da42c40cc93dadc086f85f730d8c76b91aef695e4aff37929fc08cc499a8ddc1

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202405226a92195e4429fa42c588eb4193d18426virlock.exe
Size

189KB
MD5

6a92195e4429fa42c588eb4193d18426
SHA1

1ce3f60ff39f8497f47eadc456146f2bc04dc115
SHA256

da42c40cc93dadc086f85f730d8c76b91aef695e4aff37929fc08cc499a8ddc1
SHA512

f91b84e3e89183dea4ec0f9b44bf7595dd660659dd8a3f67e72ff0cc876497d4edf4bc4f2c52916f8343b732a35e90795662a05bbf122aeca87c82b89ce3ff2b
SSDEEP

3072:lkg2UE2ZPRBrVC+bmdxyd4m52dVFMKjIcxzzql4BkVP6LQ+9Xgm:lJ2UfbBrpbaIJAuKcYBkVP6cwg

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 4 IoCs

Processes:

flow pid process

41 1096
44 1096
48 1096
49 1096

flow	pid	process
41	1096
44	1096
48	1096
49	1096

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ZGYcggIs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ZGYcggIs.exe

Executes dropped EXE 2 IoCs

Processes:

ZGYcggIs.exepugEUckk.exe

pid process

2292 ZGYcggIs.exe
1864 pugEUckk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

202405226a92195e4429fa42c588eb4193d18426virlock.exeZGYcggIs.exepugEUckk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZGYcggIs.exe = "C:\\Users\\Admin\\yMwEcscI\\ZGYcggIs.exe"	202405226a92195e4429fa42c588eb4193d18426virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pugEUckk.exe = "C:\\ProgramData\\XKIEEwoQ\\pugEUckk.exe"	202405226a92195e4429fa42c588eb4193d18426virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZGYcggIs.exe = "C:\\Users\\Admin\\yMwEcscI\\ZGYcggIs.exe"	ZGYcggIs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pugEUckk.exe = "C:\\ProgramData\\XKIEEwoQ\\pugEUckk.exe"	pugEUckk.exe

Drops file in System32 directory 1 IoCs

Processes:

ZGYcggIs.exe

description ioc process

File created C:\Windows\SysWOW64\shell32.dll.exe ZGYcggIs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	ZGYcggIs.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2900	reg.exe
2304	reg.exe
956	reg.exe
2552	reg.exe
1912	reg.exe
4392	reg.exe
3600	reg.exe
3640	reg.exe
1128	reg.exe
4984	reg.exe
3340	reg.exe
1912	reg.exe
832	reg.exe
1212	reg.exe
4400	reg.exe
4492	reg.exe
4476	reg.exe
3788	reg.exe
4912	reg.exe
1476
320	reg.exe
1548	reg.exe
4360	reg.exe
2248	reg.exe
2552	reg.exe
4136	reg.exe
4376	reg.exe
2356	reg.exe
512	reg.exe
1296	reg.exe
2492	reg.exe
2316	reg.exe
3692	reg.exe
4888	reg.exe
3248	reg.exe
4428	reg.exe
3788	reg.exe
3992	reg.exe
4572	reg.exe
1912	reg.exe
2736	reg.exe
3884	reg.exe
2860	reg.exe
728	reg.exe
4872	reg.exe
2056	reg.exe
1496
4984
3692	reg.exe
728
2620	reg.exe
1212	reg.exe
2040	reg.exe
1296	reg.exe
1496	reg.exe
388	reg.exe
864	reg.exe
728
3640
876
2964	reg.exe
4048	reg.exe
3600	reg.exe
872	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe202405226a92195e4429fa42c588eb4193d18426virlock.exe

pid	process
2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4872	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4872	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4872	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4872	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3788	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3788	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3788	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3788	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3168	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3168	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3168	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3168	202405226a92195e4429fa42c588eb4193d18426virlock.exe
876	202405226a92195e4429fa42c588eb4193d18426virlock.exe
876	202405226a92195e4429fa42c588eb4193d18426virlock.exe
876	202405226a92195e4429fa42c588eb4193d18426virlock.exe
876	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4836	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4836	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4836	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4836	202405226a92195e4429fa42c588eb4193d18426virlock.exe
208	202405226a92195e4429fa42c588eb4193d18426virlock.exe
208	202405226a92195e4429fa42c588eb4193d18426virlock.exe
208	202405226a92195e4429fa42c588eb4193d18426virlock.exe
208	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4688	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4688	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4688	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4688	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1172	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1172	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1172	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1172	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1504	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1504	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1504	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1504	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2232	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2232	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2232	202405226a92195e4429fa42c588eb4193d18426virlock.exe
2232	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1488	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1488	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1488	202405226a92195e4429fa42c588eb4193d18426virlock.exe
1488	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3996	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3996	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3996	202405226a92195e4429fa42c588eb4193d18426virlock.exe
3996	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4552	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4552	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4552	202405226a92195e4429fa42c588eb4193d18426virlock.exe
4552	202405226a92195e4429fa42c588eb4193d18426virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ZGYcggIs.exe

pid process

2292 ZGYcggIs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ZGYcggIs.exe

pid	process
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe
2292	ZGYcggIs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

202405226a92195e4429fa42c588eb4193d18426virlock.execmd.execmd.exe202405226a92195e4429fa42c588eb4193d18426virlock.execmd.execmd.exe202405226a92195e4429fa42c588eb4193d18426virlock.execmd.exe

description	pid	process	target process
PID 2512 wrote to memory of 2292	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	ZGYcggIs.exe
PID 2512 wrote to memory of 2292	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	ZGYcggIs.exe
PID 2512 wrote to memory of 2292	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	ZGYcggIs.exe
PID 2512 wrote to memory of 1864	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	pugEUckk.exe
PID 2512 wrote to memory of 1864	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	pugEUckk.exe
PID 2512 wrote to memory of 1864	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	pugEUckk.exe
PID 2512 wrote to memory of 3024	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2512 wrote to memory of 3024	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2512 wrote to memory of 3024	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2512 wrote to memory of 2908	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2512 wrote to memory of 2908	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2512 wrote to memory of 2908	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2512 wrote to memory of 3552	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2512 wrote to memory of 3552	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2512 wrote to memory of 3552	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2512 wrote to memory of 4516	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2512 wrote to memory of 4516	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2512 wrote to memory of 4516	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 2512 wrote to memory of 872	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2512 wrote to memory of 872	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2512 wrote to memory of 872	2512	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 3024 wrote to memory of 4536	3024	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 3024 wrote to memory of 4536	3024	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 3024 wrote to memory of 4536	3024	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 872 wrote to memory of 2172	872	cmd.exe	cscript.exe
PID 872 wrote to memory of 2172	872	cmd.exe	cscript.exe
PID 872 wrote to memory of 2172	872	cmd.exe	cscript.exe
PID 4536 wrote to memory of 972	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 4536 wrote to memory of 972	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 4536 wrote to memory of 972	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 972 wrote to memory of 4864	972	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 972 wrote to memory of 4864	972	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 972 wrote to memory of 4864	972	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 4536 wrote to memory of 2560	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4536 wrote to memory of 2560	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4536 wrote to memory of 2560	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4536 wrote to memory of 2304	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4536 wrote to memory of 2304	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4536 wrote to memory of 2304	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4536 wrote to memory of 932	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4536 wrote to memory of 932	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4536 wrote to memory of 932	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4536 wrote to memory of 1276	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 4536 wrote to memory of 1276	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 4536 wrote to memory of 1276	4536	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 1276 wrote to memory of 3560	1276	cmd.exe	cscript.exe
PID 1276 wrote to memory of 3560	1276	cmd.exe	cscript.exe
PID 1276 wrote to memory of 3560	1276	cmd.exe	cscript.exe
PID 4864 wrote to memory of 2900	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 4864 wrote to memory of 2900	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 4864 wrote to memory of 2900	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe
PID 2900 wrote to memory of 4872	2900	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 2900 wrote to memory of 4872	2900	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 2900 wrote to memory of 4872	2900	cmd.exe	202405226a92195e4429fa42c588eb4193d18426virlock.exe
PID 4864 wrote to memory of 4744	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4864 wrote to memory of 4744	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4864 wrote to memory of 4744	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4864 wrote to memory of 4708	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4864 wrote to memory of 4708	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4864 wrote to memory of 4708	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4864 wrote to memory of 1856	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4864 wrote to memory of 1856	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4864 wrote to memory of 1856	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	reg.exe
PID 4864 wrote to memory of 1840	4864	202405226a92195e4429fa42c588eb4193d18426virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
"C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\yMwEcscI\ZGYcggIs.exe
"C:\Users\Admin\yMwEcscI\ZGYcggIs.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2292

C:\ProgramData\XKIEEwoQ\pugEUckk.exe
"C:\ProgramData\XKIEEwoQ\pugEUckk.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
8⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
10⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
12⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
14⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
16⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
18⤵
PID:2332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
20⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
22⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
24⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
26⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
28⤵
PID:1476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
30⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
32⤵
PID:2304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
33⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
34⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
35⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
36⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
37⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
38⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
39⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
40⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
41⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
42⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
43⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
44⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
45⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
46⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
47⤵
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
48⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
49⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
50⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
51⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
52⤵
PID:64

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
53⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
54⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
55⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
56⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
57⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
58⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
59⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
60⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
61⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
62⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
63⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
64⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
65⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
66⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
67⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
68⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
69⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
70⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
71⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
72⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
73⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
74⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
75⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
76⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
77⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
78⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
79⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
80⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
81⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
82⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
83⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
84⤵
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
85⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
86⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
87⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
88⤵
PID:64

