e7ad178970d44d41da1858e77587156dddceb95301c6b33a59d7888d8aec2785

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
Size

112KB
MD5

d7b6e79357ff8169e09b0bb9957f2cb8
SHA1

388f60d0004f86147b9cfa0a7614e6a7d4aa7037
SHA256

e7ad178970d44d41da1858e77587156dddceb95301c6b33a59d7888d8aec2785
SHA512

1b7104a97e76c4fe097d59cc914a580c9f3f09f283d66b61f42df6b47384e7f39c6ea15f1c389c8b1548e0915f4ce9ceb46568c3455c52b39360b2740b7b6a51
SSDEEP

3072:RZ5z1+TdvOTOhY7YyqKYbLJmIBgdBC7CxzyQEOfPpzt+uUZ:R9gWTxcbKwB6jPXUZ

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (87) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qoUMIkIc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	qoUMIkIc.exe

Executes dropped EXE 2 IoCs

Processes:

qoUMIkIc.exePuUEIkAw.exe

pid process

2964 qoUMIkIc.exe
4060 PuUEIkAw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exeqoUMIkIc.exePuUEIkAw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoUMIkIc.exe = "C:\\Users\\Admin\\hqUsggkc\\qoUMIkIc.exe"	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PuUEIkAw.exe = "C:\\ProgramData\\eosIQUMQ\\PuUEIkAw.exe"	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoUMIkIc.exe = "C:\\Users\\Admin\\hqUsggkc\\qoUMIkIc.exe"	qoUMIkIc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PuUEIkAw.exe = "C:\\ProgramData\\eosIQUMQ\\PuUEIkAw.exe"	PuUEIkAw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3148	reg.exe
5016	reg.exe
2884	reg.exe
1092	reg.exe
388	reg.exe
4404	reg.exe
2792	reg.exe
1568	reg.exe
5056	reg.exe
2368	reg.exe
1664	reg.exe
1208	reg.exe
4488	reg.exe
1596	reg.exe
4424	reg.exe
1356	reg.exe
1152	reg.exe
1008	reg.exe
2264	reg.exe
1088	reg.exe
2656	reg.exe
4628	reg.exe
1984	reg.exe
3176	reg.exe
1492	reg.exe
1252	reg.exe
4304	reg.exe
2620	reg.exe
1764	reg.exe
4552	reg.exe
1360	reg.exe
1156	reg.exe
2596	reg.exe
2784	reg.exe
3148	reg.exe
3644	reg.exe
5060	reg.exe
2480	reg.exe
3084	reg.exe
656	reg.exe
2784	reg.exe
4988	reg.exe
4376	reg.exe
4360	reg.exe
4588	reg.exe
5096	reg.exe
2836	reg.exe
2484	reg.exe
1232	reg.exe
4992	reg.exe
3612	reg.exe
2128	reg.exe
2720	reg.exe
2412	reg.exe
4716	reg.exe
2284	reg.exe
220	reg.exe
1956	reg.exe
5004	reg.exe
4360	reg.exe
3568	reg.exe
760	reg.exe
4364	reg.exe
3972	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe

pid	process
220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
2268	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
2268	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
2268	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
2268	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
2288	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
2288	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
2288	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
2288	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1364	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1364	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1364	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1364	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
216	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
216	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
216	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
216	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4956	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4956	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4956	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4956	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4284	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4284	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4284	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4284	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
668	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
668	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
668	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
668	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4500	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4500	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4500	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
4500	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3692	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3692	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3692	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3692	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3536	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3536	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3536	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3536	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3804	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3804	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3804	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
3804	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1100	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1100	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1100	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1100	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1180	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1180	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1180	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
1180	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qoUMIkIc.exe

pid process

2964 qoUMIkIc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

qoUMIkIc.exe

pid	process
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe
2964	qoUMIkIc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.execmd.execmd.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.execmd.execmd.exe2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.execmd.exe

description	pid	process	target process
PID 220 wrote to memory of 2964	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	qoUMIkIc.exe
PID 220 wrote to memory of 2964	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	qoUMIkIc.exe
PID 220 wrote to memory of 2964	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	qoUMIkIc.exe
PID 220 wrote to memory of 4060	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	PuUEIkAw.exe
PID 220 wrote to memory of 4060	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	PuUEIkAw.exe
PID 220 wrote to memory of 4060	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	PuUEIkAw.exe
PID 220 wrote to memory of 4984	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 220 wrote to memory of 4984	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 220 wrote to memory of 4984	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 4984 wrote to memory of 1244	4984	cmd.exe	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
PID 4984 wrote to memory of 1244	4984	cmd.exe	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
PID 4984 wrote to memory of 1244	4984	cmd.exe	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
PID 220 wrote to memory of 1628	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 220 wrote to memory of 1628	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 220 wrote to memory of 1628	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 220 wrote to memory of 1232	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 220 wrote to memory of 1232	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 220 wrote to memory of 1232	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 220 wrote to memory of 1208	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 220 wrote to memory of 1208	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 220 wrote to memory of 1208	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 220 wrote to memory of 3152	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 220 wrote to memory of 3152	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 220 wrote to memory of 3152	220	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 3152 wrote to memory of 3148	3152	cmd.exe	cscript.exe
PID 3152 wrote to memory of 3148	3152	cmd.exe	cscript.exe
PID 3152 wrote to memory of 3148	3152	cmd.exe	cscript.exe
PID 1244 wrote to memory of 4444	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 1244 wrote to memory of 4444	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 1244 wrote to memory of 4444	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 4444 wrote to memory of 1460	4444	cmd.exe	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
PID 4444 wrote to memory of 1460	4444	cmd.exe	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
PID 4444 wrote to memory of 1460	4444	cmd.exe	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
PID 1244 wrote to memory of 4248	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1244 wrote to memory of 4248	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1244 wrote to memory of 4248	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1244 wrote to memory of 4640	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1244 wrote to memory of 4640	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1244 wrote to memory of 4640	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1244 wrote to memory of 3392	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1244 wrote to memory of 3392	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1244 wrote to memory of 3392	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1244 wrote to memory of 2676	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 1244 wrote to memory of 2676	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 1244 wrote to memory of 2676	1244	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 2676 wrote to memory of 3140	2676	cmd.exe	cscript.exe
PID 2676 wrote to memory of 3140	2676	cmd.exe	cscript.exe
PID 2676 wrote to memory of 3140	2676	cmd.exe	cscript.exe
PID 1460 wrote to memory of 1700	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 1460 wrote to memory of 1700	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 1460 wrote to memory of 1700	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe
PID 1700 wrote to memory of 2268	1700	cmd.exe	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
PID 1700 wrote to memory of 2268	1700	cmd.exe	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
PID 1700 wrote to memory of 2268	1700	cmd.exe	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
PID 1460 wrote to memory of 2324	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1460 wrote to memory of 2324	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1460 wrote to memory of 2324	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1460 wrote to memory of 1568	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1460 wrote to memory of 1568	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1460 wrote to memory of 1568	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1460 wrote to memory of 2308	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1460 wrote to memory of 2308	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1460 wrote to memory of 2308	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	reg.exe
PID 1460 wrote to memory of 996	1460	2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\hqUsggkc\qoUMIkIc.exe
"C:\Users\Admin\hqUsggkc\qoUMIkIc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2964

C:\ProgramData\eosIQUMQ\PuUEIkAw.exe
"C:\ProgramData\eosIQUMQ\PuUEIkAw.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
8⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
10⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
12⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
14⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
16⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
18⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
20⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
22⤵
PID:4424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
24⤵
PID:3660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
26⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
28⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
30⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
32⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
33⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
34⤵
PID:1964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
35⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
36⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
37⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
38⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
39⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
40⤵
PID:844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
41⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
42⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
43⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
44⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
45⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
46⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
47⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
48⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
49⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
50⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
51⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
52⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
53⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
54⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
55⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
56⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
57⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
58⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
59⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
60⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
61⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
62⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
63⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
64⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
65⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
66⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
67⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
68⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
69⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
70⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
71⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
72⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
73⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
74⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
75⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
76⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
77⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
78⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
79⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
80⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
81⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
82⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
83⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
84⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
85⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
86⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
87⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
88⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
89⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
90⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
91⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
92⤵
PID:4696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
93⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
94⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
95⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
96⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
97⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
98⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
99⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
100⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
101⤵
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
102⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
103⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
104⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
105⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
106⤵
PID:764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
107⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
108⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
109⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
110⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
111⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
112⤵
PID:1464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
113⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
114⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
115⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
116⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
117⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
118⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
119⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
120⤵
PID:4428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
121⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
122⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
123⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
124⤵
PID:1940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
125⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
126⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
127⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
128⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
129⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
130⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
131⤵
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
132⤵
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
133⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
134⤵
PID:1596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
135⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
136⤵
PID:688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
137⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
138⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
139⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
140⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
141⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
142⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
143⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
144⤵
PID:1008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
145⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
146⤵
PID:4308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
147⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
148⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
149⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
150⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
151⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
152⤵
PID:2044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
153⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
154⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
155⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
156⤵
PID:2036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
157⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
158⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
159⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
160⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
161⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
162⤵
PID:716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
163⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
164⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
165⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
166⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
167⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
168⤵
PID:928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
169⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
170⤵
PID:1144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
171⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
172⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
173⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
174⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
175⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
176⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
177⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
178⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
179⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
180⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
181⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
182⤵
PID:716

