f9c0068ff988ec359ed3da3c6e4910302b9b50cf5e4cfbb512f8ef57f90d581e

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202405223f0c845467b75b09102609b7a2c31b50virlock.exe
Size

185KB
MD5

3f0c845467b75b09102609b7a2c31b50
SHA1

69d96b9d5bf8e47550541158ab94d3fc498a6b61
SHA256

f9c0068ff988ec359ed3da3c6e4910302b9b50cf5e4cfbb512f8ef57f90d581e
SHA512

345184fa284c0f9abb9ffd22e21e541313cef3bccb6bb9fc75e589c4c0aaa66cddfd0546e9e4015a0c0dbb4837135f6bfa6fac28437098741f2a43ab1cf28c01
SSDEEP

3072:cVaq5FcYT5BbZYP/6pfVSSsORkMaibfpKG/7Qx0KgxGdjNuGtb/j4bljcEhk4Bm9:ufz5pZYPypff7tjxojI43ohk4

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mqAMUEAc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	mqAMUEAc.exe

Executes dropped EXE 2 IoCs

Processes:

mqAMUEAc.exenScUEswE.exe

pid process

3608 mqAMUEAc.exe
1664 nScUEswE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

202405223f0c845467b75b09102609b7a2c31b50virlock.exemqAMUEAc.exenScUEswE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqAMUEAc.exe = "C:\\Users\\Admin\\xyQQUAUc\\mqAMUEAc.exe"	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nScUEswE.exe = "C:\\ProgramData\\bygIowMc\\nScUEswE.exe"	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqAMUEAc.exe = "C:\\Users\\Admin\\xyQQUAUc\\mqAMUEAc.exe"	mqAMUEAc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nScUEswE.exe = "C:\\ProgramData\\bygIowMc\\nScUEswE.exe"	nScUEswE.exe

Drops file in System32 directory 1 IoCs

Processes:

mqAMUEAc.exe

description ioc process

File created C:\Windows\SysWOW64\shell32.dll.exe mqAMUEAc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	mqAMUEAc.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4240	reg.exe
4484	reg.exe
692	reg.exe
1908	reg.exe
4492	reg.exe
4712	reg.exe
1920
4204	reg.exe
2424	reg.exe
3212	reg.exe
764	reg.exe
2976	reg.exe
2668	reg.exe
2476	reg.exe
1268	reg.exe
3384	reg.exe
2780	reg.exe
1856	reg.exe
4220	reg.exe
4452	reg.exe
2804	reg.exe
5116	reg.exe
432	reg.exe
2200	reg.exe
1612	reg.exe
4324	reg.exe
3260	reg.exe
4704
2176	reg.exe
1488	reg.exe
2200	reg.exe
3584	reg.exe
2140	reg.exe
2140	reg.exe
4344	reg.exe
3260	reg.exe
3632	reg.exe
4372	reg.exe
1908	reg.exe
1796
4528	reg.exe
3476	reg.exe
4368	reg.exe
3420	reg.exe
4528	reg.exe
5100	reg.exe
3148
4888	reg.exe
2468	reg.exe
364	reg.exe
4440	reg.exe
1280	reg.exe
3416
4240	reg.exe
2852	reg.exe
3476	reg.exe
1996	reg.exe
4472	reg.exe
4440	reg.exe
3028	reg.exe
1980
2140	reg.exe
4788	reg.exe
2404	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe202405223f0c845467b75b09102609b7a2c31b50virlock.exe

pid	process
2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4472	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4472	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4472	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4472	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4424	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4424	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4424	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4424	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2948	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2948	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2948	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2948	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4888	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4888	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4888	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4888	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
208	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
208	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
208	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
208	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
5092	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
5092	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
5092	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
5092	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4084	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4084	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4084	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4084	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3784	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3784	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3784	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3784	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4636	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4636	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4636	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
4636	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
1412	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
1412	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
1412	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
1412	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2164	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2164	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2164	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
2164	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3116	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3116	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3116	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
3116	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
5104	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
5104	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
5104	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
5104	202405223f0c845467b75b09102609b7a2c31b50virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mqAMUEAc.exe

pid process

3608 mqAMUEAc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

mqAMUEAc.exe

pid	process
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe
3608	mqAMUEAc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

202405223f0c845467b75b09102609b7a2c31b50virlock.execmd.exe202405223f0c845467b75b09102609b7a2c31b50virlock.execmd.execmd.execmd.exe202405223f0c845467b75b09102609b7a2c31b50virlock.execmd.exe

description	pid	process	target process
PID 2872 wrote to memory of 3608	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	mqAMUEAc.exe
PID 2872 wrote to memory of 3608	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	mqAMUEAc.exe
PID 2872 wrote to memory of 3608	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	mqAMUEAc.exe
PID 2872 wrote to memory of 1664	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	nScUEswE.exe
PID 2872 wrote to memory of 1664	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	nScUEswE.exe
PID 2872 wrote to memory of 1664	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	nScUEswE.exe
PID 2872 wrote to memory of 4128	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 2872 wrote to memory of 4128	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 2872 wrote to memory of 4128	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 4128 wrote to memory of 60	4128	cmd.exe	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
PID 4128 wrote to memory of 60	4128	cmd.exe	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
PID 4128 wrote to memory of 60	4128	cmd.exe	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
PID 2872 wrote to memory of 4888	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 2872 wrote to memory of 4888	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 2872 wrote to memory of 4888	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 2872 wrote to memory of 400	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 2872 wrote to memory of 400	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 2872 wrote to memory of 400	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 2872 wrote to memory of 4756	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 2872 wrote to memory of 4756	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 2872 wrote to memory of 4756	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 2872 wrote to memory of 3168	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 2872 wrote to memory of 3168	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 2872 wrote to memory of 3168	2872	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 60 wrote to memory of 1888	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 60 wrote to memory of 1888	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 60 wrote to memory of 1888	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 3168 wrote to memory of 3472	3168	cmd.exe	cscript.exe
PID 3168 wrote to memory of 3472	3168	cmd.exe	cscript.exe
PID 3168 wrote to memory of 3472	3168	cmd.exe	cscript.exe
PID 1888 wrote to memory of 3500	1888	cmd.exe	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
PID 1888 wrote to memory of 3500	1888	cmd.exe	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
PID 1888 wrote to memory of 3500	1888	cmd.exe	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
PID 60 wrote to memory of 4384	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 60 wrote to memory of 4384	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 60 wrote to memory of 4384	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 60 wrote to memory of 2200	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 60 wrote to memory of 2200	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 60 wrote to memory of 2200	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 60 wrote to memory of 2404	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 60 wrote to memory of 2404	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 60 wrote to memory of 2404	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 60 wrote to memory of 3340	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 60 wrote to memory of 3340	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 60 wrote to memory of 3340	60	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 3340 wrote to memory of 3148	3340	cmd.exe	cscript.exe
PID 3340 wrote to memory of 3148	3340	cmd.exe	cscript.exe
PID 3340 wrote to memory of 3148	3340	cmd.exe	cscript.exe
PID 3500 wrote to memory of 3200	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 3500 wrote to memory of 3200	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 3500 wrote to memory of 3200	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe
PID 3200 wrote to memory of 4472	3200	cmd.exe	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
PID 3200 wrote to memory of 4472	3200	cmd.exe	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
PID 3200 wrote to memory of 4472	3200	cmd.exe	202405223f0c845467b75b09102609b7a2c31b50virlock.exe
PID 3500 wrote to memory of 2476	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 3500 wrote to memory of 2476	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 3500 wrote to memory of 2476	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 3500 wrote to memory of 4540	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 3500 wrote to memory of 4540	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 3500 wrote to memory of 4540	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	reg.exe
PID 3500 wrote to memory of 2124	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	Conhost.exe
PID 3500 wrote to memory of 2124	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	Conhost.exe
PID 3500 wrote to memory of 2124	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	Conhost.exe
PID 3500 wrote to memory of 4304	3500	202405223f0c845467b75b09102609b7a2c31b50virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
"C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\xyQQUAUc\mqAMUEAc.exe
"C:\Users\Admin\xyQQUAUc\mqAMUEAc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3608

