b5f0a7a43983803b550058c2ec3d23462b55cc8c53288f13686083b2723c3e92

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
Size

110KB
MD5

bd8e34969d12e75a6bf77c3752768c9f
SHA1

442a76fad5e85cf85db2b0e2dcf089e7b7471b40
SHA256

b5f0a7a43983803b550058c2ec3d23462b55cc8c53288f13686083b2723c3e92
SHA512

a1c415c85a1c9583f1d192cb5f84be9500ba7b69c3c26c76e6ade306ca1857f43dd3daabc41a08ebe2bfefab70df29f891f78adb3afd3ded3aa01512b777fe24
SSDEEP

1536:g4Y9OI7o2w/k8leKYsKt/Qh+ycTTnb9ON/TWClKxPBqS0+3WtVoC:gXRw/8KdKB27wTnZON/T3lKpBqqWtx

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CUksAAMQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CUksAAMQ.exe

Executes dropped EXE 2 IoCs

Processes:

WsIIooUc.exeCUksAAMQ.exe

pid process

2696 WsIIooUc.exe
956 CUksAAMQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2696	WsIIooUc.exe
956	CUksAAMQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exeCUksAAMQ.exeWsIIooUc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CUksAAMQ.exe = "C:\\ProgramData\\dEkkwMgg\\CUksAAMQ.exe"	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CUksAAMQ.exe = "C:\\ProgramData\\dEkkwMgg\\CUksAAMQ.exe"	CUksAAMQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WsIIooUc.exe = "C:\\Users\\Admin\\twwcsUUY\\WsIIooUc.exe"	WsIIooUc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WsIIooUc.exe = "C:\\Users\\Admin\\twwcsUUY\\WsIIooUc.exe"	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe

Drops file in System32 directory 1 IoCs

Processes:

CUksAAMQ.exe

description ioc process

File created C:\Windows\SysWOW64\shell32.dll.exe CUksAAMQ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	CUksAAMQ.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2792	reg.exe
4464	reg.exe
1816	reg.exe
3492	reg.exe
1484	reg.exe
4540	reg.exe
2012	reg.exe
680	reg.exe
4372	reg.exe
3668	reg.exe
840	reg.exe
3920	reg.exe
2960	reg.exe
3472	reg.exe
2528	reg.exe
1020	reg.exe
528	reg.exe
3968	reg.exe
4344	reg.exe
2368	reg.exe
3928	reg.exe
2120	reg.exe
680	reg.exe
3848	reg.exe
4528	reg.exe
2932	reg.exe
3288	reg.exe
3892	reg.exe
1104	reg.exe
876	reg.exe
4836	reg.exe
2804	reg.exe
4904	reg.exe
4484	reg.exe
4752	reg.exe
2792	reg.exe
5028	reg.exe
2920	reg.exe
3996	reg.exe
4752	reg.exe
4156	reg.exe
4496	reg.exe
2452	reg.exe
1484	reg.exe
1016	reg.exe
4024	reg.exe
5024	reg.exe
2192	reg.exe
4540	reg.exe
4020	reg.exe
4260	reg.exe
1660	reg.exe
3184	reg.exe
1060	reg.exe
3276	reg.exe
4580	reg.exe
2808	reg.exe
3688	reg.exe
3056	reg.exe
4660	reg.exe
3800	reg.exe
3964	reg.exe
1104	reg.exe
3056	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe

pid	process
4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3040	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3040	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3040	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3040	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
5008	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
5008	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
5008	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
5008	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1668	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1668	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1668	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1668	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
5108	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
5108	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
5108	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
5108	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
2760	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
2760	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
2760	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
2760	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1364	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1364	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1364	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1364	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3516	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3516	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3516	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3516	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
372	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
372	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
372	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
372	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4532	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4532	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4532	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4532	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3656	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3656	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3656	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3656	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4552	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4552	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4552	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
4552	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1220	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1220	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1220	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
1220	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3960	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3960	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3960	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
3960	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CUksAAMQ.exe

pid process

956 CUksAAMQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

CUksAAMQ.exe

pid	process
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe
956	CUksAAMQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.execmd.execmd.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.execmd.exe2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.execmd.execmd.exe

description	pid	process	target process
PID 4864 wrote to memory of 2696	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	WsIIooUc.exe
PID 4864 wrote to memory of 2696	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	WsIIooUc.exe
PID 4864 wrote to memory of 2696	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	WsIIooUc.exe
PID 4864 wrote to memory of 956	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	CUksAAMQ.exe
PID 4864 wrote to memory of 956	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	CUksAAMQ.exe
PID 4864 wrote to memory of 956	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	CUksAAMQ.exe
PID 4864 wrote to memory of 2420	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4864 wrote to memory of 2420	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4864 wrote to memory of 2420	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4864 wrote to memory of 2096	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4864 wrote to memory of 2096	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4864 wrote to memory of 2096	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4864 wrote to memory of 1616	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4864 wrote to memory of 1616	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4864 wrote to memory of 1616	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4864 wrote to memory of 2548	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4864 wrote to memory of 2548	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4864 wrote to memory of 2548	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4864 wrote to memory of 452	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4864 wrote to memory of 452	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4864 wrote to memory of 452	4864	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 2420 wrote to memory of 4024	2420	cmd.exe	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
PID 2420 wrote to memory of 4024	2420	cmd.exe	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
PID 2420 wrote to memory of 4024	2420	cmd.exe	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
PID 452 wrote to memory of 1980	452	cmd.exe	cscript.exe
PID 452 wrote to memory of 1980	452	cmd.exe	cscript.exe
PID 452 wrote to memory of 1980	452	cmd.exe	cscript.exe
PID 4024 wrote to memory of 816	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4024 wrote to memory of 816	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4024 wrote to memory of 816	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 816 wrote to memory of 4872	816	cmd.exe	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
PID 816 wrote to memory of 4872	816	cmd.exe	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
PID 816 wrote to memory of 4872	816	cmd.exe	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
PID 4024 wrote to memory of 2792	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4024 wrote to memory of 2792	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4024 wrote to memory of 2792	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4024 wrote to memory of 1964	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4024 wrote to memory of 1964	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4024 wrote to memory of 1964	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4024 wrote to memory of 3084	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4024 wrote to memory of 3084	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4024 wrote to memory of 3084	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4024 wrote to memory of 3904	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4024 wrote to memory of 3904	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4024 wrote to memory of 3904	4024	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4872 wrote to memory of 4616	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4872 wrote to memory of 4616	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 4872 wrote to memory of 4616	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe
PID 3904 wrote to memory of 940	3904	cmd.exe	cscript.exe
PID 3904 wrote to memory of 940	3904	cmd.exe	cscript.exe
PID 3904 wrote to memory of 940	3904	cmd.exe	cscript.exe
PID 4616 wrote to memory of 3040	4616	cmd.exe	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
PID 4616 wrote to memory of 3040	4616	cmd.exe	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
PID 4616 wrote to memory of 3040	4616	cmd.exe	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
PID 4872 wrote to memory of 1856	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4872 wrote to memory of 1856	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4872 wrote to memory of 1856	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4872 wrote to memory of 3892	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4872 wrote to memory of 3892	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4872 wrote to memory of 3892	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4872 wrote to memory of 2972	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4872 wrote to memory of 2972	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4872 wrote to memory of 2972	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	reg.exe
PID 4872 wrote to memory of 3688	4872	2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\twwcsUUY\WsIIooUc.exe
"C:\Users\Admin\twwcsUUY\WsIIooUc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2696

