SHA256
7ee37419b3e8788c6d26efeb458235080d6f68f394c8c919d1df82c2e20bfb55

SHA512
2a8a96c569fb57c481aed1d4a9a195739a230688d2deab65f34d4e98448ea7dfaab9714babf9a78a2d479c6bbee7b7dbd94a35cdd7e94360151804e03eac6fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgoA.exe

Filesize
196KB

MD5
cfae896e04f3a3c480f1616be3aa9dd1

SHA1
45b44795005cab9c83846dc62323df853de1e4b8

SHA256
041bcdf087823014e1935530447a3bcc3b95c19687ed8f7b49c7dc1989b02c0b

SHA512
e93bd96f8d234fe424759629365b8fe9c9541da90e4ade861ecfbd97115fa6dff9f96fe6a1a96f1ce433bce84e8baddd03dd305b1d63b973008cd704f3e218aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ssgk.exe

Filesize
211KB

MD5
7d00e35b67733af270c4ac753604236d

SHA1
109641a109abc8ec3ea5878e876c7becf5ef99a0

SHA256
605866f2b45dbb40461af0c9be38ca16ef77390295d18f23317b2b989daa72dd

SHA512
e717d7ef0fe3e8a929b1258bcb9e7c6280fa9459e5844fef1bf540d953ca3949d1a568b806109bdb3982a9030bbc6dba6361226bb474f5b2fba1fc9dd23a19d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SssG.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEoe.exe

Filesize
317KB

MD5
68a3462b9358f0d5e36335d14885de63

SHA1
dc9d94761afc506b9b70487bd818f78713d3286b

SHA256
e04fbeaba2ce914d4663d83e2d14209e0bd9130d5dfa1065b719f76c84f12969

SHA512
60f92c6e0c6fb83e13f99d9d48d0c9fea0f1d93df701f2e4178332c7c677b4909c7279321f11ba83fec9f86031df489b4af93c8aea2894e2aec50abbb8f2bfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIka.exe

Filesize
261KB

MD5
b1dcda4659870c4d6f22a5d57676b953

SHA1
b960969c58776899893d04ac2457216f7393e671

SHA256
0f961e53bf55fe62bb240d4db0c8716ef71477abcc38253f3e02e7864a66391d

SHA512
e8b88c15d447d6f8eb9aaa0e7a80fc812a8a98cc10f1151b500ca48801511091ee4b1f1fea7e1341147137f14f8db40d42bf7ffe49d6e2ae28c8016b4a61eaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMks.exe

Filesize
206KB

MD5
d59d4680c8c735ffc4ffddcfb4ace8d3

SHA1
35add844921f343ab11ef02c4883ba5f95a8bcdc

SHA256
76f016a185fc96afdaea055831a653a4991d1c373bf17c347c642f83cc1165d7

SHA512
7fbc092aa1bad0e3ec25788278d8f0b6b07552af8547bf38c465fe86548b6c103681def11df98dccef3a852956850f98309744851b9e64fa8eeb9086e83ad12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUkk.exe

Filesize
580KB

MD5
2be88959660aa1e7ab625a9604993a40

SHA1
40e7b69afc00450fefa4450432563f0a2aaecf8e

SHA256
04a90135ca432839bc76ccf0fdf4df0032ed790eee8e62f98f7d3db5ced59f0c

SHA512
0e9fc31cbf3cc29725a6ab581466ca4d32636c901bc3789647f2c4d8e11149a5e60410b22483fe63f10407ca1dbdcdea44f4d453d858654adcd244e9b85f1bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgsK.exe

Filesize
230KB

MD5
a8448453a0e12e7f8115f2a6c53af876

SHA1
b41c1e64f7028090ea9383e1d82e6f1544e3176b

SHA256
6e67fc9b1ea46b8dcb0e96167cffd8707d6b8ac8affebcf04aa62ab70df07cf9

SHA512
4511758494dac654cd266e0f0cf29bead698d6e6e1310b9c455b274541edf9f69d9fd53666572ce60cbedb9c26906232ddc852d3020cab15729c296241efcd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkYE.exe

Filesize
200KB

MD5
c85af6dca89df399b97118a5b653ae70

SHA1
0c60f106d6a350c1a7655075753120c0781c63c7

SHA256
0c1c8ab649b42d8ed131009bd39167e4432ce6e919db23c39561987be3853dec

SHA512
84131d2d425b865e95254757120a8b0445f9c5948372aa7d095bd339670392f6eb8966cebb1bb17d139dd637dce7b154aedeb6ab4838b398f1f707df41e77e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwcI.exe