C:\ProgramData\bygIowMc\nScUEswE.exe
"C:\ProgramData\bygIowMc\nScUEswE.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
8⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
10⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
12⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
14⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
16⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
18⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
20⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
22⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
24⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
26⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
28⤵
PID:5096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
30⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
32⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
33⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
34⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
35⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
36⤵
PID:2696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
37⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
38⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
39⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
40⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
41⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
42⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
43⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
44⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
45⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
46⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
47⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
48⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
49⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
50⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
51⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
52⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
53⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
54⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
55⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
56⤵
PID:540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
57⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
58⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
59⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
60⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
61⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
62⤵
PID:4356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
63⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
64⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
65⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
66⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
67⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
68⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
69⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
70⤵
PID:4748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
71⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
72⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
73⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
74⤵
PID:672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
75⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
76⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
77⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
78⤵
PID:1928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
79⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
80⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
81⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
82⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
83⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
84⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
85⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
86⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
87⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
88⤵
PID:740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
89⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
90⤵
PID:5104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
91⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
92⤵
PID:3168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
93⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
94⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
95⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
96⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
97⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
98⤵
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
99⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
100⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
101⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
102⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
103⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
104⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
105⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
106⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
107⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
108⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
109⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
110⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
111⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
112⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
113⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
114⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
115⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
116⤵
PID:3012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
117⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
118⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
119⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
120⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
121⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
122⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
123⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
124⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
125⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
126⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
127⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
128⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
129⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
130⤵
PID:1056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
131⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
132⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
133⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
134⤵
PID:4452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
135⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
136⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
137⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
138⤵
PID:3280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
139⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
140⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
141⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
142⤵
PID:4532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
143⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
144⤵
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
145⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
146⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
147⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
148⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
149⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
150⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
151⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
152⤵
PID:4180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
153⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
154⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
155⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
156⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
157⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
158⤵
PID:2876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
159⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
160⤵
PID:2104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
161⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
162⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
163⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
164⤵
PID:2240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
165⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
166⤵
PID:2648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
167⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
168⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
169⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
170⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
171⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
172⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
173⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
174⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
175⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
176⤵
PID:672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
177⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
178⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
179⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
180⤵
PID:3632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
181⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
182⤵
PID:1652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
183⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
184⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
185⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
186⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
187⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
188⤵
PID:1732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
189⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
190⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
191⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
192⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
193⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
194⤵
PID:4532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
195⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
196⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
197⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
198⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
199⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
200⤵
PID:3116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
201⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
202⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
203⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
204⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
205⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
206⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
207⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
208⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
209⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
210⤵
PID:2404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
211⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
212⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
213⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
214⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
215⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
216⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
217⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
218⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
219⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
220⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
221⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
222⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
223⤵
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
224⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
225⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
226⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
227⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
228⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
229⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
230⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
231⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
232⤵
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
233⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
234⤵
PID:4316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
235⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
236⤵
PID:3628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
237⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
238⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
239⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
240⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
241⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
242⤵
PID:976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
243⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
244⤵
PID:1652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
245⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
246⤵
PID:2404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
247⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
248⤵
PID:764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
249⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
250⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
251⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock"
252⤵
PID:2408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:3224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
- Modifies registry key
PID:3632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiAkcUsk.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
252⤵
PID:4964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seggocUw.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
250⤵
PID:1820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:1524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fegMgMcY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
248⤵
PID:3024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
- Modifies registry key
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:1928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOMgsUEk.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
246⤵
PID:2768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCEAIoso.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
244⤵
PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgUIoMQY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
242⤵
PID:516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQMosYAk.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
240⤵
PID:3168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOQEEEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
238⤵
PID:2768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:4976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSEYUIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
236⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReAYIUEY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
234⤵
PID:764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
- Modifies registry key
PID:3260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqwwwUUU.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
232⤵
PID:4712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:2812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuAAwwsk.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
230⤵
PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:2576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcooQsss.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
228⤵
PID:4908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
- Modifies registry key
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
- Modifies registry key
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUosMwUA.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
226⤵
PID:1992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies registry key
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCckMQoY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
224⤵
PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:1172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:1188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqgcYsYw.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
222⤵
PID:2116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies registry key
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngIcckIg.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
220⤵
PID:3276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:3756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:1996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcUAwIwE.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
218⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:4332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:4948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCggEgMk.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
216⤵
PID:244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:5028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:4496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAkEgEAU.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
214⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkcYMkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
212⤵
PID:2312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:4128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMAQwowU.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
210⤵
PID:4420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeMQwAsA.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
208⤵
PID:952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:1488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:3012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmcUQQQo.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
206⤵
PID:4276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:3224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- Modifies registry key
PID:2780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOAkokkc.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
204⤵
PID:1796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwgIEcgg.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
202⤵
PID:1036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuIskYkA.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
200⤵
PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scosMkgA.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
198⤵
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:4068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGYgkQMo.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
196⤵
PID:4340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
- Modifies registry key
PID:2140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgcskQok.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
194⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:3768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
- Modifies registry key
PID:1908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeYYcscM.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
192⤵
PID:1560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
- Modifies registry key
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIQUQQgY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
190⤵
PID:3088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCoYoAoE.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
188⤵
PID:3280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
- Modifies registry key
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKIwcAYo.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
186⤵
PID:4260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwQQAwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
184⤵
PID:740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWkgIswI.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
182⤵
PID:3416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:3016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYEggYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
180⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies registry key
PID:4240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEggsoAE.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
178⤵
PID:4372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foocIgQs.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
176⤵
PID:1412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:1176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- Modifies registry key
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqAokoMk.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
174⤵
PID:3544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
- Modifies registry key
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
- Modifies registry key
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAUAsEso.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
172⤵
PID:3984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWsYoogk.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
170⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies registry key
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:1092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCoUgcMM.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
168⤵
PID:3356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- Modifies registry key
PID:2976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEYkoAww.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
166⤵
PID:1988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:2668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkwMUwgY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
164⤵
PID:2812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:2896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
- Modifies registry key
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUQgEMoY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
162⤵
PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaYcUYkg.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
160⤵
PID:1856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAgswAkc.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
158⤵
PID:4768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- Modifies registry key
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWwQsMoc.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
156⤵
PID:1512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCkIAkQk.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
154⤵
PID:3420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:1700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOkUwsUg.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
152⤵
PID:4792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSYcEwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
150⤵
PID:1036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:1916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgsogMAs.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
148⤵
PID:2648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies registry key
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMIcQskI.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
146⤵
PID:4844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKAoQAco.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
144⤵
PID:4324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:1676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcwcUIIY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
142⤵
PID:3128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIUsQgYY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
140⤵
PID:1916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:4768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies registry key
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYskMkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
138⤵
PID:4972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqMUokYY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
136⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmskwsEo.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
134⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWwYkMos.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
132⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:3996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKMkYQQc.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
130⤵
PID:640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uowYYQcY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
128⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKQAcwUg.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
126⤵
PID:4444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYMQEEQc.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
124⤵
PID:3392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
- Modifies registry key
PID:364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKkIEMEY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
122⤵
PID:2660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:3768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUwwgMgY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
120⤵
PID:2692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vggcEQYo.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
118⤵
PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:3392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUgUkMMc.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
116⤵
PID:1652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocYIMAcA.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
114⤵
PID:2876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies registry key
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSwYwsog.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
112⤵
PID:4908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUgIYQUw.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
110⤵
PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAgYwIko.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
108⤵
PID:1124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGwkwsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
106⤵
PID:3876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
- Modifies registry key
PID:1488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seQsEEIA.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
104⤵
PID:64

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- Modifies registry key
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCIwUwQM.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
102⤵
PID:2476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies registry key
PID:1268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
- Modifies registry key
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWAUIQAU.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
100⤵
PID:4032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOMIkYgs.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
98⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:4504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:4240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUQAoMgY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
96⤵
PID:764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEwAYMsA.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
94⤵
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\figwgkIw.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
92⤵
PID:4032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:4748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piUIMUMo.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
90⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkQcoIcE.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
88⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYQYQQwY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
86⤵
PID:652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIgswIwY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
84⤵
PID:2876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWgIYYAU.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
82⤵
PID:4448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:4624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmoMUYog.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
80⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XecYQgkY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
78⤵
PID:4968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
- Modifies registry key
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYcQgQkk.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
76⤵
PID:976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQUQYkAc.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
74⤵
PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMossAkM.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
72⤵
PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGIcAksw.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
70⤵
PID:4452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmQkkUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
68⤵
PID:4628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:3592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoYYcoME.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
66⤵
PID:3684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:2156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUwkcowI.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
64⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:4628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiwMEwMY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
62⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCsMQwYs.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
60⤵
PID:1132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
- Modifies registry key
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aecwIgQc.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
58⤵
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKYkIQcU.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
56⤵
PID:1344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:4768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- Modifies registry key
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYsYYgEo.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
54⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies registry key
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:2696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUIwAocs.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
52⤵
PID:4392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCowQEcA.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
50⤵
PID:4084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HikYcQYM.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
48⤵
PID:3420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:3476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeAookIM.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
46⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaAUcoEM.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
44⤵
PID:3964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYskYwIc.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
42⤵
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkgUEMco.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
40⤵
PID:2404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoYggQEY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
38⤵
PID:3396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgYwksog.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
36⤵
PID:848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:3116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcEwsQkw.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
34⤵
PID:1108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jckYYUcU.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
32⤵
PID:5076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:3472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmMAcoQw.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
30⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sukAoQUA.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
28⤵
PID:4968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- Modifies registry key
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMUAscMU.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
26⤵
PID:3140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQoYQcIw.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
24⤵
PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMcsskMw.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
22⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOAgQYEE.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
20⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcAcIQAw.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
18⤵
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWwAwcUs.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
16⤵
PID:4020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyYgAcgY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
14⤵
PID:528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoUswMoM.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
12⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYQAQcEs.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
10⤵
PID:3504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOsMEwoc.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
8⤵
PID:652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peMYEIYU.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
6⤵
PID:4304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGYwYwIY.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nooUMcgU.bat" "C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3472

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2464

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 3FW0DpdF20KhZqkEyELiLA.0.2
1⤵
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
330KB

MD5
a8ff98f9c534a6eed9f69ebec85f33fe

SHA1
9340450ecc520443e369e95c2eee8be2cee166c3

SHA256
caafe921e9e8052b73f9ab5f6716103022991dac8225ed4de50549124c2c0477

SHA512
adfcf405eb8b72bab97167599f7563ebabfc7f8f404bc168c845953c5f5a29281839004835b80e05f61e4619847154a5f241692892f0d73fcc1fd6a5d9d6d0f2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
226KB

