80363080de8ff10d5702532b3e1cb112b848f12cb21608fc4868cc2ae8a1303a

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
Size

268KB
MD5

156c0c82cc6ec79b5e510a32ffb4c320
SHA1

3fba51da6a341e3d4d75342de7bf0765e2fe5fed
SHA256

80363080de8ff10d5702532b3e1cb112b848f12cb21608fc4868cc2ae8a1303a
SHA512

8d636830f305bba2c35b863a8138ac946be8f1278344c22c207fc1bb25391d13024379e7cca98c4848831be54de2ad05432d1cbf725e408db4cee9a2a2e76b58
SSDEEP

6144:fI5amBA/dOi5QBF12xiBS8HP3MHlqngE:g5XB8D5QBF1fU8HfMFqgE

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wUAkMQgA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	wUAkMQgA.exe

Executes dropped EXE 2 IoCs

Processes:

wUAkMQgA.exeQgcssskU.exe

pid process

4928 wUAkMQgA.exe
1644 QgcssskU.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exewUAkMQgA.exeQgcssskU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wUAkMQgA.exe = "C:\\Users\\Admin\\IQosogMY\\wUAkMQgA.exe"	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QgcssskU.exe = "C:\\ProgramData\\hYkEgIME\\QgcssskU.exe"	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wUAkMQgA.exe = "C:\\Users\\Admin\\IQosogMY\\wUAkMQgA.exe"	wUAkMQgA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QgcssskU.exe = "C:\\ProgramData\\hYkEgIME\\QgcssskU.exe"	QgcssskU.exe

Drops file in System32 directory 2 IoCs

Processes:

wUAkMQgA.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	wUAkMQgA.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	wUAkMQgA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3872	reg.exe
396	reg.exe
3692	reg.exe
3972	reg.exe
648	reg.exe
3396
636	reg.exe
4848	reg.exe
4088	reg.exe
4920
220
1696	reg.exe
1336	reg.exe
3360
4308	reg.exe
4732	reg.exe
2572	reg.exe
60	reg.exe
2992	reg.exe
1936	reg.exe
2128	reg.exe
2064	reg.exe
1548	reg.exe
2480
5092	reg.exe
5096	reg.exe
64	reg.exe
4720	reg.exe
728	reg.exe
3460	reg.exe
2996	reg.exe
3124	reg.exe
1392	reg.exe
548
2072
3960	reg.exe
2148	reg.exe
3488	reg.exe
2560
2148	reg.exe
2224	reg.exe
772
1288	reg.exe
908
3960	reg.exe
3396	reg.exe
1352	reg.exe
1584	reg.exe
1776	reg.exe
4164
1036	reg.exe
3488	reg.exe
2224	reg.exe
3628	reg.exe
808	reg.exe
1568	reg.exe
3076	reg.exe
4632	reg.exe
748	reg.exe
4980	reg.exe
1788	reg.exe
4608	reg.exe
1152	reg.exe
64	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe

pid	process
4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4272	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4272	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4272	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4272	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3204	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3204	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3204	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3204	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3300	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3300	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3300	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3300	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
1536	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
1536	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
1536	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
1536	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4024	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4024	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4024	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4024	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4040	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4040	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4040	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4040	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2324	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2324	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2324	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2324	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2812	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2812	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2812	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2812	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2556	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2556	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2556	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2556	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4024	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4024	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4024	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4024	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4676	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4676	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4676	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
4676	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2596	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2596	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2596	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
2596	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wUAkMQgA.exe

pid process

4928 wUAkMQgA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

wUAkMQgA.exe

pid	process
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe
4928	wUAkMQgA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.execmd.execmd.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.execmd.execmd.exe2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.execmd.exe

description	pid	process	target process
PID 4012 wrote to memory of 4928	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	wUAkMQgA.exe
PID 4012 wrote to memory of 4928	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	wUAkMQgA.exe
PID 4012 wrote to memory of 4928	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	wUAkMQgA.exe
PID 4012 wrote to memory of 1644	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	QgcssskU.exe
PID 4012 wrote to memory of 1644	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	QgcssskU.exe
PID 4012 wrote to memory of 1644	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	QgcssskU.exe
PID 4012 wrote to memory of 1400	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 4012 wrote to memory of 1400	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 4012 wrote to memory of 1400	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 1400 wrote to memory of 3280	1400	cmd.exe	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
PID 1400 wrote to memory of 3280	1400	cmd.exe	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
PID 1400 wrote to memory of 3280	1400	cmd.exe	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
PID 4012 wrote to memory of 748	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 4012 wrote to memory of 748	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 4012 wrote to memory of 748	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 4012 wrote to memory of 4224	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 4012 wrote to memory of 4224	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 4012 wrote to memory of 4224	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 4012 wrote to memory of 396	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 4012 wrote to memory of 396	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 4012 wrote to memory of 396	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 4012 wrote to memory of 1084	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 4012 wrote to memory of 1084	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 4012 wrote to memory of 1084	4012	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 1084 wrote to memory of 4532	1084	cmd.exe	cscript.exe
PID 1084 wrote to memory of 4532	1084	cmd.exe	cscript.exe
PID 1084 wrote to memory of 4532	1084	cmd.exe	cscript.exe
PID 3280 wrote to memory of 392	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 3280 wrote to memory of 392	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 3280 wrote to memory of 392	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 3280 wrote to memory of 3404	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 3280 wrote to memory of 3404	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 3280 wrote to memory of 3404	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 3280 wrote to memory of 3504	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 3280 wrote to memory of 3504	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 3280 wrote to memory of 3504	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 3280 wrote to memory of 1540	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 3280 wrote to memory of 1540	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 3280 wrote to memory of 1540	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 3280 wrote to memory of 4108	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 3280 wrote to memory of 4108	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 3280 wrote to memory of 4108	3280	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 392 wrote to memory of 1612	392	cmd.exe	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
PID 392 wrote to memory of 1612	392	cmd.exe	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
PID 392 wrote to memory of 1612	392	cmd.exe	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
PID 4108 wrote to memory of 3532	4108	cmd.exe	cscript.exe
PID 4108 wrote to memory of 3532	4108	cmd.exe	cscript.exe
PID 4108 wrote to memory of 3532	4108	cmd.exe	cscript.exe
PID 1612 wrote to memory of 728	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 1612 wrote to memory of 728	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 1612 wrote to memory of 728	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe
PID 728 wrote to memory of 4272	728	cmd.exe	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
PID 728 wrote to memory of 4272	728	cmd.exe	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
PID 728 wrote to memory of 4272	728	cmd.exe	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
PID 1612 wrote to memory of 4228	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 1612 wrote to memory of 4228	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 1612 wrote to memory of 4228	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 1612 wrote to memory of 1820	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 1612 wrote to memory of 1820	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 1612 wrote to memory of 1820	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 1612 wrote to memory of 1036	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 1612 wrote to memory of 1036	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 1612 wrote to memory of 1036	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	reg.exe
PID 1612 wrote to memory of 2120	1612	2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\IQosogMY\wUAkMQgA.exe
"C:\Users\Admin\IQosogMY\wUAkMQgA.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4928