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
89⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
90⤵
PID:1416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
91⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
92⤵
PID:3912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
93⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
94⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
95⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
96⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
97⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
98⤵
PID:3744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
99⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
100⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
101⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
102⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
103⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
104⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
105⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
106⤵
PID:1096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
107⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
108⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
109⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
110⤵
PID:428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
111⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
112⤵
PID:4204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
113⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
114⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
115⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
116⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
117⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
118⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
119⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
120⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
121⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
122⤵
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
123⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
124⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
125⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
126⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
127⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
128⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
129⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
130⤵
PID:428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
131⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
132⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
133⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
134⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
135⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
136⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
137⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
138⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
139⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
140⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
141⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
142⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
143⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
144⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
145⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
146⤵
PID:3168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
147⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
148⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
149⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
150⤵
PID:1912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
151⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
152⤵
PID:3884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
153⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
154⤵
PID:2964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
155⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
156⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
157⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
158⤵
PID:1096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
159⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
160⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
161⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
162⤵
PID:4176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
163⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
164⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
165⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
166⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
167⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
168⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
169⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
170⤵
PID:956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
171⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
172⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
173⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
174⤵
PID:4628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
175⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
176⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
177⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
178⤵
PID:3220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
179⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
180⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
181⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
182⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
183⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
184⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
185⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
186⤵
PID:320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
187⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
188⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
189⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
190⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
191⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
192⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
193⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
194⤵
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
195⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
196⤵
PID:1804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
197⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
198⤵
PID:2708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
199⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
200⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
201⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
202⤵
PID:3220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
203⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
204⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
205⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
206⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
207⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
208⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
209⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
210⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
211⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
212⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
213⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
214⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
215⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
216⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
217⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
218⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
219⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
220⤵
PID:876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
221⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
222⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
223⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
224⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
225⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
226⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
227⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
228⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
229⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
230⤵
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
231⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
232⤵
PID:3740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
233⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
234⤵
PID:64

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
235⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
236⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
237⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
238⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
239⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
240⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
241⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
242⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
243⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
244⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
245⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock"
246⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
247⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIcAoQIk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
246⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUkAYwUg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
244⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:3740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
- Modifies registry key
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaAAYsEs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
242⤵
PID:1692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeYsoIAs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
240⤵
PID:2900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQIwUokw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
238⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:3204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuIkoMww.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
236⤵
PID:2944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:4832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:4136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- Modifies registry key
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASUEYcMc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
234⤵
PID:4460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:2944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSEsccYU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
232⤵
PID:4404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zecAYsgI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
230⤵
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIEkgkIg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
228⤵
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
- Modifies registry key
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYAwoYAw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
226⤵
PID:3884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
- Modifies registry key
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:2116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUAUYgwM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
224⤵
PID:1504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:3396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
- Modifies registry key
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
- Modifies registry key
PID:3640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kakkQsAI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
222⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies registry key
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGIcwAgs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
220⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies registry key
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
- Modifies registry key
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feooYEQc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
218⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaMAYscQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
216⤵
PID:2240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- Modifies registry key
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioQwEQQA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
214⤵
PID:2552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmQkIIso.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
212⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies registry key
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieoQwsIU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
210⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:1212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:3584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQgQoIcg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
208⤵
PID:4912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWUUYQEE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
206⤵
PID:4628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
- Modifies registry key
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reMcgkEs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
204⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:2192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZugsAscY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
202⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGAsYEko.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
200⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
- Modifies registry key
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmwYckUY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
198⤵
PID:1468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwsscwAA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
196⤵
PID:648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiYkscYA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
194⤵
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:4556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
- Modifies registry key
PID:4428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSEUAEMw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
192⤵
PID:3828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:1480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuUIMUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
190⤵
PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies registry key
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYIIYQoc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
188⤵
PID:4140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEkMAocU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
186⤵
PID:1480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:4456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmYoEwkg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
184⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUEAkgAA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
182⤵
PID:2708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:1128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:3244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecwIAkgo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
180⤵
PID:1896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:1816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
- Modifies registry key
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGcEYgwM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
178⤵
PID:388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies registry key
PID:3692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:4380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSoMoAUk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
176⤵
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:4708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGMgAAAw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
174⤵
PID:4136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAssIYAU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
172⤵
PID:4456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies registry key
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogUgAksc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
170⤵
PID:4836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKIUAoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
168⤵
PID:1272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:4628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEIcAoIY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
166⤵
PID:2792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoIIkoAA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
164⤵
PID:4556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKkMkkIg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
162⤵
PID:2792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:4556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUkMMcsU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
160⤵
PID:2552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScocwEMU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
158⤵
PID:1440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWEcMwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
156⤵
PID:3232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqEMkIsU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
154⤵
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:3900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYksYYos.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
152⤵
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- Modifies registry key
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGckEQMM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
150⤵
PID:2364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYIEEQso.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
148⤵
PID:428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAUAkMcw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
146⤵
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkAoYgIY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
144⤵
PID:388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:1816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKwYocUA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
142⤵
PID:1804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAkQcQYE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
140⤵
PID:1128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:1480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dskIcMww.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
138⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWgsccEk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
136⤵
PID:4628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSgYkkYE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
134⤵
PID:2056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:4424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- Modifies registry key
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUAUYkso.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
132⤵
PID:2600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:3992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:5088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgcsQQsY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
130⤵
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:2900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:1480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWgMgYMY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
128⤵
PID:3908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:3600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poYAoEYI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
126⤵
PID:3248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wasMwgUI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
124⤵
PID:876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGAkUQUU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
122⤵
PID:4912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omAkwcQw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
120⤵
PID:1912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkIAIYIU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
118⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:3168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqwcIoYs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
116⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:1416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
- Modifies registry key
PID:388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuQcgQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
114⤵
PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies registry key
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teMEAEgI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
112⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:2228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
- Modifies registry key
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmEYkMgI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
110⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciYMsYkg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
108⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
- Modifies registry key
PID:2316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:3232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCAAUEQk.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
106⤵
PID:648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
- Modifies registry key
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQQQYAUY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
104⤵
PID:4560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:1772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:4400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMIMYQgc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
102⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
- Modifies registry key
PID:956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiEgMckE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
100⤵
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSkAoEAo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
98⤵
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:5016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:2552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
- Modifies registry key
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySksIYwc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
96⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYgkcoUw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
94⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiwgIEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
92⤵
PID:4460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcAwYkUs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
90⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcQEsEEU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
88⤵
PID:1440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:2240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeUYUIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
86⤵
PID:3600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:2116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAUAQMUY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
84⤵
PID:232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:1144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEccIYoI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
82⤵
PID:1892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMokgQQA.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
80⤵
PID:4504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEUAAEco.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
78⤵
PID:1148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:1280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkMoEYsM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
76⤵
PID:1332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:1772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGUokooo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
74⤵
PID:3992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:5016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:2196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYEgsoYY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
72⤵
PID:1416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sScoUQEI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
70⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:3692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKIgsMMM.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
68⤵
PID:4600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- Modifies registry key
PID:4392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gckIsYck.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
66⤵
PID:660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqoQUksw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
64⤵
PID:3884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUEEIEMI.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
62⤵
PID:2964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuMQswsU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
60⤵
PID:2040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies registry key
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCUkssUU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
58⤵
PID:1212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyEEEEgY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
56⤵
PID:1636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:3248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEEgUcgo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
54⤵
PID:1096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSYYcIcs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
52⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUYwksow.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
50⤵
PID:1664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKsgwQUs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
48⤵
PID:4512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIIwgMwU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
46⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIcIAYUY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
44⤵
PID:4576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGMMgsow.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
42⤵
PID:1332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEoYAUAs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
40⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwkIsIMY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
38⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMIwUcoE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
36⤵
PID:5016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcEoccwU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
34⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEAQokYw.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
32⤵
PID:1172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuMMgoAs.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
30⤵
PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcoQMcIo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
28⤵
PID:4960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwgEUcoY.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
26⤵
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:4512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKUQMAko.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
24⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUwwwUgc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
22⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- Modifies registry key
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOMQwssU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
20⤵
PID:872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voUUkYAo.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
18⤵
PID:2844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies registry key
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIUkAggc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
16⤵
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsYEIwoE.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
14⤵
PID:3692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWAwIkwc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
12⤵
PID:1176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCUEUcQU.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
10⤵
PID:4460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgMcsgsc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
8⤵
PID:1332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuUAUgMg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
6⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQQUMIMg.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jicQwUkc.bat" "C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2260

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4180,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
1⤵
PID:4960

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
233KB

MD5
235d1b30e371abd8092250d026835e76

SHA1
6138e689ca08b6873c6f193e4441016033ed7c73

SHA256
5d809f7ee6d2967d958fa94e5e7b684055d4fa0e885f22db18796570b1801783

SHA512
c27d777f010abfe7a0c3d353482082234ab3d03989a3396f3f4ebad83b8d887535435bcd90f6a774e6a7600ee2b48eea43b56e426e657d7c2505805fd5e84564

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
225KB

MD5
7fd56808684a502d1d6f74fa769c9ea0

SHA1
7b51321b65f9174ea56e87cf8c8f1565dd1b6865

SHA256
2282e41c48d120ce406107d8d2fe7b72081110002aa09ff847595bb59a69a9fc

SHA512
ccd362205a649b3316c002c7318363693913dac859c27fc11b0103606ad6ea09f31c135599dee93d8b643df8995751d46bbb9fb8118925c02777c6b20e76532e