MD5
77af45e172c364ac524c68f4543f8902

SHA1
9e6f50b495e8c151297978f3d05a6352afdbbef2

SHA256
50270df2f77d960db12eab0b4c19676a546c15f7a44abc9afdcef1b5d2919fe0

SHA512
aaed2cd54b1035db8c4ccb215a5a28d19fa79cc536b61085a0c96fd26fb6e991c52f4092d3226dc3806fd62dfd74c681851877985d4bbd56fe0aabadba3b10cd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
791KB

MD5
bb8e42b5ccd7a20bfcaca2446c1fde06

SHA1
1d3aee238584e60159659ee670af0dce3b549dc2

SHA256
22521ebff485c395d59de12bcec1a823725a8c8279ecd817ec551b59d9d34a56

SHA512
125c143348b37017c32a24cadfda79eaea54183120643b49cba8a164f00fc602262c90c2f7671376c0710b8cf907ed158f1443d2d7d3f06cf640a8e9a6c87705

Download Submit
C:\ProgramData\bygIowMc\nScUEswE.exe
Filesize
194KB

MD5
272e6864cfbfb22c4f1160d6c624209f

SHA1
0eff244f25a1e499bbfad045187d2431f4562491

SHA256
aa2525a1a6cea314548d6c53833a279c320cd48b3fc7d15ea36bd280de250b4c

SHA512
9ed40564b7676a98a181ac541f875dd3d575c3d3cf713abf895377ac79df2ba7b3fcb0b4c635614d1cea190645e3486e05354387d2daf91ce446ed052f20cad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\202405223f0c845467b75b09102609b7a2c31b50virlock
Filesize
2KB

MD5
35187f94bd240bf691955f0838deb12b

SHA1
2a5b89516f4c60cf569ccdf18853586cbf6ea144

SHA256
208fd54fc7819b2f69e10cd3323068e3d5a449245c1aaac70ba1b0414c924d5b

SHA512
d68610af0f3b2313277d6ec177b7ac1e4639382bea60631136ec766b0bb240c752c3e1947150ce5fd30afd9846173021fbe88b7f084e5048f8c3243bd9e2fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQMa.exe
Filesize
182KB

MD5
acbd3784dd290118b829d2a8d30c126a

SHA1
79a2feaf71dab4d71c49d63a8c79b95290be866c

SHA256
287c0788c2f8f6b21add510051376125d48c66c31a98846408da23f86f88f8eb

SHA512
e892d802aed4704a5188cdef12f92a8348cd970e56ec554b03f290adb973fead8d36279b60c79ddcc20170453e2e046b6fffbd42f88434a36dcc14861189ea3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQYY.exe
Filesize
185KB

MD5
3408a5b60e45f310d36851cc35b2ae4a

SHA1
f95da9c0afc262c3d96d4b7e17858e56de8cd13f

SHA256
0fb90f379123ca6c0890e11dce61e8177cd310d7e6446050a98f78cc12f8e92c

SHA512
07cde521b1a589649143c2f4bdfa6559ae27f8a798cc2bb2543c09fe3caf181969d6868ca51f0ba54e96d8b238284eee315e4610b0010a3988d0de723c117167

Download Submit
C:\Users\Admin\AppData\Local\Temp\Acoc.exe
Filesize
196KB

MD5
a2a8ae316ebcf234a5b6d85e93a9d0f0

SHA1
49ed5ba3295cf319ad19f5ffe8aa3c574406c8a1

SHA256
0aa0a242ade5c1f6be2803149b4b278259b31d2d23c412e57f6fe899f2c3d30b

SHA512
838fe483c15b0868d7ebfe9cff0d669423082b466d8fe53250af00efa9fb3b0d8776640ec4079ef1c0090a3b573b0248ac57f1c110517d2869008fed20a2f12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYg.exe
Filesize
195KB

MD5
323c912e673cffff49362ddc42c8953f

SHA1
0238f207a1e8a0690c9f8011b4535e4dfce4a0b0

SHA256
0ba7eb470df1634958fe9168c04d8e9e4da89eb68a694e43f67bd390b71a5020

SHA512
437b3edf330be251f61a8d4f80062f4714fc92698e359137dd2bf8a67658e23a54b7e0d7e6d5c0266fde94915dd388b5bfefdd3d4958110ef91076fa6d1a0450

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEAk.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIQg.exe
Filesize
1.2MB

MD5
5fde28b6ba6b3bb91efcb3a41defd85d

SHA1
a21375eacddab5dd5d15d610528e08504d035efa

SHA256
3e6fff3df59345e03b9c1b8e4aa6536c4f696405eb1488b04e20f726e60d18b6

SHA512
6679b6a31e2f57aba81a1f2cfae0df23269eb2431aa7834aeb97a6a749fe141d78ffc0634cfa6ceba76c0bdee3f50bfc24e0d74bd646bac11201934fff5cd167

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMQa.exe
Filesize
1.1MB

MD5
3909fa79e28331953dad3002765dd982

SHA1
b07ad838e860c93cb301d106448b7185a94dccca

SHA256
77a31a364d99e0dc822b14bedc21b9ddeb2efeee2ad84176991933f2622aff14

SHA512
9f0d90179ed9a35d6cef1cc9c4505dc561c36ea608a85afa093e3a5d0f5ff6d4f6a6c82eb4ab9f5c6dcbd7fe684fe52a670c1c3e7859c0726e26216e3930e84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEww.exe
Filesize
200KB

MD5
eff6205c3b8a7bcf7e82ea6e1e13f7dd

SHA1
f04b61022ac66f9b2e263c164585b1e2ad24e179

SHA256
0123282dc6a28da592b15985b88c900c31451d8c8ec00cb20428ad0d3823bff5

SHA512
9dd72df0a089b6636cdfd6cf311f5764dbe867a7f5cca0f6dcb8a14a70feab1d314aefd9f2c82728e91d34c25e17b551768456b204f4640ca7b4d9b508cddbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUUm.exe
Filesize
193KB

MD5
7f3ba9b2e5af403fd3d6bba725816c19

SHA1
57dbdf0432c1139aa6c9f760ea48b4813551c6aa

SHA256
814cc35fbe5b9ab755d0f1e5bc35073cdf42a31212573da4bcd73ec02eea6eee

SHA512
bdef229f7e1b17bcedc63a958ec23ce6c8ea075cf330841a29c5eb39f086624e7cd79ee5891980cb32dde4424f562a35cb3fcab85b6c37486e5c27371303288c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkQu.exe
Filesize
229KB

MD5
ac0b588d72f9611851d9792fac6eb3ae

SHA1
1868a641fde845ebdd1f9cea96bdc1eb38fff90f

SHA256
28020d20962b0d02a2702f4fd79ee3c6a5be8305bb02e6f1c01ebf3977a369e2

SHA512
898e744b22b416b5f13e51d355c0a5728fff47527ee69d68bc21c1febc28e260b64d3629ad24b5c3bd65036e880eedb40ddfb5c6682010531764f9e3b35f206c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoIE.exe
Filesize
193KB

MD5
06e24bff94f62e270de384bf72f43643

SHA1
f8f56a103470ca6e21a402f691ed12b5a67a3a03

SHA256
fd9524dfcc5a2eeafd8e06028e8a0052edb916b2c3c85e744696a6a9a0e224d7

SHA512
14ae634cae58825d23f0a8abf8054dc65014782474b431d26cde8c289ff19923a067b93dfcee85a8c3ebcf6cba0b93e65a64b49b425f0d6efe8eaf5c954cf2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwgy.exe
Filesize
829KB

MD5
9f45fb0c3eccca6253ab590bfe618b40

SHA1
8f9f6739b6c20d29cc6f90191b8fb52fc4f2a862

SHA256
1f680ebbfa4fc2765155caf2083e3db2c7af56e986b10a8d769f0ec9bbfd38f1

SHA512
acae68924d5b82bc0460312dc4b5fb91e129f7d048d6772852c1ead929857e60114246744af1a32737d23dcf2f756e0b4c84162285083398ae5b3757fbc0f683

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMkM.exe
Filesize
196KB

MD5
a082907b185884d40e50182238a3a92c

SHA1
ed5660bc0785deb7703aa26b75035f1bbb1c0ada

SHA256
143f35a6f026f2f17dcb2186447e278027584c33e3fcf5455b5705c1894781a0

SHA512
a95b47c32876fd2f4fa09865768b5655d6a5c8d5ab98c391fdc04fe59b84a530f0d15045e9a2f11d4f55c0ef0993af735e9e582407c204bb7368bb20f40e3a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQsq.exe
Filesize
824KB

MD5
8c8b7ea8089a0668ad865b6e09dda764

SHA1
afb1abffd410c525457f6a6194e19e36594e7be6

SHA256
820c6e27ee1b9451aea1a1742ec85396b9cb0bbbf93ac9bde5047f5d9cd41719

SHA512
1a61c1c20188c01c774b0c057eb2fe812d4842010a84dcf884d97fb1be80071dd77d97b8ce3d30c7e5a487720d40169881c8277c29f338c0a88cd7c04512b9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IscO.exe
Filesize
235KB

MD5
1a10fbd45f83e38323a8450f35588388

SHA1
1ad5901d7d7dea72c252a68a900329c9bc42f094

SHA256
1e34daab844f897b2b3a4c190e7d245241b1f218ab036bf1c473e098fae53e07

SHA512
efbe0d93a856ba780f65a737e8baf774156f535df8daac6d61bd2b316cf1905025a1a973421f4f007b1018ba2361a267e1b0be14678b6717af8189920f8230a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iscy.exe
Filesize
258KB