Filesize
409KB

MD5
b2b384ff8ad50b009d560cfe1d4bcbf3

SHA1
11d60c1eaaf0ca5b1d3b908f80d70a190b9e5670

SHA256
41e9051a0341d139d03328a5948061c82317331c6e75102f4284844c1c671941

SHA512
519fb4f181b7d4b35d232445a2c6b00484e6415a0ca723d68eb41690b860cb0ee9c0d800641ea65df86bd6a65589ee975570072d57f7a4e23d275b3cdc5c7e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwoe.exe

Filesize
194KB

MD5
6d69a1c1826d20ccbda04055e3bfdffc

SHA1
8107c37ac77e5aeebd2d59af53378d23cb2e07bb

SHA256
b6187722c904e25aacfd0a77a3004f337c8c3f3dbbbeae4680285bbf51ec69db

SHA512
b1e8b4fbb9d9ca096fbff58060aa08f02aeed313a740101d14d2344f1df5ca676c365d88f9f8c41fa1352fdc23afbfbb5d60663a000545c04805d411ef997901

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMIy.exe

Filesize
189KB

MD5
7eb525401605da38ccedae786a0deff9

SHA1
84c58a289f9231a3aea190aa6935838cade52c28

SHA256
785a755ebd4c537cf51eab84327e13999d9db7a2032c2f2c81bd6bce0d246ccf

SHA512
2d55bdc9b59113d74c38be1e06a4b80aa73e7a8ba5ea25b4896a17d2fc67a3d7df705cad8f35fdc4cb95ac09bfc4e7e7ae5fc5f8e7159b063142a2dda16a6e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoMK.exe

Filesize
1.6MB

MD5
701ebc40cd2c1a32c3e864cf5902264c

SHA1
618804388918cd467099e096c8fca836f9c9332c

SHA256
a5b207e332350d4065e5c4c0c51be0d5a62d521820e824226765435c0c6b9694

SHA512
346f91821cc39d04f51656264634cfec54df82e91ed04924a43e67663302135487a259627e775f8cc9c028aa190cc9d0f20c67f6aeb37010597316ed0b109a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUkM.exe

Filesize
187KB

MD5
93a64b02776fd81c6bc0a268b451f7cb

SHA1
713b67532e3051a86eaa0e4178d384caa489c3d1

SHA256
bddd2bb33122fcbde4dd15571c0abb9df0e99766cd06e0861dcc8df00bcc6272

SHA512
fec3dac99604da349baf609d6f7df36e01976181f3b9a4329e9c4e6d0859d7912462057270a9d9dc1a2d70f676714f14affcd308dbfa71090acf5f78194ef428

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYIi.exe

Filesize
194KB

MD5
a163814e569b70ce109c015da8d76c6c

SHA1
717dd1dab1edf18f6a6a25bec779264fe1d024f4

SHA256
dd7875204bfc687071592eb13fea5b82eaef39860d845bd9a5005e13dc76dac6

SHA512
fb8f071c8724c235e1d855f2aee5b905302365a61b90f8030610127a89c5fe2d04b862c099f4292058aa5726ea25ea6fdab174e106c70934dac8ab73cbfb6597

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUUQ.exe

Filesize
427KB

MD5
b201a2475196de931a6b79814ba98bf2

SHA1
e395d36fb16a7b36b86268d699db37edbc58d619

SHA256
65818285a2f4ca88f0c65389b785ef5a1ae1c5258b06df893094d7870292efc5

SHA512
137205742b84316adec07e47f74dacf4d18ebaf827ebc42a638d1b67b3c41b3fddbdcec18ec0407b34362600ea704d2934268ebf7b722b606a356c80785129d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUgC.exe

Filesize
189KB

MD5
94757de81cae47f9a26a40ac407c52d7

SHA1
99745df0e7d11a335fbb7c41bd918c3913b5d976

SHA256
ee47b696bf581a59c1c82ae19ece5623e002fa142c44b314dd95a22e615ffd38

SHA512
36f3f73a8bb45ed3c7c3f9b560a68b798b73b4385dc24cd2b447070f7c026f492db64ed2771d457afad0ade53ff68b920d17cadac7ed1d225f8e87c38d74bc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUku.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYEi.exe

Filesize
631KB

MD5
375a52d222d19711c55a3ceab4a3537b

SHA1
1b123dd8fd23925c354f8ee95327b8de140e2ea8

SHA256
64e3d1c0f49990724f882d41da77081a8a2560a2bedc98f7064df81e90e16b00

SHA512
910ca2197964c128260a38098f402f95064a99c52e5867b04dd896f2d3e6dc25c85eb217ed28a0f06889afeb47918941b02ead8cf265ad5c7a4685cd8bfb14d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\awYs.exe