C:\ProgramData\hYkEgIME\QgcssskU.exe
"C:\ProgramData\hYkEgIME\QgcssskU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
8⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
10⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
12⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
14⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
16⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
18⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
20⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
22⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
24⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
26⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
28⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
30⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
32⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
33⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
34⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
35⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
36⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
37⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
38⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
39⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
40⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
41⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
42⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
43⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
44⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
45⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
46⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
47⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
48⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
49⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
50⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
51⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
52⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
53⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
54⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
55⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
56⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
57⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
58⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
59⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
60⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
61⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
62⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
63⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
64⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
65⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
66⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
67⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
68⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
69⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
70⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
71⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
72⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
73⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
74⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
75⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
76⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
77⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
78⤵
PID:1352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
79⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
80⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
81⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
82⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
83⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
84⤵
PID:1888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
85⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
86⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
87⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
88⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
89⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
90⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
91⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
92⤵
PID:1776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
93⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
94⤵
PID:4164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
95⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
96⤵
PID:3612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
97⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
98⤵
PID:4992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
99⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
100⤵
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
101⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
102⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
103⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
104⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
105⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
106⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
107⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
108⤵
PID:1612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
109⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
110⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
111⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
112⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
113⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
114⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
115⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
116⤵
PID:4368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
117⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
118⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
119⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
120⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
121⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
122⤵
PID:3820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
123⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
124⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
125⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
126⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
127⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
128⤵
PID:400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
129⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
130⤵
PID:2856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
131⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
132⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
133⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
134⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
135⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
136⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
137⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
138⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
139⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
140⤵
PID:2396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
141⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
142⤵
PID:3520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
143⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
144⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
145⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
146⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
147⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
148⤵
PID:2532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
149⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
150⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
151⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
152⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
153⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
154⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
155⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
156⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
157⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
158⤵
PID:1400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
159⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
160⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
161⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
162⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
163⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
164⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
165⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
166⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
167⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
168⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
169⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
170⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
171⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
172⤵
PID:412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
173⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
174⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
175⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
176⤵
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
177⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
178⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
179⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
180⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
181⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
182⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
183⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
184⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
185⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
186⤵
PID:1808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
187⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
188⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
189⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
190⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
191⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
192⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
193⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
194⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
195⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
196⤵
PID:2592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
197⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
198⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
199⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
200⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
201⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
202⤵
PID:2480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
203⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
204⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
205⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
206⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
207⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
208⤵
PID:2760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
209⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
210⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
211⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
212⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
213⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
214⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
215⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
216⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
217⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
218⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
219⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
220⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
221⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
222⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
223⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
224⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
225⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
226⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
227⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
228⤵
PID:712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
229⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
230⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
231⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
232⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
233⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
234⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
235⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
236⤵
PID:3588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
237⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
238⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
239⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
240⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
241⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
242⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
243⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
244⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
245⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
246⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
247⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
248⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
249⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
250⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
251⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
252⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
253⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
254⤵
PID:4908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
255⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
256⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
257⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock"
258⤵
PID:2392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
259⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOosEIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
258⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SusUUoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
256⤵
PID:220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAkoIMcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
254⤵
PID:1904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:4676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:1148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- Modifies registry key
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUEwYgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
252⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOQQYAwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
250⤵
PID:436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:60

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmUwYkkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
248⤵
PID:3808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEEYIcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
246⤵
PID:4676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:3692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:3824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeAEwIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
244⤵
PID:3212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
- Modifies registry key
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAQQUQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
242⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:4808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMMgYIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
240⤵
PID:2120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:1972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSIEkcsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
238⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcIsUQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
236⤵
PID:1152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:5068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
- Modifies registry key
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKYIoswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
234⤵
PID:1616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:4692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feEoUYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
232⤵
PID:1164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dygscwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
230⤵
PID:3428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:3360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEgsEUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
228⤵
PID:4260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:2260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyMkEYgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
226⤵
PID:2076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:4720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
- Modifies registry key
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- Modifies registry key
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMMcsQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
224⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:2148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgAMUIok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
222⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:4836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWwwIIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
220⤵
PID:3528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmggYcYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
218⤵
PID:1164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUcIwoMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
216⤵
PID:3460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgkQsowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
214⤵
PID:3144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:4436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies registry key
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omoowoQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
212⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:2148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIEAAkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
210⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYgwAUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
208⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies registry key
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- Modifies registry key
PID:3692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOUQYkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
206⤵
PID:1972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:3016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqskgYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
204⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:2904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- Modifies registry key
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mycMYMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
202⤵
PID:3384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:4416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEQwwYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
200⤵
PID:696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:3820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- Modifies registry key
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiMAQksM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
198⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:1352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SugkwAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
196⤵
PID:4508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
- Modifies registry key
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAcIccYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
194⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POYwAwoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
192⤵
PID:548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hswoUEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
190⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:1524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
- Modifies registry key
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUwIIkcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
188⤵
PID:4952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgQUkwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
186⤵
PID:2064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agYckUUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
184⤵
PID:720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:3360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWosEYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
182⤵
PID:3396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:2256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- Modifies registry key
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwgAUAMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
180⤵
PID:3204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:4416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIEsoEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
178⤵
PID:4436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tysQscgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
176⤵
PID:4040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:4628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyksMwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
174⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:3396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUMcAEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
172⤵
PID:3964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUIwskIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
170⤵
PID:1288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWccYwww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
168⤵
PID:1492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:1120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VygAAYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
166⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies registry key
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:3384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSYckAwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
164⤵
PID:2244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:3132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:3808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMAckggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
162⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQEQYsgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
160⤵
PID:396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygoUsEMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
158⤵
PID:3640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- Modifies registry key
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUwIwAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
156⤵
PID:4720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- Modifies registry key
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWswUMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
154⤵
PID:4016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAAkMEwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
152⤵
PID:2072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- Modifies registry key
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKIYIQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
150⤵
PID:1980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWUEcssI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
148⤵
PID:4352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
- Modifies registry key
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emYwIkss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
146⤵
PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\migYckko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
144⤵
PID:1524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:3008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
- Modifies registry key
PID:2064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McMUoMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
142⤵
PID:696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LewswUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
140⤵
PID:516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkkwAEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
138⤵
PID:4432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIgkMIcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
136⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsgMAMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
134⤵
PID:2352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
- Modifies registry key
PID:3960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgooEoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
132⤵
PID:3612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcEgUIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
130⤵
PID:560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- Modifies registry key
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOsIoUwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
128⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
- Modifies registry key
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:4980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loIMYssM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
126⤵
PID:2148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkMgcMkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
124⤵
PID:4732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAYEUQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
122⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgocsIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
120⤵
PID:908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:4676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEUEoQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
118⤵
PID:3428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmgAcMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
116⤵
PID:4920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:4808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUQcoAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
114⤵
PID:64

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:3320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
- Modifies registry key
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCwgkMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
112⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEEokokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
110⤵
PID:648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:4088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCwsUAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
108⤵
PID:1352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsgokMks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
106⤵
PID:2416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYkUQUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
104⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:4608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqwgggQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
102⤵
PID:3140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcccUUwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
100⤵
PID:1524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScEIQsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
98⤵
PID:3528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:2996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies registry key
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCYkIwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
96⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:1164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vywQAEAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
94⤵
PID:636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toEEgAQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
92⤵
PID:2804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiYEYsIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
90⤵
PID:808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- Modifies registry key
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIAkQMgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
88⤵
PID:2392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:2516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:1904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKAowgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
86⤵
PID:648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMkogwgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
84⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuIMEQQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
82⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:2224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqoYMMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
80⤵
PID:64

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWYwMgQq.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
78⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwMkkYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
76⤵
PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:64