MD5
6d987bcf5ffbbf2a66c2df13e25fabb5

SHA1
af4ef777353bebcd61e748bd04afb5a4aa1d954a

SHA256
b0a2eebb8edf23478345aaaed2e22ae92e5fbc4a4bc7aebfad2cd2c62ca08877

SHA512
8d93510d8523ac5787e9535c6be268602503b2a2f0e9ba4b817614183b4217192201f509056bd71fa8b6c8d7254e83510cdfacb9eb5b32d7a97dbf1399e17a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwIw.exe
Filesize
185KB

MD5
7b2cee1419be4cd0951fb28a9dd37feb

SHA1
3c00c3e82d20077057f9cbbba59d1eb3d6e5b7f9

SHA256
585bf6904ea5346e76aae9002967a6ecf787452a723221f70813441b0a489dda

SHA512
ecbfbc21772a5507323cec47338905d7e21b81b0d67ff9bdf2a1a12e78d0411bd6c091fc53d1241bf95f710fec9472eaff5ef083f6e865e940d6627f02fca3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEYI.exe
Filesize
1.1MB

MD5
6962dc7df41de5968cb586e388e55797

SHA1
621da5f1823e4eeb161ae0959bfebbb64e7a7a29

SHA256
7c4e0961b5d73f6e8fdfc0df1984bc18f0b13064ceb670028173220a6fe6843f

SHA512
101fd775c8ad134b09efe8a9622c665301a4f989a95651ceecfdf06f8a530a8c840fc5377bcfcab0bdd05f656a1c7368f59a2acb884ed23c5a15aca5c9557cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIQA.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkkU.exe
Filesize
1.0MB

MD5
3bae996982ecae880278c05741e8cee6

SHA1
65d0d53ea7ed8fe4069fa04465d5450c226816f4

SHA256
3e0054ba7cfc3e9c0506d431ef8c38404fa5cd8fb13a8a9004c39206b0a0a37c

SHA512
7b020ae0a0c247d71f40e3ea7a8fe770a8c962a779309ee386b4b3ebcfe9d764822a49c06a8a1d2f208c5dd13a5ac8b0e3f8ebbf3c73af7ac7f4dafc526803b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAAG.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAMS.exe
Filesize
200KB

MD5
46ba06fe63193715454303d1c0108a8a

SHA1
adfacdab57a1d337d4f44f27f0704ffb7d150ded

SHA256
739686a223036f7c3dc1f253e12e3962face770c36a3a06ef8ec5075218e0d06

SHA512
5af62ddd1f802c01e033419feffbd074bc1d3fc1c575f16f5da68ad0354da33576095e256de371aea984c23fdf7644dedebaaedd34b5bce1722700fcf7d362fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIgc.exe
Filesize
811KB

MD5
f6c165568ff831635d26121f291ea387

SHA1
be6361313561ea0b9af998cfd938a67806e68dc4

SHA256
dc883dad519269c887a6675f78b80df66d8ba3f5537434e1b338705dd3318761

SHA512
c5f11e7adf768784fcef66eb73cea6da8e801ddcdfe6d4d4484548d4590c89b54c61dc408a55a5a0278ec0eeb55cfffc4f795a5d2c5906bf7a9edc52a9a44950

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMwe.exe
Filesize
190KB

MD5
fce938a1027c2f598500e5f196fc3b19

SHA1
da7781f0b8215b363ec3cfd25eb8e21e528f5518

SHA256
50f3226e85db0f6399732f568551fc87ba62fd1f938ebe7aead38bd3434d8a19

SHA512
c6c433f7b53b3f1bdaa5b5138696ad077235f4ce46649aa61a53caaa1ffc7f8323bff7acf54441ad929001f2d74d13af7166588815138a562b5b8fba43fe1127

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoQE.exe
Filesize
181KB

MD5
e7760ecdd6cbf0acbbdd8004fb819bc6

SHA1
6325bb282341a2713cd86e594aaca471f160bb56

SHA256
8e2f741d135618fb3b4f968bf4db06b350a202fd09f83ba397cc68be8fce612c

SHA512
3bd69dcd086bccc35dd46858bcd12765855a3d7aac70df440d11539991dc61c50350535c7bc2bb55c2cfbfa375fdf4135edd80a3e0808936f5512a9361eb289e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwwC.exe
Filesize
198KB

MD5
b66edbb50bb1d2ce7bddf8014fc03f46

SHA1
d1eec1d566c9bab0a7808f406494d1c7bf06dd45

SHA256
47eb3693d022d3d051a906e8a89c10ec4e17fd8d95d0cb43e05f877d39104d8b

SHA512
1ec895b7e2c57ff8b441dce5d20fcd8b7decd6b2f7d36d2895baa644d6adbb5d1c403ea496cb02aa617293835d8c6f0dcaea580799c56d9867bfa7b61d279915

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEwU.exe
Filesize
190KB

MD5
eb2261e9428ec7bc61a9f8bda0e8c3e5

SHA1
34e985a1c5fe074bfcda4642fe129404e6f2b42e

SHA256
92696d78773da84628c5a153050856d0019554f1e92a565aa855d6dbce2af496

SHA512
5fe01af225747c78875299ccb78570e2e1e9e8aaa3ef72e5cd5decf772559b145658c62906eabd5cbfa789f8efa3ff5fb6526dd8626cb7d69295122a51572a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\OowI.exe
Filesize
210KB

MD5
d2c60e23a06cbe070abf3f0abc7d3815

SHA1
56397ee520243cf688d099e97fe3ef30292a475b

SHA256
cee7c1e4939f9c0e4214c7ea8ae2cc5280021b9494402eec0d762789dd1fc1d6

SHA512
0f600188f0a646f09a97db8de58f0e4dfbd9a9ef3c796950997f7fe4e507d9d2de1c049f094a2cecd77cd476f2231a9bbd8ba73f260f2cabf99ea4b217fde0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMQi.exe
Filesize
222KB

MD5
cbfe81dfe93cffd9d493c80a972b7e02

SHA1
f23d9d17d0a4439c7972e1b16d64bd7cd745d4db

SHA256
091ddd2e977d62fa94130e1f11149a94c0249459a4b690a831672b372bc1f1ae

SHA512
8de3f591bc4fa4d6cfb88e2436da25dffb88eadc2811a33974610f674564ab2adff7507954bf2b900f5374919c30382f5213314ad0988c5dfd500f4d73e2d25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMoY.exe
Filesize
789KB

MD5
8438b98e5deca29467b612d7a40ce06d

SHA1
cab6e22db10844c4c4c5009d7c1c0b74050af61a

SHA256
687cd4c963e3e46c39adc858abbac74d20d7b0e3fa0c0be6b637811c3a924f80

SHA512
9159ffa8f5f4f8017e5c5657fb24557e3f8fd8046d90cf9d5ba53e41fde59e3483b63b208cf5e314f9ffbf44c3863cf37fb880f8135c3b4f07e239ca0519612d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYwM.exe
Filesize
332KB

MD5
bb231efca8ad2256a01fbcf54c41c721

SHA1
5cd658d2eb7f36876fb48665d63eb9379a613e33

SHA256
689313a6dc20e3f2d1d70e42b1872b555eadcde58efcff62bb779f6be3496bda

SHA512
67576fa5da7efd9cdfc1f8ed11f25460a2234228ed68a9fdd9b59614ad1a7be4c3fae4eba19c5b7a65f1515e8800509a1ee8637c960410df6a4f599176af19ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYgg.exe
Filesize
871KB

MD5
fb26e5405eab04399a5fa8b23d74a679

SHA1
c329e529f04075ca15eeb4f16f6b004650e2acd8

SHA256
9040dcfae4386d9bd5483ca2f488689e369efc3a5b242e40494e1d05e13c25d7

SHA512
73530ba876dda3f4c00f50ffd7ac9e9a6f9b937e7e53ae44604b58532154087f8d9c13b2a12dfdf8b213e58e5c769919936a27a5c16d61cd3345d47ce1a250e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Socc.exe
Filesize
426KB

MD5
82a37fc7ec01c5559f1762362d1e4630

SHA1
408330c1cabad410de0ea03611771d76febc45cf

SHA256
1119e818405f4764de24754f784f62978bf0d6258b278056696763d652bba531

SHA512
51dd3ceec20f62c565c149f794b3a98fa488d1148665e720e420e648fb28ffae9eccb9c136601a72d48e54034c776305a2b88f8af7c7a98de4d6c0b135e592e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAYs.exe
Filesize
182KB

MD5
0be94f757598cdeb7e387d3ddbae5651

SHA1
4c29ca2a48c29b89fcdceda387a2baa342d99db1

SHA256
36414051a9abe5f78f8443e11b2fab70cbcfbb787af8009b0b40038760c30d0b

SHA512
932c54f96c6dd09e9c125eb034fd70d35b9753943975267d51911b9997e70e66ac8564121c1bdff7c0b31baf2c5e7f4d58895172e9d3934c00d6e8b43da7fa50

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEQa.exe
Filesize
325KB

MD5
d74a12aafa115cadcddd849f21c4f036

SHA1
e94e64b023684a0d9c5282a7832b37f5d07057c4

SHA256
e4d66cb588a7ffa5d467579ccc13f30957e77f3249d73f7c05a36acbccce828c

SHA512
0deda72338288fec18a483b4e463e73cfee9c60ad9bab685f5c6543ddf383d0f1ebde87e259e8456ee993cbb3cda55907c68391f118ac667f740929a6407cc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMQq.exe
Filesize
202KB