Filesize
721KB

MD5
88581696c4e717016a60f3ef5d6676ef

SHA1
2e2b07875996d28006f33626b97466da29e68e90

SHA256
6c711453d11f0bcc69fb668d779e6905a2fcde02ed5946bf84347de95de03ffe

SHA512
0fffdffb13feec1cbd659fb9955571f5949fdad2a5693c41082a4068756d5a21a2c473f7b1d30f1a8e56ed02bcddf50e079149f721e99a9f28635837d1343465

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAIa.exe

Filesize
237KB

MD5
b223e3428d5485a790199a032782a7de

SHA1
3ffa8b2916c48b2fffda8ac7ec7a762023c4d0cd

SHA256
56475c61018c742f92cbe73d6ea62d6c3fb8b8f9571648f5670578aec3a49b2b

SHA512
ab8c18e0c4cfda4f15f8315b2a01e80e0c9ccfb155d1db57b55901732136cee84a2a100365bdccd963edcf9105f33e4560d322ad364c3fd4a516dc41f1e5ec0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEYI.exe

Filesize
208KB

MD5
984ab7943bb6f63f84804c6944e0322d

SHA1
9d85e271458fcb03f98757235e3d1ceb3131704f

SHA256
1e1857a99b78abb6e59f0e8c012e3727108238e9ed401095e5c21471c062e388

SHA512
09dc189e086b5f97837f2131ca5519ad28e48d5798d6dc4ad4bf31a1b15759ba4132d91350bde070a47d6aff7c6f2f6dc4189dd46a56a30ad71f294264606d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQco.exe

Filesize
206KB

MD5
27812d765a383fd1b354863dcf4d538c

SHA1
af8e12809829a3da6c6b29eb6be4b316af175bf2

SHA256
6e5e9ff7e4360674798e81e1a401541b4a30d8f4827cab5272ff9e6748042e69

SHA512
1e7a8bd69f840cf9311bfd4b2be1d99adfa16fd0e4e5e7d5fe45a36daf8c5aad8e3d9319174d4cd84ffa570557641fde33edc180b67ef0c6ec04e69e994a956a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYgM.exe

Filesize
829KB

MD5
ba8d6f18bcaf9b89fd023d4570cc742e

SHA1
8e1bf7ad58b4099fe3553584eeb6063c62fa2fb1

SHA256
a08162ff41cb63bd752b6f7ab05ccc674ef5f9ddfb36aa98d9a5f1c98606dc52

SHA512
02cd4a6332f354e48e513385466d3bc675ef1abb71e8061108a81bea05fbb8c78db110db6802e1c975d6e663f447b68a0337ebaf13b46c49101dbbc5d7b65957

Download Submit
C:\Users\Admin\AppData\Local\Temp\cccG.exe

Filesize
197KB

MD5
b48688f734b8c3f9b34312a3ec14dc98

SHA1
971c5531ae4e923086f4c8e16533af02871d94e2

SHA256
b0adf2ec37ff2f3b824bfb714ea0ffc263fb908422518af238c9c7b53c7f582e

SHA512
9476823a33f8cc69cf3387cf9cd5d530d0042b413e9ba33a5f66c5654589eae90b08db9c55846e1d1c74c08fc9e7d493b14023e1cc1c9810cb413534ca2f1ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\coUi.exe

Filesize
319KB

MD5
cec940482b539fcb176f65a61f299024

SHA1
4f94286bb4f80d9dec5acf435abd6c9588e63a3c

SHA256
92723d0a31d0a3b821031b4b33766d3a0aa73eaf620f9b145f7c9543626adeef

SHA512
93957b11e1b7a272f9b0702f0b68f9d9d2cdf0c734e7c468dd7cfd3e22a8b8aaf51e3e526027875ba2a58262a2ef7c81d7339f776e3ef894be2fc58d68d7744e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIos.exe

Filesize
3.0MB

MD5
e38ccdbc67da28c113e5ba3c51d47caf

SHA1
4f3be00fdbc898c5ac23e39e80b4080006141998

SHA256
0aff9019565f3a880493af1f2f345e0c33e58e755c0873573a41800e7574af28

SHA512
70b835696c23a0ffad09a71cb6e364939dc84606fb593e71da3d2de40826b95d287524bdfb94647af6bb2191c9bc3378e9a381a269c3d48b45de31c1101788b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQUi.exe

Filesize
190KB

MD5
4a28e8f479ac5a2308c3023554b38a50

SHA1
c3077bfc2a09c7de961878513993dd4639efb26e

SHA256
72ffece9e35f1fb8e3436534fd6aa384138dc8ec60d5bc4f3e611d6a419e1358

SHA512
be599bb15ad07ea81c1bf16f5e8eb72ce2b68aefba00244accbf37971c112f9d52a911c3324eb9fc0049d6f6b334ef2f165f8873303af9af94d4c4eb1af6362b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUUI.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecsc.exe