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
183⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
184⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
185⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
186⤵
PID:2124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
187⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
188⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
189⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
190⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
191⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock"
192⤵
PID:3728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
193⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
- Modifies registry key
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:4384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:1152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIAIoEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
192⤵
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQogQQEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
190⤵
PID:3764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:3152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:5020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
- Modifies registry key
PID:4376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCUwkEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
188⤵
PID:2668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:1760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgwgYUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
186⤵
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:1984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
- Modifies registry key
PID:2480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgEsYkAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
184⤵
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies registry key
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOYsQgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
182⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:4048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wogAMcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
180⤵
PID:2928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOEsQgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
178⤵
PID:4148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:3328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
- Modifies registry key
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuMUIoIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
176⤵
PID:1084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:2420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqMAMkcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
174⤵
PID:2600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGkwIkgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
172⤵
PID:516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:1964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EckwoUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
170⤵
PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGckYoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
168⤵
PID:2304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:1532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZigoMMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
166⤵
PID:1560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
- Modifies registry key
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCQgUYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
164⤵
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
- Modifies registry key
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:4364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUIoEAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
162⤵
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:3728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:4764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:2904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FccEAcQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
160⤵
PID:3804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
- Modifies registry key
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkIMUsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
158⤵
PID:3440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckIIocwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
156⤵
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
- Modifies registry key
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaswggYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
154⤵
PID:2304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:2476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies registry key
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
- Modifies registry key
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:4464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCUQYAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
152⤵
PID:4764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
- Modifies registry key
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkgEYEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
150⤵
PID:1360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByQgEEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
148⤵
PID:4508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:1532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:1568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwIcgEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
146⤵
PID:812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:1416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:1672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:3160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyQkgoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
144⤵
PID:1144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOMMAEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
142⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:4136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:4120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKgkUEoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
140⤵
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:2316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQUIscYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
138⤵
PID:5096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqUogQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
136⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:2128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGYMMgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
134⤵
PID:1468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
- Modifies registry key
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUcUEUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
132⤵
PID:4064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgwQAwgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
130⤵
PID:2420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies registry key
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcMscMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
128⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:4300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeMkYkoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
126⤵
PID:1416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuUQgAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
124⤵
PID:4776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMsQAgsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
122⤵
PID:1964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:1992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- Modifies registry key
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkQMocAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
120⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUEEQYgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
118⤵
PID:2348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
- Modifies registry key
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kagIAUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
116⤵
PID:996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWwAoAUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
114⤵
PID:960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- Modifies registry key
PID:3612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMgAogcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
112⤵
PID:744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rScYsQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
110⤵
PID:4828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
- Modifies registry key
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqoQAQMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
108⤵
PID:4064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUkEwUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
106⤵
PID:4068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:3644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mskAkcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
104⤵
PID:3456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAYMUQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
102⤵
PID:2404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSkUQMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
100⤵
PID:1172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JykoUYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
98⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwoQEcAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
96⤵
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
- Modifies registry key
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkEQAsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
94⤵
PID:1992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eegoYgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
92⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:3972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWswYQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
90⤵
PID:3148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:1472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcwkUQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
88⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- Modifies registry key
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsoYIIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
86⤵
PID:3728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKYQoAEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
84⤵
PID:1152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQcUAQcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
82⤵
PID:928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQUEEwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
80⤵
PID:1356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcAsQMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
78⤵
PID:2456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
- Modifies registry key
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAkkMMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
76⤵
PID:3844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIgQokYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
74⤵
PID:1396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGQQosAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
72⤵
PID:4228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKUYMccI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
70⤵
PID:4288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:2264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgMUsMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
68⤵
PID:3400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuEIQcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
66⤵
PID:4444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:1580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoUkYQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
64⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMAMoEoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
62⤵
PID:1208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giEEgMgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
60⤵
PID:1608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwgEgsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
58⤵
PID:3696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- Modifies registry key
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biYwYMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
56⤵
PID:736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEAkUMMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
54⤵
PID:2088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:3400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgwoUAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
52⤵
PID:3504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imQEIUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
50⤵
PID:4844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIMsMQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
48⤵
PID:232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:4120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jasAcUwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
46⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:2264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMAMAscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
44⤵
PID:4696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCkQsoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
42⤵
PID:2384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYgEsQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
40⤵
PID:4616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKsgIcwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
38⤵
PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:1416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwwgoEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
36⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQscksko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
34⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
- Modifies registry key
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyAsccAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
32⤵
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaYQAIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
30⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWIUsIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
28⤵
PID:2016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
- Modifies registry key
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwkswYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
26⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekIgQkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
24⤵
PID:3544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGIEcEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
22⤵
PID:3456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSoMUooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
20⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqQgwcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
18⤵
PID:3932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BakQwogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
16⤵
PID:996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCIsEIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
14⤵
PID:3812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQEsUMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
12⤵
PID:3668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEwAMQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
10⤵
PID:3916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwoIskMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
8⤵
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUwQQYUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
6⤵
PID:996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqMcMQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmAUwIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3148

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4500

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv +oeFwBTIGU+ql7A7drCLbQ.0.2
1⤵
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
154KB

MD5
a9ea015db4c8732584e6abd77767365b

SHA1
aeb90bdc6cb9a28acf5b830316de5c37bcef135a

SHA256
694028f51005288307451fb49b82785190cdbf7272c01c086064ffc3dcbaa62a

SHA512
8aea98240eb344bcdfebc195393d769f6980e7cd3320ce4d1a66b71830b91260d0fc1da90c0e6a28c686d20fd17c6b6577323ea4e63f4cc61ef7d2281d6c6865

Download Submit
C:\ProgramData\eosIQUMQ\PuUEIkAw.exe
Filesize
110KB

MD5
1cbc46b7df0cc04c733061ed47cd4869

SHA1
4cabdcf224999be95783dbba238ef5ab68c86c25

SHA256
32bd707ef28a62cf2fadeec77c011ca0067396049f65ea3c845a966c421aff62

SHA512
fd4f180b3e969eb097c0a4a509a85509ad50dfa6d61b87314488825b6ab973aa46b9fccf81108b567a02d7e6b4d8bbfe050d4c888dde0eaca92168f7e7cc930e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe
Filesize
111KB

MD5
3856972e56ec61f4543de5ad51b39110

SHA1
83712a1b8e236a37129aced28c30b0448d0d60ec

SHA256
9d7ecce68174273e7ce14a4d3846fefce7a8620e38a675f1a34b66e827c6816c

SHA512
94e4545af5b497c56496bca3a53fa870d13ef2c7010cce4e9cb646ce0b5282007cf14ca4abe08151bf3c2369225528d2cd073bd338628da1385cc87434690c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe
Filesize
111KB

MD5
e25df21c94175ce19a6dbb4ae1e68763

SHA1
5546d0c3f3e68d8ee97240caf634aba6dae7e222

SHA256
a5f71e774d4d763a581d48c7751dfc3a1391b81a4fc1f2a99f5fff3006b09732

SHA512
5f118b41ff2349cac8dd28c0496037dd0e5dfe013b60e520cf03c4a40dff4926f6604ffacdecd3b21070ec0912b66db5c447815efa526ece8c50c8849c921f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe
Filesize
112KB

MD5
4359f3f7ee08721b474b4ad5abf43618

SHA1
d113c51e1a33e1b36a4c177bbd5ae5e2079ba7ec

SHA256
4c48a582d897df83d0884dd75c2903126463899b234a24374374e92b6ac6862b

SHA512
f20c0336bb3624b13aa2c4a1225f74d5d8d2bd1bfecff69e529180a21d20ecd6e84967df4870cf9d7cb7c63eac1633e61ef4a481c3eb20f5a0eff17d4a368d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe
Filesize
111KB

MD5
ad4badf6a4b4e806a9cdb65f452822b4

SHA1
ebdd7b1300e799a6374b157e45c2c944d09cfff2

SHA256
b9e86f65c615d25a52dbb0545bc6bf5caa362d33f94e81fd79586c72d75d2cab

SHA512
0e119607f58ebb59ade5ed3d8041c0f229bafb24e897aed77902e3fe224766933f6f64045c69e821923955ed7365bbf6d30603526e8693b3795657555e6364a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-23_d7b6e79357ff8169e09b0bb9957f2cb8_virlock
Filesize
814B

MD5
82fcea1a20250c6943e1542f233bf848

SHA1
c4b4be0882d43c9c9f516588177d10703112516b

SHA256
2d0a2fc18aec63afcc8b579b23ade273a2394b9875c35367690b6a293dcd7e6d

SHA512
fd4e160543ce50343be7d1ffe26c8b4d841eccea985f4e142091e1cdd72a724d6d84071a62cc4a3dbae6eb51924ef9f0631a09f4a15efaf4e79d21f3c0f8fd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEAQ.exe
Filesize
111KB

MD5
5baf6e28a222df14c6a5cf9a73a2592b

SHA1
dc1c0a6505de763d30c6c340d476209ea5e25d23

SHA256
7b0be83d774630bfb178400eba999ad524f7efab5eb52a63b1ec784a5410740b

SHA512
c7b37f0fe3b64aefb05df264c88fbc6f299a281fac98003f093906bb1a749be81455ed4911b334e5451033a6130eb372c3b3ee31627043babc8e9721367cfac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIoc.exe
Filesize
670KB

MD5
5db15b03e7a50622b25708cca3569903

SHA1
2f05006de3f586e456e48ce38350e430d9b414f0

SHA256
59ff34f3e2d7d34a78e55fafbda99d468148cbfcd71feb41b8d695a4c087400c

SHA512
ada18ee7caa3730b1abc01464ebf0da83845d1552a7ddf475bd3fa081a21dd1b2b56c28d8e425c87446f20961c72234e9ba256c4ac559cfd8415f4c9b87e36fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMQU.exe
Filesize
113KB