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
Filesize
653KB

MD5
4188d8bfc8baba12936a7536005696fe

SHA1
aff74c7fb2fb54b1ee17afc7b0d1e5c4696d8dc4

SHA256
e5da850e8d9c0db59498acbdf8fe9bcdb7582165522b309157f2f086ef9e6477

SHA512
0a3be0e03a7de4f2312039e4640050f9d5a8838055c1fc5e3a44381768ada24cff8e0842bde3346a49d422f9894a388605fe8ef67a76c8a0ee49f4ac8f3969bd

Download Submit
C:\ProgramData\XKIEEwoQ\pugEUckk.exe
Filesize
191KB

MD5
8e2e5e077acdcf473fdf008a3fd044ba

SHA1
f5940c6fdb8f68cbd6716bd7948239782fadc2ce

SHA256
1c8be303f4c7a259d1d6e34c65341cc3a0432c479de39779cae753e873a34eb3

SHA512
8efd96f7dd1ef2d9c371663e0c0738ce45de102350506fbc37b1f37d48ab902effac5855f7751502bb8a0a44b0664adbe593fea48cbbe80584ba76b2d3bf90c6

Download Submit
C:\ProgramData\XKIEEwoQ\pugEUckk.inf
Filesize
4B

MD5
ba0b9a18b60e7341977200658f6110b6

SHA1
ae494a7339bd1629925e8cb72af43c4d7b09c862

SHA256
0aedc5273d4eeb43234a713066e7cf0502600499773833301c35a3f63f3267ff

SHA512
c21bd035995fef495236b36d3e1e1bf3968cb32e802d76ecd190e3a5aa116bfaaac25b76f9710a927e16ec8c6bcc90ac415ccd87c542c696c19faa87b841bd6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe
Filesize
206KB

MD5
a6fa8175dbb8c43ba7d126851f6b4670

SHA1
90e6ef61b97caeb8b84794cffee5714af86573b2

SHA256
cf626e696573ca6d8c3c2bad0ebfc70204f6b945a13ee13080dfce7bced6b66a

SHA512
22b896feabee5b1dad53cbcbeafb9a9cbbb4ec23977ea9479011ec51b3f12078a2886296cfee90fe06a632d57445427ccadf6f6bbeac6a990165ae2b1fee5779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe
Filesize
196KB

MD5
d186f3960af81c7ecaf4796080f6a5e1

SHA1
27db6880ee2d9eb7b649fc8bacd824460bf923e4

SHA256
f3d011c65eaf60c0d3b2cef3f8623d6546fd5527ed1e655cde998b67c97a852d

SHA512
089429c21283aeb4d61564f3f852490a01e8b22ee41faa275ee562f5f393ca05bb262181cba788a69bca63e39d319faf8fa66802878cd6195504072bcd9fa0de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe
Filesize
223KB

MD5
5090b659571a49bb413272e8cb58d3c9

SHA1
ee40400de9a7062b485164553ae2b5171b89497d

SHA256
d3a34b6a95aabdb50254cc4902b392630ce889a989f8649983a4d92f01ebb975

SHA512
88371b9b2ea24241a355fe177c840aa252683dc29729af9d263b77df638de8bb0e14c111c3e7f7758477cff5f385a3b33a63082ceb98021fd5ef758de15d5862

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe
Filesize
192KB

MD5
66561faec67b33221dc31870b5ffcc31

SHA1
839cfb9f73d859a5a0d64e50bd05676b8d888758

SHA256
0fc02f83c3868b00368f39833d51f8898692544db6da741942ac47f8a0fc04ad

SHA512
7f8e399e02dd36c91f46ab3cc1a9f575625fedeb01d5a99eb45a63d131ba04393ab65863f58d25ae84ba1a51621a04f040382d75c142b4e96b2376d517a8580e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe
Filesize
203KB

MD5
ee51e04590a30edec82b7ceda0ec3c06

SHA1
722941b71fd996c356e9ae2af2739f38c4aaa3e1

SHA256
a36317f24063ade4c7ef287dbd3799df63fe5e582801b733243e7daba71cd66b

SHA512
4d57cf6ffc894a9e550ab5e5ad44895a191cfd246814f87e976b782bae8be4d9c7a03287124c77b73b5f7eeeeb812e4eeedb5bad8ffd08d7e9b3beafecec0e6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
Filesize
185KB

MD5
b3ac2eb6ad38e7c3da265ed9ff70bf7f

SHA1
a91dfb0f7abb6f5f057eec8f8b8237b1c6e93ad7

SHA256
c1a3cc36d51e57471662caa4c0de11adddd986e7bed30a63c80683a9bdf10016

SHA512
40f98862fb2ed9d16b664c3234f403b54df90f9f290f1fef741f3758acb5ba8fc0fdd314dc908cb38643a5606aa0a9e5237902aa49e2ad6e1e93a18a04be836b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
Filesize
196KB

MD5
5febab2faf8a47af06610c1800ebc03e

SHA1
cb29eb30f6fd99ec8f4f3dfba83a7b908db2afe5

SHA256
c9cff32f86829ed05dfee6e037c7963c4a1581cf90edc809bc888c6a1c8620c8

SHA512
ee662a329f09bea2a2cd2f853400b62a7060f91b4f7ac7dc1a1be2af55717fda3a3ed55ebba5bac6627b0bea574f883d7c40239762122cd02e904774c1094ca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
Filesize
199KB

MD5
208dbccc479b52f98399f8a97ec78f1a

SHA1
d9bcb4dd9c30109baaf52e1007eb59c9106e0713

SHA256
9db69a66df9e27b98cedeb30099ef7590ee84bc74a84af560bb2b4e956230d54

SHA512
4a38a7e351f2a8b16fae557fdc8d9a113f864d66e23bd6eea6b3dcf4c139d4f0505eab8ca53dd40a014da95315f9429aa344de51fd80647975450ab6af32d069

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe
Filesize
191KB

MD5
687c6ca048df3adf1e978afd3a63c0ca

SHA1
d7077f2a9419ee08aab4b9eff2b1c759ecd7eec5

SHA256
3ea9e31917b24e626fbf003de614d86eab720602c1ec3a4feb5dbf074b97e948

SHA512
de02190194b9c9c009dedb67c3965f4f5cbf62000d7d01d2fc4475832150f8489c47be99281bdd35338b97e07136f256d6c5d7d2f9eb7ce7cde9d103729dbaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\202405226a92195e4429fa42c588eb4193d18426virlock
Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMsg.exe
Filesize
202KB

MD5
3cc7dc3e796f5ee579bd2603b1eba037

SHA1
2dc58820580c7fad951d6b2f39243485caf91e1c

SHA256
7c84dbd5bc32aff53b081843984b7e869680001aa74df30137bff6c2fef3ed9e

SHA512
fb4a3d35e319940b20c814dd4ea2f019231847a0d1adf976600923fc39128d81c50017d4888e9208205c3817ac877caa6767d5573ec33babd4d392b269a8afc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQws.exe
Filesize
570KB

MD5
67cf693f048226fec5678302cb7da129

SHA1
e70491f2590c42a4f99042c397d78afc599104e2

SHA256
dacdef0d79d5b77f96e38b1a7a91ec3d7eb911187b615722d805eb041a4397ed

SHA512
cafc040fb64ea7fe896af03baae6862bb9ff86f102ebf3cb98c8793392376c807543f1d400304596fc266536dd6ed300220d57544209036e21e9c110e5c7e889

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYMS.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEEc.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcAY.exe
Filesize
208KB

MD5
d6db7e761e8acc952077af6ee787a722

SHA1
2cba72a02e0397263d104e8172f350f24c57594e

SHA256
6bb086479c33fffa5d5ee397f5a4291fe884c80c63eaca323da52cf514ff74c9

SHA512
3fcd0e3c2166d1a9b756ea8712c8eab4446bc284a76ec7a4ee0c4aca175c2cae1cae01f2ebf69608c6707781d0d087e990160e79ec4a37d7f15fcad1e0b0fa24

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcIE.exe
Filesize
201KB

MD5
75f8f225cbe3950473dc0c445045f6f1

SHA1
b8a2486106b8fa5a97fcf15524028e4b80dd3255

SHA256
e1460cdee8a22e214d601dcbe2f8ec5cee5ae35b1f97cd586b2953f9ef3a1a1a

SHA512
b0f7b926c5518a13fdfd200cbc0b6a85417e3a422d0bdaa5448f289d07a0117322ed917083dcec770a1c23ff0977d6b2e3231333b6c849bab5895622f6f8f1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgEk.exe
Filesize
267KB

MD5
b407a401c73b68d6177c221a1a050ae9

SHA1
8e85f17e096caadf34be1c3744786b7bddd75171

SHA256
24da5e168284646578d86e3c81624f5217182abf8ecd3da455751fd4288881d8

SHA512
edfbf4ad355708c4e5c5f074b06469dcde0e08f3f510c1f3f320f298a2ad6e57b60ff64c34fd9f4bcc92b0f7ac5503528b85f2be2dcf9570d42af601df293c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\CssO.exe
Filesize
188KB

MD5
c33575ab1ebdf0fe48eeecf2c6d560e1

SHA1
071ad474bcf7c4df9f49449f2d005ac20afc448b

SHA256
27e04200f1cc85f53e2a6fb06a8b79565a6083caf942b8791509a138b88cfe52

SHA512
e2e7c446de26e4ec9e81cc493a0e75227535e305092e2c6c9919d47b8da57d1f004d8f6061f65285fff769e6d6af6f20b07db50c3b1ec49f8b333d653df47fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EggC.exe
Filesize
575KB