Filesize
200KB

MD5
bf83de1518497bd1d4a1099690cc9132

SHA1
ab543d78402f8ccd2d34adb9e1359c808adac808

SHA256
17061f2cb04f4c0ce64cb911fda329956143d8b4381dd25690f1546990e01927

SHA512
746d1d3a42fb904c2876c96f77ae7412040c8a4183f5a6a14b5d44220cb88c153c3f31d4ce929f1e5597dc12d43e19524f3b65865b8c9e3df7e8b4d84fdc7a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\egEq.exe

Filesize
3.0MB

MD5
68445190b60fc98a8f5ab67e7e342a83

SHA1
611c3723a751886c2d97d9f75a6f102c3cd3b9e8

SHA256
a2b0aa5c7f155189a9ca11f84297c3e40fc263bc2a432331a895aa45527c866a

SHA512
2e643801c68db4ae3f409d2070ab17a1c685540492f74ba0676eddd24eb2b26281cfee7406e5a5a3cf98d9d8a568f53c104b1dd7411dbaad883da0a8c27efd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekQq.exe

Filesize
786KB

MD5
c3ad3e21f0341c8a7247b95f5325b4ca

SHA1
dec6fea31b4c43ef121702f75cceb737c5ce3891

SHA256
004c165b301d791fd700ac5bfb0e3e3e5d0c4ee641bd3512e797079384c8b488

SHA512
6812c63ac85828a8438b615ee5095a0fbd87ad4190ff59aba7d723d7ff4a4b61121aba8b1c6c73b1074fbae28c57cd68373371756a0fc6a8ce3a0281707cd71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMgA.exe

Filesize
805KB

MD5
484463de630991be37fc72ee84bfe3b0

SHA1
bc54ab6398c9877652a2a67e8df861f998c3782f

SHA256
6b09aff7a43027027c314d4fcb427f9c6970d68479fc99e8676193b03bcd48f4

SHA512
1920da8bf72c7acb48b4ed586b728b0eef5a8c3518a073dadffb2c90d1b2a86ae93dcd6fc90b963b15686f52d485d78f6497efe791c14ba84aba89127545808f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcEK.exe

Filesize
217KB

MD5
dd114884f9e0fc9e1807980def6c0074

SHA1
ae70e534606bf0891fd237cfacdd15e428967741

SHA256
20d1e0dab2db23be6f6a96d4e4b9c15a6e68945528f4ec797687aee3fdbfc6d8

SHA512
a9225f7844ecd334677bcff9adaa967b62f5665e6d11b49f39a99cdbf56beeb35c60d6760a2fb83b3136a40557acba901e0d5e424977b8eca47bc8636fb33c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkoU.exe

Filesize
182KB

MD5
d056279ad4e382787669dbf197091499

SHA1
8bde124c94531d70cdcf7721b6d4f0a3f9524e7a

SHA256
baca5f80b50a1bf0080e60f18a2e517ed524dab6eef05a52fb36f7bcd607c8e6

SHA512
2af3c08695d30bce34e4848ce4c2b865a0d8343964909347994b0d893a5db0a6995ad11bee64887fe298e794eb407c1b3a370ceb5312e1260660a891ce63a0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\goEI.exe

Filesize
195KB

MD5
8d92a22a0c0e8ec63961a2ee40c8a19a

SHA1
84485397b66ebab9a7109102f7791a9c7ee532be

SHA256
d3deae86af0318871d35fb8eb02891430155a1573b5b5abb2174417063507916

SHA512
ebeabf9cf319b3787a1b84333153a8981aa70d73bb1e18b91b013f08b3132dd66833b924b8d6b8ced59b558cbc4cfefed65b144205de51c0ee6b4b746ab63f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iksI.exe

Filesize
771KB

MD5
eb80893c7c769aa4fccba1ab758c1d67

SHA1
4b174c46bffe6a11cf2acccb5f3a89f8fdf6091e

SHA256
e29ed6032e2fb7dabe0ebe682909df48887369d9d7110e21335ebe1cb8f05759

SHA512
25291ef741434f2e5081c5da4e0516d7c602618d6daf589e3becc51fdd7a1d6694950f76e7a0da21aeea7538d2d898ac85d34ce301c9797d69531f0a885c28a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kckQ.exe

Filesize
204KB

MD5
e971f5d8aa8ab811a0802c2d969b9527

SHA1
63e541a6d1bded7588473b5bcadfaeab4317ce57

SHA256
e29aee649fc064e5d5c46f04c0e1357f4123c3caeb537832b45425d59f8c5ca9

SHA512
443baf82e629c346ca4690dbc2eaca9c3987af60c259f50260375809796c732e4da24df4bf695856cebfc964a1d85ff23d8ba397a528e4b446958661c4865dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksIS.exe