C:\ProgramData\dEkkwMgg\CUksAAMQ.exe
"C:\ProgramData\dEkkwMgg\CUksAAMQ.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
8⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
10⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
12⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
14⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
16⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
18⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
20⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
22⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
24⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
26⤵
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
28⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
30⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
32⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
33⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
34⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
35⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
36⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
37⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
38⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
39⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
40⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
41⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
42⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
43⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
44⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
45⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
46⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
47⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
48⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
49⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
50⤵
PID:3408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
51⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
52⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
53⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
54⤵
PID:780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
55⤵
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
56⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
57⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
58⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
59⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
60⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
61⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
62⤵
PID:4772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
63⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
64⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
65⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
66⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
67⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
68⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
69⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
70⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
71⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
72⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
73⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
74⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
75⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
76⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
77⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
78⤵
PID:372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
79⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
80⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
81⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
82⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
83⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
84⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
85⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
86⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
87⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
88⤵
PID:3288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
89⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
90⤵
PID:3764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
91⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
92⤵
PID:1900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
93⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
94⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
95⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
96⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
97⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
98⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
99⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
100⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
101⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
102⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
103⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
104⤵
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
105⤵
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
106⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
107⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
108⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
109⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
110⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
111⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
112⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
113⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
114⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
115⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
116⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
117⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
118⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
119⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
120⤵
PID:2800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
121⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
122⤵
PID:4156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
123⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
124⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
125⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
126⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
127⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
128⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
129⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
130⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
131⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
132⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
133⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
134⤵
PID:2904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
135⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
136⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
137⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
138⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
139⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
140⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
141⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
142⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
143⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
144⤵
PID:1120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
145⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
146⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
147⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
148⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
149⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
150⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
151⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
152⤵
PID:1884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
153⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
154⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
155⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
156⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
157⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
158⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
159⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
160⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
161⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
162⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
163⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
164⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
165⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
166⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
167⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
168⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
169⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
170⤵
PID:2224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
171⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
172⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
173⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
174⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
175⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
176⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
177⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
178⤵
PID:2808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
179⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
180⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
181⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
182⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
183⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
184⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
185⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
186⤵
PID:1960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
187⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
188⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
189⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock"
190⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
191⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
- Modifies registry key
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:5088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:1064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQYUckgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
190⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWUgIkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
188⤵
PID:4464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:1516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
- Modifies registry key
PID:2792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYgkMcIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
186⤵
PID:3860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
- Modifies registry key
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:1688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuIYsEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
184⤵
PID:4600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:1104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:4580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:4424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysUwEwcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
182⤵
PID:3252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:1652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:5036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- Modifies registry key
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECIEAIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
180⤵
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:1532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies registry key
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoMQIgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
178⤵
PID:3744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:3716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcUwwogQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
176⤵
PID:1988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:2640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
- Modifies registry key
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buogAwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
174⤵
PID:3844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
- Modifies registry key
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmMcEooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
172⤵
PID:4616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:2008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcQAAIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
170⤵
PID:2012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:5028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSIkUcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
168⤵
PID:4052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COgcoEAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
166⤵
PID:2640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:1868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:4260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsUkIosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
164⤵
PID:1068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmMUoEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
162⤵
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYYUwMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
160⤵
PID:1124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TawcAAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
158⤵
PID:4208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
- Modifies registry key
PID:3276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycUQAIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
156⤵
PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- Modifies registry key
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqcooAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
154⤵
PID:4064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUAkwUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
152⤵
PID:4588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:1380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSYwYcYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
150⤵
PID:428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcAgYggU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
148⤵
PID:2508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:4376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
- Modifies registry key
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqkMgcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
146⤵
PID:816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEUIIQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
144⤵
PID:1076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:1652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIsgUUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
142⤵
PID:1096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:2416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:1636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuQEQQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
140⤵
PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POsEswQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
138⤵
PID:5068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies registry key
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:4024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- Modifies registry key
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQgMcoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
136⤵
PID:772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:1468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGwwAMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
134⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- Modifies registry key
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIsEQYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
132⤵
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:4160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- Modifies registry key
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUwMoEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
130⤵
PID:2796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
- Modifies registry key
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAgkUUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
128⤵
PID:1956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYYgYIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
126⤵
PID:4036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuwcUgUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
124⤵
PID:1892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWkMIcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
122⤵
PID:2372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- Modifies registry key
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcAUIYME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
120⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tckwkgYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
118⤵
PID:1960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:4912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISAwYIwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
116⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:2792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeUEskwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
114⤵
PID:2732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:2416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:3224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMQQAksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
112⤵
PID:3232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkAMwQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
110⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:1660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOMkMUEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
108⤵
PID:1688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies registry key
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
- Modifies registry key
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQMMMsoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
106⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
- Modifies registry key
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toQIAUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
104⤵
PID:3964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuUEYYgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
102⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
- Modifies registry key
PID:4496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGckgEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
100⤵
PID:748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:1532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smQAsMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
98⤵
PID:4852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies registry key
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:2616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auggsgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
96⤵
PID:2904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:3608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgIIcQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
94⤵
PID:3668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqwkcoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
92⤵
PID:3376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaAMQgAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
90⤵
PID:4904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:4776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
- Modifies registry key
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQwwwswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
88⤵
PID:4768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:4656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiYAMocI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
86⤵
PID:2796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeAYwksE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
84⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:4068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAwoYAEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
82⤵
PID:4776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGoccwMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
80⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naEwsocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
78⤵
PID:2796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:1008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuQAogks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
76⤵
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:64

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
- Modifies registry key
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmgcEIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
74⤵
PID:1992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEsoksIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
72⤵
PID:4540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCAgUYgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
70⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqMkgYMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
68⤵
PID:4640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAIIUEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
66⤵
PID:3252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies registry key
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bioAwUIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
64⤵
PID:3520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:2208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYEYAQYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
62⤵
PID:4496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:64

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsQwQcgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
60⤵
PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:1576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qscwwkkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
58⤵
PID:3844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:3656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMkQUUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
56⤵
PID:1240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEcMUEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
54⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies registry key
PID:2960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
- Modifies registry key
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcAAQEUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
52⤵
PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMwUswQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
50⤵
PID:3740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raQkEUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
48⤵
PID:1232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmsggkcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
46⤵
PID:372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:1644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGMIwgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
44⤵
PID:4312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmgUoskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
42⤵
PID:1020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:4656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWowgoUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
40⤵
PID:4848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:3216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
- Modifies registry key
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcIQUwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
38⤵
PID:780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwIQEkcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
36⤵
PID:748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgIoAAUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
34⤵
PID:4656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:3816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkAsQUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
32⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqkIAwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
30⤵
PID:2784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqcwsUIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
28⤵
PID:1404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- Modifies registry key
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcMAEIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
26⤵
PID:2912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOosgAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
24⤵
PID:1232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:1688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyoEcQUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
22⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKUcoUQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
20⤵
PID:2332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:1256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEAEYEgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
18⤵
PID:2404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BissMcQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
16⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMwooIko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
14⤵
PID:752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
- Modifies registry key
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwQwUAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
12⤵
PID:5024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOEgkcgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
10⤵
PID:3496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAQkccYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
8⤵
PID:1468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEYsYAUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
6⤵
PID:3688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYUMIQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viYkYMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1980

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 0c31ba37e5b81d4d729bf146f56281dd S1Ctp4o1KUuaaFyXVJ90+Q.0.1.0.0.0
1⤵
PID:3392

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
236KB

MD5
8bd6c1581b49fbd55f8655f9105725c6

SHA1
327f384b8abaca88680aebbfa3452ae11db48121

SHA256
034edfbace54e57e61a55d8367928c69ffd95b214ec24027e267ea21b7f2df5a

SHA512
e2afd23741fb3f06e8ba8c73b3d577e3ab0c4d690b1a6ef53ce72e1ea1eae03f02caa7ca7b00fbbc26b06c321c07835164a3aacfde1a2c7549d83ef5b480f47d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
698KB

MD5
0b91484b3387d1c03ce231513ded90b6

SHA1
393fba506d5cea1b43d43100b7b29c02f58522fb

SHA256
5e59d4eb7090950724dfcfad875244c5e33587cc82efd258d483cf6510a63958

SHA512
95bb99ed1becd2da23fa4f3f813fd38388746a9b0092866605954050ac11a03430921b3d1447418e5204d62b9b1f4b3ab74e52ba4a6f78b19a28b3befd28fe9a

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
Filesize
742KB

MD5
a1dd88c112a9746fc91fbc65c0eaf2d7

SHA1
e92dc939e9ae4d59d3a55d351d861959f1fdfaaa

SHA256
2519c14c33d4ab55c9943a87eecd0e73caa1c42cba00db6fc614eea177c909b8

SHA512
b251d91523d1f3cdd25e3fdaf710564ef244d92adf48607ce3138892ed339bd680401baee29a9e5f9456f2bb541cf084316d49600247889e12af64db923bb55e

Download Submit
C:\ProgramData\dEkkwMgg\CUksAAMQ.exe
Filesize
109KB

MD5
273cf0d57a371dae0369ca7498e227e5

SHA1
6918dcc91973a29619d76e912ec93b671049578f

SHA256
42241b279f88caac587b1e9ab359f5bd7a9b9138551b9707e2f41d702f7a7685

SHA512
fa99998d23fc787dbf51df613ae06eefb54b4db574eedaeb32917ece2f3ae2c26a1916fda5df8e31b795f8f82dcd34c69a1dc6f5e2e252e49156f8a6eae7bd4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\128.png.exe
Filesize
117KB

MD5
d15eaec9d8943afb95f99bcf7afe7edd

SHA1
9de5bbc2d567809f839ac922b2c2084a860f5bfd

SHA256
3a0e3bf133907ac629fe8777700d3ced3ff71823a7f27aab844b052017b1c898

SHA512
81fec621c20284138eab4614e237de0430c1ac825f03deb92431ac738450d7b2cf3945e1a870eae55d61c4f82e85ab1d989004f8a60c8680a04c16b7b2c1249d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize
116KB

MD5
7e3b58424560cf8b9c4fc613abe20a2c

SHA1
ec91624276eb027414d845add42e1c77f14858e6

SHA256
872512e14cf15d8b8356bf4bcf3f489ed5cc9239dbe974f29b115989dc87934e

SHA512
6d4a65f9b599e49cfa77a47f2f0cb67e45a4e9695c648fe23f83c1f3027e80c77de09897e1e66f56f14d0b0d30853839033e064387d702069cbdb12ec19c2e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
Filesize
483KB

MD5
33fc1a65ec3ca103ea36cbd5a710d3b7

SHA1
019aaf4698299ee74a9ceae0b8be16395081e1c4

SHA256
2f3d5c919ddb79755aa7a719ad05e73cd011a96c1c5235416148d75847c5411d

SHA512
ae673d8523049f9c54118818b13df7a02e8d38f603a8951af5a263d7be48b6d97f3917e3707dff914633b7a403342a7861a79d83874cb66818cef5a104f121c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe
Filesize
110KB