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OikUAAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
74⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOQIcgkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
72⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUUgwsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
70⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:1760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:1488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyssgEoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
68⤵
PID:920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYIYkMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
66⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkcAMkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
64⤵
PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies registry key
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAoAkUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
62⤵
PID:648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKEcAYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
60⤵
PID:2996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- Modifies registry key
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeAAwIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
58⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaYQogQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
56⤵
PID:3448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKAwgsUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
54⤵
PID:3560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:3984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWYEYkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
52⤵
PID:412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcYIcksI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
50⤵
PID:1724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKgksYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
48⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWIsQQcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
46⤵
PID:1444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqQQYIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
44⤵
PID:1776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOYwosEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
42⤵
PID:1184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKAYQAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
40⤵
PID:3588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKgIUogQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
38⤵
PID:2004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIgwgwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
36⤵
PID:636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQUoIoUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
34⤵
PID:4024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMQAgMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
32⤵
PID:1480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAIwYIoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
30⤵
PID:1460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgUkQoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
28⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKAAAMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
26⤵
PID:4980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geMEsQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
24⤵
PID:2752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUIYYgkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
22⤵
PID:2688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAQwgsoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
20⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huowkQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
18⤵
PID:1776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmUAkIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
16⤵
PID:3476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwAgQIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
14⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUMQwYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
12⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KagQEMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
10⤵
PID:3396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGcEIgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
8⤵
PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCgAccMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
6⤵
PID:2120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcIcQwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOgMwkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4532

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3432

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
310KB

MD5
a1d416a4cd4a27e79ada7f93be2e8a6f

SHA1
289eca1ed4d44974e75457ca615388f42e0361a3

SHA256
3dd9e10aa7c4b548fe14a6070bfa5e8a0545d1a7867126f1a454ef8d8c7c8f25

SHA512
baa65e9b7cce64af0e2794c3c1341ef36f5abf90dc577b0722333212618b0aad73b712cdb04f1b1566b388e96a1f168df3f9041cc1b9e57ab123baa93d407841

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
229KB

MD5
560f3cd1b98ab7278fcbc3df8b5ff2dd

SHA1
aca26f9c2e62c2338d06e98744df8746485db0ba

SHA256
4c99ac20cad52d1ef488eda168bf6d6064862f37064da3f64b3caf6ccd6274c5

SHA512
50ba37d0686f3584fe8f9b70262f035d2035613a8b6fd95eab7ce0534f0421b75465d4669036d662273033f3119ffeaa0f5a70d2430bce4f83af8600c3c70fa9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
767KB

MD5
c0859e2be63a386ac7f0eefc6c2a1629

SHA1
d38f0f546ea09f216fd55cccce2f3d1b6fc58427

SHA256
f877481b11f1a79c1cae9c88c3d2ef009f492b8bf4ef92e2c301c3c122f85bd0

SHA512
4253963c4ec0626540a567d94d4347e40414d74c6db431aec93bc5c36fc3c5b5826af12df813c01799ebc737d6c3c71d9d6fbacf59b4430c99f3f9e993cdcebc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
Filesize
209KB

MD5
f774c9caf0dcb8d0588bec14da48c7ec

SHA1
7c5688b8ff982ae694d15d7bf401248f20d87a13

SHA256
5a6995124b1ec20111bf312a21ff12a7ac6ffc77e85837ce256901bb43173839

SHA512
5f76bad5f2b0ff5667b47412621b13e99c5450ff83b7d25aee76698697e0b007716cd7491eccabc012eed1f05893e85b1e56e8310e9d0c9eb5c9495d9b074c68

Download Submit
C:\ProgramData\hYkEgIME\QgcssskU.exe
Filesize
178KB

MD5
244d5de434cf8a2cf2300845c57f41b8

SHA1
ab423cc1db99ea3cc9e0228b9b8ac878567a96a7

SHA256
95dccdab5b30b9c20d61441a7e6dc292682ee8f10b71b3c3cb816d23e96cdb64

SHA512
e897d4dfe8a01f21e687f20e6aaebb83823f6a0b7824b880af653f0ecaee81a318b86ac43e03879b1a4fc7655bcb3d5ee61d14982742bac96f3ef8261a1d756a

Download Submit
C:\ProgramData\hYkEgIME\QgcssskU.inf
Filesize
4B

MD5
9f64bad834e087be2932bc325dac4b49

SHA1
2eef859311b31086c8d4c436b3da655220055d4c

SHA256
e4de77712a58493616bb804ef42195ffc32c76b1d6972e520856393096cb06d1

SHA512
67f66fd86b77cda34c32fe344f7d699dd59ba0e32423c632097f9b0180888f216f721800b7f2222939e48145a584f5782ef3dc733dfcb86f68817b17669eef99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe
Filesize
270KB

MD5
737f0f8bb86d1d68a9501287db5e9073

SHA1
3834f1ec7e6f1f2e647b0cff608ac6f6b1cec6e8

SHA256
b141aa0b416d4e034bdd7a5fb96707c8e786416f34b16485056adfff9300b323

SHA512
7cfdec54ab476e9f9aaca3216cab54b0d8284a5093facec17063f458ddaba3428a77df34001e97b2dd4960d7b17aeb7755514a7e7662a2ed463bdeee44fa3c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe
Filesize
200KB

MD5
2d5956ef498495cc7a38412ffdfd4346

SHA1
3c7626c22ec64975f716993a892dba864cd38a9f

SHA256
22abfc6349d5cce9670ab2d3c7b0cc39a38e2d7009b97892e981d6ad25def1e3

SHA512
0428ed8cadc92cdccba5a6b8357b2a2566824f67e859ac881d9d2ef53599fbdd569671370f70d4de26869d9bd2b5cce2699fa97c8bcee1285b5fb05acfc4a837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe
Filesize
206KB

MD5
1da10c3395b7703b1c0e53388153efe4

SHA1
9b92ffdf0a83906506c2405a76fa78ad0cf064a8

SHA256
05f56114f9a64e1ba22589266c3ddfb56bd1c263c2bbf7e025acf77f5ab4e01e

SHA512
11d87647c81d94ee1ba02eb4d779db30970a32d6243632c62ccbfdf040fb65e91491b39b83957bdff26bbec032acac970c2ef4ba17511d12d43e14a5c2cbe706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
Filesize
198KB

MD5
931e39a4bbc0a79628c62a70dda2c6fa

SHA1
5d00a8aa535cdbc59ea3b57084b0b77c470c311b

SHA256
fc5bcdc98dd038649aa21f5cb6ec43155bf0860e677393316a7ca76f59525bd7

SHA512
a9223b851314f99f556320bbbf58edffe7e73c55ac52e42d13163a2768983bc22d747cf9f39ea72efb88544150f2cc0a8b0e1160beccffe3217186fecb902602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe
Filesize
206KB

MD5
8bc08662d491d2d265d6048a5adf2b1e

SHA1
359698b7d899650e4d33360352fac25bf428b49c

SHA256
65e496237fd03edde7c22491765387ab01edeff4a911e35be8e0dc9039f29875

SHA512
3eccebb420a5c4c5c5e40ad18ff58173f2cc882a396186162aa380ec0a2576bd51e572e92ec48956da473881f3d81ba25cee66f793abd1e546db642dd3eb8e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe
Filesize
196KB

MD5
2e0ffd1f96860cdc101ca151c79a9346

SHA1
b97ee411b607f7480238de32a0c2ce871573addf

SHA256
6bf1f5bfd847f494ddfdc773bf95852c9a8c627482d78df1cbbeb27df795f870

SHA512
d1e862c8408fd5d0f2f9defc5c174c3079492a6a21ba741ccd283b2f703337f0c231c57ac568ed3320ba71f89ad423c273362e695a1a4a2c6bd76e127b9026bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-23_156c0c82cc6ec79b5e510a32ffb4c320_virlock
Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIY.exe
Filesize
190KB