Filesize
193KB

MD5
f0c0a46759efac1d51f919c266b9f48b

SHA1
b50e6f74d252a5fcf5b0405d3db17e2afdea78b8

SHA256
805132cbe9439de809bad58aa07ea23842fa54a444e8e5bbd01aba985148a75b

SHA512
a69747644978ee8141c865a4ab99a832b1a1075c32d223bce66fccbd67f08d056da9a96105f1d3b54c60cc22ec7f72b9a6a362b0e3fabc1f415944e878281001

Download Submit
C:\Users\Admin\AppData\Local\Temp\kskw.exe

Filesize
216KB

MD5
61c7057fb2f0e116b84bfb6ea805e8cf

SHA1
8e5339473bc7b9e4e3ef80da17540591b0f433db

SHA256
a9442557c89d672593dd5bc634dbc0e5432a152466106850ad05460e3d25d8f2

SHA512
d2852434714fe1669f1b4dfe11e27bdf0312e251e3816237ed2eb51ce48c3c8c98873b6ca10b34fb4e341b554bfd312730a3e6404327c4ede9618063d33a4267

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwci.exe

Filesize
194KB

MD5
0cb3b459de34c4069404f4d488668978

SHA1
e1515b758cbe701393eafa681ef8a6f2b658a581

SHA256
070bbaff3c9b941e1474b8b1a4be0074487b573540c90855026092696885b677

SHA512
778e954945b3f0fe9fe15539f434947810c2adf3003760c5a931a79ef074ffeda9ebb769fdb24000a2e4831136ac4e58c7ec75ed52f7993907c609be4193132e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEwC.exe

Filesize
189KB

MD5
ee7ce08bffe68224e4c0d9c87192395e

SHA1
c37735fe81e200dcad09d7b7a139835d7adb2bea

SHA256
446fad03d6c6466a524fbdfc24ef9ca7471863df4ea4a041d33f73915f9b3566

SHA512
241442172dcaafccf00968d876a239d6707f71899d1559d0a5fc09f0e9a5e769a2d278edddf7424b9267c55d07f5f5813607f2dc6d33263a2f7dd8c73c0f00c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUQS.exe

Filesize
329KB

MD5
b7f39db871fd253c18446e95b3907de6

SHA1
36cd1ced36cc86116c25d58622c7d36945103ae0

SHA256
7e6f2804ef27932fe777ac4c4bbb2ab12d266a2acd1c75078e99c2b4b161b827

SHA512
15ef11194e139d3815fa9d2065b1157bea8b754ce60295d59166b7f052c01e0a6e6c477a4c41ef6b33109b8be512583fe85e0affde12fd2d8962d81aca5dd534

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYAA.exe

Filesize
190KB

MD5
36d5880ccb83e1fc043a60fdcc1c6312

SHA1
e1a92bceac6365959ad812d50eaac228fe11c1e3

SHA256
1f4e5c173c2fe28772eda94fbf759eb1a06fb28c58d6fb4fa07e8fcedb1e49e2

SHA512
244019fabb72614e5279e898a7a833b8389ffe14af5779e1574f8dc27d1a5476b66ac40a302c5807a76f92120cfae3ec5f3f55b83105457a2dfd151d35b849da

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcQq.exe

Filesize
2.1MB

MD5
584f9f2eb9a8ba238c6abe1034cd6ec5

SHA1
5f78a943b2f7ed28dadbe344f2867114eda97179

SHA256
33210d9621700e71384f9b858a0ff45b95bc53387b377c535550642c794fc30e

SHA512
f4774f2a15f2c84c4ad279b8dcd0dcf0fb01b981ca1b40956de79815c38ca785abbff4c97f6895609e00dc5c71be125a015e8e7cd7dd33866750a6f6a6c4aa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAos.exe

Filesize
185KB

MD5
8a1808ef07190648463f64710ed667a4

SHA1
4819fa4418092edacb34658c5ebd12ec0f81bc58

SHA256
55c1d463460005baf2265ab33cd778e5bf566494a7c6b22786f0c6fce5628063

SHA512
5260930c3b6563294e258ecfca7594b9248421c23f93badf7598fc4e0c80d0f1415151cb746c9a6982079f7637aafb14d562d15211c71548c829f86ebae452e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oscI.exe

Filesize
604KB

MD5
57fdb6b69dd6346a1d26803cd8ecd652

SHA1
7d4d1ae093056df748fa74520f5048f1ccc09595

SHA256
a55268fbccd2047a69a5954b2ae0cc5eee0d418d8ab16c478f92281d9410259a

SHA512
1a200969b0fd7c9116ab26984c8c17d27198b2baa5b60c4638d4f63c1a505c49fb0aa0773e524f827f0ec5863b505eee7501f2e617925d4b8c0e7969a32ee5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAoE.exe