MD5
8906c9e2343ea473ebb597104b20ad7d

SHA1
1e1e22697cd0a4d193b959ee7b141545d1eea09d

SHA256
56a624f99359c140684911cb0d5215336da98fa98aa1a1f2a337ad4ab1e0d781

SHA512
433366f37d1cf3c0dd272801c33352fba0b74407b56ed2b52ca7015a662d51c2a2a4da621a1248391992f76c92f6aa2b1ef6303e79d7e62650d535424cf673f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Filesize
1.7MB

MD5
789ec9b724aacb1a53f16a7cd552222a

SHA1
5b7260d45384efeb8dd05e9e7f4c219bc8e53374

SHA256
a4ea53ce6edddecd354a52ab78e48d440203f41e3ce765c7438fa4e64dbd5036

SHA512
ec8bd4997a45e3b1cd5a929b51ded66e752f836727bf5a77002cd3701e8d17d6337c3c5186154b678084f6aa94bd0316309a3d6f325eacbf3d37accc0db14e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-23_bd8e34969d12e75a6bf77c3752768c9f_virlock
Filesize
84B

MD5
540b5e792e4a09b6af2a4362fb2b78fb

SHA1
26268a6c8de95b4bf0d5a97f02e74ba34acc5c08

SHA256
b1a7e8a341a1f795f0890116f68368ff4bb0f1e0ce73691719dc24e3927463ad

SHA512
a9dd50a06ab714ac6940e9ecf6d7e61c85fc5f81607abd878aadc38063f09936fbcf1304052029bd67a9beac6c940f8fef9e7621c277c8bfd67296f180a288a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYYi.exe
Filesize
1.1MB

MD5
4ffee9d7a8a662d60d9479356346a140

SHA1
028fa60a12490aba36951f9c81cfa7b2a39ba623

SHA256
61d47d76df068b64a20559b67d7744517ae4f6588300a0ed467fd50dfbe130b8

SHA512
f15af674eb43457f3e2ef123de3850d13154de58a12cd5396835916c417ea5128f7c38750dc4767f933ddab0c737e1527cde62f027fc61a3ad8fe5bf19606dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcwC.exe
Filesize
113KB

MD5
ded76efe671ae6c42a69883e0d3048ba

SHA1
2cc9a2819a1ff6bd5958fa44e57a77817a3fa020

SHA256
26ac39c7882943fb8026d62994e2aaaeaafc28cd08db8b2bd28f023060fc32f4

SHA512
b9ed18532a098dd1ff66d1942c6e8b2cb2b836361f895425bb611c7ca30aba0655114bcbb15de7dcc0863a101987d3a02fb3ea70909ec45b7198661c54653575

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awwc.exe
Filesize
120KB

MD5
21756cafd07423e9e568206799b43a7b

SHA1
d96dd7d8c326831dbffcda067445af340cb30b8a

SHA256
aa1125d365fa1884cffdc4fb12bfe492b4c6817d49627e360fa619dfc2d63f0e

SHA512
8d24691eb122b7307c6284bf51d3b9702f2053810a42b49353e8e202606a045ea41b68b6d1a643f5e32cfb38d1bbff70b62cb0089433a287cfb25e017551c933

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEgO.exe
Filesize
116KB

MD5
1433f8e1d9e6b608b565c6a312680527

SHA1
c2d2081de95c1adc53c0da37931609e4cfc5df34

SHA256
1c82b21e5bca6ec94ed6d7342d79de987e46938d7e16f1ffa0769c04b99943ba

SHA512
7f870116f0eca5ec8fb9b3fa538155fd9503bb06741bee66c146b9b774db241887f0c96f50a59811879361d7e427489591c66015b601ea410cb67b7449825685

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIUa.exe
Filesize
850KB

MD5
e2d2eae271b51efbe1ec2473aae4f59f

SHA1
fee0ec18d4a53d0604e1b9b7c7d832d6539d5027

SHA256
23f5b4eff094afe250c626e21e5706bcfefa9b341c2fa3fdcc0442db12f18c1c

SHA512
3583064e80d779d6b0a7f63a4878edfe3c2bd896547b86d68138c99e0054f0e9d10af2871c52b7f227c6823ee53eada78f39b1c67df5051bf381648734aa7de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgMo.exe
Filesize
110KB

MD5
c5fd17a34066fc114bd3e500f0c678ea

SHA1
9444791fc57dd6a4af97300209955e7712fd4cb3

SHA256
ffd2500cbcce989ac7b10960728097a3d933e0770cde222727bfd982b88eb62b

SHA512
946777d240e37df7498a28d1aea268801278d605ab71088fc5a39bb891493564ec48126ce3fec5bab5ca2c8173b6bb3f56aaa36d271c372c7a6a59d9125d2757

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAcI.exe
Filesize
113KB

MD5
9c846d1fb60b215b2615df36c503fed2

SHA1
147f5113fa142b9f4dab7d5a15d067e221f81f19

SHA256
a81d35c76a132dca8df9b83f3b2ac5e43ad38f1a4bf07461c0a3d621a24123da

SHA512
f9f87f1f00fc15c9395354e70b351dfc065fe8f6b1eb3dd90995cf234f68ac69c6ff6fc160de7a1e9939592db026bbc54e0a0c4178dabba11897a6716bfc2ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkoO.exe
Filesize
112KB

MD5
9f3821b1dba1cade35753a00464a89d3

SHA1
82cb1e1b3ae9be19b2fade1140c36b0131ff6411

SHA256
e58507e9638a29b0c7c8be5c7ce09f1a0ace9b2124df276f2c8e904440b4746b

SHA512
9f7339c05b2545c8a2d2c812befca65ebe48067b1d18f88b68c158d7ba6ab8202f6a8c3d41fe370d2be572c21fc940ade7dcf22b1382080e00aa153bc8e30965

Download Submit
C:\Users\Admin\AppData\Local\Temp\Esse.exe
Filesize
721KB

MD5
98a363e76f435d11c0142eef1b8a8f03

SHA1
c92c097ad69c0171017fe06bf04f3cf2ad1193f6

SHA256
166abe7515174b510275afe718996da7bf78af1723251599775f62ae1e087c15

SHA512
6b8193a095cc0e7765aa73518a069353c53c9128ce145f120fc9419e750230ac3a9767632264fbefd6150249d6414b9953a2988eebc4f5acfb2b78ba948628de

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYgu.exe
Filesize
110KB

MD5
e3c7002344070e9143e8cc4c266e02ec

SHA1
add3eb9f3a202b3c6244b3149785115835bfd93f

SHA256
63666511db6c20f9f75bf555f879bc9cccc713c2148e0cece61ce2c16bc78fd4

SHA512
59effd97b1f93f558f0fa1ef01ae7f73a69903e3a417b3b2e06954b4c8e462f38f129c6141d5c05525d2aed02ac937077a3030b0fdd17803085e7ff4cc6d5de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcAa.exe
Filesize
122KB

MD5
634d2af5b3606b1a05d6a02af25f2890

SHA1
13e8d587a2afccfba0eb57d1cd92f1adafa68961

SHA256
4e0204157d65e483d4106bdf20abe07a47c64033814062d5a7176ef711440f06

SHA512
420f2c332ebd282be94cfccd6adb59c5789b01157d79f77e36317b6ad090d445b6996f30bdd5909044bd50de280650b996344e790067c4d0b4ec642cbf42a930

Download Submit
C:\Users\Admin\AppData\Local\Temp\GssA.exe
Filesize
511KB

MD5
77e805a23da893c75987807c9108b68f

SHA1
2a72d405551c04052942dccbed991e10b931499f

SHA256
a1499bc914eed77d8c2ac5b3aa9afa33965df2a6b948bf271a6f598d5ff02011

SHA512
d539a08c4c5d9e2dba56919bb602440c31e7decbaadce4eec24a6d6be7d88f997fcefb3c5f4fb28ac0f5d2a88f43c44a416a53fa74a9e2b7a58bbeed7428e06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwAW.exe
Filesize
113KB

MD5
0ab4deb66bdc83dd39a5f61ecc80f9c7

SHA1
e51c1400bac3418ce2b12b5c490a5a7b3ae8550b

SHA256
0489b2431784922f1b9380ff60347717fc93af0ca2efb63d10dfd95bf20b09b5

SHA512
00676568f693fd53b2465be63d6cb8b8a4fe5036ecc1bc42ac6acebeb5d0ea1fa688fab4f3bd7439cea4c3153bbf8d039208fd14f9d35ba87be7207083f27e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwAy.exe
Filesize
702KB

MD5
a16179299076e1410ae725ea08adf1c7

SHA1
4a5b85a3c755205c02b6536f6cd589c3691279bf

SHA256
c454590421206def6a4fe1039292836495b6df3bf6b255657be82f950fd421be

SHA512
548c76897e922e27ccdde1a7b1baf28b17cebb039a0f85160cc397a71820223522617518a768c3ef2c37fc8983b838ab3f62c27090c2dd6d5e2dd193ad28b427