MD5
d107538fa51fa3bf47dbef3db3289ed7

SHA1
ed199fe94950c4e0ccdd73d6866cb63780504e22

SHA256
e5c6645ec539c71638a8322bcda3383be6acc0bbbdfd87e858c93e43fbc8befd

SHA512
721cc035db32afec0b8277b1f00de18bf74ae6ab3aa6baf6a54bf320ebf9cc132ec0dc070ba9c5331808983ca06f369dfbcb753097c7d7ecc791b047e3602e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUkg.exe
Filesize
1.8MB

MD5
78f09b806ff5213386579b97ba7bbaf8

SHA1
55000f07c54d20b05a6c547a3ee8d72371d8ff78

SHA256
a4f8ed99d6718f63469d413d6f163c1b9424057c934ef120b438d8761aaa88e6

SHA512
25b1aaa4ba3fa1ec00846f3e0dcbdcdf36630c45c6a3fd85c125d237fec76dc57089634df43fa3a5055a54e990bf92f9ac94f826039d156f19bf524ce339cf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcMM.exe
Filesize
1.4MB

MD5
d51da03cea41cef0fcf301781a380aa6

SHA1
59035063ee6fa5561513ad79b07525e89646256e

SHA256
2efae16f646a6f012f42b3cbca62e805164c4bcc89ee4253f124f8453915a3d8

SHA512
ee7715a78b6ee6ab6bc6a77f9fc88d3975be67c20f953d91746a1a7aee437a0ba94f997f56a5d2c2550a607c8425062353387dbbf22323cd9f5c52044e967e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AggI.exe
Filesize
194KB

MD5
c3cb47f6267036cd0b9ca0f42b3e0b06

SHA1
b110aa7177be453c0031f1b71e554c490a26e07a

SHA256
45c5749ff40b881f118205b9b5d504c3354422476787e15dedd6c2ffc8088d25

SHA512
9adbd479ade912b5a3a24ad2c1656616c370997defeac99635699d98cda86b6f1bc3307a99c8bf8a8e3bf18cc6c9895f3261881969c6241e98422e98884f3d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awgy.exe
Filesize
579KB

MD5
e35a91ac0f0f22dfa0351b7ab4cd8e6a

SHA1
b4e028beb1ddbc74fdbbc210dd1744ca475a0b60

SHA256
b50571fe016e951bbfd62ca02785ea33d193596cbb8717f07fe8177c7308f1f5

SHA512
f35505575369720adeff1cdbe2288eb4233a6dea6fe9d2ca9d8b238cbbd857e160a2e7f89521701e5342aeefd44c96df152dc0320c654b7c7c7a348c1732c63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQkW.exe
Filesize
182KB

MD5
005763c3f2860ff2f2b184c78a23e071

SHA1
7a7a8310fd11513ac8db69648d4170c212f32ac7

SHA256
e123409c7507512e90a9cf01b19948a75bb1b1e19255cdfcb86a06db25275b3d

SHA512
d85ee664d0c1c1b1cb369983079aee6a7a5596791c3f2afeac1273e4895f75154f962efb10ce4e08ebdf60d488781276b521c2ac080c99d991ddd2b5d2188220

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcEc.exe
Filesize
191KB

MD5
f0900dcc49b2772527466429b3e1d254

SHA1
28c418c2a20bd743673e85ea155caec4ecfa11ee

SHA256
121d08842710235373adc014e9f6b066d8df30e47fbde6d9d7a6e91a0dc77f1c

SHA512
31b8924c68e13b6c8bf32bdf7d206a99f7b45db6a8dabf8b85237f0702690701382456c8d04e9f70ae4eda8c43a1f7ebd54f982c72991c035aa13124aa4525af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcIG.exe
Filesize
5.9MB

MD5
43265c9b9c61ae623cfc5404b0145b6d

SHA1
e44327be50b7c04e718fc0fdbb7e5c723a694222

SHA256
641f5c1710380f001a5b4d6df21a6b69172be50953e26bc05c003f9a5873e6e4

SHA512
dbd1d763469640bdb92f9ebc7f3d853f7e7621aecbab8b0d20a4c894f3466a0cae7668aca3be9322ea72d702394d7e720d77c402086a3285fa3137f6b08342ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcMU.exe
Filesize
191KB

MD5
ba76b52e8ac999847f95c8237a162ae4

SHA1
3c0bbd5f7eed56351af934857cf08bbf9574ee95

SHA256
9f78076e58d642ad5b60828735753a2956f3e04f0586c6bf2c6318e451070a64

SHA512
573bbe0ec5d21e8ad2138eb29cc947b009782af6c4bb892ab05f7d33059a12ae73708c54e5d1f86311c90083d07bcaaec7d1aae2836ec4646116ee9bc76eb840

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgkG.exe
Filesize
209KB

MD5
ef72c32c6e4f138c3264d59489662fac

SHA1
8f78f046f83bba7f9f3cc2949182bbb45d9121ed

SHA256
16fb20afc2335789168b85b53a163c956ffaa5ee2ad87f9b38166250f36715e4

SHA512
d0cd27c67e678dc23c7b6ecc3e5b88541f2f483be59c47113b8f1f178b24ddcf6cd46986ca29b217ee0437d98da92d4c86e4b3ff53c84ffc4931e397721d958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwAg.exe
Filesize
207KB

MD5
f1258692714c9c89b38959b07bc6a432

SHA1
580a673d63c742fa19d88421d6fcffa59de3a77d

SHA256
79789e68ba3fb8cd14ebe8a6a80035f6aa3f4d7edc71bae27658551f70680b84

SHA512
338f1fdf9e66fd04ec24d919d34cb9cb8145205b1c067d33d4ca439f20db27c443d96d202c9658f2478ccf356b1dfad59e27c31c614fbeea336dc7e0d144b89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEYa.exe
Filesize
522KB

MD5
b71a817cec423eaa35febf6568258cf5

SHA1
a441116712b19dfeed30c97898717d3febdab130

SHA256
10a537e8e6c5586ebae03f77dd63950e0873f686382f456834be564a54c7900c

SHA512
b1af75725d70f72f0fe574919b6c9a34761d12e064b89a1475ddd92f3fd9fab2386d208f7299208cfc8bc8608fcd40f693c2a083559780ade52b2997bd749f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMQk.exe
Filesize
645KB

MD5
68838c79d34132b027276490af8bf492

SHA1
c8a67f8d5d194bd938f0b69b3eee267b6820f479

SHA256
24854e85c9f857ab2ded864c93dcb1dc389590abdfb7d575516067f0e242c752

SHA512
61e6da4143450799bf8dac789a4c2a2494a03b8ff16ef2a19c25b5e5138aa662d9af88f73372c303f12e1764d19b37400cde72002b806557e399271cc5c9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUEY.exe
Filesize
185KB

MD5
6c3c47eade5ff4f9a49c1bd70e64e1e5

SHA1
eb58a34542c455cc4e28e8eb7474fe1ec6e0d463

SHA256
4d5dbe0074c872248328b31fcbeb7879e3c1a9807daf78e2abc9e34af11cd1fe

SHA512
39667fc1ee8b5e5c6a28b88416dd72d60e9d54a1d9f6d03a769191b542d0f7beb35a0d9a1089b965f40085785c672a750194e560c4b12af64f77ffc87f1aa66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcUO.exe
Filesize
5.9MB

MD5
39a8815d1b6eb99cc7f3599ba85bb6c6

SHA1
9a1e9128f7a5c79045aa0015550d323084fab05f

SHA256
5feaa537aaae391fab2cb687a2688a225939766b7b69877bc617b6a566ec88ad

SHA512
57e6a2b3711d93ae38f8f004afe2b0ff643fc14e27992a5666b5c9b16e5b701d0f567270fe170cc049df0b209a2ee6e70426a661f0f5e6cf914fdfd1a2914bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecsu.exe
Filesize
227KB