MD5
a0f00ba1ffe5d50b880b9086f1783afe

SHA1
53cd0ba38c688ba065424c71075ad36fd98a924d

SHA256
ad8eea1236805967a0dfcb8f15618407f9ce386a4e6ce8a7e4e88e7ae6ff53c1

SHA512
f898511496564035783e18f3642f21b4a5196f2e42991a21e18ddb30b49964a2d9d47135a967816c6b178fdf773fc24557ccf09d4d454e6a11c5d936788ce28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYYS.exe
Filesize
556KB

MD5
53d00eb44767865bd59d36c58591ebab

SHA1
bf0f4f61c61ccdbeef290ee0438fdce69061efe1

SHA256
ad54c3b611ecbcca2506b56efa65e33ee42b1762eea965766929357a8f2666cd

SHA512
92a75d0648d94602f6a8196821564f8b96ea1acf3ec4080a471e7148723de8744e63123c3b2b47876eb91b30d3e0d520ad9ee7b62fbbc983f774a4dd84a09e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgIq.exe
Filesize
302KB

MD5
be53fdc20cc045c00859bc169681efc7

SHA1
f34ce23fad93259adb75c8c8b0c98520da4f30cb

SHA256
229e0afdd0dd46cebd9558a32f516f5bdfe30a1e97f368785bd8607f0a9b079f

SHA512
0ee6256da1d74ea56c69fa1b3cbd2af933759896112663335070607a0ef97bc23c8ddcd5e7f3ca29c9e5f0f8f6bc529e0e8a8679075388e21bb2d98e7fcb7171

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgQK.exe
Filesize
115KB

MD5
e8884659228855c8dbeb870213866651

SHA1
9bd706850e2c11e9f8dac434f4389e6f8240d450

SHA256
8aa4642c63a6f3ffbc69f1be7b894c31697327d0a34f9c73f9fb1c52bf810933

SHA512
fa9b1ad3e042183d8cd2ef91faa03017e6cb227aa5290e0fcd1ba02119776b516cf0dee648f26c28a4f7e8411ead9b54b44a78c34d009f41faa6f7d06c0555f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Akwk.exe
Filesize
564KB

MD5
cd65503aa1d29ead42b44cd00b4ba24e

SHA1
c0b346e87fe71ab19709ddca9c894a4e1435f7b3

SHA256
c5055a637134b2bdf55cc5955f060fd27c7e774e92a47b09e810966c70f9a463

SHA512
0bcdee9ba0ac1ecbc6335937377aa3b3d092ba5a110072d2c5f9762a2b4c2d775acdaf525c2047b429a825f8da9ee1cf2fd82a0d8fba38577b3525874056016f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgQM.exe
Filesize
112KB

MD5
1781e41c9ba76e1f727960f677ee93b8

SHA1
0ba752ed56058087cdc452a9bebaddf6a625676e

SHA256
fe8e889a03987a7f246519c34a37f89e6071a945a49ec1cda36539fd13150456

SHA512
afaf620e4a39cdd908d60c8c07b509fbd56137282834f0e5e96ad18fc288c0f0b88c65dcaccf15e48784d533b59e401462389cb88f45ca014db350c7ea1a597c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CosM.exe
Filesize
112KB

MD5
af878e25a249b1b0f42781d5e65c2580

SHA1
3c7a43c67f17c7b3d70c5017c9f67b5ecaffea51

SHA256
4c9cc750b05ca36b785b6680f898ec5d7957d501b0c9013c49ef2217dc350955

SHA512
56ea738d36e5524db62f2bdb8019ac5135c2c46919a3c78aded5af455fb1d6a6ae446451ce5b2562341586a5147a8525a5bd9982284c18ef9b777850d0504566

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsAK.exe
Filesize
377KB

MD5
e1b897c0d5ba399b39ae4d68ad6f538c

SHA1
68a98f2155a4fbd104c28a89f304858b41595414

SHA256
1badc672ea8d5e3cc9057fd85549aef2b903ece1a3d5df8392805de4db7c8f2e

SHA512
51d3030c11f360aa1de87c4a9d24637b02f24590f973830d051a83c3832bebde1a05e234e1c88cbb9affc0c425420053822c013b695578fc51ba41955f9b6147

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsES.exe
Filesize
119KB

MD5
a700a070674d80a49e056124e84d86a9

SHA1
6281206ef5a2a1106eeefc3ba39a04602d679840

SHA256
0f01e87c1c070d5acf5038767f36e3e8ffc2d8fb471672d981c4a28b8077f0dd

SHA512
efb9f2cc96f62700282f0d8b9c45fb1d8b6fa3b3d78729c180f1a813cc23f7a69ed8c496f2259882651a0268687ece1c95f753ec3471ddc4d93ba65d27d4df17

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQgg.exe
Filesize
110KB

MD5
5a35b21ac67922d57f68c3d46b4d4c57

SHA1
11b6eb69afdc1b492a876c83cc6cc646c63f414b

SHA256
01bc3b6a8a2e19adb8b0e086946869b059b69c3fb7789306753c78abad295f94

SHA512
25f38444fb450d5c4379f52151c47fcb0eb5e609329de0910386ec09bb0d05320f8754a99e83a2e3e11824f11b88f85880d15979843b73b3c2d2974ef66fd559

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYQg.exe
Filesize
724KB

MD5
952d9695ba3e186d47f75f4894e59bb9

SHA1
ea6dc6d1e3153768b9f42a1fc2b585c4d1b86a75

SHA256
69c5b5a9231a2c46063b24e1243a35ab6d266388b634bc7361346a316584f6da

SHA512
2d8bfa185a352b07942a8da9132fc6449efc5a7bc3bf0baf73fbf38d19513791620716171c6e8a149c0eeece66ed6292fb8f563fd838e5edf5fbd6289a6a72ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkQm.exe
Filesize
110KB

MD5
1f24672dccea187ae34fa868bc9a8d3c

SHA1
1e7f22c1fa2d703fce30e3a353ccf3fcd6c76e63

SHA256
0e48bda5cd0ccc480223dcc24b18221b0a152a6e31e4a1b4822e996a61b03efa

SHA512
7d60265e27d49998bb24d072fd23c60d8932129da5cf4c8c75d85cb1d0e92212556be1d3de7a20dd64eb4f07b68025e7b5a2de1a3ee9091fc514c9841729f981

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eksg.exe
Filesize
120KB

MD5
424e7edc1627aea040d1390b1c544a83

SHA1
87e2a31746c5581323222c61d64c7c60334ff9a2

SHA256
be13393e619a2fa94b6b504d2e72fb1b77d7fe1e5b8aa54409ec5c888d63e5c3

SHA512
cfb7f0d64833875a21acdd043ae969ab4f3e024037e32f84a62d089b4ee328713ade7d20d809cf26c14e1835f612bbb7e85bd9147979a4ef1e9cb9f276fbc331

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAwu.exe
Filesize
113KB

MD5
157b4f51b63d63b7e7b34f4a70260f7c

SHA1
32fa12e7d47a91893fa67e3b5b933511af12a0d3

SHA256
e3f19d816aaea9a08fd5e583b13e3b7a6e7b0b1713c42dc4c5f27b55b0db81fe

SHA512
697762139e61c701774667970cca459fad0052b547e22b0c1f04c84de1cd21c298550f5880b4268635602b4e1978fdf66b7d2b6776fb68de04730dfe6c54fec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIMg.exe
Filesize
122KB

MD5
cfa21568ce148f211bbfd88dddd0db65

SHA1
92d8b0554d0f4e528fede32bee200d8ff4827fbe

SHA256
ab3d101385c9d7f747c505be6b411e6f6a10566a9a4bba50991a8ab857c90235

SHA512
dbce12ed90df31cb6b7e827e688a9c6b76f8ea1e2a41388449074f60865af4b5c00c34591769d2c4e8a0b7a1de9c09ca7019e6567bbe6fe8a9fda2888423660a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYoW.exe
Filesize
111KB

MD5
37f2018516d496039e19c3f5fd7971c6

SHA1
60763b27fec850933aa9bcef57f727ee4e121332

SHA256
eeb34fa0305cc644f5bc43b6c90b8803bb4dc92e19cf4344cf10a6c1db59e321

SHA512
1fcf555e40e2bc717de83e84255b821ab84cd7f786e858914383b71dbe64268f3c169ac568b3e99ce1f20c161bbd2cb2345d75c578d0976bcb783fb1160b1d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gooc.exe
Filesize
1.1MB

MD5
de6abad1e09da5f1904eecf3b93e53d5

SHA1
50f8ae2709f54c0719054a3437bcbc5aad433a8d

SHA256
e270dc631884468635e7a114e30d9c6a62c7de906f72592537232f7a95b928d2

SHA512
4662194032086e641b3f231ef752596c5ef0db55d6b077f4f87bc8c24a1c1a0a21edceb30a2eb818488f2a3520137f48c37eadbf2f7d59607a58de15f7e35ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEYY.exe
Filesize
634KB

MD5
67bb5aee4ff74e020e70a9e17503288a

SHA1
93c75a5cef52226c94499fa8c0cd82bae04e1f3a

SHA256
d010f75a8c43b0abfa348b99dd6bb4f346b73738988e0963bb8b35ba7f3b9ba5

SHA512
1e48436a0a4e564f9e6e592c241f7b906f6353a899e783f12d1bde0936387080be1eb882c008b66a0d284d01f78e5c9b3d327a2c5b5d7e44c31bf52bd7104a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iggg.exe
Filesize
532KB