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwos.exe
Filesize
720KB

MD5
95c43a00cd67923f9490ef7c3d343c16

SHA1
f1a35ea8026d07c115e7a783a5bfdedb7a535e36

SHA256
6fb5487d907b3fc1a2da3f883a7233347c7b875d8e4e692e6f041be6da552b42

SHA512
e8e6811b41183b1d5dbc68d91cdbea10251e2807d36ae706cac02c7b577810fbac1d513980cd23a3fe4738bcaa27e18f9e7c50db5f0546e55939a08e57f4f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQYU.exe
Filesize
115KB

MD5
6077697079582cd466734dee212cb715

SHA1
ea34e72c81bf992f5b696c11977aaadd6bdf7440

SHA256
634744079839208ee5e17b54b3debd18886f00ef6a997a365f09011532b5ec2f

SHA512
59e5d756acc4a1d9422fdc7dc45e076493c320a2c0df9c6b7e9f80bee9a4e8efb5b7aebfc2e26a7aa980ba28139317c6d0b664360e50bbfb0c458c2652afee1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQsY.exe
Filesize
116KB

MD5
043274b7143573bc8dbe271ad978c4a5

SHA1
b2ab9e095e95324542be4b8f22cf73871cb6fc9c

SHA256
02150a5392a5b9a04bc792dc19f3a9af01eb98022d6677dca3f963224f716bad

SHA512
002fa72a6ee2079abde5a48338018d24971eb17b836b78cba51d2910675d48fbdd02f2242a3282a75751c06ba5e53e12cd01d35555ada547f0a406ef4eb627df

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYwk.exe
Filesize
111KB

MD5
9493092db1ffd0bda346d88fdcad9b7e

SHA1
317a5acbdb562ebaf2377135633b93f195f8504a

SHA256
2e0c864d6c92b35bd4f9ca9b3828466e35831c485fbd0f6e19526756322cd7be

SHA512
6d13f9bcade8d5a917b4238431ed70bcff6bf0e87b7dcff0d6436d61feb09a266a27947905f6553ba7b92f443b034440d5925ecbe3e9e192cbf98c7bb027e806

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAMU.exe
Filesize
116KB

MD5
6c4e3875eb282b910aa44972aca62f62

SHA1
39db97b1a5c732bfe289e26cef4088b765401c76

SHA256
c12bb4f01d1118beeca697e519c9b092ce6333f3542889c74be5acb560570ec0

SHA512
90319ee266523819b719bff2c07a06c9e62f436ba5e591e4aaafd7d7b3f3660ad3470e847dd98571c998e54222d559e3ef0679b1f60cea9474b2f7975af39c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEsy.exe
Filesize
140KB

MD5
e6ac12332ed09073ddb2e169d0af633e

SHA1
282380bfab9c7bcb5e56494f89a70dc5b09a0abb

SHA256
21fe31eaae19265e64265ae464335180b43219077590e0856b65335b8575b297

SHA512
1ecc145506c1f766fee4f1b1805c44fd78bcd44c26f2b481a3201ee5cb8f40ef24bc2f6eb86d0d1edebf6afcc7658b2a520c7ffad06541962752b6c603f54396

Download Submit
C:\Users\Admin\AppData\Local\Temp\MckU.exe
Filesize
720KB

MD5
c4da0560db38947673e0ae77c73fde12

SHA1
887a326b824290d67b6f074c563c3fb831f1411c

SHA256
41cddb211e39f48d6fa577c9729654f9d3a13e1f5da358fd9e6e1fefb52d2751

SHA512
db46f5fe443a389ca95a09accb5760d99eea280de412f66ff60c9b9b7c519edfedcfc9f498981c0d07a7505f8fbc8f421e51720ba71e1789e3e1498c49a9994b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcsy.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgYG.exe
Filesize
151KB

MD5
69a3a6bea9154767b96e5367963dd77d

SHA1
ac88b0f84cbc95a39d46426330631c14368a34cf

SHA256
26b9aae11e5fd628c90df86339ba9f6808a0cbbf8fa500f89cdf239db54982ab

SHA512
ddc7103cfa5a1e8a7a0cf570f786e5bbdac0b651c7d5e72443c0adb59e90cdd0017c244c582cf72b5e3ca0d7bc9165364e27574a8e52b30128ef1b5f55419e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoAo.exe
Filesize
148KB

MD5
f6d6ac1ba3e8411fcf24a1fed19ceef7

SHA1
b0751f78723917d18babe276ae1dbd64c350fe71

SHA256
1794ebdb02315494ceb867e46bfc8d1a12dfe2967d0eff2451bb1eaa88a43182

SHA512
a302594715589ad4eae8112fc18a57fea8b9d5e93d609b6b1729e3e9cd8ee5c8a86ff4a92093094d9b7cf87b1dfe2019659c63f50b744580159a52403678bc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsoE.exe
Filesize
111KB

MD5
e9bcb9c848b2792a74f9f9cf66ec45e8

SHA1
cce214ae5568b88756fb87a08e88b1cc63d4a559

SHA256
ea53079cf0fc70007a58532b8f19e0a00f6f1ede1540d99c84fc5a02867a73ea

SHA512
5d8167fb2e00f17b74c539e682c236fae7d001b23453269ceab1cbf10e61223ec58a8d0109438b71f55f6bf85f0c3310eb44d09b2cc792c290e6252be5e440c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIMg.exe
Filesize
566KB

MD5
db539e3e2a326448b0bcc041b66d8175

SHA1
384c4179de99c33b98902ca11b623d5d64ffe53f

SHA256
ade4731626dc2977389f634779497a283df97ffc51e9d2faddf1d604077f9f16

SHA512
09f88dddf094b020dbcedb6623b78534a92b1a8bb12abaf3d464e8289da6541a0366c5691ce3060f3152d7ea39587bca69f9209f4b533c4d9ac80a0aceb8599a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwQU.exe
Filesize
116KB

MD5
ced9c0b893d3610d578ef62e3ff6e875

SHA1
b4947298c878f96a0dc9ee55a145c5468d587688

SHA256
b8ad370dfe5270d22c05c7dda1552a4ab412bf96c7d3114fc101c40b6e446c6e

SHA512
743fcbccb663221a393c1c714016ed6706d4f1b08ac29d2ba49aab41a804b6d0ddd74e6af945b180aeb9749344881203343b6db149ae98c931e70980f0288733

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwoK.exe
Filesize
745KB

MD5
ac690c553ad516effb5135a978147fcf

SHA1
beee435e3ce92fd9e39691b7ce1b4d3e74814331

SHA256
403427eca83fc1a3ef6dbdd0d67348516c0976a444f0e313f18a09811bbd530b

SHA512
4fa70b02e30f2d1688f3de570f0e5c05968d4b92831af5b227445d4deaa4be45e2a141503a22549370ed77ac2dbdfe6c96a879656601f70fb171154c19b5a9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgMQ.exe
Filesize
119KB

MD5
13eb53a9fc161eb2e384719f6c7806a7

SHA1
60975ea4231301e90816d5cf9265940060b519b2

SHA256
70e621f9884928b45dec85eeec7b086e90cb18ef84ea2e81bfcb3cec83cb698c

SHA512
a2fcba3ad8c8646f8fbd89dab07f5baeee2541a0a4f4fdf97582e54267e944155ac2c517c9c18edb53a948b42e99316bcab140cc56d2198e0d6cfb12aa0987bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsUe.exe
Filesize
137KB

MD5
4d36bf220960659794da18e9537167c7

SHA1
3f1aa12eadd806f7b18b556797812511edfc0781

SHA256
e744a4f46a8176ed31ddf6722a2e7f3753826299ac6bd8dcaa804df0d5f8f97f

SHA512
ad2a6b98bab0884a68f9c624f4d506945f3dab645333fcab7036ec128d3c218cfcccd272abf1f63fb380317467d573252da8c37577f53c318f2ad0140610afe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUYK.exe
Filesize
112KB

MD5
bd982660c6f435d5d5c8dd5a4c9aaba7

SHA1
d809bff7bd6159a94506dd7e6d8fffce19d6a33a

SHA256
a7785c7bda144c778deae8fd66843519567c95b949d4f224b41ba8c09bcb13f3

SHA512
48829cb2b7245a293a2e3dcc8e91a68bbe045f8880289e865346f6e57140d709abc2fedeecfebe76502dfe8e44c2235eec2595a140a5f5eda0934cca377831da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugok.exe
Filesize
111KB

MD5
733f8bb1b9898e6ebb4b3b2d35e5f9a6

SHA1
e7b2229e1bc95c0fd5091d30c273caf052f00674

SHA256
2d8d55c9d85fdfadc5d8eeb98ac4255c390c6fa913032d0d4e1a7dab010f8eab

SHA512
7164b0a736ebf3b18469a0fd904c4c1bb172d4fe66ee78d9140654824356dd2900d0468fa87821b2789187aeea5ff03fd85bd6831a7ec0b83462edb1119966d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkkW.exe
Filesize
576KB

MD5
639788c8bcf1c21bfcbf1f74289ad9cd

SHA1
a7abff3d737286a10c96af6e43b84d6a62859eb3

SHA256
f57d70cc1c8d25d84cd8c15366291029f293b8ece8559d57a86c27c4a0c92bb6

SHA512
cc9c308ae23afab3a41358cdeb564556195cfa361df1e1d0b91b57cce49124388674324320229d38c6d75134c39002dbf9792d05b593dc961506e88f0463e069