MD5
9f05fdd80495277fab0140fd6c203a5c

SHA1
342bb879d247a4a40e0e986eb829d7c7e4e7bab3

SHA256
ce27c000bcd970acdc5f631d865c62f4517473e6534edfd95fe7774ef08cb022

SHA512
78c7fa9324ce69cfd4fa955c2076f6ec7aeef71e959f4c9337916a81d3ab82944a51dafaa4010dfef162fbf0a6ba1c98d39e285af5898160aeed766e586993c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwEE.exe
Filesize
725KB

MD5
3c77c448e0f18c22f7dea33c6fe058d1

SHA1
95b234d0eabbd9ea63ab2622fbfea3cc09e5f5b7

SHA256
c0e90a451a6755ccef43a204b1a0d5bf6c9bb404e7ba99b98df9fca0434552ae

SHA512
1716defd47ac7eed8b7c85715fc7a55b558d34dc64c7be23a02676a89890f0d59986f31fd929296dcd588bb1cff0e196ecab1aae40dd70711785db174a1465c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC.exe
Filesize
194KB

MD5
06834f885e7a97bf267acb8407eb4012

SHA1
717b400e87fdf81ac16e5afa47e34505560bda29

SHA256
ae99949bf02d80602e6a1cce81ab38a6b4eae43a4c7d23b751aa3a6f98406509

SHA512
aceda040383503ed48e802c2fa1a5b63893e8c625f479cd74c2a60319c122c72379da2c2c9ecda75368094c05b75e0ceb8c1530fb52186a3350bf37339615031

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoIE.exe
Filesize
186KB

MD5
401c0b59cd92c9671f8686fd8fc06284

SHA1
712d270a64fdc7f0ec4fd8e6e740c61a7028b85b

SHA256
e77d0fff957aab71c72b9f35840638c68e0566a4454245af482f6322b07130ba

SHA512
c0c3327c20ef043a2e54244b652be0ecd49667f61548788902afaf5c6713ef1cc91eef12556284d33fe3dc27d60489705caf117e4c93218ad28cef313b138eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEQW.exe
Filesize
185KB

MD5
5d817f847566b22fc3eb5b88913d728d

SHA1
8d534bf679b95ff402ab6aaba4260db0c244d68d

SHA256
c2cb0a748974781e2c065ad2d60d28d9842f9156eed03ffd9e58a9603678b3d5

SHA512
06c83229104d61c5df36999773db2fe9207da5356e3cd2701399d92c393b1eb65b2d2ef3944aaef17e2fa28d749b0fff3a4ee068a742e7e63adb9030635d5701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYkq.exe
Filesize
225KB

MD5
111f2f69ba7fff46fe4a18d54e369bd9

SHA1
ad5c01fbb7294699119422d0169a70a6c661e5db

SHA256
082661b238da87515ffea9e570f033ff4a17c3ff5277046aa6891c0a425aee3c

SHA512
8df8a4edddac46b1f43a8eaa2fd35efbf42bed9569d1d4b5a06fdf9f2258003255ea53e8df0ee403e3eddae09688b6eeb8c3f2b6a17b6530cd468f5ca5076516

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgcO.exe
Filesize
228KB

MD5
4b1d8c4b051e93aaee674538d3cfcd11

SHA1
6451b3de02d62a6c724371828eb456fe9f7b7620

SHA256
5c041cfd194c68fcdddf24ae497c280257a39b4c91d711e8d9a334ef1327bb9d

SHA512
8a546398a5bf84577170240bfb9a4208a9daa5c5bb27e1930397fcecbb75841559b1c363cb388b0a682153903de483f561c909b206133c29fc3922d282d25d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikce.exe
Filesize
648KB

MD5
07e410ffda935f852dd1105090de18c2

SHA1
16711d5480e816578413742daf021408e65f35f8

SHA256
3e1f051bdf3d065d8ad5ac382241e3b50a43e51601580c52324fc86c6c2632bb

SHA512
a43fe2c16abc10e97630c9104828603b39821b9cb7d6b7d12f95b80f665ce249a05afc5c740f17691eada1ed7ab686f3035faf9c96eb834d89914d9ebf77338a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwco.exe
Filesize
716KB

MD5
645307357b7f6987dfaf76545e907584

SHA1
6f925be0391f6b137d1fbda8f5cfedf499123a86

SHA256
45009021ddbff99a3145286c8749069d89169c072d9a4707e588a1a3773062bf

SHA512
2508c82e690c834c58d20f767c609c94e912ddcba641d882a8fe512ea02b668724f9f09441f95e60958bce767413cdb980143600b5541c6a30d170f0a0a0aa9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcoq.exe
Filesize
200KB

MD5
58b20cb60411caef8736d5ebfa4f13b7

SHA1
e08230a05b7389d5963efbfab0eed87e1c24b096

SHA256
2be0d95b11a0bb0f1fe0deb9ebdf8feecc7eb828a28bdfc570b3c62b00824b45

SHA512
c109cdfda73f945c54231107d327ca7856af3aaceb86b7fca3f9f8031796b0d46508d6d32b6489386ddb9dd76d3d1f2de007cf76dbe2ebab88fcd0a07d09f676

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwIO.exe
Filesize
205KB

MD5
ce1b64990c368633530c82570267152f

SHA1
b6f10ceddd1939e9eee28faa0197c4f8f214f99a

SHA256
911ceeac226ec687d91102d09ae907ba597848af6725e18dde51c9fc6141e04f

SHA512
84c94d15c268dd5128671e1fb17796b657f31c475dbcec111038193fa7910634147c6c4beaa43ef40396d9cea8876d246910b7e71899502af9660db620d31b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUkK.exe
Filesize
183KB

MD5
51a00f14e52057f3b8c533a45932821f

SHA1
f3207c39e05d8042b7617fd2fdbd6c14312f2a53

SHA256
c34e66d5720f98e127752cb1862e9cf25187f522e02da8a3ba42c42095dd99ba

SHA512
efdf60f8251b251de2e7702fdd732df5665093ba4551f7983d1bd22816cc9edf69ba853f6c3a3619e5d3b4a5188d54bc06bd1e99f6a37705fd352b0862447cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mgcw.exe
Filesize
386KB

MD5
e4e9edc84f00f231996117cf40f9abd0

SHA1
a0f5d25c372c54dcba2e2692d567b643f086548a

SHA256
14c8ef002e5629509b4608ac11b6bc6a9bfd45163cd69505d3ac5b7afbd29d44

SHA512
a1d24122e961d670547ce9fa3e63eedefdaad26d876ca6645c20658c10f2a5b4131d0826e835724ce29fe9663ef1520191849ed46c6f0f1b414e33403a67384f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEYe.exe
Filesize
197KB

MD5
8df8cea66a020921707ab9577863cb9a

SHA1
1d4a70baea5fef88a514b5202b98323398a6cfcb

SHA256
fcef2b3c37431a0323cd120d7c3131e089d9a01954d16ee969da9acf63089f53

SHA512
ab88d8d58b42e12b3fcbb8ada2fa76f353b4702feb7c613f1e4c91480b9912f9ed86188c2ef8429f30eb5f4ff2bfb1d240969c5bee5ab144dc6f804f4bf9460c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEcy.exe
Filesize
647KB