MD5
792831db88a5f92314b81b7091e756e9

SHA1
af05d37a22d220fb3e2aeddcbe997ac37ec2c758

SHA256
0cb2667569567bfd3abfe6ad254691a7c698dbc5d0b1cc59e72d1c43c0c8c508

SHA512
1b61825ccf51a8349ad89577a97f75c9e1faa472fbd62aeca0f1d72fe507864ff51d4b73dde89d2c43ac05fd695791239270de5e1a57094c99ea1c7336e780fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kscm.exe
Filesize
111KB

MD5
3f7dd48523975274cc76a27758cf39c9

SHA1
fec0eef3a5acfc0bc6c97de1ca94cfab9abf67fa

SHA256
efc0bdbc65ad3a4c4682d94d8820bbff143c3273299ed04d304b7519498856c9

SHA512
65a9bfd0de5d469636cc0bb227bdd599298fb0fe237e08de86a6a7fb84643315ce17de6c438f76fc7c311f9941914be842dc89402d44e033c5056c2a508387ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAMG.exe
Filesize
493KB

MD5
15084b6cb6a5d68e028729608ba4adaa

SHA1
c9583d6f0fef975b8775a3af30be9c7f8bd29a6c

SHA256
9d752ec60e3c8f500188bbf92568bf9a6361dba70c90ae65e36cca7fc29b728f

SHA512
12b55e5c423bd2feba393c657543902bc547ea578156827d4addd3ee2935d36d1feb69e85805ea1a810938d016e2a6d057905c9b1feb40ad20221d2005e889f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMQi.exe
Filesize
112KB

MD5
fa8ef28e127bf4add1b1eb03b85a09a5

SHA1
1a8253456e5e3eab427b3f287e80e8fc98c73b48

SHA256
1f3c0e59f6bed4bb562ae8ebb2b7efe060125e4049c8b52f0956c30934b7575c

SHA512
a75caa6e6163531d9630b44c17d397fc3f01b535a53187d6891e956077689d24a12a4b1820a1f42f5bc451e4041422f345d17762f3f51c35d965f122a27fefab

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUAK.exe
Filesize
118KB

MD5
0204f417cd4b5a4cdf7f520bd00ef887

SHA1
ce054ac0f3a541e6819cf6141de9f381a82815eb

SHA256
39554e9df55048be45a394a0b14d255b20f23e3801948146ef2dca5386c37ce9

SHA512
ae6ce3199d1fef0fef605f73e114ae858892504f2128d094ee0c77e66505af92d59dc5369f159c04822375eb76fd61a4d5cd437b967658f83e642fd881db14a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUUo.exe
Filesize
139KB

MD5
c8cf9d70e56e4dbfb6bb82cdf8c3aedd

SHA1
5310ccbc061e96e0390634a0e4aee262540612e2

SHA256
977fbcb87dc2da991df3562dd00a473aa526e466e50fd22f14f1a58805522e4d

SHA512
26ac1ea5f2614b57631f0905cc8a445a7f5e3952526a612e527f668f23b2a6aec11a2b7717e3b68c21afe30133cdc0f53063468e9acc7124bf29b69f4f21f56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYIA.exe
Filesize
120KB

MD5
b5b3aa7b33a80b7b21356f8605965373

SHA1
2cf003c4bdbf2b343a727732b0bfadee92f2d105

SHA256
854de112981c153c851b256318e95b6737347fe819b756a5b492de9a461f02f0

SHA512
56b427036504ce7942085158144dd053f1a8358c8a8e4be817430834e8b88d2d91b1570c58a5523fcd2ca7dcc3f54c044d8263c649b6b5a69d2018e3ceee9b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkEA.exe
Filesize
619KB

MD5
aee0a9d6ee5c28989fccfc06ac1177a4

SHA1
1b614525b3fa8d22319caf1ff80ece78956a333f

SHA256
36ce7b7d993841ff46900dd01d9d1fa1d8a12ac906373c8aeb7bf7a90b490a8b

SHA512
8ab8d775a722e6858c394174e6756fd1cd07ae573e6489d1234f5f4985fd0400932d6cfe722dd9ab154c9d9a2283652af94f7144a903326f6afd6e767b8b3e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsgK.exe
Filesize
119KB

MD5
2104ae5447ab7a11f0c5521e09df5c3e

SHA1
a3ea80847e3552caea5f5a76da3b70fe0ddd80e8

SHA256
dc22158c633af9d7f0c3df4c8a7656ba650a901e64ac4b40276c2a8ab0ceb9a4

SHA512
d7ed7b489c677ae032ede30bdbb31df6c7db1bbd4e4ff03de1899c6bee841a181b1cac003e49821f1c2fb06463a4d2cb0747d2f3ab9bc33daf831268dbea9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msgo.exe
Filesize
697KB

MD5
393c5d9660a6342cc7bcd9dc6d65465c

SHA1
e93de8166e2a7b6f791d7720db934bc5d1f616f9

SHA256
3d9b02e2e9dca81bbfc2fbfb2f2a70bb58df3c556fa11fca31a2b1c7097e2e4e

SHA512
0d62fdf79672c712a3c856d9be9ae2a93abf8433bbf54a3982135f149c7a2cbf85c7ec53fb5cafe226a9daf09637d2188cc7d6a77b37cd7bef96799cdb873faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQwI.exe
Filesize
721KB

MD5
7c037f6fa40abf0d4420ab1126080992

SHA1
1f9a3073d443b1cde8b5ff4983d0367e5a0d9e94

SHA256
d20df2edb201c2f8ae409596acb4ec7ea23d129f93f970a6dbda2e56ace5ea0b

SHA512
676581d669dcef1b5c05a9e720ce04ab2c2a35aeac6ff10b1eaa30871db534854de23fb68973358553d19b689100cd3bbed2dee7889c7ac2de03a493f50a69d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcMQ.exe
Filesize
116KB

MD5
1330217a0ead896dec736f15057bd037

SHA1
25026f5423657799fb49f2c86b4ed68f6e897971

SHA256
c958172f8322307490a5e0734316561a930ce22532f8b900ac4b087f43aff6ad

SHA512
5ebe4b788f320b54995d47d8822ea3fcc5df54f246470c618af5d8ae7644d00b80db745b07ecf53cf9d323937e61473454077689247a95d21f3d26dbf7313633

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMYE.exe
Filesize
117KB

MD5
7c8380223fa3e49e0fb0cf244e8b05aa

SHA1
35304a54d5d3b944015adf93eeee305768873abe

SHA256
7dba8e583fbe48d2e5dd9b0c6034930f0b07fb272ca05de22a10d2f5464dd50a

SHA512
184326195c1490da04016ef7e4ccad1af09437e0d300e84bb71a673e79421fbffae946bb372288b67696fd219c5ec71d83c56ad661d2acd4dd0232b3dc75378f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYIA.exe
Filesize
110KB

MD5
f522816641f21b6b11e28ac6a30a8188

SHA1
6e93622350b20364ca22686d9e33b533170340ed

SHA256
2164dba7f191f7e53fa6e216b018e6f851c106204b7cab3640507a1336f100b7

SHA512
c8abd764667797d2e6662f5abd0448095ea517d10616062497dad8ce771714479a6d2ab2dba5f2f1458caf55f4050ed353a012fcb9113a013b7ece60f2f28c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYME.exe
Filesize
113KB

MD5
41f1bd49cc4f911263edb1d6505ea7cb

SHA1
26559d40bc635aea32a45c0680382ab47696574c

SHA256
952d30c00fc3668fcc413c4c90b4be0d48c1599662621637378f627e1ade941b

SHA512
bab5be61330a107bf779abaa730f67c5c94dce204da4e9404f6a7ebb4f355719457d637dab47a7ae43893cf52ac3f24b697e0c6434a5b9861f290f08e396a798

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgMk.exe
Filesize
143KB

MD5
5147035ab29450b2150b7ef3d42e3cf1

SHA1
ca6af3576cd6e25b20f618b5b7d6bfbddb42b87e

SHA256
c384924d6ee2ce3aacae87cff2a950f26e4ad0f74f6ee680d8dc6969cd7c0ea7

SHA512
47723b857809cc91523b6e66f5a14c7258cb259449296a92be6b0a025f2af8edfac260fc9725ddb3b7b1019b3d1f5e1192d393ac6dc367269579d8361816fe53

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAQ.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\QocC.exe
Filesize
345KB

MD5
7e9c3e691479409323f9d02373e613fc

SHA1
fb51dde0074c29e3aab7522a691ecd0a9bee619d

SHA256
df9c6faca8e1dd08a9aecb404046d0deef1c7783c6aad80acb9a70bd628887a9

SHA512
1d3d7c0e11fd8d201faf62543a355b4cd34592d83e68f77c501757534bbeecdf9142ee0ea694501d9fc436549f0c3284d76a0fc4268d8fce1016b5c026947a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwge.exe
Filesize
352KB

MD5
64377f37944c80c9ceae9052b9a98677

SHA1
a59570a311da865af56b59e87a4efe06b7730c51

SHA256
9ddcf0b5b6f965a33236b89d22c67670778896c68a22bb686501e29f92788b98

SHA512
25ff0ff19e6752cf6adbc6f3cce29509ef62465cf39cc401422e542c4c32411d8f54e71f87ef9c09349a83f452d0f4dedbae3e9c01b013549de9434e042b29eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwwq.exe
Filesize
116KB