MD5
9d8e85723a52094039f5030207c39d10

SHA1
7e25d05631465a53b1899fd0d873daeb723bfe5e

SHA256
22a39ee95687cb6218fef8729bafc4c3fc1f6c3ec9a40904cacafd9be989b27b

SHA512
f5ad2935edec3970ed20b2fa33ef90fa709c32744b8e668381316c5125b7c21e82cfecfc62aed63daabd4184622c4ee0a3a40563481d05ea0fd1f69cbdf192ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAsy.exe
Filesize
195KB

MD5
1ccbd857ab3799222da1e809c2110a0c

SHA1
d1bac457a0760db054a01017e4e49a3be42b0d26

SHA256
f5afadda8f7bfb886ba928ab3f7ff34d4edece4002d55a55d250628889ef735a

SHA512
f2e93c35a7a5c61b43d38db5c8ee1b000d12f7535583a163eecb4f0ed664184ee629074e18bc214906c4356c0d3886f6925e0843da5c40b160a71a1a196af46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUUg.exe
Filesize
200KB

MD5
fbbd42392fb5badbb66465f15f6cf062

SHA1
c3b5daf1b5becb70def84e3fdd3bf017ef47bbc9

SHA256
fac4ee9b53a975cb75e5b1e0d0c8a32e0c373999feacc8a8d0e70cf63638fd53

SHA512
a4b61ee2f30005e0384f2ddb94b5fcb8a69157e059a702db756806eb5b5079ed231db596b62e371a15793512d08dbca913557e13eef2810bd75ce6c2e588953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkAS.exe
Filesize
648KB

MD5
e492acdceb8d675beacd96e5bfa49d8b

SHA1
0d40b80cdb3596a9d907c8dd7581a4eed38812df

SHA256
0811217f15e9d9a5909de8bbb1238c7e4d9aafbd64c4b0cda6fb22d5f6e9325d

SHA512
d04b6c24e2d51ebe39dcdc400b169e22128d40fbfc660fbf88e08cf7e776ccc730f2e87777dc344a9a63e8836fe26b90b020e26e7fd8bde76ac933a595777f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkgG.exe
Filesize
521KB

MD5
63fcd5cdc792ad021a33e9a11f23df74

SHA1
1e9aa56e7837596d46c94c7354c10e25d68d9e19

SHA256
5af1fe7327b7ce4798ce67af31950198c39c3834d1ee3124b7b8cec57b8e0956

SHA512
c14cc3ce00a6518b1385685774187b8fd636d7275345e77333aac0b64cf2351ebf1e54608f7bea109ff4b71bb894e56e73a5311b2dbae840c6547747e7118a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsUO.exe
Filesize
562KB

MD5
8aae302d95488ef2c7b25b20b4a1b043

SHA1
46ab32b6dfa2b6f651aa5d4a0adc39dc811734b4

SHA256
64f3aa8ae2ec4ecc87c43587f68f1858e4a3dc676306c681367bd1358e448dab

SHA512
2c760fb7f26d7d1cae480060dc3b6fbf067259332ff9fbe288fdaf8ea16736f84a0ae4964fd71a424cd15cbe4391dafa2cc3220abbe01bd5fa638670125bbf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwkM.exe
Filesize
835KB

MD5
416315a88e6b32e06e1d68c79ab37e26

SHA1
aeecb5e75652788196af7a6f23899193b93e8933

SHA256
47b71d425be41175d2ce9c792a450ffb3cb09b4834f900a6245c7121f4d49123

SHA512
9cc34cd03f1e8c96eaf31c4f9f3b0912c378c6239d96623c35611e3f6b6111171a26f62d6378ccf8c23192be1ae7974dd32c1f782cc2eae0b64ba32d7f958d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAUe.exe
Filesize
196KB

MD5
5be6a1d3a9a4f936bb96eec19183daa3

SHA1
9d0a5073a24846dc9ef78c60fef84e494e9ac765

SHA256
c03df1d550a58e6fb354876485124ef55d3caa0e8c64dce67163b7c612b384c9

SHA512
82080cc9b7a5a860077e1ffa78b42c596c5fab57ffefc5e52478ff52fd916059cb58933edd3781fe4ff9107100a71d96961b34cb25f2cd34a519fd48811e4f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEMK.exe
Filesize
189KB

MD5
aeed1651703c2e6e71fafa8dc071d2ea

SHA1
fa29dd78ac6b7fa2b6361ef90379c2a92eb0ccbc

SHA256
988e3146ad0d705483568d9f765657ec95259182f92da7b8b776e026054bbd43

SHA512
6bbaeab77174cd6097c8e96b6bda5d83a518ee773a0e3ee45428b8da5d32a6658b03c7f1decf0dec41602b1c46edd905d3dc746f1051b3ca81970c64fb55ccb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIMe.exe
Filesize
193KB

MD5
e51dad6990f44a90d92c31c0b2994fbe

SHA1
4eab58843e03413f29b15cdd3033054104bc0dcc

SHA256
9ba835dbfaa45262ce4a0c373dbb6fa2d0bb973dea88d46c643c73017dae1d22

SHA512
92dde904e506aad1c6470679ed11c42162eb140700ae7aeee3acb7fea18135fc9b839a744b77217ceda6cc8ec9550ba40f303f5666db12d67060e5fc08f40fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUgK.exe
Filesize
195KB

MD5
062a08da234e9e959370a6d13dd4e81c

SHA1
5546cdca6c9b586f0b2c9a1dd2ea5b18c3978323

SHA256
654aa60222a1c14a9580a1558d287d75f9825a343f51d4e1af36ffc15e3b1cd4

SHA512
c410a758cbc88e6a9d618d713b331aee61f642375329e53e0e378e40a8c9eef38ac0c10b4d4d1727fcb0f540cd13a9d6ec94840ad1542218ec9ca55bfaaa5ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcQo.exe
Filesize
628KB

MD5
1216de3a6c4ec61496f7bf565c06701b

SHA1
307dea1cc4227eda5f4a0e4d1a246669b4384ae4

SHA256
e5590cbce80e3ab3d89aa67b571af068c2537a2ce4ea17b4317c69ca3815ced6

SHA512
582d425f7952cd1fca07d43354b23cfa58c492eeba774f41a3bfc4c1d8fb9e1e4825672f42f3a9ed427d714df9f6078b69761269a35386793d95503909ce2681

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIs.exe
Filesize
193KB

MD5
d5592b7795828d29a94767dda6a3346d

SHA1
b0316ccaa498824fabfdba19f5fb2200cc2f42d2

SHA256
7bae98814e3390af983e9c4ca5de0f102f84fe43165ba77e53c004efe9dc7d92

SHA512
cfda2fe79c767858a91c228c338d8614731d836975d88ba22029d763c2bd6807f25fcba44e9ae621979a928bfeb1e02ae43e97fad24be3835f2aec364e196184

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMoc.exe
Filesize
190KB

MD5
d8d5602b47304197907a6c236ad8e6aa

SHA1
485a14fd2a57cff0ba351b61bd5f7af1bdd393be

SHA256
c7585df46eb02f164b6b2e1caa7bb07b4f168356b6a92ab037270eaa17b919c4

SHA512
08978ab469c617ee49b383421d4f00a0a9e596fbf83ba13f38ec88d82f6124daf769209844c35c5b87fe817053f4640cba9976f496d2bdd905a72199015342eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYck.exe
Filesize
208KB

MD5
5400a67cb95d58c8d38bc38eb8766c21

SHA1
71a768c2ff7760bc7aa549c85d5a79ca98124eaa

SHA256
94c039468f30e9e76e3fd03cbdd4ec6299ca241c175634a93ea02989b4e36e30

SHA512
73f64ec3857781371825f29a95f379cc0405a1ed42cb68fdb7713fec0fe22a469eb90adfea9444da591011f0a50cf3d5ae30dfb768ac0e5c1ee1bff0858211c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\acIG.exe
Filesize
204KB

MD5
71086fc96cebf5e9f002ed2fea20dcc1

SHA1
44fcaf5c17a23ad598a3e32ffc9e3ae57cfee891

SHA256
c87cf893a3b88c62c972a5cb8c9ce20da5adec229ac3cde02167ddb2d9533945

SHA512
c302a8226b14feaeeaa1dfdd2acdb499dfc8ae42930de7a18955da415e0a29a2423a7dcd329019119f727c79262e368448cfc6db71acb3a7585b5d6b2096b393

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoMW.exe
Filesize
801KB

MD5
17b80beb8676c2dbb2d32151633f6fcb

SHA1
07e495f133a115ddb792820f8e097c810af7d555

SHA256
3fceb5c20eb3c3bc315651f969cbdb9e9033f5a87cbc53105ed0750b32ab48d3

SHA512
bec5bae2bc20e42ed795ecebb4725aec5b0a2f5576c8c344203eaafeef660b81c87f8a3eca9bd23f9a7d37ca6e5fb108bd918dfbb3bfecb72a3400374b6620f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAUW.exe
Filesize
188KB

MD5
56ac0520783b41068eecc02b2aea14d5

SHA1
08d67c8035d1f8523ec363f7ffc81c72bfc96e17

SHA256
d32cdce1ba52c2e2a8c18f0728bb46a3640892819e2e480a19660c91c6ac0cae

SHA512
a873291c7bde87b250d123c781eb20264183e5e11d9f4da22eed2455ae22d3c243752d7e7c8155d91e99cc2ebf985081ab002c154509ce17a4b53f396f2a16dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAsc.exe
Filesize
206KB