MD5
41a49dd3327df716a0f551580e58777f

SHA1
7dd22dd9e9ec844ce9e6d87af4e2ec11f40b4201

SHA256
321a40ec7373aade87637ebc757dd7d54170e4cfbdf5a008d51b5b541660325c

SHA512
d99d62615df0d00374c5036f1bad7c308f8dbaa6d797302c61d3256d5a47bb0a79d68718def0af19d811af22b328772493269e3a3d6c71a16e3b7db0072a417e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIss.exe
Filesize
642KB

MD5
1aeaa5fc77bc33840839c99fb8ca3daa

SHA1
c413d9c58fcb40eaee3b610661f47fd4ffdbea02

SHA256
1f9406dc132d74a3d578607b5ffbadf34976b6c9d8e9960ee08f457c482d365c

SHA512
d1d58fb9f1680f3198c8a7650992f21b8ab24a57fcff6b149d24542ba2e847ea9ac2dc1475c28f038452f21f0d796c9787f30c5686ea49830002628cefa113d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMQG.exe
Filesize
563KB

MD5
453558803dedd8ea3d1ec52db0a9a3ee

SHA1
76f5056ed50032109e51a8711b7e28fd03bfe1e0

SHA256
567d367fcc1c7189bb3a4d58508a1bf9db60e2566271c22c860d25b73b8a4955

SHA512
cecd396d3b69cdc3f0ba2b8abd7897d6f5ae1d73f169160bdc72a931e1dd69d794392f7a512f4c5bceece2871599a127cf4a3b1a4ad8de736a7ce098bf4ef3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUAW.exe
Filesize
311KB

MD5
b523999b5e97db51530014d46eb25051

SHA1
f36f0f4f4b95d6a9d47ea39d1209401006245f04

SHA256
b7fb14ca156894720132c911525dd6664cf078ea6e5ead84280bfd62cdfb71c8

SHA512
b347bb8a332c7f72152b78503e6e1e73ee97fa7693853460734930ae094fc0cda99a0ec92e9326983e31b25f2664d345d29784f53868aca3bb9a6b6fb99297b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYQK.exe
Filesize
189KB

MD5
e655b59906d136810f25a3e5aeac43e3

SHA1
659e73a6414061b1d7766f6e3b7ce2acee570c4a

SHA256
9b5684b0ccf0d45c5321a5eaa2329c2e392875d9cbad695f4a1ebe685f6fec63

SHA512
ef10c58246fa9d5a702632589b6c0b6e54b4a81976911ee5aad8c3b41d21d279571b316bfc7b6deed9324e10ecd27fa08034d15ca13f27f73304d8743c7836ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcwK.exe
Filesize
196KB

MD5
e5e957ab8a13191671073809d1854466

SHA1
15fd06bc900d535c1dd50cd1b9adb907059f365e

SHA256
bbcdc8b2a3103ee2684052649ec5d3594d90d87d3d5b9851ccbdc3bac861b406

SHA512
0af9730db0088223bf664fb8a153552c5abc2d7eea92e09bf7bb7cbfaf9f89d0078d795a141695349855ca93164eb5e27bd3c5c33471d126c4f35f3efaba748e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYAK.exe
Filesize
194KB

MD5
a08ae9faeb0a241ac648b78514ad8078

SHA1
8d73bf96dfd453f8c0b8becb6f3dcc439c43cf1f

SHA256
4827f6c2d1718de1edf890c2f5ea06a7335a6dce43a05573fa74d9ebd6eee92c

SHA512
5280f596a20793cbc43b548c1ed3bc07928a35412efa1143a07eac89c82b9ae70dd173e0ac25acf25cf2c99f43642d8bc08bfd953a52b917311848bf60085e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkcs.exe
Filesize
207KB

MD5
e9ff0d735a5e13db9a65c388945e36c4

SHA1
f3f5be0c41ed328cb3b0bf8058e3cefe20886b1d

SHA256
0dc4b308da0d49da3db283180d0155ff8f53b0eb8bb62a312b544291be589692

SHA512
f21517d2f12303590d4f2ef373f03d03a28e5f829fa36799a13efa9d7be164c34a7b243316f88d0da55d7622a2c1491384db7c87a699b4ef999e5db791c9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQAw.exe
Filesize
307KB

MD5
a8d25d3e42bcee75613e973e717971d5

SHA1
6737fb5dc3579c8472ca47ea903afa291afaeeff

SHA256
a50964b77c33d9ddef0786f2ca2cb35befd6192459a31967a33dad1fb57afb9d

SHA512
943064991ae02492ab87d211a141f05848df8a3e7a1d7922fdc5d853b279edc0afb809639102ec3db0c013d64ada7c56f70f1efafbb9cafb9be012f8741db2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUIm.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYIE.exe
Filesize
203KB

MD5
59fb4597a29eafab239aeffd4ca662d6

SHA1
a4783251844e67d6c555dfdfbdc6bea1778e7576

SHA256
2642dbb08242a5d312bb885f06f0ff3119b1070b086f837b4e13c87166f0b39c

SHA512
6a33dab49b721b61f1db9db3eebd25602172502c5bd969616ed826aa9f43ce0d650049be57971640cf06173e10d2fe1f54aa318da244c5725d02ef556430420a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYoq.exe
Filesize
196KB

MD5
90f14ee1ba0bad1205a04943ed963839

SHA1
37af2399737cf0e2166665279db8afee26945049

SHA256
9e9f4fd42b9de259a60ca06c7db0a83aba9cd5bd65cd63fec874ad1116073a63

SHA512
cec624631a65fef0e2bce9a4ae0997ecb60ec5b8183ca465a29479432ac4d664579951de3115bcb2254f28238d814f635d24da5c20d275b025b416f3acf64f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkAE.exe
Filesize
211KB

MD5
dac526476d391ca8e4a6d748509771be

SHA1
3833fbe835bbe94a2eb1a10fc74ff7bd1294db79

SHA256
f46793b35ee973241cf347181babd8ca30f11036b9ce4c670be985914ee96760

SHA512
5a153f7ddb7ebbb686c7ece71be4deaf1a82229d4433e6d25848451f08fe716c03d71fc2d65fb35173527cd6cde7d199e6f2099c1ccb6628cbe9a32e498abfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wgks.exe
Filesize
193KB

MD5
324d2fe198c35e9445e9cb161c987a92

SHA1
e1561de52395e503db7635348223953a079d5da0

SHA256
d659b326b1d5f4c1b175eeb59830d05d17003a7c563bb680d50f4137d5d36e73

SHA512
b43f3bf618bbc98aa1678d6c4caea20cbf92c0e3fc4100a72bd7a79a461b7402591e5a24f48fd273bfede804a5022536b1b2a1250525a01af3a6e977e6570bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAgk.exe
Filesize
203KB

MD5
2368f467c1116612f376cdb0ae403c98

SHA1
297188389746af6cdf3f6e97c47b3ab4eae5f102

SHA256
d7b18b0c1dcee435d08de90eba3f0eefdd823f678bb581a686dc10eeafe391f1

SHA512
20408d21be0ef1ab678194df4bc00feefccd0914b240e097ea067ae6d61ae3d585c1bd182f76a67f88db2a2399de629a766dad4c90ab9515e710279bb2bb10b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMMe.exe
Filesize
204KB

MD5
3dbd9d52992e36390c382bb10f4209bc

SHA1
a21d38e143975d171681b587cb6ed925f9433aac

SHA256
038b2f43a7ceddbcbc55473d0f172b1124dd66cf53c3c379fc18a8430ca0deb0

SHA512
291b9ba913e7a5db967eddb14493fc9668f22bbd43adb8e598874e182b2fa7e128bcc613c475ea806306edd2b0673b584ac1be13bc30d5883fdfcd7541fd906e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYAm.exe
Filesize
212KB