MD5
fccbe590c1d5557331c62f55307d198e

SHA1
25521a07dd62b14549330565b0681efcf9c3da14

SHA256
2443b4e6b4950fef854a468b9e841981bc9d04727de0a1a453bd20a7e3b79288

SHA512
6369a95424fca44969722254eb5472334eba086f17e0869de35417e7f0cb2ca60b73389e52684f5374dafb5546cc5fd9ce23d32493ea57e7eb3237392954304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoIw.exe
Filesize
566KB

MD5
490f6af0082f9d286d8924e626c37a53

SHA1
06e84db4c2708a07f8a771bf12735da16f15c21e

SHA256
11e6d1115c4a076cf3c334267958bd074a4552e8608a4636961d031f20a75e02

SHA512
40b1345197b33867da0ec26d49b2e28cc3acede5398329098133d8b2d713fe461ae24428305a311dcf12dc69b68ddc32cc311f7b5ec62cd88754ed2a2e9d38c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsIg.exe
Filesize
2.9MB

MD5
a12a91f26df04e8588aa8755859bc292

SHA1
addd0e58de207555b4f033e1545d280c5f9a651e

SHA256
30ddac4a8aea02dbb06735cf750db0a33df7b9d98462568c27197221caf36ba7

SHA512
89dd344e46d138ff775bae3a564cbd1885decf0084c72c41dbd6548eba4da6a42bc389fad402ef927bac0f3a431c04254ee1b86bb4098ecfd411c3f450be8b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwkO.exe
Filesize
198KB

MD5
176b96c959ea585d5986fce75c551f9a

SHA1
e528dd0197a21d0f0a3472f8500ee3407ccea861

SHA256
79e840622a9eae7e835ddb49132f278f04a89d2cc115936896ae1dffe283f1dd

SHA512
3f1f334f8274639ec0d967c7b0f1cf99cfbc018345949d2ed5b5faf130e11670a5c35424d4a4a7db16b49e42d905b45551f17e31a762dfef8b70e5fc1a8bc2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMsW.exe
Filesize
653KB

MD5
a2463e3bd167fcef6b740d399de27b7c

SHA1
59279e9ac9342b63e0a5646b5e55c7b61cb23fed

SHA256
1b3bd5ae959627752720a28b4cbdbe27df9b0d27d39f755ab0be8b342e158327

SHA512
62d0a972ad0c9c2c8e073dae58b2efa3612127062a2318132b9e1e272d6128fcf941bb39f8e7e89371cd40f15e1175988865a3812c43b35b6dcd227546989336

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgcW.exe
Filesize
203KB

MD5
2332cda594743dfe8bb473812d65dbda

SHA1
714c652288d2737c7b36eefa36c89586b954d196

SHA256
ab43db5222625b11b8e1fa1b115a61041ed9f6534eaeec050274da19c0c149fa

SHA512
68d26bcb98833b38f0308f354c85f1a25fdba64134d6e1a6e5e44ac4969d745197f777bc2c3f1ec1986556412283d839e1aeea390719d2e485d690da16df9401

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgwK.exe
Filesize
792KB

MD5
4c6c5ecfc4c68ee0c5a804b9f8c56baf

SHA1
ecef12c4750990f1dea8240b20e935f9473e6275

SHA256
9ab71a90f1ef5e4398ed2a9853369d73857cfed3086be02b60417c73dbfec565

SHA512
365c0f71422b6b7f8cdf33ce236d93d720986eff62d96ae245100e8e3997c3f770d1170c3103271de2261fae6a286fca3126d13b1ce36c3964d0810a6d216459

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYQC.exe
Filesize
242KB

MD5
819bcf91965d9c71deb553a9e5492414

SHA1
6a75bfee1361c4c35167bcdb6c74088618b6e1ac

SHA256
3686a10e80c74bff66764232058c8f77066e23c531f025e2c064713f670ad84e

SHA512
f679bf57fd8a8a1b1b398b82616747bc6e4b263a05f9d60a286016d765bc12639e6f9f3559dad395c953da2bffbc269f94d2b2d379b6e357c8460be33cd37af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IosK.exe
Filesize
1.8MB

MD5
38aae6741fd95a87b9ce88976fe9ce43

SHA1
274e2d7b48c9e6b33c69659dcf6b8f330a9aab71

SHA256
77fe9c11fb2977344c4f1ba3e40c809e990f4bdabbe97c67683e5b7b30b6248f

SHA512
2c1d4423c16a4350d00991b68749a905d4b11407df6e12e9d969358fa18e256dc3a442f3978e777e39dfd8a1259775dd3f3ed2cfe1e7d9fcf98332caffd9a994

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIgU.exe
Filesize
190KB

MD5
f5fd038898471019c4247c21698f3e25

SHA1
998026b4d8ab21b5b2f059248bdb3ed0891b7fac

SHA256
af9912a940d88b14127518cd385964ce98d47ae8157979b4e1c40b3728957feb

SHA512
8dcaddc2642e06865a5c8046eade6c2666991b3cce663b0a215e0e3cb945e5c65abcf467ee3bf5ab0d74baf6d3ed6c4e48c5e6176dc7e7e9f8fb0123c9464c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcoU.exe
Filesize
197KB

MD5
18236908aa88a314a8eb49514ee803d9

SHA1
f44066c30d810988ae1b1112ca75a363d7d69b43

SHA256
315abd3d3622800d81cabdaace6bb0fa3e37128b48faf04fad368dbc5cb741fb

SHA512
881a6d7dfbfd92b1045d1c44c7e51ef87491a2c5b5ff0aa4323bc8defc1002aeddbabb6cf6bdb1c4bbe168b0bfc37bf13e73238247bbfaf103a1059b37a3987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoMq.exe
Filesize
240KB

MD5
4c91ec950e49a2f062fb60f42b35e28c

SHA1
47e1c969fc5ca5fad9435f50a79364e3c009b8cb

SHA256
b15d6f6d0a625c970a52725bff0191974665430bd1308a6eb0c0b8c1668b8068

SHA512
9bc8c26dfd813330f4397d0c7f89f7b879e0d8d0dec333518ecd342a51e2d781f66cc65ae76668c1943e0324587ba63c5a535109e61505089d30679e92c64321

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEUa.exe
Filesize
200KB

MD5
96ddc06f86d5b5423058972fb1f85bf5

SHA1
fd8cfad94783294487350b1ca6f752a65d7ed143

SHA256
0ae304dc23f277258b18395dadec92c3b6619d0240ad9851a09ca0ca252cdebd

SHA512
30da057ee9b03a505c904c645e36a3ce4f77dda606cc4e4c515b3cb12bbc438f5fe7eb045359be7a71b64254c28887b2a99db305ff6b4ecde7d9a3247a0ac7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEsy.exe
Filesize
1.7MB

MD5
e25d4b29063787d5f2b8bbb70caefaa0

SHA1
8882ad02292d3d72e1fb3cc1f075585a70c8d2bd

SHA256
1dbb2e7c407e8ded2005cf277cb2b3871dd43fa8dd44bd8f2af741bfe386f3b0

SHA512
bc23394ed00b6de9ad69a0e286460296e3375f8624b5cac85e69665369042e25bfdf5c97a24a428a16da95f824757288e1e1b45e698557b91ca1edab78dc9cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMIO.exe
Filesize
202KB

MD5
c6cde5016220caf3dc8acd8a5ab9bc03

SHA1
3d5ed4f847a7905d492b9321986ea6cf75c5f73d

SHA256
e90cb38a1ed80cf183a80e18c0358ea27740114d9551e3de1e1081c7c8a1473d

SHA512
7c1bbaf08c019a02c3613a6ea81152d24a8d55c821f4a166dac3ee80d4b852ffd134b25677aa2a592fcf65a52be93b356be9373734f2567947bb37a548772e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMUC.exe
Filesize
780KB

MD5
0c5157172cb20ad82bcaff313f873d09

SHA1
b9fb4384afc91ee5ba3d06bab05fe4bd6ba48fe9

SHA256
613ca45549e68878a9b9aee710f7478899157c688064da813ef3dd11f7b7fd39

SHA512
94cacebeee14657135fbc0433da0999d3fe908273b12a0457216df7fa380b7bad77b32d5e3f82084bb4c3b48a96d709c8975d70bdcc34ec3b3d4c9e54b6b4892

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcse.exe
Filesize
191KB

MD5
a7f68ce428490f3530a18e6ec9c94d63

SHA1
26da4a20443fe1cf844d5b892d02d7ef8d5e4589

SHA256
92fe0c2a0ea656a3366afef942bfb6d4611ad3b67077c934bb213e8a0cb9c2ab

SHA512
a74a26dc1de2d7e23f08d523b70e756e77f3a26ed3e880e934bd86752b9c770bd95292d09e38ec91c38218143ec7b49b81339af70710889bd321eadf22bbae73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mgcu.exe
Filesize
927KB

MD5
34854a9ba30df5a0f6fc1e3ef1736886

SHA1
12ded2447a82067d04f909c6a2f4194837d679df

SHA256
bdef25d49a6581f9f7d564e81bb2e2b26aff711cd0f877e8eb45f750d5b67f43

SHA512
03f0e70e09dbf3c77b28c0bc9a7f1dda8b37090123dd17a4c8c0439d2dd2eed0d71784feedb3a1c4a4b5520c3f02bd928f7166c4c747d6a75dc88424b5a1bb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkgK.exe
Filesize
181KB