MD5
6e0d3310490e42bae123d6355492ae61

SHA1
4138c92d7d6b743e28421acaf2f98f8841646f90

SHA256
4777dc44d23fc275105ab05e76893f75c4e287a67f0c3eeacf47bf0c4a08134e

SHA512
2e7f440b20af5b5ecfae52743030e7fd0f40f5805a08df709b3232c4ed1b3c10cca4449f55b3aa0dd4a4559d2a7daeb6f0f31dff28b574c8f2d7d185be8b4c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIcw.exe
Filesize
111KB

MD5
d369288a442497e8469144e306c80ccf

SHA1
0c8528c247915479c43435d0c4fdd294198db052

SHA256
b24ac7adea1fab660ca2f57647740978b62eb41ecc173a924d39ae4362a14029

SHA512
a3cfd2d5d9b685af69e3492282c1874bbf5bdeda1028e217f56fafdc3faf8d873a21d09f0326c754f457e896294628d1b9f421225cf5b5f46e548610a9e5eacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUEi.exe
Filesize
236KB

MD5
81b3934093a1af06eb4ffa9e87f17cf1

SHA1
a37a5e7121056b07a5979dd1e002aa422fc164c0

SHA256
56e343ad257789a160de5ef57763abb2cee485a474f453e460de16550a5d9951

SHA512
90b0831077995626d3fc670aa628bdf832fdb082729e20ec8ddfac3f6ce6287c2506d6d5d8d54292b52728d9eb929ca88b1caab6928cd1d6cadc151abec9b3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScgW.exe
Filesize
112KB

MD5
415f7a4164383e0d5a72f6f0507c7c7c

SHA1
d95ae1ee81f3b3f61027b001946ea2933ea256e1

SHA256
5c22c40e5c3a8d2d4626a6d50fdd46e8e4b9747cb0feb466369d98d3c90dd12d

SHA512
a0d5d3fb73433a8b304ff21ec299c9b5b79818285a5ea446245a0674b050da194496eeb9f569b5b9b82dee14ddb0e0f1472ba0523a55e36cb03547c513740b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoEs.exe
Filesize
111KB

MD5
79825ad9c35ad58981e8c6bbcfe59851

SHA1
75cb9df632c584b4772afcb174beb9214b59a0c5

SHA256
c50f8f0c3aabdd1800bb9f1289e9106a1825a2f136d1e091044b20bb09dc854a

SHA512
3d1face4c182c2417f0e54ff29efe526b1e4bc1eadb7929e580d268ed0d1b0476ad0483bb985735d1e903b6e830cd1594323298b721718ff79bead7b0f67595a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoMm.exe
Filesize
116KB

MD5
70438c94f5dc819f54a3e75e74eff0d2

SHA1
4ee8a1bcfec60b39c15fd360431be43c5d90ef4c

SHA256
8a87abead8a63e92e3d8978c0855ee86168cadfb04d974e7c4a078a725b05a33

SHA512
ef6cd30ca03b1366f483b9f2d79d8e53d3fbc65575e254f63de3c80989abb906aef75b1ccfa94781c80534d81a8b820b82b9f9e011f452334ac9098e7d410ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsoC.exe
Filesize
566KB

MD5
773035ed7d734536f82c78dd7fbedf45

SHA1
b18476b9f3386f2e21b874f62cc76e80d900d772

SHA256
9288ee03c9f54896b1ba79c4b6dce718b80daea8e017198e25563b202ac80f6a

SHA512
4784d6419515f86cadb9d66f27f2c1723c9e6d8965cb7886f96afcb311787b8ec4dfd0f74045c918ec6fe7befd7f334a3579b645430d47dfea56f9fc8fb9011c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAkC.exe
Filesize
111KB

MD5
1be2a9b641d0d366f8d1014d124cecbb

SHA1
46e0a47c4b7d611ca89c1f908c6291d1003af7ed

SHA256
e733a90198b719f23015af970c163b0f7515d0cba7570aaa9beb2cb9cabea382

SHA512
effe40d05c9183e26ea171aa9bbb019a502a63ff07b41380cdc2df3da673e712f2758f252c701cfbc3f3c908053fbb39065dc9b10719468128731d43cfa5e35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEYo.exe
Filesize
111KB

MD5
543eeb83396ea524abf6a6040a9ed475

SHA1
afdbf634c47394a333ed76bc627db5a1e98329b8

SHA256
012637f060afb7fca4ea2881e0ae4817d86a2ddeb841559b4dcfc17d4916db05

SHA512
f8cfbb1224d031bde5feae6b01efad44248e9943aeadcc61893f3725692b67de3fa55cbe5861e116259492423f1b97705bc2e112a40eec12b735648810e6ca12

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIki.exe
Filesize
112KB

MD5
26673d938aad13cdc07acc9f446cfdba

SHA1
411f44a3ad98996fc8d091425b4997bf9a506869

SHA256
4244084c932393654a9a4e37db0fb330208e39d9cb81b0642829d9b061adf427

SHA512
3cd608d5368d9e4e42930e94e35aab8ad222d3a10574ffc1c89396c841dc72806ef8a1fc70fdc5d9eab67bb9cb091b6f91ddeeca592058242c9cf51463930203

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMIM.exe
Filesize
113KB

MD5
885782fbf155aa31d6d3092c3f2300fe

SHA1
bfda143b522ac40c1145df1427a2719d285945c5

SHA256
b4c28ddb93e8f85d92cd897e0185d6e339b8e8a6243db54dd6edc26a026e9244

SHA512
acceedad9e8ad1b4c43f62a28caa09c062025ec3c6a98a167edba91c0c2afff5cc615cd155c5e432c92a23ba546c3c6ab7df2e5082f400ff26d21704f216f786

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkAo.exe
Filesize
561KB

MD5
db94d764ac7d801a08c32242b8b21b82

SHA1
921415b6dc11b55365418ef17611a554b58781d2

SHA256
8a048d0156248971a9d1e97dfcf2ea3536e845d0ac56c9551a6b11a6df639ab8

SHA512
f1da25098783ca8fee0f13d764915b740868d04e05c2adc0376a890875b9413f93b64a321f461333e86e16c1e0f877b9f4ba77ab84c97a00d756f6f4bbed1a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkUY.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsYU.exe
Filesize
119KB

MD5
ba588511446780e89121bdc5351af071

SHA1
5dccce3394b0963d174b59ec74b543117ff3c489

SHA256
a197d81c0db4c4ad021e1c4eee3e68d922ab0ecb1fde705d8596984b690ac385

SHA512
857b7ac38b73d16380df7cb4b16c391b7e79a59d91c1875d72060affaed7ca753609d9fe68d128a21fc6df2490becf9d1b716879c78c4c207e02f3c6998678ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEwq.exe
Filesize
351KB

MD5
07d0c7b0197301f7c97e41faa0eaf4fc

SHA1
9db37c5af11f44f9ac8d6d74ff6b2e20fdc08c26

SHA256
a8e1b12b61c6554d699e01b85de35310dc33b7c32419e24694a39ae494998b9f

SHA512
b49a5f2444faa188738023917110a7ee4d2c1f69b908c2745e8209d36d0d665128dfab2aedd5097cf729e0de73758ca3bf8759f7232d5ef76a70aa08da9e57e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQEQ.exe
Filesize
483KB

MD5
2356ec4822d74d098f9d3d1682952d1a

SHA1
e6a5f91e8e50d31795e29f718f80a97e98707c7a

SHA256
57954a0beed1f0d26111a6388e5b48a0c3e742f176bb47056d7cbcbdb793ded9

SHA512
6089e3db00d20d6159bd30a496c6d8a64ed49cae51fd6a22cce2521213fe9a026b95fa805736a7eb4c2509a640f770d8b93eda4272168b34f6a02ec9017b9c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUcI.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYMi.exe
Filesize
512KB

MD5
3d686211302e41763938503d89a463fe

SHA1
0f67202937a52d8779140e9cf17d73691a34a275

SHA256
5d9f2397adc835d65942f89336ef714b5beef27b83929336edea12517396dd6b

SHA512
a7f16a2238b85e2f976c7d818ff457e6e60a25f37d823787082688616c50b688eeb3859ba52c4d2daec32108cb178bf7897099c0ed9f3fb2f3044df53b5d2cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkAW.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkMA.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkUM.exe
Filesize
865KB

MD5
521a6244d386b38d739cdbd058824bd7

SHA1
8cb21e08f8134bc772359bb390277e7c59f8b3c1

SHA256
0394301a6c453fe29d246b8d8f9fa9d2722b2ae2927f891efdf2d25fb0a90d28

SHA512
959f35d4e143eac66699ccc37104ce26543b1254adfdf7bc64eca098144d781bd8530e8099639989d421acc2e2c728cb5df6a6da2bb29574b1093ce6c98dc486

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmAUwIII.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEcA.exe
Filesize
430KB

MD5
cbb2152472b00c6d10b0af3080d515db

SHA1
b6ef131cf6aaf053beac6d48bd5d8f80978b2283

SHA256
4be8e611dddfff1043e9258fcfa405fc7cc89657a840a58dd9bd4f706c3ccf96

SHA512
cc8ec01479ba2e818c30e4b44cd96b1cb5a88990c86bd8d913e4a2b899d9fdc24b3cebe6f35e45104e5b655d663b55a67de96f5c7e6a4b3213ee322f2a5d6de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQsA.exe
Filesize
554KB