Filesize
206KB

MD5
a09b2de85f01bbf24de558a531c0789f

SHA1
081172c0fcf7c4bf45696204e69fe600615bb3c4

SHA256
12a46dfd335ae7aa9f6b936a1dba9b7212cc6aa00c47874098939f495ae19f5a

SHA512
b2b2fc57af42903ab421af66e741d1c45348cf26bb97a23731b616a922c73ceef0a8af5386034b522411d409c1b01e9fc5260559879d04514e3fe72d878e6b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEwq.exe

Filesize
190KB

MD5
de048696753baccaa93af2a1d923744c

SHA1
8653ab53e54cbb77c664de80df8691a5fdf46930

SHA256
1ff1a083c7183ac4113198dbc3cb6d91e35aae0c1993a5483771407868e77421

SHA512
af25a14c8262d5ba696a1fdd851008b980a0879baf4bbd75b6bc5030a1ec3b33bbe74650736b6bd2efcf00e68da50194eb966493219ba28e9706875c73babbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMMY.exe

Filesize
210KB

MD5
ff6a13f0b07a774013889be495349fdf

SHA1
2bd285c25bb676645ecf023fb9ff835d8e42619c

SHA256
1c467d6f6096e888721319ad7d17db0714149cf221b93b2a881912477155a707

SHA512
d5eb4fb452580e8528cbc791825d96e7778c29b6deea0e4b850424db5b548525d3c1d402d011b8fb144d5cede967ef900be0ace31868b8b1cd69c19d05be9fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQYk.exe

Filesize
191KB

MD5
e6e459518d2ad2f0b0f62465dddeda3f

SHA1
511b7161eaffbc0e096b60daa450c94ecafb7a3d

SHA256
8f98759f19316182dfdbe27a10eb7974eb59ce512c2e2e7551735bd9b9205464

SHA512
66cecf17308dd33055f82e5b7d5f51a63faef0a227c5ebc16dabe320b261b6e6acf6d43c44d209c75d6ebbf168cb0e4f973f0b66fc49ef51f37937580764fd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcsS.exe

Filesize
192KB

MD5
c86112a0770d7243c4e7052e0691aa2d

SHA1
15007f84d4430ded5e23c1ca4e0e2e73547e5fe3

SHA256
806dc6fc7855d16bfb9ef00801f5188f83cb5daacd616a06e6305034dea8aff6

SHA512
291af7fb53a52d7b9465d219cc1bc472c2ac25b5934068dacb3b286c306c20e0a2e7484e59d3c33e294a761c3543e457fc47f4d4d15753cd03278604ce9b5bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkIq.exe

Filesize
207KB

MD5
5e87d52c36bd9e67ab96c87101b255ed

SHA1
6af6f37721951305a7b1c0e771e324b47feea76d

SHA256
1c7108f5d516a829bfef95d23f122075007d31402eb0cc1678ebc18e7e744a35

SHA512
7f7a1f732f0efddb301ae74a8be689b8695e98ae253fde9e7432b0cf1f344e210f185cce7984449e14e277b3dd58db304febf92eb376b938781ce1103f8cd053

Download Submit
C:\Users\Admin\AppData\Local\Temp\qogm.exe

Filesize
195KB

MD5
674071c055ce63e6b8c75bca55e3ed8e

SHA1
1a599654ba126b4acef4f9e5acef6a8e7a1eb7a6

SHA256
f28fb308938d0d15904efcea7f640b3de328f2b6039c8d3e35192452344dd876

SHA512
daed3572866027b757f0f78ea8919e49cf2a02003c297c024a95d635010567b1661c7340ecf3d0bbf1823611e7203df3ccdd49725e53d18249247c7ebf9cc4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsMo.exe

Filesize
1.1MB

MD5
c9b76080a297aff4e0124d9f4859269a

SHA1
c2e23940faa2f2e7a7e8a6750215ed862f691e1d

SHA256
95aa885ea116626d13adf8f015f6b43a68fa0e802f948b52c3531f81a108f324

SHA512
f7dba06c38f913b6a1ddee5c2519a194c0214c41b448d271f935006c76b9d7b30ea9c2c112831b1bf5a74347a27714160cb7ac2524f3f3dfbe0e917dcd904954

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEMY.exe

Filesize
195KB

MD5
b2f8f3ab198bff2d16dc307bc0308ab9

SHA1
6563e741f1b7d5120a911b8d37ed497717cab17c

SHA256
3b01f0fd786aedbdf0054cfd07a0dd4d108cbad34b264308646acae8c20577fe

SHA512
b0c6df5db879be2931ad395fd36f15a24fc3a712909d545c76bdfb2f63c982c983cf16d9249dc3115be037ed6fcde6b7db4a3f9dd6587b0cbe4abb7662b32845