MD5
39fc6ac0283e83e6aced7b7a8eb3d94e

SHA1
51103397f050f1ab970daddfdff679b74edd3001

SHA256
242eda92d6b185f1371568cf248c0fd34c725ae8e08705759e4ce64f74f2a97f

SHA512
b1e444eae4d2d425e76463cc6b5ed8e040d11c0b47d1600008074175336cee103cbf3fd36f0921fba1d1458237c724ded7af840fcd31e7e4a10385117defbb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEMg.exe
Filesize
648KB

MD5
357fe2d270292f4536ec41120ac13c39

SHA1
5625078db42ebfe3f5b77e18848054083a5311c8

SHA256
52a755ea4a83c48703759b068ab4dce65a77cee4a398277609f481a4b748eedc

SHA512
99e3e8b9963ee6227103fa49f0f62906c06cae42289724343948695e7af1327b632596dbb237a6088d3484b71d5c1c6df34f5da8544d66b5c49d9ecb1240d291

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgAy.exe
Filesize
192KB

MD5
36dd2183dce1c7ef5e179cb94bd00743

SHA1
cdd7de7443f0a871115a58fbee0cc82fe153da16

SHA256
e19fe23cdf44f796129741755c962059356d25f63dba3046564e7339a6d655ea

SHA512
b6d286085cc8fdc72c69f31e29a82a6cfc983fdab720f1e0a5715540703952a82be5e50678c8b5b16fd19022f5ef9364ae882b8aa75ddc82a61ab49fdd07338f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgkC.exe
Filesize
210KB

MD5
f5594cebdd9cb35c730c25bca39b1df4

SHA1
e3ce5cf62b079a41ccca06563160e77b8ee7bfa0

SHA256
33204cf7a02056bb502714e02c5e8f2f7ad5656a9dfb81e91d2785f3596c5521

SHA512
59c8afd53e7e93293fa7f9a13aedc338864034e92f9ea5c0711f7a280848905be926813ac610cd16cd08e7317f81fa23c9653a5b609351bf4bfee07de425487b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwQy.exe
Filesize
792KB

MD5
eb6c91fad30ae43d974b1084decc4cf5

SHA1
65402ddd28ddf807a1f6764287986fd283b34871

SHA256
77bf4f77ffbb9195cc3fae9b1bd65e066060e76c3be94a1533b5af9e6c44cef6

SHA512
230228dad1c9ed1f1894f366da51c50d6e8996402f9ebf0965e3c1f7f50c5ce8bb2cb1f894b75240a89e6813155e0b36dd96e8916d75b05d52becae32c80f6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAIo.exe
Filesize
192KB

MD5
26086933b0fa31e0a01a1334018a45d8

SHA1
25461f237c1f09e2def8b502ac865c25ff1f54ed

SHA256
afc210091225b1048ddc2822303552635c62d2ad9d1ac93b4afb675d003accc2

SHA512
d3ae4fd2072c5ed57ac020745b231762638323afb1927177896854ef06e56ed3988475fbfd212632bc87067070cd7bbcbb13e3ef3b0c51559fae6bb6d2318495

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEca.exe
Filesize
201KB

MD5
dfc2f216024a2b9e704040e4bf85c335

SHA1
da380d07d99dc8f542f907dc0178a20a2662b7df

SHA256
fcfaaa910d7b04b667a59cfd2f3f904496fc0940394033e18ecddcc6d4c32d31

SHA512
2b2ad6e81397483d904700bd4936d08724b65eca5d5166eeea7e7a82c843718570ea8c44e7a13a9ab195bab27cf7f78dd1c055e571cbc538b48109b761cad8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcsG.exe
Filesize
322KB

MD5
2235ed08a5cfb958202cd20d38587e87

SHA1
7fbfd64349a35d4fbef088fa7936952f4d66d4d1

SHA256
3349a7c59d4beb908f8e6c6dcd6a126676f4ac01a66f097ef8eba1f2b06b015e

SHA512
5038939c336166e64070198d90f003ded6816a2baf3d4ce22e3432a3d5cca4236430b20df4e7c37c556d00b903ae852a908a6ffd7157de5c9f6742822683a839

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcQg.exe
Filesize
313KB

MD5
dd9996f9782eb2d0d9f603e625f22313

SHA1
1d8ed135939974fb25ee3b18d343bfb527f653b0

SHA256
d1b3d16d4a7885e0f7e94b5d118fdfef73d85f8d4ce45c4c7b8a11459c484cf6

SHA512
768e86d111dd0ce297c79a1c2c628e4d6539ef4c26a7200f618a8f6f13ed5eae8e055f6abda2ab2325d25847f2fe4238c32435a93270eb2443003262bfc651c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcoy.exe
Filesize
424KB

MD5
c1a6a6f3929b99ec050fcb96d29f3fb3

SHA1
5be7146af8e1c057140ca933a545d39e81a7e576

SHA256
820ed741ab6fcfa1b92c0f666dd13cf9d1ef333b7408b1e93285167387069b2b

SHA512
b73585be4bc71a5e62c32327e824ea1d8e94a7e9a8d75b72578009419cd07100ff234212ac7d9e8f9798587f81c7f68fb59edf797ecff07ee188f88638933cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkIq.exe
Filesize
643KB

MD5
8e5aa405a0e2dc005778b1a445651c7f

SHA1
6818d04377cee3e4777978410b1dbcec7123a3d1

SHA256
52b6fb300e4a104891df90bf3c79a75cdf15b789c5a7973a8dd1d27dff237a1c

SHA512
9dcb703c0b301c5ac667d1a534bd198a2904595a04cc64581fc8b6ecddb0dbe6947fd3b168ef6d84db3f05aa0b0c83e52a5514b3066cde17a493e1ac614a0373

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wksk.exe
Filesize
418KB

MD5
6c10897f0ecd3a926a2f1f445f5f4570

SHA1
72cdfc1940945b8efaca29fc4f65e95659f6e0e5

SHA256
128106a9a2eb9c76e17a186ad243ff06efb3376ab6eea02b3a70fbd4a3736b20

SHA512
7cc7fa046051054f4df13d746973b42de2e557247ece0e31af05c99880fd7b2f56563dc2f90db3bbe6fed29fc82518da5bfb07ae704dc8546b65856e0aba6f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAMw.exe
Filesize
231KB

MD5
5bdbc7804e1a045a960dc23788e47c49

SHA1
e70bc187a0f86bf9175595d0b5fb91f82dc985aa

SHA256
b1e0d2cbd5b0e56fc7524ce7cbe9301f044648d84d2584d574e822af4df2cd16

SHA512
d608eafc8c5f005f44f3fc69a91e1b8ac598683dc6f40d103cac1e92bc5eae08a14aae17c771138f2964406db3cf4d39c8687606c7f1db307d0d45b4a733b513

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAUO.exe
Filesize
195KB

MD5
c8550639a11303663f32bcb61571a232

SHA1
80a2b34e295cef32fd02c6351ad4ce42a78ee1bc

SHA256
4fe51ccf556e5114aade873593b095931cbb0618afa739d1960abd546d53a029

SHA512
33804c15fd89d802467314cf1ceecbf605242ddc7bd2426894e5efdebd8e9975fde6102eced57981414819a425035be02dac78f7ef03d033d0e37b04afcd4b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkQS.exe
Filesize
897KB

MD5
ec3de12459b64ed6c48b7d9ab9d4d704

SHA1
55ac1e4ec51010e9e7dabb17f5da0370d9a7b598

SHA256
efbffcfc653de1fc73d3c26dbdc5422b5d011b54ea0278e65f27d3c165e8ee08

SHA512
0782174beaf8d96aea4e4252db9d2a0ca3e73b12e55a874f349cb5915ecfac0ef28721dc707f24f68f52f122a904f3913dad099671e409f8034d56d194c981cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkYY.exe
Filesize
197KB

MD5
bdb5d2bcb1403afc034475e22f798b58

SHA1
2f1df6b5d43d4d55fb133648a1c9d5ec9553aaa2

SHA256
e6cd078ab6c1ecad1ccf92ed586382bb435c3e939e7a6312818ab737117d4c23

SHA512
90f94372b0a772ede434fa4676b4f9e8d9550b7c4cec52ab730ef637df1708e6f1518343f88bbbfbeae115a3a0d2096073bf5d72fc7a454dfb2d3bb2c1982895

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwMo.exe
Filesize
198KB

MD5
ae2d79938a33d95aebf89204016157fb

SHA1
c4b53d8007189d4c94c9c42b5fdf7cfb0061c9b0

SHA256
ee3ffa0cbed8f6e4571919a4361ef88d0f19a01ec5e109e9b27a2dbec861260c

SHA512
c21d594c5e3ff5a9bdb4b22f244c24831d62b74845dc54861016436d0349d15e04799e8dfca87527660a5aa4c5ea9d02e92a95deda0470375cda849d9386f247

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEYa.exe
Filesize
211KB

MD5
637ee45be79ccf6efb07a6e70a50258b

SHA1
55786a814f619db241518ddaf444ebe5c1994c46

SHA256
e28d50cf5ac2d8a95491b19685e6d652b93437772e7a86f83dff555f87fd4827

SHA512
3c3c89af1b0fcfb083a4a5702fa35ae261b66313c7004889054873526e58e19193ea327bdac0aedc0f6add10f9ea874b22856f06b541a6d409446b37f76d550a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYkO.exe
Filesize
212KB