MD5
08f726b2382b53a79a4ffd3a99cf4430

SHA1
6a04e2c2dff6664e9051eb0078c711f6d1b92b05

SHA256
02504322ef0772457cdba6a1e3d182fd05c0a849b9b5328cef931f1e0df76618

SHA512
0563abbf9fbe44e818e5fa36745d7d17c956a961f1d309ce5c4277c059bc1b0a5e5f8421317006362d4e680a3801ba1ee3a48b9bee944b26f966615869a4a009

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUcS.exe
Filesize
112KB

MD5
bc3839fe28e92d293bd209ceb33cbc7a

SHA1
76bcad8b7b5bfac944b4dd78f015c4878afb9ad2

SHA256
25ef66c32003dca34b895f82562953a5ea27f52a32b00148aa9fa1625ee35e18

SHA512
9c4e39ed00a64963e69956c309618990f9aeaa568b93b6c59b3b90cadd3d99b0ae6b1b7bdec81f655fe0c4d52ecd4390011b9e855e56d3c577b0e770836c7066

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgwU.exe
Filesize
599KB

MD5
7a6fc8ddc0b4c40535ffb893652d953c

SHA1
b0a1a8ee7b75d90cf06a1c6c54454d8fd6449e57

SHA256
6148fad7e27fe2c8a6270e9f5b56127c020a65b23c096d525242ccddd281c7e2

SHA512
f0316bc65d7c596e1a40b737b63394cba066d6e386ba791ee0db80ec0c42d2c025d7bbcfa0425fb372b69f277eb3c6905f6170037c2f69954515ae128323467c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwEA.exe
Filesize
720KB

MD5
5ac493f320fbe0e9340faa7725299089

SHA1
be6d6e524108ec79dd0bcb0fb29f847c66393e6c

SHA256
f0e65f48625fcdf5494c11201c7de1724f2c7ae3135d35dfd5a0b0460240f439

SHA512
4f09f1e4a8d1659cf93cfe8876704b7297cd48bbb77160b8c0c2686f71b64a879dcf76e73544c1c2700365894730eed0a23e08160247eb62be7d0fb8e165c8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aggm.exe
Filesize
745KB

MD5
4fad73591af09ceebc3ead9f894c9db7

SHA1
f97f56718ba0fe08e44310779a5cc03ee01c49d4

SHA256
3ba63aef7a911c79f02c0e8710c79fd75e99bf9e67c161a48909da7a50654029

SHA512
a7cf476242dd0089816eddc00f2fe5623ae6da87cdf0c39c29f274db373131763cd73bab83041e87d81e5a75777efe56237e1b99a52a732e103b6075d0aabc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoEI.exe
Filesize
115KB

MD5
ed220f93c10ef5cfd85a9bc8702456fd

SHA1
5473f3a64e5fff0b6a56936b667ede8d1ea6448b

SHA256
4d34b20e4af0981f24d896c65c691930e9d79caa7fafdaa70785ebb324145d64

SHA512
8b231d397edb80efec14cd61c5f1b2f1706da4bb1ebc2a0875f700e76c58b0e476023bd1ac49f797b76243ce6116d1b6357a8c4c649263de2f919cbab7c01b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\asAK.exe
Filesize
114KB

MD5
84ccc69567f65b2d01a9a08e3e6d5d9d

SHA1
33344605ff729cdf538faa8ca556afe901a31928

SHA256
fcb613ddaf6eb245cf31d6a759f732aa68e8931fefc5086f07c1613aa496dee3

SHA512
7b19d965ebc55d4f7679ab8def2e4f51adcefb975a0ba938f2728d5a3e8f7dd58c8111aa72c813fd6a3b2d491eab6f6b46e705306938be8594860208c1c16c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEQk.exe
Filesize
110KB

MD5
d48c124582fd475171b7eb42bdaf0311

SHA1
f81c0a7b58ae978d05dab717f4b361711f4caed0

SHA256
a1d4c1553a5e739b62b6516bad1204e359933acc4b67114fd9abba30fe1abd2c

SHA512
7b638ac79797f0be1c1e952b51e648bf468bfe738a6ce9b523bb9a8f45cce6474f6c419fbd283b4f0586c42fb026ea8a286083cab6ef3c4e174a5878c7772128

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMsi.exe
Filesize
149KB

MD5
5d4a0bed35724b695f84490dade571af

SHA1
0692e9be6e6a5fd26d20e9eea5782bf415e2da98

SHA256
0746e5b52505a2bb44541abc2cce57daaf7d243a2ddd23c4e8a54947a50187c7

SHA512
0ac180aafb031bae8a26fddbb995c5e06ec44ee0bf8a57f44471dfd0b39c9b4dc9c2a3cfef6473e95c3bbcb773cbb974289e6139237a1bf5c887a244d705c80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgM.exe
Filesize
110KB

MD5
35d665c3a076f8984770375e05811ed0

SHA1
c5efd6c1ce6474d8aafd5d11fe894f4e69ae7a23

SHA256
14f415a61885146225b164796c4dc54c97db52a949621fc9e5cda461e0043880

SHA512
47894895c5da6d82a8235ba1bc0abfef4a560e253dd52ad39ee0789214accabf4057012ff593b7d0c1540f093dc34de988f07c6593e1942dabfabcf89f62b15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYwM.exe
Filesize
111KB

MD5
df5ba7c3f7e9687bdbd062b97a7ef68f

SHA1
6869d53584b65d4e951d9f31ea53b7807876a429

SHA256
fd9d57f4eafc9f4677ddeee3467071eaedf92bc27cd58e7a6f531313ce60b401

SHA512
b75768ed9f5a55385596193621bdf2eb7cea27ad0d1015e0b7812407137074f25313e4fef9bf169181f8b624f802e67dc072dec7ed8a271f8bb3af5e73556814

Download Submit
C:\Users\Admin\AppData\Local\Temp\egEe.exe
Filesize
148KB

MD5
d880fe4950294304a91cb67cb50610ec

SHA1
c8210fe8f773df2297d1a93ab335bd05fb65225a

SHA256
6885d566bda8eea33c2942d6f3c5a52823720ae39b3ac5f3d653bcdcdc483c49

SHA512
c833a0b5d625069b4f01edb524b647d6d08e0fbeba79495d184b0bf70be688de4810c89139522678b2a2bfedc6ca88423bdcc52f171dc740df3ce96d1ed20942

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIck.exe
Filesize
153KB

MD5
090c8f5e98408ad3c143771333aa0c96

SHA1
4659abaa66aebaa8940dd6fa93e59099ab247be6

SHA256
ce43d1b832d70527ea3bc13736e269ae58ff35f6462be60ac6a636a156b0bfd2

SHA512
9eed0a5fe0cb1f254e6f630936a5c924813ef7420a750911995add5228349c5a5fce30fcb8299838eeb96123cae32f296bd89588bebccfe521333fd1d0f81bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQAq.exe
Filesize
112KB

MD5
294c80ea878b98899b4eca918af86716

SHA1
34e578c18ebcfeeb28995c83b0653a477fcbcca7

SHA256
02375c97530f5d5301a7b73219e14c8ad75e1a2d4da92f758236563ec7c3be5d

SHA512
f79688ab3412fbcd59df50e3605de127524c689c192ed82aea2fcb80a6ced691623b528fa2ab97ae0951febd228d02e7051f9ae0d3d015885890b3500649d177

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYgY.exe
Filesize
567KB

MD5
546f411311e9a3173878bbbd8e373e3b

SHA1
3d26f13fc910e831c9120d9faf3208902ad62aaf

SHA256
bb3968135941e66b878f3f71c74df028297c78027ed94d36c095b6b40fff7782

SHA512
a705f805e18045da853f8953eabe33952813969a9b6f186bfd046425569d43b8e188a45418ae79e3a906dd9a6a414bb7f7e989ad71637a3d84bc5904899d9faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsIE.exe
Filesize
237KB

MD5
61bbf77014857154d9a45b425133e093

SHA1
9d5c55aee2366c8e53922c1eb89b0d4c8d810e01

SHA256
b793e896043aaf604fff5a093bcbbe29963fc95852bab48fb0a320d6873ee532

SHA512
178aec3b6fa9d0797e06d3a40c8e88b7a22855c48f79e411dc56baf8ad277b94d8a822f581e9389709de24876f62dd4886eaaf8e4ada75b48e7049ad4fc9caf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscq.exe
Filesize
235KB

MD5
035ff5852cec92bfb7ef6b488c5a8528

SHA1
1f7d551626870b867a98921c7d86a24d7d3cf520

SHA256
538f70e264bd5a0ca0c58fd4dc6e05e971e5afcb701d3a714cc2ab529045b0ad

SHA512
9e43cb0fd580e6bc4ede9b1d3b0ba415391354bddda83d83a01dc11725ece8eb13cb253e4990093d41048d7988dd1b798b86b7bd848423813891531449bc52f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEsK.exe
Filesize
116KB

MD5
beeb0d98246f7bec994150b92e2c6816

SHA1
374e9ab5a67b42c2885cc5ff5d688eac30e3ce46

SHA256
afb5a634374f3c728d2507cf577256abfc66f6e1a0fad12e9f5435a9348a46f8

SHA512
2d440ee0bdd9c375323bcae6326a255c7872facb28e52443db0ea82f2d5bb69c780f94de09e37e82ad2b814ffbfe55dee4699541c2809157728c13a4f9f53c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAk.exe
Filesize
135KB

MD5
1f5c5403120ba7f29b9be79749cc9ce8

SHA1
144744f316ad808199eb590ff774187785af98cb

SHA256
a82ce6211b3349e4a40e448de3e88a7da87d64797368ead1630d39fe15f503c5

SHA512
90e60d0b197f8fa264b9a4ba3438cccfb5a2ca66f9f064234110ec6c55dec44ddce93c585b81d9654747ac6a74227f8fd9c5b8aec1ee28f53dcf207c81583a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\igso.exe
Filesize
111KB