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoMc.exe
Filesize
299KB

MD5
e09299977caab5bf85330421ae0d1949

SHA1
1caa66fd114f360b989825a735e2d2106776defb

SHA256
da35dcc515036750c36cec0fe0781f2c43ec35cdb744590923ff1afd4b7434a7

SHA512
461a5015385a5ee7624e49b67aee56418f01d4096dda5564002f0d962e20cfc485ca066a628c8ab2a10e05bae6b0bba6c33c3a925294ccf1841673f1a8a0ea79

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsEQ.exe
Filesize
111KB

MD5
aeac53af024f17f7d853d8a85ca3e634

SHA1
357284b8aef16bb296f2e0003a06adae9ff2dd1d

SHA256
a3c4cdf70de86883ae748c3b6ea3a0dff90d96ae59e59876bf9712095dc24ccb

SHA512
ab3c20e8d9edb26959115a69e01d15a4b71c583a079bd2e0835a53f2aedcc0e236153071dd0582e4a652e909eb5d82f27bf88177973a485b685f2db88a1a6927

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUAG.exe
Filesize
112KB

MD5
00c05ea1bf0deb570fcb5d4baace4359

SHA1
883726055e6635788c865493024785e7fc7cdc93

SHA256
c57e7f3b9e6c6d3764f5b4049aa3398b8acaee8c95171cce381cacca85ad9c55

SHA512
6bb33cb616ff0c4fab889c091b1f02d5f21d570a7afd596b2cf874f6dff36c20118504da999ff9db0f70b50af5fafb8fde062272272d9422d0ba9b72a5c9b054

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUe.exe
Filesize
557KB

MD5
34a724d8619b97925b5ac5c3aa436a81

SHA1
c1e78acb64bc727c082713052a3d6c22ecb781f2

SHA256
2b62bc39d4b6641511a0006da9db3bd8dfe732624f13fe626154d4083e9de4df

SHA512
7611f9ded5459aa62b61d5c75b2f5e72aaf8614afe96fb7609dbbb58faac6c39a6fb6c6c5685bb558ee7c7c0d4d8fe0d5ca3366bf0249d2a6daada3127a94c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkIW.exe
Filesize
111KB

MD5
438c0a0ee77345479e7e28f12d3d0e33

SHA1
b28ef4f560f4d9ce879046a6095af9755ba3dcea

SHA256
7b334ce7b365788fdeb7d15bb3380304ce422efb90897334f6a660f1d851f925

SHA512
45580e497bbec3f09552d11e11015a8181dda3078f1d35c2388d3a54d1ef6d3a8fd199555af7572c68ad60acd166a54accf0b33aeb565afb536794b14b4268b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ygwq.exe
Filesize
639KB

MD5
5301def1bb97910ac182427ff3782750

SHA1
8b8e12b5133bc8195c3f4da78acbe744626d3105

SHA256
9fec4dc58396976545b339a71fd492c80d2de24617d15f0a4dcaff72267cd34e

SHA512
979c5307b44d6eee9bc08b11e27f7c59d336c6d96912a1a122231e4491aee1d7cdafb20d645723c1d811964f285407c61ded948b22b31695d6221f3af86b4dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAQW.exe
Filesize
442KB

MD5
f065dbd76559375b5bb9ca9a8e852162

SHA1
315735891774d3a42ce038b120800217be83d99f

SHA256
48d6cf9ee83bc16c0d66ddb9c8669bde0229be56724b9755340d055dfb3a27ea

SHA512
f79e3e3a3cac2c6e91110ad2363d79f081f949ecead8b365f7757601a3c8fefd13a2f52719021db2c5a317fcc6b55df21b45a5946ff5c9d106e0a1a88a8c490d

Download Submit
C:\Users\Admin\AppData\Local\Temp\agYs.exe
Filesize
115KB

MD5
50483b340dd05ffcc821634c15d95855

SHA1
222da3523210de7ee1db33e931e7bb5b1892b15e

SHA256
8662b62012710001d9f069c5d7679341a1df620c3d375cb68ed71ef619c7e634

SHA512
c4068e3b70a17af37aed6f656435f346794d43a209b2a1be7e177099d443880525274e011e0a5d17daa900640d2e6deea6122f1c65fe4012c909ecd2ad0105d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEIE.exe
Filesize
112KB

MD5
865b47dca6b51146238c5090e9047ac8

SHA1
11fc5dd2a9bba2d0d8b59d4dd54a85bc6f643941

SHA256
716a5b1623906d84c512a523d592efbed0bf1c9bf4adcfe8c2e065310753c807

SHA512
d774d2c43c33a4b38b4972a3c6dcc0dd415abba68983c821485f8bbcd2c50c33cbd49746679bc4bd98bbc715785c2061cba8334c6125730fa3dadbc0c27f36a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMgO.exe
Filesize
112KB

MD5
dc7182cb04c1d33d62687a57ddc690da

SHA1
0c57264ec1ec4d0ed3ef18ffee4161a0368481e9

SHA256
42b00aa51fe17c30a86eb20c35c198e8f704ebb4788d58fc8f64b40a9b237a16

SHA512
5c5e6b39145e96ccaac79771981eb8bfc5e0e4801ccdcd0f4adcd05d76c5a1a4e0cb02715f075364054b72165abf98a3918675537b4c04732779fde07cd0aa6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUEA.exe
Filesize
121KB

MD5
2f9664d11b799ce062d64bf2dda82fc9

SHA1
0ed4fd43eca9c90cd9e4da20ac9caf0bab54ca5a

SHA256
f2bce13c88b0dedd4ba5c31d5b6b8c118d8ada745eaff34cbb43276c59e9b487

SHA512
72d4ca482ace22e09755a580f811d5f40ed5fef4578c613a8fe1ccbfa50773c3f913973a49d963e196428c16f9f983604451b33542c6a1f1a757a572c18da1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYkw.exe
Filesize
121KB

MD5
29b501aba3c292415212eab0b3bcd9be

SHA1
72f6aeadd4ad6c1295dd87db8081478ec5301d6e

SHA256
ddb01108c21363447c1b00e30ec75c078cfda93ef8f785e62365a98fd0dbdd08

SHA512
b78be1a3e92a7e891b40ea06839884c037e04404eadff11ad8df038de88a0453a28583f2a3c7f7d0a6e43b98e760389a7c37087e0b85eb1eaf1f6a4f365288d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\coQw.exe
Filesize
111KB

MD5
d5373db8ae833709efceea52930e8dd0

SHA1
1cc49f328ecffdc05367017dcd7c2256df071dce

SHA256
b5b1afd641b83cc2532166489dc2e6b49af1f164f3dde7d341d5e65be95cc850

SHA512
c111e32633a25d60f8a777db35b105751228b1c259942a46db9df9f321dd49cdafa414ab6533406ea764d56412b3f8bfb48b9fe80a9b2d20321e075bbb750c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\coUa.exe
Filesize
115KB

MD5
0f012a5816ecdabf21ec9d9cae46bc6f

SHA1
e3ebaa7c9f2cd32dcb8d4ffedeba843770e1851e

SHA256
66c3a3beefef1baef6406f7a5b0efe9be2e9806b174d1936085eba8207cafcc2

SHA512
f7d3faf7074a3ba30b7aaa7dcc1ac39b2c17551035ec3ddd40269993c3b3f5a293b89a0000ba2ea23797c5f3e68fb976f2ce74ada1c98b7480dfe77b148c506b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwAU.exe
Filesize
112KB

MD5
4e3a5504e64a5e5bd4f95873c6ddded9

SHA1
0fb964dbe2b20ef494ad14d13fedd3454d3f194a

SHA256
1ae5faec936effa5e9b4daa4aa310cbf33be956e650b8449e59fd775b32bf521

SHA512
de4f7db36c0ffbe618a2bf16e581a9b88a9c2ddb81a8bd53c1bcde338c4f454c87397834911d2c8bbe69265fb02d7d51e1595811a56cef191c3253d5de551b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYcA.exe
Filesize
450KB

MD5
75185d1fef12f053e90448ff36d7475a

SHA1
b624cfc497633da03e79078fcd49e79ab4c8b5a3

SHA256
8efbbd672269e063b1c4a3696f4a99b35718370f9c6ad98e6dccdd8b5090e6ab

SHA512
9bdaf2f627e64fa6859836944f60213e02c30738ca8f4368777381d4e3888d92cfd4aa6ee09c4c3c43484881ed4261e336ce94ef45096d834cf5d3e18bcb6988

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokM.exe
Filesize
113KB

MD5
1311b1b1a78a27a944daa5df209fa4d0

SHA1
7bd9c011ec887882c9fde7b16223e9e1b2d234cf

SHA256
807534c43ed447207dc3a192cc1638153be18e7a0693d06439dbf6716780cdbd

SHA512
df0d3e17d6b419b542e6e83d67f4bfedeb0125d0ffb8e9d55d9fd021d0489dd80249a550d8ab77f6c45deb7c8f74008fce26ea923a6f5667cd232784eb7dc136