MD5
e8d4d82e713043e52b9af85bec7844b3

SHA1
0c5e197f92d5fb30799c71c7328744814c2f9752

SHA256
9f206fb53d95be40eb919e6f22c696c56e20f441f745ee29ca52329acc193470

SHA512
b574e79a980d861dce6a7a702a51430b47babd14cf721bf21f03ba7d5f7d8af8727ada7b39737fa0f9f9cc921152c95658def4070d8f92a244fb38f39f12a4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acws.exe
Filesize
816KB

MD5
8a6d83243a30aa4f3baaabaa95363f66

SHA1
01e0753ab3e494180a4cbc0576bdf7a14523280e

SHA256
3f797d1f18e75ba0c850af3804c9dd2f0a10cd700b393b9bef74f243324ca261

SHA512
14de6c746b504d7cf0dcb82c336e8c92f86f63e910f2cb87081bf3b80102fe7b9199212378b49e71711bfbf3a0795aed4b86b34cbd6e1826d09aace413dfbe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\agcM.exe
Filesize
184KB

MD5
a1c39f6f9b6808dea7dcbead979951fc

SHA1
1404dd4f1f55c4db688fce184558d75a3cd7bc9b

SHA256
61dfd2ecc60b9012c8822fd3fbdc22c9c9cc76f4010be38508d55321c6809d96

SHA512
08c3a3d55f6979ea71725ccf19e262f9554b59fbb33bf81e33e8eb36941936c7a48d7d45cda162c4454275e72a95703ebf4814d5a327daabf5ce3b61436a8f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\akIs.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAwY.exe
Filesize
456KB

MD5
b24f8ef8b10ee8af170a50562273c903

SHA1
43eaf77c78ae5c1fcd6bc30a3c89dafede24d105

SHA256
ae617b89055297b09f0409e3204bb4fd28a53ccc3326d539affa1bcaa988f8aa

SHA512
3dae3fd9ab0293972167f3c67119fcb9a8adf45ffc0b3b5ab31ee0677c26ee859e47aaf005e90588bb25f113db42942b77682705c8e4a3e5b32e474275fc9ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEEo.exe
Filesize
189KB

MD5
7d1a670d10cedc17ef3b02ac6c7be144

SHA1
abe1ed478a6cf2caec926dffb333b449dc48550a

SHA256
ebf2f6a75e4385dfac484de3f06d12069d1d64cc1a93207ea7fbe2bcaaddb567

SHA512
236b67ba5f81dcbb2ef4b73efd537df937e3ce972ab884da7df3eed27c898b2a38407e984b3502514a9a6acd8e4dc2d523e9614a866a0d47a003609209d58e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEkO.exe
Filesize
190KB

MD5
7aff19fc460407ecacc2001748626525

SHA1
60765715cd721983589592fd93c95357be12f8da

SHA256
5340918ef989fcf4f38525eba992f596b8999245c3592f06c900df509dd36627

SHA512
28dfd4eeb7ab5947ef1cd9721096e69572ea0e1589a93dc06a7f02418cb1cc57b441d866a5c25025b2391bb5629b8370d8984f3b04db90cd32de63e2cf04fe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYsw.exe
Filesize
203KB

MD5
ebd6ab52cd8da04e824b5fe981eb1fad

SHA1
3e6ca6d932f97194e1a50d3a15e55b11047e6c2c

SHA256
fd666d07e8fd24805416ac1db93b363b72c20cb5ca0a7b0db1e63312457c5302

SHA512
2bedc02e8e30c0d2e87eaca5c1d33706e60562a466b16ef1770aa660a196170400f3d543918d57efce0b3655c6b19797f2aa078d35ece36a16cf0dca69418065

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckMM.exe
Filesize
185KB

MD5
bd866c2e3f6b913f291a9b3ad152fc76

SHA1
45b0a099f23fb7e9f2b6f3e4e4088a2c3aee6ba4

SHA256
18d2cf4938ef005aa5b9389024552c7798632d846f30eaf7e855834f278f93d2

SHA512
98d7ee914a70d21184d2384d42922e9f3317e1027e2548e21f3a59bfdeda4e7693c9b683533667babeaf5346dcbcf1e20e4e14fd1ccc3cfc70b1071dac620e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQgE.exe
Filesize
201KB

MD5
b73a0ed4a72256ed03c9bc3a33c456f4

SHA1
f75008c31ea225aa894addb63eb1e05571019eb8

SHA256
9ed7d129d8de1bf257ec307061eda581cf7ad5eab272ff9f3951389d66905154

SHA512
3fd18de22abce175f1bff3b54a7cee6fb9a257a75c304d8e4773a584e7e02dd966f373a065705a7745e64c4418c702d9bbdcf2295a8b3bc1fb0b152bd0ccd6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYoY.exe
Filesize
826KB

MD5
c7e08c104d541180182cbbc2fd4f1f02

SHA1
9c78d5659c3171327a816f22f332cef574961cb5

SHA256
c6806a98c492b32a1d3fc2cf6417e226aec679cd359307ec85bd7a62a7413674

SHA512
0a7e46329603dd0aa294ee10bed0e944995b962af43b6c8676d6249fe2afb4f39a1e407444f024e8bd9058c3ad639af54259e50fb8c9cf3d09d89e58365581d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\egwI.exe
Filesize
187KB

MD5
f34b51f9ab93979276957effaec5a690

SHA1
55108b54277fe926d55e17e625a869f143b9431a

SHA256
3c76a5b4812922a397ab068c98b8ade2b15a82931a4f14fe05c48c2937956aee

SHA512
08947cc78b25fd61fd949ffa936fe94a44097692e39dcf3e5a46bc726d4f4b64ea3c0d62790ca27e147ced5bc76add53bd7554d2a81f36f4b691bf1c445c45ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekAC.exe
Filesize
633KB

MD5
073b5a7f1423676f66b2a64c66fafc9e

SHA1
d6455900283526490d226927b04e4db8d3e2f2b4

SHA256
c541d64ab3a808177568d9455520e85cbe270f7a329673d2e290ebddad455b75

SHA512
fdee48b152d40d9efa6d23e9748014865d5b08ecd15d5eb9c8dcb590503957cb8d7d12530cea231ce685e3cc61729afc3aa9fc7153ef611369564b7e48413c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\eogO.exe
Filesize
1.4MB

MD5
2564f4de188e0b6654dab7adc5833aec

SHA1
56148dc5919a6ffe2478be1427949204c7e27a33

SHA256
1066a7a7208c6f3ae0979ba565cbac31582f9368cb5f4e2c8fbcb06aaa990b87

SHA512
4d85f70e7510b988d7d8ab6c9fe19a3ff1df3dbd949f900d7245b0e6b301a0780deb937eaa1f0fed2ba6836229c48b46c32d5269bb9f33e390a4b0f15b7b89f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEMA.exe
Filesize
198KB

MD5
6f9c19e6a972c0d5c2de930e4fc4a3fe

SHA1
0b659652f67d8370ef1c7078290ddab5221cf638

SHA256
95ba16464aaabdb31cd8707eb555c3939ff521500fde9b72914ab5def923f200

SHA512
4ddf94316c0b332b84d1ec29a0674bbc412df797272c647fe9e2999543e9a4b5640422f84ca32523bb0c555cb2452464efa22a5c38753ff08792e382c2c28df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEYE.exe
Filesize
318KB

MD5
66305d8568cc9b04256a9b942a4edf2e

SHA1
5831dc44311f70d7a10382dba1dc66abd80d8be5

SHA256
4796901f0bce9c9cf997de80c50e300b1cee17366cdced1cda9e2ef51474ba7e

SHA512
7b078d430d36b8428f3695850cde32d169f3d816eb238887ce29130f985bd20a05343d5b9def30688c17b6059594a95c0589dc09105760b7594f4f5f450a36f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYMi.exe
Filesize
201KB

MD5
b617f01a2b35856223465f867d87c4e2

SHA1
d7f4777a4c1ca01b6f6b9bd041d128ebf33ac0f6

SHA256
69e302be68a70a60dbbb35999abae406c6b834ad640c5bd91aeadbf831e8ad5f

SHA512
e59a1cfef053d30c2e80543c84cdc62b5ded77922fb1c5d4b50835c46f0e8d949fcf08699d4e119bbc9030ce611875f0e2678672b9312f229eec38a13daefad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\goMQ.exe
Filesize
197KB

MD5
af465677ad92c5b2e86ab7ed7a4f6456

SHA1
880a055dbbc5f2c73a521eeca2865b24973259bb

SHA256
683c2701dd42f3721118bab47aac958473b1487233f297f3db909cb1dca28a3f

SHA512
751ec7bebba099c844c72e4abe8b466f4867a0b6f3e3230865af7f2388488bc401fe20c24e69f1d549c8035bc28e8a5cb6fbeb682a238a3a8534c06ebc7382a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAAc.exe
Filesize
5.9MB

MD5
3642c1240a2d582caf15319516bb32f6

SHA1
0b611585ec3294d32bda03f9bdb8e5f197ff30ae

SHA256
b81c5831a125f5c0118c1ebccb0f4086ebc11d0a403f3d5cd7c29f372f5241ca

SHA512
7dd8af4d053647052c06e75b8738fc62164d0ffb6b8590358fb5ff89249bf157f9187adbcff8bcec8edf46b9f7a363e724d11cf953ae92e3507a44952020fa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUMa.exe
Filesize
195KB