MD5
2adb5f65a1516e6b8d7081c8c92dcf83

SHA1
7a000c28a6852bcc1cbf65085290f38a16cec0c4

SHA256
f161b10895766a5608aee9e1b3ffb7bd6a58883045ca9067413299279da0a811

SHA512
592bb6b65849224c57284cf479783f67ff2700f686e1c19b5153783e0511f9fc992579f24fc0239aea796d283ae4a69b180e566fc52717badd9cad0178ec4ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMka.exe
Filesize
184KB

MD5
d7bb6fd989a103270264dad3a2007411

SHA1
87d32f08bc7cd18bc18f5b550ad2d6579b7d4d17

SHA256
9e6914d891e81fd29c4f97234d2fd614720f342e75911a74e5c7479046d6959b

SHA512
12de32fe502be6d1e249f9bfee04214ea39acc3a9d786880be055d575c29bf1b2c70c6f81218834ca05eee380ac48571718940ce74f98fb2a29463d12e86bcae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccMw.exe
Filesize
224KB

MD5
ff76c742c80d8c16039568924491ebdf

SHA1
b327e592d132142a2e43d4d3ca0ea6be2afb9e50

SHA256
40d9dd6302a726f9c334d143c005ddadc1123bedeeb52f225b7c7251ba4be549

SHA512
58cc5878305ce25a29b8fb8496fe90a8b72c3b5e8b2e1a82eb5e8258f603e057338595119bc6850a00c75b5f350c16f9b6911731416594a257ef35e0cf32d765

Download Submit
C:\Users\Admin\AppData\Local\Temp\csEo.exe
Filesize
205KB

MD5
40edcaef75c2e2294107d998a1fd0c27

SHA1
9b6a42aaa9f9fa003d573efc9c156fee4b3f7f1a

SHA256
783542d4bcf21e2be847b31bd0bdc4489c7407494b3f39ff6481ad31a7064950

SHA512
153c0285df7f8d99cecac460df498cc11c56a893587136aa5b766710b65a8551d33b620f84682d0679c1b3f117c91d3c0dc0152657d5cd96401645a50ec6c51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csIk.exe
Filesize
195KB

MD5
7c90d1eb01362b088e3a69c877526816

SHA1
69ed7066746503500f4126c852b2a231f2f203f0

SHA256
2f4fe56f91f18ea58c180100b6c88c992ca4e328bd1da18a81a6adf9e5d4baaf

SHA512
884d6da7e9913dad4876bfdfa7eee3bec81e4f9b756fb549656687a415c3f89087def236d985659f58abf04f9e55c3b8c625635532ad6a4a8a2d204f4583bccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYAI.exe
Filesize
306KB

MD5
95ff8dca5763aae1a54708236a817483

SHA1
d2a5a85ab03729a6af51c6152e2ac63fe45b4314

SHA256
6847a8736d8ad3149932a9066f2e50ab74567b32adc87a8b2d00bc1b1f260964

SHA512
8859f28d2b41b4c2da913ef6c6a42614c1a8f1e7c3ea18831af5f31934f1a516f8189f70277a595507e7dc3d3ea9404a3187e65d33b09991beffe5da9197f0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEsO.exe
Filesize
1.0MB

MD5
1b359d2e551e18ff038f1dd298cf4eea

SHA1
82d378ef090e354c94ffdf7d1cf3d3ea2bddf62c

SHA256
6c58d8dbd5e76c22410383dfdc048b62d7302a975803a57056faef80c4651c63

SHA512
9a6117ed32a06e6467196a37cedbe5966b355f4819dbdad27f3ec7b8221e749043743f037750b76c3d6853b2551791b9f151700e7c586084f8583b0054453932

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIIO.exe
Filesize
199KB

MD5
fc8cb36a63b3d8282a437f9fc4a7c9b1

SHA1
e6f00343e599857d59bdeefbbb4759a9e8376ba1

SHA256
2f370370109e4e9c5e3ad692ddd47ba0b2e433cf694f11b574196f34870f0b25

SHA512
395c33c5827a53c2a0dd1180a890a8f1f0ceb0f6732ee0af2b8358ad9c3411002bed162568eb728fdc7ff2337a45e1bdaa4ee4a291f13ebeacc7c7258bbc4cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUMi.exe
Filesize
204KB

MD5
a5d8075eaf7120bdeeb28abe939138b2

SHA1
74bbe387a82f95c1dd4bb653c909cb557fa8b9b9

SHA256
93faea5112e61dee5559b12704fa96c1397f2d0431c0766d3a64fdc3fac91928

SHA512
0f04c631fc422a587453cee490ee003d618a7457382499f1f1c3dd8f8b8c86c529253413842b756c723d73a65e8d45f6d1b6d784953b45c38bc8bf44860f4bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYgy.exe
Filesize
195KB

MD5
d0305624471067e90c68f17305a9fcb0

SHA1
46d409033e48949abee8fc3311bc7412b612bf00

SHA256
2612dffdae1ff05256acf9b8d8d5035f4f7cd4d99729134715fb420c6fb17c8e

SHA512
2b09b8d1a2a6e64bd49b6586856c390e565c68f0f23dbef3bd99ce7da4097bc72b7419945c0205867f02d19f67b105cc333820c5f27aab9e3ea9d388fed40564

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcEo.exe
Filesize
215KB

MD5
c6cd058e7f44504052c0846eba9bc69c

SHA1
2d4c5568fec08af1324f5c3cf2e2a72249e65512

SHA256
e7ece88c8fe92e52c3a6ab9f4f0ee2d278bbe8e022887523e49a18267e7c3458

SHA512
d23c7f21cb145539b4be8ded0468ff78b4b8c34a62e8ebadacb8771395b2e2a9f3bda36324425293b49e296d4c8c9190fd4cc1b68f212b32398698cd1a271d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggUy.exe
Filesize
200KB

MD5
09aaba4d3cc1e8e1fc5c314321207807

SHA1
18943563ceb4236a87a5342d7ebc077772498cb9

SHA256
2d5d3e03db6961485adf84040d711b4236c4547563960d90ff82d8067d3adb1a

SHA512
0ae72b775f700c17450da6078b7964f73056870268a71adf92c2cc89905de6e8bfbd7222f8420b1ecc2b8952ec1fd2049bf17ba58426a337f53c210200c57584

Download Submit
C:\Users\Admin\AppData\Local\Temp\gooQ.exe
Filesize
183KB

MD5
6b1c33cb0a9abe3519f521c4108386d3

SHA1
bdcf2e8852c05ecac1fcc9222553d9d4fd47d6d4

SHA256
761f7fb8a480e97958b90488f8362d3b76a9e93dba946ca4fbb693d583fbf1db

SHA512
e49fb22d7e3babf15ece10cfdaf42e56701f7f33a05f6dd336fc25c483dfb00587805940529251fd85bbb937618ce6b09869d4e36b373db4fdc40d342c7c8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\gswe.exe
Filesize
637KB

MD5
42fbb7015196b2aab4d273665eb5d19b

SHA1
ec484fe03a7fb6a2c7f26666bb981522c117403f

SHA256
c1853c3dbbc64662c4265e66cca61c916e6e1533701716c2e613fe7a6f8a8838

SHA512
cb3b2d5fc2dea4c356449671d55b35773228f0344a39a547e51fa6e0ba6644354d43975128ccec3e2bdd23822e441d6884cce0ebe42439549d2be6237a8b5350

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwoO.exe
Filesize
205KB

MD5
bcc328121133181961c7785362880a8b

SHA1
4e867d9ab01967a99b8728e7496bb994c925749d

SHA256
e594794b70c1e917b81abd3246f67fe4bb4e3b6f86e63572b4b99081e901cdfa

SHA512
8940388bde6e8c4be1dd599ba5a9387e2fa0b77297c23bf12fd046acbdec37e54583261f9a95b4d89403d22bc75e9fdfa5566f8808ab95465057330697b93c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMsK.exe
Filesize
206KB

MD5
1b01d227035905e404dbe885aec2404a

SHA1
1ace234f1dc8fdb91ee0b7e5c22947a6b6c5b43e

SHA256
799ca975b1ec5952ef6b6b44ab33e85579a369e614c92dea46cbfe0cb20e5a7d

SHA512
20a3c452c8a36aa3a4fabd775f68122c10d4a4065da2af5c8647c12b3e8a9c2f6a72cf23ce92c88e36fc35930fd5305a71fc05fe739b0d7c1e269e6083da1bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\igsm.exe
Filesize
186KB

MD5
f044e36a22edaa2a14e82dc60d2fa819

SHA1
ea9bf3f1ece48b559939acbc21599c5b7cc4570a

SHA256
5aff938ebfcd6b88a4a027f5c8cd85feaac34d93d3051c160335e3baea7f7233

SHA512
989b96d6b4a67ae9f444512d518b308eba567b5f515ddd877f7ee9bcc3acbbd52cd581d7d936ec5c6160ee077fa14a9dba06f3645bd507cda34efdc4e0dfa28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMcC.exe
Filesize
5.9MB