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAe.exe
Filesize
565KB

MD5
13b2a7fad4d80b6bbc00561b9408562a

SHA1
733945d32d670c6806c3db5c6d756ff41adb389b

SHA256
034b5fefe1efb896e3bda54c9dff27665d70bbe6f5b446250c56b12679d97a1c

SHA512
d830f09703683b85f0101efa0a5db0090c886a4ce80c8b8f39e8936ae99bc1ccdf259370753d26fdd2a5652be9d8c267da3dd8020c8b827f545b74fcb1cd49da

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMwm.exe
Filesize
112KB

MD5
aba883a464422936b0d417db76464250

SHA1
daade85082cc14d64cc63770426cee59c3e1eede

SHA256
107a5458c483477bf3cc45e97db7ae07ca50e3d46036bba9c4910a43963e0a2b

SHA512
1bf375c38cddb5d1f88f9de74df2b9e7b44f8ff5ca40342a4d0a266f97b2bee115b8c6d0f528d1341e0f84a2913fc7f5389a598843b6de88967a814c8fc64489

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQsO.exe
Filesize
110KB

MD5
2dbf81270166c9067e911125eb159895

SHA1
e67802c04005231ba811cde36aa69d051752b006

SHA256
5fc7591d0d80c286cfd1a0c32064dbc1cbd89135555121465d4dd17b16eaea21

SHA512
34494341e22776fadc6ecc6d5d8056bb28a9241f9ce4b950765d0cf58237fe4472aaf309d44aaa89d7f6080da4f0273a0435df664a450d203d39f6672731e50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQwq.exe
Filesize
111KB

MD5
ac11792d0cd2450e3c59e589dc9c767f

SHA1
3c0233e55eda6e4f929370810f8e8f41939524ba

SHA256
ecea0381acb8dc5d6e331027f08ef663ac057514ac3073a1430b2f77e3f9bfdd

SHA512
20ed9ff7fcf58c9c0976c899b376f85133f29d0a6508f90c53bdd2dfba891747b1cd0172b9961af5e98d5d1c665de1f20d88433a73e9d8f5b63eb40fc34f4a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYEE.exe
Filesize
237KB

MD5
d8c8fe2ddcdec95ee2ea572824233a7a

SHA1
257ea8b30496f96cd953df9b5fae7f2620c064b0

SHA256
5ff271e8aabb571690bd1c406f10d51be5e10a5d5f1ffb14dab515afca09fe78

SHA512
7906aa12b0dc7f65923601f94a0bd933fac32b249dcf0206a0affb2f6bf33f2fcab38c632e3abaef18ca1a3503301582650134ab3cfaca7789fa1f404e136307

Download Submit
C:\Users\Admin\AppData\Local\Temp\igQA.exe
Filesize
112KB

MD5
a152ef36ff19f63b5415dbec9a0d00fa

SHA1
c4fdf96aac1ac1caa0753e04fc990446a6ad2355

SHA256
6e0900fe1158f0f283868df52b6a97d8fc802fe30b250b8e1f2771479d02f8a6

SHA512
c914e06511fc9c5da83993c3d4b67396df092cdc6f6adbb95ec5da16f0ab4de0276f974e5f70564e4f94a6746737312f054980eed19dd5873f4e4d6b72dfa5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\igoo.exe
Filesize
113KB

MD5
a072919fa0f43557f46d8fa43373002d

SHA1
02cb9728885953f87873bf2864351de59eb95791

SHA256
a20e0a3a1118db4ee1e5c0ea6570ae4b1abbce9398d2019f7630c56a61b544a0

SHA512
e34f2b73a352dd65ee3296512ea84c7b85fe801d5374355607d6c04a5b262552e070ce2196f3a63d0c0958bffd9d27d0c0c4d9b14d65136a7bec6acd17069a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\isAA.exe
Filesize
114KB

MD5
da03669dc56f0d7321bb94ee939947a4

SHA1
3e822ebf254ff901ed4ef080bda2e1ca56d4154d

SHA256
f5584b34acafbdb5a6c3017fa2a2c50b641d559b45316b89f8b6de5ee15f077f

SHA512
09e21226fe8d445e7bc6dbc2dd063dae829922385d6683607a51e3ba8b38d2cc79ab9f80d99ee52e254f290474cb897ed3bd48f1b17d84480f6570e4a98dac7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQgy.exe
Filesize
556KB

MD5
3be47ef39824be88fb8d209b6eb1938b

SHA1
cb98352e58dac6a39df5e0e853c1bc332153562a

SHA256
2ba98efd84480b26ef408b87224f7932be9b03f43dbffc37d0cb2701d2fc65f0

SHA512
a84eee3bc4e6da30a7e27fbadd20ee0cd4a76e5c75bd723d28f5bb13506d89a315b0b502e8b4b334c8f56712bb89e8295b51f50313f30dc2718d07ace073edc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUgs.exe
Filesize
113KB

MD5
7547abcac1e9fb0c4e5d5c97953823c4

SHA1
98cbe8556a50f4c2f482138a64c78ea5a329d18f

SHA256
ffd11df6c46bbb8a429dabf4d27f2ac06ef57f7bfa3b3b304911f7a29240e409

SHA512
80c169c1f81532fc484882a5d9ede487349d4b95a33e379dba679aa1396c6ee9da28dea9279deff56abcb991e906542bcdca2a0f82dd9aded7af4785b8ddfc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYsa.exe
Filesize
117KB

MD5
d124892924c7d3a792f67e947aecf6ae

SHA1
857aa6fc1af7dd83230c6b6ce6d8fe53ba984995

SHA256
e20375dd89a67b9ec7c2b971d6de2e72d22bd5c9f661a2f6f6c34509c233da49

SHA512
bdc6576d0c37fe1b48ad5fa5e91cc054f5b63cd4b797e280dd258640a25a6dcbbc4a973a3dbd8b3092439ed3f901bcce161745b013eb8459771ebdb5030a4d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwQk.exe
Filesize
112KB

MD5
52dc12e22a6dabf98dac8f05b5fa561b

SHA1
8ad71d5cd408ab81ccdaebf4b9e00d9b33420232

SHA256
a61c6c2a8c15b305592eece0e6a1d24d287eb2fcdc5e9f935d7a70a5914da363

SHA512
bed689d98ae20fb7f4962f23581bfe78fa3f170a992a479c71707693ca43cdb81d0e0012be630533f1ca13e199e245754d9608df8c990702f871951a1e12652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAwI.exe
Filesize
238KB

MD5
cd571afa68ce00d8cf97083782e3bd2e

SHA1
d13ca1ec74b2c77f0082c2695ce96b2d499c2a0e

SHA256
97673c3fdbc2dd665d6ad92d2de2a6fe44199e9c1e24102963bfec852583887f

SHA512
cafbff90b2a313921e34c33879ffe20e17a62bd00fd1dda5a5baa6abd149c2d3b129a38631d678003d7134b0ec938f8302657021940d33d0a0cdc8f92ca47dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYcg.exe
Filesize
118KB

MD5
675e057352148f366e04b53e6eaafdae

SHA1
010df22f554871fddd6369c7ba83ba11919731d2

SHA256
3049b40e2f3c3c23b245ef7a0f7b01921b4caeed13b0def083ba82eb64b68e63

SHA512
0d2b5b1897b71c793377c7571e88f7f6913ddeb4c6220d76c5c74de703e88a908135e3e99d00ed4b5fb1c7afd76fb65ae1fcca055df9230e581ca88c38cf294b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgUS.exe
Filesize
111KB

MD5
9b5cfb18ef84dd194974d4e3c0de7f7f

SHA1
6dad1ac8aadabef948f9b3ee5c5223e7178702d7

SHA256
d625dcaf83f627c96122686168323f6dd2463ba1e8556c8ec5b43c2699c369f9

SHA512
f85dc1f5e1652c07356437d04dd8268ead21c010a206c90c3f0f14cc5037b0d982310c580fec8568868ccef59fde9de352cfccbb708f713be7600fd6b281a2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkoS.exe
Filesize
118KB

MD5
3e34ae06b23262a44c0dbeafe6a2b809

SHA1
cb45807d33f3d2f16db659e660363e6589acc7c9

SHA256
1270ce97ba6094b080dff431ab52cc9a810cd52a79ca7b54a116f2b63f6d8359

SHA512
9ea0f212ddff62d695567bf1fff7dfa0ca351fa3f2af5188baaf49604cb92ee91f0c1112132de02281ccc75db0e7f58f93e29eaa24ac54f85264a0fe32742275

Download Submit
C:\Users\Admin\AppData\Local\Temp\moQS.exe
Filesize
564KB

MD5
2e0a68f08090db889ef89036e7ba3964

SHA1
b8d085621a0f50574326f43172623f6f336b48d6

SHA256
1bb976ed16a90e09891840d7a8bdbdce085a879c34cd417a476094d8bbe2705e

SHA512
8bb2e63d5ffb82d2337a70e74421fa3f5bf8989d075a72e97c19d2a8b61f1dfada40e028090232e9743f0f6361d922dac2e342fe2706c1f57e15fa69fd5809e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAwo.exe
Filesize
111KB