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMAy.exe

Filesize
191KB

MD5
2e60e7a2a2e92454baabe7365264e0c3

SHA1
189462dc224155cae5198d4a140f46a48d72e927

SHA256
ec890470e145355ffbb05c0da50614164a1ff716d82c740f28b7fdcdc9a942a1

SHA512
00561f7994b9cb86f83998f89f63290d4d8ceda13a4de9be71a6d212db87b437997c5a1e628aed8d02c6576a2056d09a4fb305358aa25fb7a1a79c48c8457878

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYcE.exe

Filesize
191KB

MD5
2df24b99d27651d49345e2921391fba1

SHA1
15377409e09b73980aa4b9484393e6fd3beb5626

SHA256
caa195bc2d664d5e55ee284855c3ae1f103650727e4d72c4a7dca2f35de478f9

SHA512
f8703e2248c06d368187ca1564f4304821be3e0a57f6ec1fef082eee8a77082b6d95973018c83759f233d83b06328ee66d23edb7679d2f44fbe2e0c7ef7f2a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sskY.exe

Filesize
193KB

MD5
de62d0daee9778cb894c5a4ef7af5f59

SHA1
ab63eff4632de960c357f8fe1fcd9f0b14899c45

SHA256
bccbe4bfeb89d28d9c5f03289cc4d9c51816de2c19398cd7d87d1b966485e4cc

SHA512
62b976ab00eca473565e9575b492fa8d51e4aa17adc0a93b280ebeea63d6b0455bb83e092ad71273e9a72b66981f96de53e9e707f85ebbf0a10bc48815906cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUQs.exe

Filesize
182KB

MD5
9c219a02c1836ebf7a2a10a9885ae43f

SHA1
dee2533173d61dfb01bad30a92b98e9c68465c67

SHA256
b4dfa2551e50c1d1ffed535e2ca0f1fc41f28fc4e1034821678556d5066b2c08

SHA512
093b3288b70dc5f5fc425776ce76fbf0fa4a902dd734e5be5fea3a9a4de9e3fe38149c10979610beffe94f072696e8b63d1b8593bcca9b767452298cd1b090c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosi.exe

Filesize
189KB

MD5
c0d1310a41a75754e28165e2c5ed94bc

SHA1
b7f7d3b2492a079f7853051903cce28d373c701b

SHA256
88530e38e4807aaf3a80366262296b7ecbd26ed16011bd90e44b6012f4795fc2

SHA512
814f171a49960fe0777e6068708067c2ce70a4f65cc24667aa4817b8844114968e3c9a49287d3d86636aca49cbe3eac2d10f4614bf6331865550f80b450fff5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQgE.exe

Filesize
199KB

MD5
0a308a7d30eaea6f53a7b0826e64f117

SHA1
5edb7e00a145983372f0280221c77389233d7286

SHA256
3a4a3f6d6c6145ee4b6ec12ec194aef8bad5f73b6129cfe9c81a6d2ccd81b426

SHA512
6a7307b839539c748665018ac668f69f31a7eaa06efc7e1f17719b8545ad784ecd720855a14d088d1d74f0ceecabfe3bce6150d19ba740529087f643e87056e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\woUU.exe

Filesize
952KB

MD5
716fce15f09800dbcc8647dbd943a1e3

SHA1
60878cbc9fdf6737deac34de73576ab56d257611

SHA256
e49fc0d423f7a4aa380e904258625e88b3084c895b122e2e0cdc812d35a97668

SHA512
86c8025009476500b4ee1003160e5cb8dceadedc7bde86de07f7df4b6b9ecd5bfe9a97224a8ab4f2ee4d3bc746773316c564903247177aa13161a42e57e67f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAgM.exe

Filesize
646KB

MD5
228f891758d1e3e1408a392e2ba820a9

SHA1
001a78ed376e1e0232a8ec89caa8357273b2ce0b

SHA256
88e9da0f34c9119292240587fd008b2885da5ca33e02490909a82bf8b5741250

SHA512
6daea00c02c97e5cf31a846601083076692b4b0671ca8352bb01965efe4743e1c5fe932b83376a825e371ec567b361b616d6807c4c68a7843e8091a2972a1b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEAW.exe

Filesize
196KB

MD5
b5d8801df7de19af541108838a33d6cf

SHA1
694849a209d11d936c3794423cb5d028dcbc88c9

SHA256
a52caa9e0bedd079c88a5c9ef213acdf1f5fee59db41de7768732bb8824bf186

SHA512
cb99fcb89b2e07e84a2300333dc0ce965f047ec7a88d50d88e7320d45d6cf7a82091e31d13bebd9c69e05e82153d6fba279d8cb73111236333e7d1365174e2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEsO.exe