MD5
2d34d1d01d24f1ddfb5d1297815c9e45

SHA1
4506761358ed1a70db8c5b0bc3644dafcb3e708e

SHA256
c288fb7b632b21c524aa46c0bf487bf3d317dcc453b81d8d647c7b4a827da88a

SHA512
18577fa652b42fdc08bd63e70497af0d0c3c79b7961798b88a39329488b8eae95ada6b6258df5017ba9bc7533ef8ea47bb423b6072fc3fb1ba215217e1a88ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMsy.exe
Filesize
211KB

MD5
a6e11e123f19b343fc17a01a79700669

SHA1
53f1576abf97176e168ab16dcb3191349199ae54

SHA256
b91b498522a1f7fb157c0b891001f8d9543b22903532155d3d2d2b23d2580835

SHA512
4aa3d58998737190b7be0976fa3ed7b716ee823545a76a2337f3725b94a964df854e869c45f483d20ce92d55105a3eebff30e7792650efd87bfa0a478e6c8d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQke.exe
Filesize
198KB

MD5
3cbb007bfd963bd8e878d90d092bf27a

SHA1
0f7d4ac0ef16c1f51275e5c91d7eb08e72828d27

SHA256
75df6e848b92e60307e167c31e7112eea69b9dfb3ec8f82393bde53dd79a0f76

SHA512
19311df453b48cd7cee97f40eab2bf86a159b4ed289a680ab789b9ab3675e7e28d650e40bdb23d44615f32a273e0db716071bbfe792e7d6767a494cf323b68eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUoe.exe
Filesize
187KB

MD5
bf592cb957a472a3d8d5df0370418089

SHA1
3b6d7458279350b5e4daec0e737bf94a9b2fa299

SHA256
f77b127cfd0df413e44153cbfa93d57eaef3705c8ef18df46e0b4be582ada5c8

SHA512
1632f6c308f6f67a7d8406badda7db01d380378521886b645623f16023e678da1d828c94782702459468b7bf906f3d263b4ffe0565e079d833b8b364e1146dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\agEG.exe
Filesize
306KB

MD5
2bf18f9f94ed065554d4f9af89a6d1a3

SHA1
99cf7016a6b384916dd3e54fa120323f96a7576b

SHA256
df81f6f47c975c22aae20d675a0bc63f0d65f09c0d591ef23a49f134dd5eebab

SHA512
9828a0360cf934912d1be050d87130c4b703b64bf274709a7b7aae2c73016c6252a90d4eb9e5da1d9c006245be5708bc14d1800b6e8072c489f9ab2b9846a913

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIkw.exe
Filesize
195KB

MD5
74b72ace2211cbb49c7baba0d64868cd

SHA1
c80fe50ba31b6fed905da8286754bc9dcadb0ec8

SHA256
26bcfc6c52a570670fd4bb72a22e99b9b82c560604c80afe28a29823d22be6a9

SHA512
307c2175801259c17f9e8b3d8bf9c1f8c244dfa7e34f3d1a2f3d7b8bc473bfd975a7c475ca6d50708212ba923e7ba8d90838e09bcd1020aaccb6549a90645086

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQYS.exe
Filesize
183KB

MD5
afa6e8b9ce71e6e13c01674c0cb094fd

SHA1
424b000dd6e8e21367468758af31d783ca33e955

SHA256
9aa587a7f13038716bf610d51d64ce4dff4c9cfc34247a3c0ff7e3badd031f23

SHA512
96d03d70f930250879f9a064ba0a86ce23730f30d960b9c6c1d1995b8541900718a546506e4f23169a322ac37e7e6f0f23a5635b42d2193eab92d40228aa78e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAwG.exe
Filesize
186KB

MD5
9718a9f6e6a37b162a69ef2cad3d2cf6

SHA1
5a57b5cc1ca489b0795a23560a17f84b4d5b8c69

SHA256
46a8291abe462a327309e2a1b4c1db8c8b3724933ca2375af684f076bc888c51

SHA512
ef52dea960c20764e20fe6cc7cebcf7ae1e779e000e0a59cea1783225e5bfb73f23c412c3066d2a62e8a54ba381516354007b0f715bfc184931ba8e5ad436147

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMAc.exe
Filesize
199KB

MD5
9ca560c1a6352843854c65aa41d33abd

SHA1
b3892e68cdb909aa7e39ee12c1e76bb839a6f9ce

SHA256
256f6ddaec08bbfa4f0e0b5a91030af386115f0243593764b3e2f84f64b36b4b

SHA512
d6e64368acd44457c3648dc96bd9fe6fd582fe5774915c5187cfac342aeed1ef26cb9f7f28340525c150e4740ab50a08afc0b0f64f1f487f9248489a1d215be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\egUm.exe
Filesize
199KB

MD5
a5c607bb195a73bd344e6dd2650820df

SHA1
66d05088203a3636c4050fb3b4a984e63366bfa5

SHA256
4b0c110fdc2115c649606b931025d8309b95c1b2ee86a1150886c1f23d184abd

SHA512
32148c5f3b55653d2c1e7c0710c22bf79b36e4b72f75e20465f0ebf67ed33e9cb96eb365eefa3a377f510bda839e426f0cde5e11a80902a2da5410ce811db052

Download Submit
C:\Users\Admin\AppData\Local\Temp\eogS.exe
Filesize
195KB

MD5
8fbab4d965d051d7f09600262497826e

SHA1
3080ec7d89160b9c78cbb51720964b92fd5b74f3

SHA256
292a2e06f9be05667ba59b8c5b3545a03758f697ce83190242ca26f4644efbbd

SHA512
06052aedfea3c90e2f5006bff4b9b3d7c6a36e73bdec0553de5f8e019943887c7e1721003930accac1c66babba1c8c456c1239320fa1702dee08dcec110fac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\eooE.exe
Filesize
203KB

MD5
aa53f0858b1c42441beb408ab5e57963

SHA1
0e7ec91586b3a1e9a47644d7d98c7cd4209534fe

SHA256
8e005f55d1d7330c7502e89d0aa3cad04b09a970f633c5b9da0a122d5ef2652d

SHA512
029363bdb48b0e663118c99a6bd4f3b4179544b323644c62c628f9a7f866183fbabc5857b0ef9a29ec556dbc079ccb6a5e2803066fe3e80559dbd28e2dfb04df

Download Submit
C:\Users\Admin\AppData\Local\Temp\esUe.exe
Filesize
199KB

MD5
7cde57a36da4471b582bec8cdb73c52b

SHA1
c103cfd3bc35caea991daaba6df9d45f21c9de7b

SHA256
02117ad5a40b7f1da2508cfd69af5f32cc49244d20cf0c549aadcff65ee06da6

SHA512
c062406a01f240cbb23c0aeb1378f1a3e802190ee9861d9a44e994d9bf1c71c2e59f0b9501a848ddda04c81a56168ef9e9952ab47f310fb394aa43bd2a8eace5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewwA.exe
Filesize
796KB

MD5
87c7a1aca140d000c98d9ffc419668ab

SHA1
f2a1d9b603bc621442ad097c798b0f0e7d059b3d

SHA256
edbcdffc13f8ab2a33ccbeb4f8ffe206b38f67e7c4e5b6ddfedf27d78f0b4330

SHA512
49b0dbe368512d47c8aac2c616a1f90ebf87a7103f4e50133f4fc4245ba82dd8e1f172276499249f41121fe6ed450ea2d5f9ad04afd328986210128f3e734499