MD5
480a05d4662c070da9a87a2ef05a33b6

SHA1
8057cddf85cff243ecdc71e28d4411e19107e464

SHA256
c95d2eb1459f494cfa0928e278d8c1cfe11510c1e10f6083239a8c92317c0e75

SHA512
ebed0ce1e293f527bd9b929034a68db9c97b6706ff7599026bb81545be85a6783ad8076b9b1f06370077bcf56e8048893b9685988c44e79e017938c18c2227a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEMS.exe
Filesize
137KB

MD5
8e2a0a2b79cdbedc362823592d742809

SHA1
06e2de8b14f066df271f792e7c6ea1418fbf2f01

SHA256
7b43e1d2519c602904eb6d5247cc34a866ac51ba9b24fc477e41cf3c0f5e4bc1

SHA512
54f8dddd2deb9a9ee259a9f1c591b58903086737b90c54334fce925a2eb6861066960799238a0e34fb7ef693a1b5cf3a5bc712d2d9519e13100e420ffceea35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIgk.exe
Filesize
110KB

MD5
dab65c2603dbec3a654d03667a5d7b4c

SHA1
3171e6fef9e5bdc498e9025d1b41efec3e935ba4

SHA256
747778eff59f28e61caef0329467b842c0ba00eccc5c9c4244b3a63f35b224a7

SHA512
fb5831d9e84327e86150993c288df5f4704538de190b47f68c7fd6fdbe4f3ff4899ffef8f3d69940e9ce1a3bf2078d197a2998079899d27f4b6868a2ddefada7

Download Submit
C:\Users\Admin\AppData\Local\Temp\occC.exe
Filesize
111KB

MD5
32c378cba19fe23672551e92046b88f7

SHA1
b9790412a6ec4f73d24f864f4f015bd7696a60ac

SHA256
9b4971c0c32daa78147c2affd01ec94e303fcea44adc32887720c2e41e2f4170

SHA512
c7d7c1728cbb1c05c8756d004278740d103872d6687391f75ac7392625a1309480fd58872696f575ec362812da8a20da8e280007a3a76a9779ab7f44cb5804c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\okUu.exe
Filesize
138KB

MD5
8962e2a18f7d6bc8fdc6e7d0e8585d52

SHA1
c22e4d7bed5f154ffd31cec85318ffc2d16120aa

SHA256
cb3ff1b166408ccc5a9beac190050376c415d2f2f6b26df66e0cea84222c4c2d

SHA512
4a347d6aece7d64731224470976bb7585e17b9e52d2973bed6f42754557241591f1361fc61bd7da6639847dec6568995a4d1c00143bc20b2b7386bac7891f1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAUu.exe
Filesize
110KB

MD5
4aa43f7302e62452518ed83ecaffef10

SHA1
07984cdcc5a8087f6f3596a05488ac3881a6f0bd

SHA256
5418964ec6fec4a943db5c2bbea4a88659082005da06b7abaea5feafa832e66a

SHA512
a6b844f1a6f0df13946224f6ae4bc88719e806142071fa64d8efd2efbf90e865cd7bfd79720c637ebd0c7e85a109af7cd1707fde5e0ca7531a6abc3941a79a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIQk.exe
Filesize
112KB

MD5
4d293ec1a30718797f2672a7662f8ce0

SHA1
b08e3afb8d21d37d9ee0b76e18e9fb15e548ba32

SHA256
3fa48745bc1dd6486b684ffa1d33c40ea8ffc2d565cc7b74c0d12626f26408e3

SHA512
247ea67d58f60a0a0cba66fc98f3817efb2a3f527e7963ba152f3dc37f93d6f64d7dcac89b256efcf98b03924e9f7202c198dd276917d5b56ceb2c0adbd27269

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIQw.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQIi.exe
Filesize
111KB

MD5
24f5f71fa9847287956f757346502cde

SHA1
ffdaa06c4875b39b7bd52eabd5d64691d3552c8e

SHA256
92bcd0f5397a93bb1c87beacc029f6a31745130ac797c4e1e779886a9a89781c

SHA512
217fa04580c4073d7463e6eab3a1619de99d98b9c5c9ac4e04910929d9e3e04acf8f50fd812a1b5baba37ba77994ebd5da2dfbac171075729085d7c09c88ae23

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQoM.exe
Filesize
349KB

MD5
6e95d2a3355a3ae036a424f0788d2748

SHA1
1d2b95674ee0080ed107af0edcc67c113ed73495

SHA256
6d779481a9ad1ca6f9dbc8e9d4a48feb69ae2d68511771de94aea1c1b5961a9d

SHA512
cf3da74dfaafd0249e5f9267e755756833c8b0cd6d3d0505ee76be032fcc3161674eca8c55972d1c894e0618f142685025a9bf84dfce5abee2fd0804699d37a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEMY.exe
Filesize
155KB

MD5
616c2317610eefe52c36dc5de490ce72

SHA1
19e5dc10e2cef919765a8d65de553bf901b0582a

SHA256
940699dedf8b979c913e50a6dd617522d1508f87028086b5f69a3481c278637b

SHA512
5003c347e11eab0acfb3535e5346af88dc3ba3d426662ff919750d46db4fc4d3d82d90bfc018f35d2cb8c15cecb1358645328146021d50a667fef94d447d97b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMcK.exe
Filesize
240KB

MD5
9ece49e4c8510ea85321f19bac624ca2

SHA1
0777cd453969f5918bba88d9f5102332995e5041

SHA256
f3d5d055feef2f019c771eafe4070bf745a7fb102a90c648158ff5fa04e6e177

SHA512
9b46178996de86e6b8fe70142c3e248ed3b244cae760d56eda5db9c7b16c9fc53d8b5973a82197b96b7c3fc7888e39267b6cc6654494f3adfb36a983ca108810

Download Submit
C:\Users\Admin\AppData\Local\Temp\scIg.exe
Filesize
617KB

MD5
728faf1b1cc1a669a9d0cff166c9ae8b

SHA1
f0a11517ad9d74b624c541609ea353b9ea4c268e

SHA256
6e80a7fd3946bb933e90a9f35adf533348c6c7cf9fd504d244a07ce9b91de8a2

SHA512
0c7e5123e4d59043a3cb81bae7e70a57865a8fbf4cf9c5da2096cd9a6c2c9e7e3a3e18a440e62c2d18b76e933b463c3045e4058113de933de18a73deaa2af899

Download Submit
C:\Users\Admin\AppData\Local\Temp\scky.exe
Filesize
119KB

MD5
7eeafdb12581cd22da0841d5808cf2b8

SHA1
aa4f1a7da7fac359a7ed4800554ca7c16d9c32fa

SHA256
442cce5b1b22ac460102a30e5f8e4f4e204f0725f55e87ea09b7b9d2804ee2cb

SHA512
f75de0c8b25736d617542ac20e7b1dbbad37519e7062a92e943aeb0acce1debfa2000d60c51f7e33c34e6ae313cf1c0dcd13eae4cb241a36a53f56df9da1de83

Download Submit
C:\Users\Admin\AppData\Local\Temp\sggC.exe
Filesize
126KB

MD5
3f3ac7f96366c5f91df1a0faf328993f

SHA1
90b1c41eb40a5f494e3c2bd6c1ef222cb2647464

SHA256
c042b30583e0fee392533cc082b15858d0bc5ff11bb5c519b1396b217db0d6ec

SHA512
1aca57502817fad7862f15170c4dda2071e07f0bd7c4f954f605f2797d602d5ac60d10aa40ab6f8b862a631d1f671455cdf3cad3c59a7f6434cf0a50c7846c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sooG.exe
Filesize
110KB

MD5
a776110816b9837b4e17ab2211ca32dd

SHA1
e7cefc714de007bb6b7e86d236bb712dae12292e

SHA256
82cf1eb3f0ad5d93ab1b999b222802bc62434170cabd7d4313e4614d19d505ec

SHA512
3e293fd2403e73690c513ce0cceadb7c17f47e0a45312375dd03803f57cc55e21e5ab6e5e1d10d86759862c83bc9f893d62d9dc3581eca4ca05d877bfd8e6453

Download Submit
C:\Users\Admin\AppData\Local\Temp\swcG.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQAW.exe
Filesize
112KB

MD5
789228cfde5c7762829977ffa04741bd

SHA1
65b301eca37267d0454ec2dbd76da905824a12da

SHA256
74b0d1816cbf5270e7b28b84b53786eb23f6d7d1384b34314fc33e9a2a87f56e

SHA512
14f72b6a9136b50a49d4e9bf0372df295903e19b71e90c7d68037eacf23e8ba386f1d54cc338d1c39ee5d00d385b063df27541d3560e2fb2e9be03e79836eaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUgE.exe
Filesize
739KB

MD5
4111d47a8349489c63f56f56ec7c1dc9

SHA1
db6c661dbd65c08cd7de91ede9f6bf8d715fcfbf

SHA256
eac1eddacd78a7adf9f5b27ef4f4a7add57c042b3ee672ff3f53087e7a5d0d7a

SHA512
5d827934c514920e23512ad8836c1e65d715e572f69fc5d4ca52dab58e569cf01bcec52ee42b4ca09247a1085b2c02b426b9e848d8adf2f3b1451c83cee4e112