MD5
12ce70e8b4d46d13668d3a431ac86565

SHA1
39646cd6dd1e6f92e1aeda82689b14afc42899fe

SHA256
377fd7ffd573f76074a96b2328c01bdd82ff18ea5777910728f8e17274c40652

SHA512
5ea93a0a00509aeffa7f9b09630de084b328a47fa05191853c6f82f133de0226bae7629bed8f71082dd09fe95adcc91607c27f07c0712313ae20160f43781adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\icMC.exe
Filesize
824KB

MD5
2db7c85d7dc808f042a2887301944696

SHA1
ffb913749e52fd2bc438b36468adf2439b38ac33

SHA256
476cd33ded41539c0866007a7d19ada9c77affea1f542d155ecdc3ec1decf1ea

SHA512
fabbf24053d84e3a9688e5f43ca8f98559ad373b9cfd3d33f4d1116d0bbbf3f2d41b7a83371570b6e325f7cf08ae83944202c2dc553a00110af85b894c0328b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\icwK.exe
Filesize
194KB

MD5
cbd056c8f35df7ea0132ab7f5b776a1c

SHA1
62b06821feb523747e8cb92a1e54df3ae5ad71f8

SHA256
a0766ca1f440cb717747de195b5cc6b0b122b5634b5ccc78feeea7f2fe44da3c

SHA512
803c58ed6855a2106a09117dcad6624de32e5a413d8278103b432eb6039292f8f4f62c2c825c3c10b0308a367628ace73ab52624d1b7de2971d9cf83d7b311e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikke.exe
Filesize
247KB

MD5
ea40a50782f68078e4be5cc2afe78473

SHA1
76e71e62eada5b567c4aeb2b4042864812c17fd9

SHA256
7d44448a92f5ac53a41df02b18bb9bca82b8cb9d078bed6e56395196be44a916

SHA512
6ce75562969ba771b292df856f2e125a2b42166b432273e1a711b3bdb5e260815bb8c8013bbc352d3565103c023f0a3e98f724255f41224963dac43e915e23fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jicQwUkc.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQgS.exe
Filesize
694KB

MD5
7a4025fa1ed5d231de620ff8326122fd

SHA1
4d5e6febb57c4794b93086cee0ad601ce1bc2851

SHA256
7942e89359cd9756111f9decb8d87210994c32c9d63971599284165060b1a745

SHA512
3585cf7a2a0c8a417f592bad85aed0ede200100b39ac94e53699c36dd7dd3751dae6532e54f6c149257396a577054967c8f398997a9742a3954c1ee9fc7b314a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkEm.exe
Filesize
198KB

MD5
d9100e6b7a8a2ac3154f01ced39b39dc

SHA1
c345a748acc0a77054fa48cbd6c6b87ccc3fae54

SHA256
3e97daede6fd90b95ac7b98120ef2403365ad13067d3918ac66d6b35c50d029e

SHA512
67f38f456a8f979ad509832fc5ca8875697d0408cc8c4903c604d6927ec8ae979b9da6084e29a4c38608eba5310d79d64b079fffd463488db0ed480b1fb382d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEIG.exe
Filesize
189KB

MD5
2f0e3c963042fd349c44b04b70643215

SHA1
a5a9cde34d9a68a8b7ce9c01e450c4d98a2f9784

SHA256
d03ca89fe975bc091b89884f7b970c042ff900075df2d26b517549014b531b0d

SHA512
3c3b464541dcfd3985f46d3a67fe1ad995af197041df260031d5d07615284de84fc8c90cfd358c87732c3f9903cb013225a1a0c9b9af7cc5bcb9d6ec3d6b996f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEsy.exe
Filesize
188KB

MD5
1aef3352467095b417220af421eabf45

SHA1
5f539012440477d7eaa5c1e88e273f47eaac5a07

SHA256
e0c97200b3301f3901aa2f586a0e050c66726973751d20dd2c50d901b65a197a

SHA512
c9df8f11c5d944fe5158dff85e910bd6b425cd41f58729c9254c4e49c5ecb0b5c886812664ae5e6226f8fd3bffff277f68be1a108c5e02b4d01bce0495f6cddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsW.exe
Filesize
191KB

MD5
8d5b86c44275768a9ecc56a97e618928

SHA1
b3a39a44ffc0cdb9da02545501bcace4dd25a164

SHA256
332ddae9c08850542ae01163ae86ca25f3000f89e1ff45369a0a6fbaeac13f14

SHA512
89004daaa26507146ff103db051775ac1ed0b30cde4d44290f0a782e07e085920958910610393a473236be3c3c9949dc65f9df7fadf9b7626ed9ac8be6453c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQMG.exe
Filesize
180KB

MD5
dddd58281667e6bbe44fccd063c01629

SHA1
52ea6960836237a7347006d354629ce2699a3cd7

SHA256
0816a77ecb41b03408a375077338ad9301e1f6cc20e83c066bf1ae05f3520768

SHA512
e0ba8d4a4657ab1b40d6aa1d7ab90c0d4e13c777ce6c44d543b8822c5dc684b889d426f844bf90816be870fe31051613ddf9ec0be44665aa35430120dddd39d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUos.exe
Filesize
202KB

MD5
4fa02d646bd28a2843b6525d1913ec97

SHA1
24803eef636606fad959dd60fefc18f1fed28687

SHA256
40ca2753ff2050dc243745a5d12fe9280d8be887b0a796104259404c5cf1a83f

SHA512
cacc704649dae67bbeb4fdbe28bd1fb41932ae5907178476818c0bb5b33fbff5b62796e31acf778e65692b41eedb291fdec27be10367b82ae5dde514470ff9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mccI.exe
Filesize
219KB

MD5
c94a8a50dff9c60b13ed6124138c1615

SHA1
0006a00a356b960bf85cd3d9110e378e61e57a79

SHA256
fe190d0f057177b8355edb726c406ce7c7f7d25f2134da49acd2f02e23944699

SHA512
4c7f4b539b9a78ba48fda9fc62210dc0c80eec5ff30992a1ca21fb53333a70fbd357aa688c4179f60dbdaf54ad53f517c4a4416d43243001f3925c9b549c80c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mggs.exe
Filesize
653KB

MD5
3c902641fe1e12e9a37d2848a2c8da27

SHA1
dfaa3a0e988ce12ee18e1d0d217103540b079be8

SHA256
03da07b160290adce7346887726c434c9fcea696212e4d6e53651dfd2f92f084

SHA512
8b0ee9ef6559742c4111aa638c321743799a7e233d53ab880373c2460032075ce160eb4542dcff9ba5f218e7ade93999b11d671533e2d85d73e400b1f012af6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscs.exe
Filesize
195KB

MD5
3f11f8a2848da27633b5b15abe645ca0

SHA1
0c297fdb11a61c76c5df75323e9752ac8cfbd227

SHA256
2fecbc99c92d481f718346cd90801aff6b7b8196dca9ec29de1476963a1f3b2b

SHA512
68f540bff4cc2ab0fd4634c965d5eb8cfef00f42c6726d75dbb4f70b2ae7fd947d59c401c2eb36c55614b37afedd5f91ada55927a6ab4c108306703368604146

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIg.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMYW.exe
Filesize
193KB

MD5
5f2b03e08116705357b4937afb77f7b3

SHA1
63fd960603e40a3f472e919b5afe1c06e516a9fb

SHA256
f4c8d7da44d596a59467a088f1bbed3057560fd82cd0b8ad26f5ce8e9057328d

SHA512
cd1b8e2bd6b0bed0cb396b0b73914d4b07d940950334f42ce156b4935e4ed089c6c2cf432619abb98ec6c877c0f92b50080ebd8fd10919d305e7e55606282dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQYo.exe
Filesize
196KB

MD5
9c5bd2e6bccc6622a05d8cfafd1d907d

SHA1
b163f18b85411b8a492f527140d82edfb82c2317

SHA256
fe291522df27094343db158abad58a75abff3f8f8eb9b4da0fb8f4173e257ddd

SHA512
f47b4f6e8076ce5d32d162b69bbe38e107783175f99374ee4acfb58111717691b04be6ef522a4afe2fc969597532e8d50c51919754e7384133442478e1a3d9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocMG.exe
Filesize
1.8MB

MD5
14379a3a881f330c1acad8ff996d2faf

SHA1
578b2bb6fd58e5679690f5e519ecb970018919cb

SHA256
fd3ac10b144ab34017fbe82b0bbaf75ee9f3524c6cd8c02ba1657ac9805dcd9e

SHA512
3b4dccf017f886b969e9446b24e7e107f8f5b459528b8bc26a0785938b308809eb08a3fd3f5c3ce32e529b9faa51129fa020ac556271b6a0d890d657b4e1ca11

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIIA.exe
Filesize
782KB

MD5
aaae55758dd443e5b469296e196103ba

SHA1
c2fdf912a57b69acd4b3bb54261874c1e9a2aafb

SHA256
4abd4029f903ad8a549cd5926b4b514fe2c199231d919df6fa71df2431904c45

SHA512
a6a5d54a32b18a512e209937a620b5dbacddfe96d50adcf762cb1d4ca1f82d44a7c2fd72a8495a43e963f950ac0db3da00f4dc78d27e60ae7b019e2e14235ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQoc.exe
Filesize
206KB

MD5
fcea1be84f667a3f644d30bc4aa20ba7

SHA1
3f1ab52765ba23abeffe46ead5f97972f1fb7cdc

SHA256
3738b1809f95b1332d16d23261aa14b1df9cc7e9a89a269159cf98927d4c3f56

SHA512
ef165f658edc4fa6c2199d0c4f59eb0531c1e55a2572ec379c57d345b011483fdbc3383506e65f5ae4c14a5e77e06a97c6f419c5e4e6620139781d6eb6015888