MD5
863b9a43504370d7383db4582269681a

SHA1
6d5cc06f1c107fd5b95e242aaa3f3fb95d910f13

SHA256
704cc48842e44fe4ac4fcf3b4b90bf37540a22d8e3ea36dd79386f1ef8c33fe5

SHA512
ea00c5fd21d59fd42c069e3eaa4f122cbeb81bbc05b17ef9054b7361f2541af3f072989e39d1f4372d112751dda354e8efcec95397b81737207f5d19d2877e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAsA.exe
Filesize
115KB

MD5
a7184b3a1c5a52266ba593011362c3a2

SHA1
38e00bbb6ff2790627201478a00d40d4cbc9999d

SHA256
7eb5fcb290ff5eb6757fd1bc9f6e107f0772104a419be9ebb4218cddad708b91

SHA512
444b9870aec8c1dd6399545dd8624831476162d7cbdfd5db7de6d41816bae4915e872536ba7c1c5b8ac183a2aff28ad5a2865f95c2a8d5c91d0d6a18d17e798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEwK.exe
Filesize
110KB

MD5
1d2c6221e12109d8f34c0dc0e080f204

SHA1
58698923a718828e86b0e6a6adae9b466b55a5aa

SHA256
cd8fa255553455e80ff2fd3fdc9619475a1e537343b352e3f8b17be9e8b9ecb0

SHA512
76b87d0b9f926d879737085b336ebbd251294d0d30aa238fef21f82b031db9f9fe258c11132f278c43e65aedd0813729618ed2d70a58a581a6ae3bb029a1ea49

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgoY.exe
Filesize
112KB

MD5
e41c1ca766727316b54f9a5f94159dd3

SHA1
ed54ad55d9b1b630dc5d47401c828186a09c6126

SHA256
5af698b823c86ca164bb3fd39e11b0f67be21f206e81ccf2346e8c4b0f5e4ea3

SHA512
498e175cf5ef787d7f1f8a9c5dc797503e8f76266ff3ed3f83dde731c2e8b5854bff6415c8def78be1a2919b59071931cb6602f62693a37fae8ac7f4009197ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkUw.exe
Filesize
446KB

MD5
83229251af3818ef85f6f5b3f087ab8c

SHA1
0459e9d286f122655b0ae18b034647be0d82be86

SHA256
a24d7b3478e5c38cc3511f72cd86480a50c2a18b3bb0dbf9bca3bb5d1291e9a1

SHA512
78ebef42bcef437135296180b63f7e9f2f2acf813e85ade69cf45606dd83f7178bfe0b620a43849510fc28e8cebb5a8825d4561bc5c200c5778d17f4456749e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\moMo.exe
Filesize
113KB

MD5
9147640a39653f97cc702ee66817c978

SHA1
6aadc53c05c8d833fe16b6ce88db4e5b5f4a0f8a

SHA256
789354df83a80a99e817c294cdc71bf4d1b0ba1123c8a14a62b58faab536cde3

SHA512
a0030ed3f5fc1095e7ad416db9fc3c51b523b02af2e28f7e4261a0ef49cab547353c460cbd0829d5c3ac1a77eba1cb46adf0f284c53d74f680a0fda522a6d23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwQk.exe
Filesize
239KB

MD5
bf06f1f5779ea53f38636df0abf9ab90

SHA1
70aff15d0d718dff56f9a9cb95a92a594b209cfc

SHA256
197d116fd57688b81dfece82f64e82d20a6bf036b36c69a3b0dbaf3d6aa3fd9e

SHA512
9ac0f0198e600fdd1aa2d91d9b663adb66cca37344f525b163a2fe5f0fddf6056b2732e65631de0136e3bd719e9dc8ec9036336e3a26357f27d86d6a49f7024c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAQK.exe
Filesize
140KB

MD5
549ccc4037b32cfda756c25345d93599

SHA1
f0e7c5ed4c5dc8ddf1bc3703a535957901482c4e

SHA256
893b456373270125f3e8b6d1388f85e4c4341625c5f4c1329796a9d19936b404

SHA512
e1232d60cc814c880c9cc571baa30c81e29aee068edcf07e99a6cb3aa577ce735ec5fddbacdf79a7dbf77c1d7778886ca38d9ac9fbc8b2105d70b1c1d4eb9e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\owAa.exe
Filesize
871KB

MD5
1ace799c04903a9ce5a4f1578b5e98b5

SHA1
48a9b6fcda712a721bb9d3c307a7b1e988340de5

SHA256
31986ad047a8b50499b354acb5b6e6e2d46b7546a4db59794162ff39d90cb322

SHA512
24f840f96b087fbdea505bda328a581576b86b5309338ce3919023c6ffa7f3fa880ba6f89d008a52b1a863e1a4a615d9a0efd41aef7c7cb3293e3dce13eb88ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEIs.exe
Filesize
112KB

MD5
d8d70e361148078d9500b6f5439caa9b

SHA1
cc821cec6f236db201b30ec72ee11b0bcefabd77

SHA256
3a63901818c5bbaa8cce9fbe045dc482ae6cc74cc1fb21b43f2d1d1b0d65a6b8

SHA512
fd107012fc02189e74a6e8e5aa8294d8df578891a2b49d36daedb5c5c9d6be657df7bf7795dced0c13af5983f9500e06a78c40ecb4c6fcfb6dd869b6b008d7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMka.exe
Filesize
111KB

MD5
dc32beca44254a609e23bb9b2707fdfd

SHA1
6fb0ebbc7e5245608e95129b7f2d569f52237ad3

SHA256
308264bb4b133192019511ad94d43ab54a15e23ca6e8fae16ede4ef03f98ae46

SHA512
fbac7a358dd5bfae44a4c0316e6023bb21d2fbe41c43a8ce1042ab9b5b2fba21f7b259a3bac0d42b4de9b179714f1e16afb413ec3865f333617676bd5352e559

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUYm.exe
Filesize
131KB

MD5
449c620914eb2842e59879497f963082

SHA1
c697cfe7dc46852cec3f7290b256b9ff00ce56fd

SHA256
4cd0711bbed879d81ffc1225f08a5d8e7847d5933ba26da09df4575bdbd55f3c

SHA512
ced25d708bc49fd60c3faff706ef1c83cc229e67d82924c22da751a8aaffcc2ca4bfd422ae07fdfde8e14a392a788f13552d8d876499ba3a7a9b1e26cc744481

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsIs.exe
Filesize
109KB

MD5
3a7ca429dc86011f09acd4479c5948bd

SHA1
83a73451aba78b9d2c0ad7381f704cb8d4de70ba

SHA256
f3f0c84f96b024ced213394cf32b715fc22e082f28b0f562cba388e64cc98d09

SHA512
ff06adef69e42e9518be49ec918822a7f387d86ec2673bcdffaabbdca75f058ff7dba17369333daf8e909aee69646cde38eb7c565e1052248908cb5217590154

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsoC.exe
Filesize
117KB

MD5
80c78fd8e59af2c6dcaf9d683c38049b

SHA1
2d48137270f2f8085a79621bf01f742c9933a5b7

SHA256
566179632e1402e69fd4af5171ba2801560d8d61259fedb8c977d0b026b23282

SHA512
3695ea0b9e4e9ceb99fd341069c96c6ec6ae2944b513f41a9dae75ee72352afbf46356de1667bc43ad1d55d7197625004b3623be52bab9bca91498f57c0b42b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAMK.exe
Filesize
112KB

MD5
f6a12ec8f913b256a5a2bb81f16b210a

SHA1
0c3ae8e00418fbbbb8d5252cc401428c3cafcc03

SHA256
55c9eb9bfe1eaa5fe7d631aa0cd6b3e15d3f1cd123d1569d3565cacd7937db16

SHA512
65966c1fc79d28df4729afad9ed81b112e000553e9cb487829a850c8b9e523a1127aad529f681a47b99091723fb63f27feb51e8649ecde6596f7fed02dd1bf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMcI.exe
Filesize
744KB

MD5
3489c3f252ce47734467fe0f75957ef1

SHA1
b081748fc1765fe2fc87610425c49d99d27117f8

SHA256
f96a46311fad95e8e274b8f3c55b34842de81ca0bf02183b499a5fb2cab02056

SHA512
195a516b8f27dd956cbf61e25e0a240671a3ee8006a4427227168c67cbc35681fe48052c87677ecd63aaa9c0db71c220a4af15107603f069b3874f1a4ce12b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgoi.exe
Filesize
111KB

MD5
9cfff3e200478b39ea00caad53a0db4c

SHA1
fa3fb690f933b0e060da387b02a33f5a79ed47d9

SHA256
4c1add3ee3748364aaa3b5d6cb20fee544e1e5bfd75157117d7edbe58b2dafe6

SHA512
7a2131040158aa784c35c1b2cabd5c25b7dd871499d7c8c2250b771c554cf5f4080d85d3bbd98845dd46352dcc3df67ef29ef1c7dec6371b87400ae6dfef17a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sscy.exe
Filesize
110KB

MD5
597bd4a7eecf2117a6381091a8b8023d

SHA1
e965a4515734376e7c844b711fa60808c8a74a48

SHA256
a8299de05afe928260019a3f9e3c0dfa6c8e8d11e9018291ec71d31ac060efb9

SHA512
f0a08040e08a34f3c910054f07102eabf8db0712278a75b1927731556885a64f8a1eacc53946443d7030f2eb78acd8ad9dd766e9a19b06288f34a29005612d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssgS.exe
Filesize
121KB