MD5
14ea5505640cd4f44c2c762e2e688fb6

SHA1
4826075e554c024fa2fbee6d42a11532678c1b3c

SHA256
db8121054797f2d78e623352c08f7e6a7bdc09280456e933a9adf2088d77d37c

SHA512
f2ccb65402ab6cd635c0a63008427bead162418af0578fa622c34d3492bfcb722249da1e6667ab6ccf89e6eface3216c94b190ec790b92b7229cb6fba8738894

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMwc.exe
Filesize
194KB

MD5
149309c26e50546d7b41e7b6b576b326

SHA1
d245c08672776d48bd6ad95e7b29da54379319c1

SHA256
94971d226401241caadc26e3d9f39ccdc3fb2c132cdc3a9016d1548cc24df412

SHA512
a563739e03150e40f9efbcb151edc4618e77525de62d0ed7a63e6c70c168335f59f95621e7e8b2816fd6c5e664c6405b8cb7ac38414d0c8d628727f443d3ac6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgIy.exe
Filesize
185KB

MD5
a879c535dc772d6b1093365ba4caea4d

SHA1
a1ce1864ac8448f6781c10e2ab23125422d69336

SHA256
9ba8266f149cf44bfdd37f16f73a525304a4d8801acb6ccf13ea78db762db8a6

SHA512
d65a333cf00d329cd88cc73ea2c08e3b4da01d97994a3d6374a691c49c25295c987ec499d0c35a15ebc8857acf0f83dd2a674eb9dbedb55fe9beae3dcb191c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksEu.exe
Filesize
220KB

MD5
88b9c96f7fd3419ca8c9eb0258a51836

SHA1
67191a6a41fd0c296dd046305e29c99b610810b7

SHA256
bf69111713a6f4443e4cd1198f763b5f8aa9010a61cf3906c140ad9051fd715a

SHA512
423e4d8efb6d6b290b48d8765d47d4bc563fb1cf42ec7c5ac98295697e556b34e94b7505ab0c9711908aced3c5ae4747dc76930c3358e03cd9e3cbb752ab7199

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUy.exe
Filesize
194KB

MD5
3f80bc4cef69f1591d134a39fa5dce56

SHA1
10401dcd52c3f45f2cee0efa6736b8dc7bbc12ad

SHA256
076be79cc244ba7d3eef37106337ff0a5c0696f837c65712d17b22044c8dd9aa

SHA512
f8bb489882d3144ee0b39ba8e126be393b4da3678de581dcc4e0e68dfb95ec37a34e87e543abdc027e2838fda56d968226aaa4f4f376523df13996fcf1f4a3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYsi.exe
Filesize
650KB

MD5
94e315a04025ac88433272fa19a48b58

SHA1
d651b535ff5dae80c68676b8103ba0847e86893b

SHA256
ef7e22c0e69fd52a594a96cd0b797ba506bb86c4839b7953824c8bf3850669ab

SHA512
e2966f8b0922be3106249eb86d9cd247e3e45a4177a58c3ab8f3b42e580f84e0eb99e3ce6d8277b643675951d2e7b383be72dfb486228a56a75a340c961c4317

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkQS.exe
Filesize
768KB

MD5
903fd38071fcd13eed0f2dd00b59cb5a

SHA1
f31610f8b06225d9e0989f562c31c21aa63c1908

SHA256
82501adeb92c2592fee0fd55b60c89c945088b0454ddbf8a91cc82f31b9fbf0d

SHA512
fe49a7cd3852f897d73b6b3ea4dfaec2bbb7292c573cfe4ec8e8bc433571f85b2b9906bcbe0ba61c079651110165bb2f451ad02ebe0743f281c4414ad54b540a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkwc.exe
Filesize
227KB

MD5
8e07e47958291a697e3b46dd2d0a3d91

SHA1
334248bf1abf608205d417b67b8e95022a7194d0

SHA256
8414c509a3fb9cf751f0a43cc2f198e9c7faef3b7385722ccb0c73fb51fdb0fe

SHA512
1b60ab571bbec587802395a49dad44ebac2a2bdbccfce6655ca8aba86e47fded59afd4cb9f5940664913f25aee9edf746d49c7d9f127dfd2980536f9e443ba24

Download Submit
C:\Users\Admin\AppData\Local\Temp\mock.exe
Filesize
198KB

MD5
91bf47e1bed7bc9469ba0d487ead5738

SHA1
98ffcea9bbced7471d2903f531a52a6ae2293c5a

SHA256
dd7e1ff382eddc2c0cb1fe1644c85e3014e2adcfbff814326723567e8d2380d6

SHA512
60f6fe8efa7a1f1332f125c9497e03adec4a1755a1dd7735fe7fa3607151a5cead2d99a2e0cabff8e995352133bd10edf41b3ad8b3381c2678b86d7092bec701

Download Submit
C:\Users\Admin\AppData\Local\Temp\nooUMcgU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAwm.exe
Filesize
189KB

MD5
28a79ce04cd404c65e0643e55545a4ed

SHA1
be8128d0e004839e7add44c3544a8b6636c00251

SHA256
9bc9631316d7ccdb4d0f74d26d8048ee068a3cceaa1d617b45a98447ba95050e

SHA512
37072bf0cf9419bfd3655124ce678d293a433328fc165b44a85f6eb432db4d036a3332c326b7f68979ce00471cecd8ba7c6e250aab1689e5555cf650e1dea79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIkQ.exe
Filesize
203KB

MD5
0b71302aa814228f72aa4330447e6365

SHA1
8300568eab363f908c9450a796f9187289ecdb17

SHA256
11e1ff87aaff2536268d10a5a4384dc47819eb55316ad4fd24ca59890c5b26c4

SHA512
966b7ec2b8e5f4e60f63927635648f86eb2e2ab3dd557d4ae151a6fe6bdde3c8b97f9e5c140144e90cdca7048ab6ce5197809129678e9b899408fca227f16270

Download Submit
C:\Users\Admin\AppData\Local\Temp\ossc.exe
Filesize
203KB

MD5
c021e108e3552e8752dc12874507e492

SHA1
dc59b8de514c38dc3c7f36084deffc6880cd38b1

SHA256
a6e6417a094a79d7fc96d89e68e11bbdb4821762f185ec5166ef031967ef9403

SHA512
e22095e8a77cfafa3eebe060377f7f855b27f16618c6bc2742dd0e50f47f40246cf5d65309e073ef112dc7022c4668d9cee63ac9fd230636d68542616aaea992

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEwS.exe
Filesize
200KB

MD5
479a89ca85daef728a6f697411872a0d

SHA1
c281bc487f01316fb99c42d8e76a8d0b1729b14d

SHA256
ecabb6a699dccc1ba6cd0f3ea0b7f05dae1d49cf4c98aa57b7f05e13e90b4cc2

SHA512
2007c666f855f5a4afe1445ebcec0060ff2365bfaa367feb92ce6eca105d6cf204f11960a02196b174b2697849ab064472a23a4a5b413090ae4505ab485be988

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQIg.exe
Filesize
1.9MB

MD5
e82854822d71cf9a24cb75ea74cc22a4

SHA1
fd2bfb6982ed8c1008ed67873fc24be4c57d1059

SHA256
06b73ac12912a99e06b36fd557b08ecb72bafccfc5a477b1adbeaec4f04e4457

SHA512
ad8116a9122c89bad1ee2da8920df45d69fcd0d5f0283665061b9e92504da4b7cfbc76b6f5ddbef2dac23b03d9ab55a31aaa550514585fb2ed30c100ea6974bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEq.exe
Filesize
195KB

MD5
38992ab027ebed1bfda7e51d9aea67de

SHA1
46b71e9d6972b061e7a6dd4c17ec29a59a213f42

SHA256
1ba5686fce82c19610d39c3706ded38a6fc50c2dc70db2f844938a579ac2af9e

SHA512
fe612bbbcdb8ae8e8a0df0ac25f978f03a23bbb8bcc2ce202710510571eae6a1da8c05f0389d79ad3d1726ed00d9bfd6bac3d95d3ca9b3c5dd6525f2987d81a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\skUm.exe
Filesize
194KB

MD5
858725ec2f4995c3f1055cb62477391c

SHA1
441464c1519f389b4c691a0cc03c4aeb21c464ff

SHA256
daf4a60e38414e19fc01706d3bceade4f8d25a1d6b923489a58d3d400432679f

SHA512
0b1e6a4e91e3c1bbf1baa0fb8413a5b6a94d098774701abe9fcb8bb02b6e30a0f1e2d30eea35ef6d89df68ccfee92ec73d03b23f027ca557ebb1c629a55ea600

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAMi.exe
Filesize
190KB

MD5
5b34d68ac3a119d7dc46cbd4fe4cb221

SHA1
665137f5dbebcc887840f5e45a1d7ffbc892417c

SHA256
ca4b8e9c4b81e99922a85ec0b23dffe2fb79ab583fdd57f33738498055857cd5

SHA512
684453cb0a49925226232062360538a776a5119385f956bdf1aaf789255a0d9b22a263b009469cd97f9638480cee763af477bb13d81ba5f2c8b10226d25c9d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIgk.exe
Filesize
647KB

MD5
862a1c2cb3e016b891b82272de666eae

SHA1
b4f7463fb3249d29a55bc3d6b21cdb5cf532a644

SHA256
4116a4bebfb06743b15d90082eadbc7df0d9531c030c2a4b91e0e3fe09502baa

SHA512
65016154a8a85261690ea5b49c446479daa9f591bf229c50f77f3ee8ce5e39db22924d2615bcdb7df76d79242260d81deb25492dd8d2b0f466cf8b773c886d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQAu.exe
Filesize
201KB