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUMu.exe
Filesize
196KB

MD5
c2a8461c8c66e956f23d55db948fd0eb

SHA1
77335c7dda167969f60903b874981b126a6e7736

SHA256
7cfa7984e0cff2bf25092d5f68f9a6b2380de4920f30fb33ab0d3b530f06abb9

SHA512
95a20685c69057e0a2ce2b2e68de57a2d07ae70faac1712a7c09d8f38b394b9f9e0c5cf9962f6cec3daeb4169498dc17aabc93d963f556eb161f69c82e24aa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwQq.exe
Filesize
186KB

MD5
694f82ef852b2cdddd99edbde3dbdd27

SHA1
e4bc4a54e1f4bf1a694b2abbfcc2fa9e733c5918

SHA256
57e440c882fbca2aa0181e9091f8738d37c9f76da6bd25602f5c65527e1894d5

SHA512
31004c0fdd389fb167f5181b71d4718692c588bd0bd7fbf4590cfb3f9997e943b7ca6ed93996723ba10392f1243d0711ba494c7c8e6b7a37e81774e7765b341b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIAA.exe
Filesize
197KB

MD5
df2d124ea781b143be5a884e93b2fe9d

SHA1
969a286ebae0855f451ff388598d67ca92d498eb

SHA256
389e44c8a34ae9e21a16c8a15e42ec2930e3b4e724db1680c1a9018bfd407232

SHA512
8c88b69af8b658bc574bbf1cc9be0a347fc8ce4f048c1161ca43b7558cd6d105110c400d4ff21dd0b9767b7b393d31ddab95e174b648c4897ab88adf00fd4ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIIC.exe
Filesize
308KB

MD5
049130738e01fca8621cd827869e8b27

SHA1
afb736c22f94004ea192352e00ffab3b93a7aca9

SHA256
e257f4aae9b40c0dd8d105995a48a3e8df3b4bdb29e27be44e0bd34f5ca64686

SHA512
4a7b6a3470e1a5babb8a1eab94e011ab80481e38a56f6d1d56944e8e18a3510fee4ce9cd978fc58608e1f712a0f0fd82c93c1bc62d4cd91ee46758de4fdbdd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYEw.exe
Filesize
544KB

MD5
a089e4a791e58d39d1c1b7c5ba7bdba3

SHA1
d344b9344b09d910d8e12d051a4533be6897246e

SHA256
931ef4df1a25e175d3ff16b5c104dbea494f604a00a62040da0e46989c3b8859

SHA512
3cbe9adeed12f04d03a5ec6c5dbd42472153be8103d81b914130b8161af1f64f9496a84df72abe957e3aaafa454ffa4585083b41a02ff195b2f97bd9365038fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\soEU.exe
Filesize
199KB

MD5
b185b51ee96cdadecad468cce76909a5

SHA1
6d689619f5a2a79de645930a857bd45f606474d3

SHA256
5e4ad2ac33deb1a7f9b2a2d1891eb4e1dd1d04b69ef8e264dd0b4704c5d52c0e

SHA512
25957c0cacb4a5f76c91307456057fe437b553233a3bd1c56a8f2890c0c036831b36e25686cdf0f119db90362e72278ceac67f78ba5be6a25622da2e708a01e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYQG.exe
Filesize
217KB

MD5
c9701813da2a26546b0d8ba73fe0416c

SHA1
43aadd3e5213a1861169a27253e4cadd2a1d3e84

SHA256
988fce417b06ec65ff63da219824ae4d945744f94f3f94ecd232c533fa1f93d1

SHA512
b71d415dc8e5a0345f307543fb2aad39032c8340540c340d5270c2e769eca3ef7a043de3198b346612581fcc10700ebdcbcd111a25acc816bb4bf88308f0a065

Download Submit
C:\Users\Admin\AppData\Local\Temp\usgu.exe
Filesize
794KB

MD5
817501cf1c8fc009d94fda8a013e54bd

SHA1
2c2dc39b20d4aecc1843e34edb9ff5d6477d9350

SHA256
76582c230d841c6bd4a6b4a29b5529998e7e21101eabd863d94cc268f3d512be

SHA512
18dce84fe64100ba6cd9700ae9c4aff464b6ee07fd9439cf90961a4a16f24191d673ed94716850f4051c1cdf7b2d527b454ecf49bbf1baa8d16ebb725d89cfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwAU.exe
Filesize
190KB

MD5
6de76d4f7fc25bff66f3b708cfac0fc3

SHA1
4401b05ff8229ce3b202663ac8385806c422b23e

SHA256
6e4a8fbc0a40f94d1950e0b9307c9c5f215d964ea7083bebe5532a3855706697

SHA512
208c257d6138969859b7d99b0fed95bce0e6c16fdd4f2beb72776dfe9c3454759c6d1aca47da2ebcd1e47acd7494a3ca8b1025f68a33a7eeab7bf0c44186e862

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYk.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgsK.exe
Filesize
189KB

MD5
0cfcdba4b108e92598b5252defc51ea5

SHA1
c2f93b7bd4723961597277e8d63cb38459faeb2d

SHA256
1f24b35bd6dd8256fd11002b62bcdb85ce48183c59be882e33f357c9ec444822

SHA512
e0d44a241cb7e83534e4b7379bfff2ca658a95fe07606a612d933356c8f32d4e3cc4bbb73aa0e22010e233057d30715478894b221ea99fd855111188d5933af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wokK.exe
Filesize
200KB

MD5
5be922cfa1807dce3503e6a9187bac37

SHA1
a8c5d5c4e84b8eed7c5af854b4bd4568b187762c

SHA256
fce36f35bf3757c93c0f95f60e2d9ec4978a4020c7f257ec054e24d3a55c7ae4

SHA512
62b6d4e961f35d9993802e941fad22b388ec00709ce0206db168efc108a4e2e2bb284d32a8a02dbdac7e5eda2d6332692c237a11a7d142dde044832229526047

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsYy.exe
Filesize
188KB

MD5
63e4858f903be3559db396ef73277b2c

SHA1
74500ade4d2a65a752fed7d48b91d6550265f221

SHA256
d07975c98992abf2d61f372a2f0cf9bef811fec68638badda9788d51850a9dd3

SHA512
6d06cf0ea9616b0220aa27820ce7cb087397af9ad6b48a2bc7782676d33d460ea18c1c5b08fea198a79cb09f5a3961ec58f252e22b45138ea4f68d20f1b944f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEMi.exe
Filesize
202KB

MD5
da3fe57aa0ce787cfb8cafa33977c5de

SHA1
a5f89ac06d577599ca7d2d6c56f33e6a464fd1e5

SHA256
f3c008affc73b6285daebe9dd335f6d3f500f2ac5967ad16175fe36ca3a64c05

SHA512
33261e7c0599fdf5d0982c56bfa45b1d78a24caa3cd879f34cf560733ede27daf22d05a2dd409266fd1f6bb44d44dd4fc6dc0a15c197ccdd19c9c399cdcd6eb7

Download Submit
C:\Users\Admin\yMwEcscI\ZGYcggIs.exe
Filesize
196KB

MD5
4c3ee83155932d3485e06290a1a11c59

SHA1
cabb5845b143258435e4cf93254a8d42e647bfda

SHA256
2902260c8d4825f308a655203b785bd55a7152ce37daa7b2e93c753a4b7865e4

SHA512
726d3fac98d0adcbb39347786e673a989f122f73d651113ad3d4101318bcd7ffa2c1b98239f07466a471d317284166fe148acedbff5d4fd1eea93fea794850fb

Download Submit
C:\Users\Admin\yMwEcscI\ZGYcggIs.inf
Filesize
4B

MD5
db6f8acea3320814478d0ac8590fa6bf

SHA1
7fd24683c10afb91303f4f9e04ff78e569f9fbe6

SHA256
96c9f28962cba45fa0ce54284a9e59c253f9b1c3849b8e58534649cdfe28f205

SHA512
79e57d05e755420b05c3d3157ed8e733b852260d04685fa91b1323080104fed9d47689c18fa87eb824df668e4aafdea82158540e1879f00bae3c232ea3e86f08

Download Submit
memory/208-121-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/208-103-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/804-339-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/804-352-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/876-418-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/876-410-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/876-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/876-95-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/956-495-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/972-505-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/972-496-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1172-145-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1172-129-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1176-430-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1176-438-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1208-296-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1208-304-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1208-358-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1208-372-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1416-267-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1416-254-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1488-181-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1504-157-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1504-141-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1624-218-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1692-330-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1692-343-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1864-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-170-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-153-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2292-12-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2512-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2512-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2560-476-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2560-468-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2608-541-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2608-533-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2704-532-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3144-377-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3144-389-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3168-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3168-83-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3340-402-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3340-409-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3396-323-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3396-310-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3488-448-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3488-457-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3560-447-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3560-439-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3584-477-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3584-485-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3636-295-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3636-285-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3788-70-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3788-59-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3800-305-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3800-314-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3992-276-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3996-193-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4056-467-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4056-453-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4188-215-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4188-229-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4204-542-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4404-419-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4404-429-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4456-524-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4456-514-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4536-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4536-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4552-230-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4552-205-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4552-242-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4552-189-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4556-348-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4556-362-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4560-400-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4560-390-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4688-117-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4688-133-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4712-334-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4712-319-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4836-258-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4836-91-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4836-107-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4836-238-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4864-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4872-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4872-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4912-368-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4912-381-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5048-284-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5048-272-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5064-513-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5064-502-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download