Filesize
210KB

MD5
d7e3552ec89853e55acf1d71caa14301

SHA1
3a197500d20016c60d08191dd0cbcbe353f5c664

SHA256
0b73908b71be819d9c5a01a15e55be9eff3aa2ee5fcb0d1725e662838a8ae075

SHA512
5112b0ff31a4a5b1008e95eeb85a04e91bba4a752b7e00d999500b26f7c0fa24bf076a82e5dc477636c85eede9bc73782fdf3d36bde59ed01434173a66988f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygko.exe

Filesize
209KB

MD5
36acf4858d01f8331071ba4ac5f80f84

SHA1
d0a96dc32060451050580e6b53057684e578fdd0

SHA256
b6d3d6f89819ff4a60f1ac1d994a63d3a3af937b2f070a0f14f1be37d547755d

SHA512
d14a39ddc03af6f7153ebc99a2567383f432867a6af8dfb6b5341b84d226fdca1e28c1c417dc672bbd6a3e14e3f4a961dfecfb04452b761edafdd3658e74006e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykEG.exe

Filesize
798KB

MD5
794685313cab5339fc3565c770b16261

SHA1
92e6a4f856f649b258bf7fb513ef015ad9c68368

SHA256
00466f7e6d3915b178c982c1f753013370b5cf20ca2d1b819f753f54280b0e7f

SHA512
d2302d8cbc4ad969b9d279b55ac86beb86ee289f4657fa5d84743b7288eb006f7a2ca955a9a1e6955b0b772c8063fb276ad6c8c20ecd8ef43e092b96f8d0170b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykQu.exe

Filesize
195KB

MD5
a53e39d3094c821ca8c0143448d64404

SHA1
44de4d17339050008b117ac37e95c411a943a83c

SHA256
302c4ee7e047bc48a6d1aac5ebf234b82fba3e3774bc17fb9ab55c559a9a1ac9

SHA512
d1af5a6dc89a7e6a74ffbd544363781495f05dd4ddae70c0d34d3325524b679b4f8be238e3ee2c0372eda071b70e32c3cc8108dbefe299003d906c8af3dda703

Download Submit
C:\Users\Admin\gmEEUsAM\qsAccgUI.exe

Filesize
190KB

MD5
efb600c4b46640c3915fa3574879cf94

SHA1
3d665fd13586e4888c3b9a785f8ea5f945aa77eb

SHA256
9e2135bd085ffbb5772b8525900d846ed11058e56989bdaff6a9c3db8e574f67

SHA512
f5823727ffbf5acc9680a0d09757301032d66692e8ebb67cb5193406daf259fd3d8d1db7eea63e02285aa29417e8d8f81d8d2f39d76a294ea1d4e9deb31e2567

Download Submit
C:\Users\Admin\gmEEUsAM\qsAccgUI.inf

Filesize
4B

MD5
ed207cb7927c31800bce4b6a60438cdb

SHA1
66a29fee147b1c306415f979491b11b5a4734b75

SHA256
d1e6e896a302f28ba2ead6401938d806806571ecb6ff0428c76e7326aebc9e39

SHA512
b3404eae359b4b5642e1919975535792e802d3d7d0d07b32fbee9cf47407d1474577ab11f137cf56ab5f0d07007175a351e5eb6c1d7c61518e37253d34cd84b5

Download Submit
memory/220-367-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/220-359-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/428-34-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/428-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/816-161-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/816-171-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1032-297-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1032-289-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1328-451-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1348-441-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1348-434-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1556-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1556-308-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1556-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1556-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1592-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1592-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1612-193-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1824-121-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1824-108-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1972-348-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1972-357-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-470-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-479-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2496-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2496-158-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-544-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-535-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2672-133-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2672-120-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-488-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2840-525-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2840-516-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2872-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2872-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2956-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2956-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3032-534-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3032-527-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3140-317-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3140-310-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3168-489-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3168-498-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3232-246-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3232-236-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3284-412-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3308-396-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3308-404-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3464-107-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3464-95-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3484-346-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3484-339-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3488-553-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3488-261-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3488-268-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3520-469-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3520-460-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3668-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3668-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3700-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-423-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3792-413-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3840-13-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3900-271-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3900-279-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3956-46-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3956-29-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4192-515-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4208-206-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4280-381-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4280-395-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4412-207-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4412-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4416-249-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4416-258-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4448-376-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4448-366-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4448-506-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4448-494-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4512-288-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4512-280-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4512-461-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4512-453-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4512-222-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4512-232-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4560-329-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4560-337-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4892-425-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4892-432-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4924-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4924-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5056-319-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5056-326-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5056-182-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-372-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-385-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download