MD5
bc99bdc715a7cfc01fc8fc8cbc4d7308

SHA1
13793832ff9f9465e2d3b245527153b8ee5be095

SHA256
42a2cd4ec5dedf95c3af8217f7c08e932751db55f75f3e8804c8848079af0fb7

SHA512
049413adeead3453073068546b002a0c9e00784c4c7881c256bbf18387adb69752db27148ed676b15eefe0253d4de6290303761d782b8bcc59834a4dd535919c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sskc.exe
Filesize
111KB

MD5
64594f25ff6e0337369e71eb5ef9068a

SHA1
c6624fbd145e14ca348c299a3025e501815f7290

SHA256
b3455b8dfafd2ebc012eae0ed216c575983b11afd7486662b123ec57713b5c2c

SHA512
b108124d787de0b548207248d0e9cd5c1ddc1ece1c5f5af18ff83df2ce4959c2c9e36860e1efdaddef17d1e192120c743691ab32cbb154aac17db3f66b417368

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUEW.exe
Filesize
118KB

MD5
261ee0d716c24baeb8ea2c1c3e245d8a

SHA1
1ac18b20781e470edb3c5d9854221d850f27f938

SHA256
3cfb5e9d8002d7ed73d51bc5bd0eda4297cf2e9093175d4bd70bb2bba2858829

SHA512
743f0218218a7d762d949201a9f41d6e736caaaa7a7abdb3551f273371aa571e17323529353cea07ae3b2af88e02670502a6d6c33bc59f63f76afefb8ea1d95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucYi.ico
Filesize
4KB

MD5
915b89b32206268168c5789d7c55f7f0

SHA1
37aa8ac4a21bfd3756457063f300caf5150d9cbe

SHA256
1aa540b0acfa68f313963ae32ca68a5b3cefb49217cbf3b9e0b9eb98b9b94b6a

SHA512
35ed5562ec9fcefca9bc1644dd8fd7c28ead223eea2100eee38c51224332cc071cb7a122f750144d1d2b38b3580dfd8025cc59e0942a97f729ac39bf3fbfb9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukQw.exe
Filesize
1.7MB

MD5
bc6c8a6947ce77ec4b2de5b5a2f4d86f

SHA1
9ba192a3f26de6d196698fb12e2316aff6c4eae8

SHA256
5a649e696b2026200c696e5c1b3525f8d6467a1f82723dae108c313d1e26577f

SHA512
13cb0db61fe046de8b342324e9473c9482804c2633fdeda3ecacd9e5d09e25d5e1708f3449017c2d4f5e89068957e6d7c9c8032941740c9ee4409803ff01d9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMMW.exe
Filesize
287KB

MD5
b5a7e04d87a96715bca2026484581ec0

SHA1
bcfb90dd7b148338d84be68fbb0b0479277f134d

SHA256
60ed522aa43055c910048a163caf31e43f8d77401813ddb6e035c792a6033fc7

SHA512
18864565f08d597433cd74e911195febb99b26b19a8d94fc5c4a2f8a31f8975376291c596e4f1223026a36a6a2241f6611236d4c31bb4f347e635224c1a78c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkcY.exe
Filesize
698KB

MD5
ab637606f08743f6f868b52ac467ef28

SHA1
d835469d64a739bc7a4e54a99f43bc47599b37f8

SHA256
e2580bbcbc21e96cfa8e4849c35b64964ab8065281db90c941b17ce7e897f74b

SHA512
9e1d799b73442f945193fa03c7fee9ce815bae1c5d801b5e724177127bc448cba3630b5109f37f1ef72c308336dab05cfff4acb15e254aee4ac062c2c99f8564

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAIs.exe
Filesize
140KB

MD5
55297d3528bec0ace032a7deddc29b31

SHA1
fa1e57361577e8ef860d04d6f3efec6c43c4932a

SHA256
17523292ed6d4d0975efb421c88c856a335e80bf189f18c2ea78b3f549c47022

SHA512
5678bd3cf7d1403df1e35b3be4f8a60662e684f75969de1034e69c7e1c8562fac499dc075001876245457dc1dbf7bf517bfd2fb270c6284cb9e3f2cbe384c986

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAYK.exe
Filesize
112KB

MD5
eea24cd76d9f63c518c087bb95fe39a7

SHA1
26c1d9076d9efa2a7e68995b20a842fe8e90b2b9

SHA256
e3380c8278603c0b38ee121e77a8a40b52f9d08e7a7b6b14320b8573a7881032

SHA512
e8ff14ac756b5e4fcfd858a1e31c7d5866e27c18c9d9a011d8de710df5b184666d1d1b346715b3c0e9d4d251ff6ce5d7ec8258ed8749acbe2ed8b40975a8e459

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycMW.exe
Filesize
111KB

MD5
f8bcc0d7d7c5eee328c07b1f206a0013

SHA1
60dd576fa97788c60fc94e64ba94e0c3ddfbbd93

SHA256
f4667dd9a8ef074b8075b3aabf6a973a5a456d09c96102b07746a94abe3b00f9

SHA512
0ee05c726c6a85571eb24c1f4cfe30bdea48db37d2a0483690d2a42b59946364890ac4f2c90239ecc7e1c8dafb1592f061f9d7b96980f16384745082dd6b9bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykUM.exe
Filesize
115KB

MD5
f1aa36c43f2d2819abcbf86844e408c4

SHA1
54f47cbb43b6dcc8b16474e1064dde7bd359d690

SHA256
46efe79414a8035ff3aac5acaa4e94e66d3106d1f674ede5cebf65015b5a4428

SHA512
b0743102d6ffd41b86dc2b9c4f77c3a19551218aa9d138eec02bcea96e2dded3730621febacf543fedefd6aacfee07a9cfa9d7ae1716b856465baf3234a18c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykok.exe
Filesize
122KB

MD5
241f633da4b9a7d8d81d90b0c7928c9d

SHA1
380a665f1f23de252541e6d046f249d148bf28e2

SHA256
4ccb3edb89b8f72727306f9b65b22ad2de20e1e54ece1e3c5ca75d530c807ca5

SHA512
7002be0b8f34239f9fb1d49ce0d7396c9091030cb81da604e67e9b4731e30b5b5281fd3feb07272e7bfb1b2c15bdf1621c38942c96686d731f0488cdccd3e61a

Download Submit
C:\Users\Admin\Desktop\DisableSkip.gif.exe
Filesize
577KB

MD5
3dc0f3a72f588b8c1b87391d1f8d6f75

SHA1
d6239904ff5899caa924d3e100912f43539da0ee

SHA256
c8b124fc79b81986972d90427f9ba6939055a2f46ea3aa50b49e2ed6a041ac74

SHA512
0e4a63cc0a9bfa7841df26603d02a03aa187d00570588ad9f9a8e4fc6cbbf27fcda76315ea41a82caaeb5ab8883289fbbc233b97489b36907c68cb6f948c839c

Download Submit
C:\Users\Admin\Music\SubmitSwitch.mpg.exe
Filesize
575KB

MD5
98d2594578db71930627cb6d92614216

SHA1
bdb111a20a4d9e09459fa7b843607341af1c3a60

SHA256
4cc15ec91883d898d493b2b6ee157c5ed9a90e043a67813f032e46108badbb5d

SHA512
d6f8c36c986fb6010e9dbfa6afc64f7162a6985659e4ae49bea1d5ed9977a5b2432d0464cd0acad4ad2719f760674d7612069eab0a05f67a86e571456eebb33d

Download Submit
C:\Users\Admin\hqUsggkc\qoUMIkIc.exe
Filesize
112KB

MD5
2c2f35681563db290b038e45fbff19b3

SHA1
beca1d3cab7084beaa1b1aecd11dabbac1b734de

SHA256
d0bc5d791004e1d5710380f5fce0cea8aa0a27acf28902d4ccfbaafe10eb0ff4

SHA512
3d00381bc9bd5be7749d27aaa5d1328eb3d1ff81802cd4e764c7f199cb5623b19c40a6ce92d9acb2c74d874b1012d83d6873247793e1a5cbfdd1e14dd4a616f4

Download Submit
memory/216-76-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/216-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/220-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/220-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/668-112-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/668-128-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/764-474-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/764-486-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/868-370-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/868-361-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/916-450-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/916-441-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1100-170-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1100-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1156-414-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1156-406-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1176-397-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1176-384-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1180-182-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1180-198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1244-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1244-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1364-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1364-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1460-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1460-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1556-456-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1556-468-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1564-464-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1564-477-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1580-256-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1596-422-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1768-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1768-273-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2152-335-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2152-342-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2228-281-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2268-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2268-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2288-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2288-52-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2628-494-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2628-324-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2628-316-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2628-503-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-423-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-432-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2964-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3184-431-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3184-440-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3316-244-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3400-513-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3400-536-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3456-378-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3456-366-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3476-315-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3536-162-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3536-147-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3692-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3804-298-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3804-174-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3804-289-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3828-325-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3828-333-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3856-379-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3856-388-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3864-290-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3908-396-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3908-405-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3932-221-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3932-233-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4024-512-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4024-504-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4032-264-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4032-255-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4060-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4228-194-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4228-209-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4276-482-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4276-495-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4284-116-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4284-100-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4384-343-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4384-351-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4468-449-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4468-459-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4500-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4500-124-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4628-222-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4628-210-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4908-360-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4908-353-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4956-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4956-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5096-307-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5096-299-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download