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugoI.exe
Filesize
155KB

MD5
c16b3fa1d623a7cc25441d582cfaa4a1

SHA1
1396f5f3ebee305f7bb6f3c910082eaaf5832607

SHA256
65b4986c75a1449ea947aff7ff0ecdcaa7a0de87ed4a77a8b93c34933c23c9fc

SHA512
ac598595768cac5f1852078b6152e32a371bc9a03123f7604e6738f08ca179aca67820cd212a67cbbc69b2795cb4289cd8006c7d7b93badaf3345bd607865d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugoe.exe
Filesize
5.8MB

MD5
5cdb36c052ed401e68da501f55980adf

SHA1
a8c17f4c852fbb54704d09466f4d6cd8c06d28e5

SHA256
cda16e1622f58e807afd9ee7d35e756637f1168ffa022aa093722c6cfe811d04

SHA512
d016e0ea6775a62ae5f5af70f28fe25896b0ea4796dd9538e5ecf433f293ed217860de609dc43c6092c5734e5abf02f4b0959b0eed447ba8d240d889ce23fd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoUQ.exe
Filesize
114KB

MD5
16635bc362d8585478ed96b07ccaedec

SHA1
2d3ce06fdea9beb7ac01133f74025ed161979974

SHA256
6bcd266af692e21d9196b43b4ec7eaaea48688bc207099231006ebba945694e7

SHA512
e61a714178e3a09cc04b82bd56a9ad9acb2b64aa6dfd5ff38230869f3bbd400deac2dd518db99c1038677428843ca8cf8400f960e1d6113e803bfece11862adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\viYkYMoE.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIIY.exe
Filesize
112KB

MD5
ebd4df4bb9f9c5c869bc0b523fd7eafc

SHA1
fca34515b15c77b0f39f6ebd6eee31c659e6a929

SHA256
9a584e572dc76fc19251d24978cc339e43a087110b92590a0609cd83ef6d499a

SHA512
ea4dcc321fe8e955c286e1bead3860399d135da3d29a04c3f4daaa963c265aefc0e5fc140968581d7fd8a05eb2155b8f0d1b8d29180362e93f5445fc499a6174

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQok.exe
Filesize
112KB

MD5
3527dbd68354972111bba7d0df151efe

SHA1
e39ad2eab9f2f0fe98ecb661c5b9e6e1942041ed

SHA256
07d09747357b8b478eba8abf8cf761a639eb71f10703d8693693f33e80b19531

SHA512
a941733c9e6f33c55e437a99e060d6837ced560d36273dc5ab964df0a16551673bf00e7fdd93734719e8f8323552aea6c73ecdaca7e42763786976e18171a2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUcq.exe
Filesize
856KB

MD5
46d65357c047189f7c0afee583eee487

SHA1
bed4ae0461125bb3f03171e5d4785f73d2a98726

SHA256
ccab29b4c8d622610535d96901e885767b63a0a3ecf8e344ae294c1178cd65e3

SHA512
cdcd0edf40f40d6ec18887b5421ec9ecb18f84d4b6991238897507488652c74e8d277a0ca1cec7bd996cf42ce6edc5f3c84fbe5b188593e6e7404d94b3ec0e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcIQ.exe
Filesize
112KB

MD5
4935a26d7807a67f95e9b6e69c48e00f

SHA1
b363d2b1c042442d19013b27f400c09039ecac88

SHA256
4ed07a51ad318969358a22f618903925dd07a09ed97258dba96bfc55dacef79e

SHA512
9ec7987c0992e28458e7c3d0378a551233c9769145846891a87452d450e407dd087e0883749c4583ece5b4fd28b422bb8ff078eb14dc45a82b44163e00c9cf5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgAI.exe
Filesize
118KB

MD5
88425f4a5dc48452bdb61d2ed17d65a9

SHA1
1cb798b3c73615e1fd8830936f6252b4a7c7cc65

SHA256
f5c81b768e8f948cb890f90506d4fb3c49c6b3f5dc6c97a1ad667d060f3eec30

SHA512
a2a11c3794d5a071147bed7bc3d37d227099af5a76733a92243d4e12b7ac5a4ad4906c72e43f9c4b9afff082a4bc403536731324ec8141bfe6d4f7b371f7c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkAu.exe
Filesize
1.9MB

MD5
f2f9f66fe2692b984062e47c2c1115e0

SHA1
b7b3c0034852c6750d068bcf3a93ebee0e3d2091

SHA256
7ebb0ad55e7bfe99e894aaa944ba8a99d9773fbd0f753274bd499dc832bf285f

SHA512
234fa7fd27fb9da00832e1519e1f9e8d17a1014083965264f7d723e55fdaddeb35dfeff2d1c5e14a47a54f66cca9d82cfbd54a3dd659936e1f8e523f09b2988c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwYy.exe
Filesize
111KB

MD5
319bc40baee0708ad196de0c384fb638

SHA1
106d816525c0936713a24952758c76591c7de13d

SHA256
1abb9660e9481b700003468497b29b2e61bdb7dbcdf9e5435a59f436acf0c8c3

SHA512
3a1e53e0f0738047229d06400d5c650235c310a15c8c56ab296d63f2741d767915c09a08a1dba48620ab7304e389c4f4c1a2a1d3e56685c715387d164b190e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQUC.exe
Filesize
469KB

MD5
71ec4d8cf68d3528690f503e8f503a77

SHA1
abb08e498a184ee1f21dc5b752c44ba5310184da

SHA256
68dd18ac61f3ecbeb23cf82a5b65eb2dfc28d34ec412da113f7769ea83971d90

SHA512
a5429dd522080dcd7c3edc7d328472f764dcc59843536632d316671ef4627b27b3f03733dac116a7a0892a4d45eeb2f37ed4c9e966694dd1bfc71e91eed65658

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycUA.exe
Filesize
135KB

MD5
4597967dbf119eb46b0ac67e2114a0dd

SHA1
714a7d721dafe72547b44e0b750f4802b6ebd6fe

SHA256
65b3292e24d14bf16f4d6428b3e6cd987672a3395a50744c46bf2b9465928c22

SHA512
cae951b52e39452650d99ebf9b0ab6d5aa5bea7daabbb87f2482f716206b176587617b62cb97de49111354c95bd026990851fadb63b3237f9a400566227ed64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoES.exe
Filesize
111KB

MD5
7601ee226142cfb236b833ec4dec1f16

SHA1
cda3806dd72967aa4ead93ccf0ed9a322261f23a

SHA256
8bafafeffc306baa7abe24b5d96d5c68e57cd00e5b5a258805347e5d177950d7

SHA512
4d06b13465f78416e6024f64d020da762ddc56784cfbd0920e62a42268320373a6381927594238b4d063bad673427ccf1fd8888260fdf4ece8fff3b1f235e9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywcg.exe
Filesize
113KB

MD5
b6f872f6fa6516bc6320d11358aedc75

SHA1
078b5f3bd4d98bd18f1659324bf3695e871fa953

SHA256
2069f459d2cd92615654b573a5014efd8aa9be16e7918e26843efb7f42f5f2a5

SHA512
e0a051966fb4b9c55b262eea0e69a0e1a05b93f0421257159611d0beb4117a515c30aea9af41d23d8f431ec05cab226d8c41c87e5376b18c380d08d376b48364

Download Submit
C:\Users\Admin\twwcsUUY\WsIIooUc.exe
Filesize
110KB

MD5
19113c1dc33196a7dd5bbc4a6444dc67

SHA1
341a97c5745d2f3cdf57c9039f1c120d3670dfa7

SHA256
1a305d203f4da16cd2938b8c356754edd85d5fd5975dd924fbca698a80814dfa

SHA512
2f81c62a43ccaccc5bc5c5a57e2322def4861107936696e97e066ec82d1095a141010008fc30bfd67aa913c773a94676ef49be06f9d447b2ad1454a92ad4db17

Download Submit
memory/372-124-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/372-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/752-475-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/752-487-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/940-208-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/940-224-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/956-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1008-354-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1220-176-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1220-187-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1364-434-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1364-116-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1364-100-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1364-426-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1400-330-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1400-321-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1636-212-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1636-196-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1668-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1668-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1916-355-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1916-364-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-275-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-287-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-461-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-449-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2368-470-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2368-462-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2416-502-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2416-514-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2696-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2760-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2760-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2808-312-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2944-269-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2944-256-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3040-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3040-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3084-417-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3084-425-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3088-320-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3472-338-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3472-327-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3508-400-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3508-407-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3516-128-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3516-112-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3656-148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3656-164-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3704-292-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3704-304-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3960-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3960-188-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3964-248-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3964-232-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4024-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4024-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4160-444-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4160-435-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4268-220-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4268-236-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4308-346-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4396-383-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4396-390-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4460-479-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4492-441-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4492-453-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4532-152-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4532-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4552-175-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4552-160-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4600-244-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4600-260-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4624-373-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4624-381-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4724-497-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4724-506-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4724-372-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4724-361-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4752-416-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4752-408-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4864-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4864-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4872-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4872-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4912-488-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4912-496-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4920-398-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4924-283-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4924-296-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5008-52-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5008-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5076-278-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5076-265-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5108-76-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5108-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download