MD5
0d8accd92277f4fcadf960697fa2730d

SHA1
524fef706b3f8941da8451eca24ab31b831ca69f

SHA256
4b99530407ab55b12d62435610afa8f7ffefc7b841d2772b83a990af250afb13

SHA512
797af0605011bac59e01bbca496e622e3977c35f2ed6a0ec32764707529c6b31e889997a97618cd5bb9df99efc180022f2d74ecfa01576473f4edeb6285664b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUEo.exe
Filesize
194KB

MD5
2547d4e821ddc25955324db74c45142b

SHA1
70960ec1a8e3d76bc36af6e0eeeb63146222d91e

SHA256
ba9043899db926ef7098e35c356c0fd2663e4539db5e0231b166860fdf70f087

SHA512
bef0a5c5809a42fe273ea0d510b7aebb098d25b90b7b3844fac129bfb2181b04396c6f80e6b6c571516f4912526d31bc28345ffcef55a0ab9bafd5075af6f741

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugIw.exe
Filesize
776KB

MD5
0fa17f45fc0b30006c25ebe905eea107

SHA1
2b6d59dc6c4e0e91917bff11b10b2299472e5667

SHA256
31a9b583552293c03556d125ca7561fc9f427bc31e087e9134c65358f1012c0f

SHA512
d0f3837518ed11c6de1f20cdf16f90dc8c48b5ca2181a21c5df438a151f8172ad8eda5c15931a10d6a81087b3d0bf50fc18252eeee51f0ba73c9efd9fb8bd806

Download Submit
C:\Users\Admin\AppData\Local\Temp\uowC.exe
Filesize
199KB

MD5
47c3f8f64df027a54ed9406a12486636

SHA1
208b24c25801102bc68dc634050e0a75162b5a6f

SHA256
a825132ca1a3c28bbd22d861f3796a76de1748b9ab2f12b5143738bb3fa8ae77

SHA512
751726c63ccdce419e6f00fa705d817c4f3b6b75b7fd9936460eeb2c367b231f7893835edbe9eca97ff0d0b082daaa055369ee0ee4ea231947b58e89ec6cc1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEME.exe
Filesize
894KB

MD5
629435599806887d336d61c9865097dd

SHA1
552d1e509711acd51c4423cb2ba12336337e0490

SHA256
746824156999c6547616d98bf59268afccadc59495144f530d65626040194b23

SHA512
f623e9c82eb953f9f08a68f1f827551335dc9b920ec122268ee1b659215f41a16f72c48a5d312137647bf04144b08c142c3f24ab0f16893899f03972da18ee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEYY.exe
Filesize
1.8MB

MD5
b1c3fdcedb26790ae9c51c0335861471

SHA1
677135687e2311dcf2935222394c92c9f5f8146f

SHA256
16f178fb07f68c530597a6b23022b792f6bfd84ac6823e15a940b187744023aa

SHA512
9ea2b9641a06466a4e26eccd0b4e4ccde9314e14aeeafe5bcf05972607526c574dff240e74475348af3e44846ab69b824119f1e75c5a093693bbb69b88661221

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUMa.exe
Filesize
197KB

MD5
f47cc9cea5cb3c23f8539a656b8df4d6

SHA1
0aba2360e3a3c0d08c33fc324fd06bf0ebb630fb

SHA256
e464cfff3bbe6be5f58f2c6667e62e54060369183bfbe06c87ba394bdf59ab1e

SHA512
d39b1f37f68b88cabd78280ef47ad511cc4d03c41acd465eae48de6754676acc00a1e18d626279c91716e4d9517953f1aaaa9cf6ca6d60cd14d5aef86ee40e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUUs.exe
Filesize
218KB

MD5
bf4846a4612e7461409ea851a028e8db

SHA1
328cc742fbe67357b96d706501e210708d99f893

SHA256
3d8b17dcd3cc6dd7382aa4cf1f75fa0cac14a790d973ed406d818c4b156ef853

SHA512
da8cd9ab9dd3b3e3bc833bfe47da08c8cac866c0460cc69d2409fa25e54c1913638755555628a3f3e1cd2826117c16e0a7ad7bc2ee989d72ec2084f84a810533

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYYA.exe
Filesize
188KB

MD5
d560e151b43a5390d93c6d21e00fe064

SHA1
a5b3f9c78b94ce9d046d67c2edae8a9603849f31

SHA256
ee549b511f212875926d818ec04d335af3ccdf44361204244c85eb045234782d

SHA512
cb189f60efc830bf64ae999112e566aa764a1dce6fa72dd5d782941640e20c10d44860aca261d3cb6829dcdcc1d971d7474f851d088cce03361bc4dd02749999

Download Submit
C:\Users\Admin\AppData\Local\Temp\woMO.exe
Filesize
200KB

MD5
42b7377ac454616964d620b7437daada

SHA1
40573ef4b3547d1765a2281fb0d128ac5256de98

SHA256
4f74bbe561ba05085b2a419b72bdcdf65b40e3234400fa04411c1a55ede274bf

SHA512
7bb737ed7a4a14d298fc02169d165d00949a658f31c3213951d04b653a5ad96beec938127204adefbce132f4e5d8db037c6c0a98e194f3cd27859e6dbfea9684

Download Submit
C:\Users\Admin\AppData\Local\Temp\yccy.exe
Filesize
184KB

MD5
1513fc570773dbdf961c611b3019402d

SHA1
b4b6860b57804209ee70302a8081bdb137c7c0f5

SHA256
ffe4f361cbe0e3e7780d4abf7bd1d9e8cd3c21eaf767c9029501c83546df1e88

SHA512
fe9f713ac6f351d4c21a7953fed399ffa8347136fb067231f5b9d212d32c322607b7e18b9c8e33a379d9105da8aa416e7951c3e1d4362ac9269c73b870827b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\yogS.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\Music\SearchJoin.mpg.exe
Filesize
930KB

MD5
de92b2bcf176683161b1a34449bd4f32

SHA1
15f18c6d9bef499726ba685f60f17740b493bed6

SHA256
8e801e3d35988cfbdb34c4747b1173670b3ee8c97221f3f06a9b2711c4e678a4

SHA512
ce651ce4318e4fb1148d71d1db9b7eca7b914a8e58871f1af2cb5d31f37896baa9a6fc96db6b920f0ef8637091b4068cab030862a68432e2e7032386abc68238

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
Filesize
204KB

MD5
b61fc638aaa6ccef45e6405798e86567

SHA1
7ad46be87a665ad3f8c533fd2fa8c54abf3a89ed

SHA256
734675401bf971e67823fde6321b1890c7c2c5313131dc488466dbd4010e1f50

SHA512
a2ef1cc6d5323b74cd9d9286cb5d6adf6a57e745da77f2b4e3f4736d38b030ea434000a633d3ca0eed7d81c3cfa1cca6dceb8329ab5154dfa469934e884c4731

Download Submit
C:\Users\Admin\Pictures\StopUninstall.bmp.exe
Filesize
1.3MB

MD5
46d833d8444a6309c699e1e039c9827f

SHA1
87cd701eb5dda4a3279af0b2d260e47f6f71ec10

SHA256
84eb4cf61de8de949a765eb66872d02d21218899edc8d200250892f8ed522b4d

SHA512
7d5d078cbbe069f9bcfdf425de6b1b9a4178faf49ebea19d54ee28299380b1a9e28f799626eb63861cf7fe7ecaa2e4450bb26e9ace14565511acdc3b7185aee8

Download Submit
C:\Users\Admin\xyQQUAUc\mqAMUEAc.exe
Filesize
184KB

MD5
b32e6877a12f4c360f5f7b85ba126919

SHA1
ff7057f85cc7a75d235254cafc7eb4614c765c4f

SHA256
f7d0901aae4dbde7c2aa2d7d870ec0f50a885cd6dcc16bfe2dbf3c22a956026c

SHA512
d00f8d8b006fa71747dc4505b530c07bb632659b6bac39edbea96303250e8ca54c25b80c80b6010eecd7285000582f5673abbd61d10dd5497c3039540e962e60

Download Submit
memory/60-33-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/208-90-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/208-106-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/364-511-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/392-323-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/392-310-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/516-341-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/528-369-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/528-356-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/672-376-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/672-389-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/712-398-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/712-385-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1056-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1056-206-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1124-366-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1124-380-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1156-214-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1156-230-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1412-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1412-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1588-294-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1612-254-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1612-238-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1664-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1780-492-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1780-484-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1916-336-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1916-351-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2164-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2164-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2200-418-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2200-403-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2416-531-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2416-539-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2476-519-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-431-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-445-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2804-529-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2804-520-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2868-475-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2868-483-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2872-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2872-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2876-347-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2876-360-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2948-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2948-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3016-548-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3116-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3384-314-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3384-300-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3500-29-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3500-45-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3608-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-127-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3784-143-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3876-262-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3876-277-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3964-226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3964-242-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-273-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-285-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4084-114-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4084-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4276-451-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4276-463-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4288-446-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4288-455-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4332-414-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4332-426-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4424-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4472-319-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4472-331-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4472-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4472-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4636-155-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4804-266-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4804-251-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4880-544-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4880-556-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4888-465-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4888-473-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4888-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4888-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4968-407-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4968-395-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4980-503-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4980-493-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5020-435-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5092-118-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5092-290-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5092-305-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5092-102-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5104-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5104-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download