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEcE.exe
Filesize
789KB

MD5
e637f279c74e313e7a99cf2333ffdca9

SHA1
12cf4e9abf79acf1df1222b6e4528e76d43e551d

SHA256
b891d697e1275e3ebc76fc907ef3c4c513a03574b83d53a1abb1e9148af2daf9

SHA512
8a2152a278158db85985724763b4694a9ef893dce53ffd6d282a685d60ee7f97845c893a028532db0d96794a14361999fa438f845376f5b9218e68e1e5840ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEcm.exe
Filesize
237KB

MD5
458e87169938b5d31aefbd6b9ba6882b

SHA1
bfe8b3af00b9a5d2ab2f7bafbda4878241d9ede8

SHA256
8e02c9e014117c3884b188f45e8d5e76a4efc423c81ace7e581b0d7c49d01c42

SHA512
755cd500a4e313a645af23d8b575b0167da55fce24306a99effbbad54308ead00dddd43c6047e554140e17167f3d22aea9cdf7c17c5d4b47aa8a2c648bb4f510

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEgK.exe
Filesize
199KB

MD5
2bcf9898131b38d480b7a8139f16910e

SHA1
c8b2e6488787ba88e13428515e86acb3a152c930

SHA256
75bfbaad6613a0809086c650f2360187466c1de723c146d10e80e18fcf2586be

SHA512
599af99d8f53edb38011e81d47a021485c13e6afc913b360437b0a86150f816f88b665c023b4bbd92fe83ead349e5b33ed1f46f60dad90dc816cb8c5a6ee95f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEwm.exe
Filesize
5.9MB

MD5
464d4be63839b4018e44c5ffd9914f1b

SHA1
1e79d02af0590e619a439755303fae2e5b97a92b

SHA256
c69951ea008c2264badd880a4862e30305212b20521513cfa07da38d118e0c5a

SHA512
f25c956fb924ae063cf271110a105793ea34c73fb514ebf960b2b23e4789c5e3db9a04b9fecbe6e13bb74223f92f0322305c18808a0e8f3c554c7b8d9bdbf965

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQEq.exe
Filesize
195KB

MD5
1100c7aaea8b6cea0f1f46a4eb067894

SHA1
4805c36ae3c3c255bc3cae7c83fc91d99f61d921

SHA256
6fa44c04244b096540ee15ef87659c940469544bed96fe8983185a0c4a9e4433

SHA512
110acad1e452a937e049ca1be1094d870602a620c066c2e92f900f4337d882e37c36dae6d1f1d920628efe8b0b98c725da477b820a56446531e90b0918bfa94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwwe.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQgA.exe
Filesize
187KB

MD5
d706b2f202e94f845380ba9d21f4f927

SHA1
3206e12d1c6223069712ef2f78049e2636543d20

SHA256
a28d48a2127da26305c8a10615a1c2a67cd72d4f762404263378fceda376c7fc

SHA512
8e3ce5cb56205c59086421b7a206fad0a9d6c2226d2261b394e0ef70ae039cc015ce4c948328fcfef20e5dfdc870f281cba2a0af4438a176e50b1dd9ea793c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\jOgMwkAw.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAsY.exe
Filesize
204KB

MD5
e06dce11ee5a20f3849c8cdcdfc16a6f

SHA1
abd683b1ec94a10d3813488f4b77589d6cc96f86

SHA256
5c37d089eb18326e8f8f4924979d4acfcbc54095ab48d9936fbf0211d0f37ea9

SHA512
4a0f0ca26e9451d4258507d8cc8a497ad0c07255974e0dddfc1aa2ceaab4374d2f8e7ab2f57aa3da4891d6acda14edf98898f982cc02b3efe836280ff4ccc7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIYA.exe
Filesize
983KB

MD5
d88b0627f1aa2c3d99bf3a5dc37a3fb4

SHA1
4ebddbc546573ca064b181c2fa46f6720d0210c1

SHA256
cdc00a8c5dd6e519a0da4536678fc90f8822c7e459fd9da4793b1cab14aa4faa

SHA512
180902376db54ad3ca7c85cf318f495c6875024a6925ed40de77a5dfe4d58b6fcbd24f81c02044fa350fc299c10ee01b8537a6f6a945b5ecba93009cab84ab33

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIsS.exe
Filesize
428KB

MD5
63f9a5f96c1ded872e8933556c8074c5

SHA1
a15927040f4954ad3b2f9821b00d7747d4bd2fcb

SHA256
f25dc46fd4f85e6dcb2ae74216eff1eaa0bbe158efb49bc69dac2e32c45385de

SHA512
42b1b3a4942aec7a35f908ad42074ce0d6e296a8068435de3b5676d000e72b05acab00bbd8a1a129ecc61df5eb43fd3150362da33f992dce05c30231c879c1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\koka.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEAK.exe
Filesize
795KB

MD5
d3942cef903355a220404db9c39d811f

SHA1
3ce8b0568320c55eef5381699e5d709a0de65ced

SHA256
4609637dd6eb67403112ee70211a68751df18909f7216d512cba8b8b9d06cba6

SHA512
83c6c3c0b69933bd11d2a7caae7351f5c92b92b673380ac9d7cc9e80491c6b1083881b9c6df54aafee1ad2bfdb9597048d8f90d187aa963e2449f9b342837f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsm.exe
Filesize
1.5MB

MD5
2578a76169d1cf590016932259bf3f72

SHA1
71a5c6e1c4c010369643da4b598dd9666aba0482

SHA256
972b9cf4dfb1bd2006630055e18287e7b8e260c6ed78df215bc7de5285195d4a

SHA512
81442d21534fe3b186686191d79366dbeba9e69a640795e94d0bb0ef8ec81aaa9c0a5cbba1b6f2edd0ae770ccb4cc7dbc9dd2e866cb0a20642c17e0dd24cd0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQkk.exe
Filesize
196KB

MD5
4271fbece9231b4842fc7cd73aac9320

SHA1
3f77785a98c7565a9ed9eb4a098d5582e99de44f

SHA256
67422f7055b75df764d8d0584f97f455d836b1ec0be7f9ecaaf5248ce89ed87f

SHA512
7a3eaa1ccf949cc4a69da7973010cef5d3bc797459afc8d3aafadcf5b30935aa6fcd4a8cfd90448994d7290e506b7f5b7ba016463b3d0e59862a3e87e561a3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcEC.exe
Filesize
205KB

MD5
6127405705ea55bdfde7a0237ba56b6d

SHA1
29aba661f7ef9e98a8de1e1a83ef7539f6f715d3

SHA256
1258ce1e4e396c3b423412b3de20544b6ab6c6716078b5ff0f315f7fa8986dc7

SHA512
067e8ea4e2a89eae36a5bd7d144f58ac22fa008c8bae866db8ee768dee05dd18469bbc4b00d6bd5d261dc768ba7d4240913ab6ab7bd6e5cf6b2985ab52dc6346

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwUk.exe
Filesize
825KB

MD5
087cb4e2c902d58493ddf105809dadd9

SHA1
de89b283c7f9dba7de85f2cb9e2b44932da8cd9c

SHA256
563c13e98f01ef886376ebaf33730bf5e47358f466290bef7f773579c186d233

SHA512
5dd0d89027afa44e0a78decdffdd30a1413541e1cf8483443e88218b94ef3ccdafa4d5444f72b7409b7357bb7d29c8c5b02be414cc62a90be519787545e7691b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEQq.exe
Filesize
196KB

MD5
0f68d315ca50a3cd10ea75f8107fd000

SHA1
5fc2beadeb7dc7fdcc29978b26e8f62097579a09

SHA256
434899496990eb9588e1aaaa6327adf042b03dcb5fb0048091efec486f63e81e

SHA512
d92760c2ad4d09e1d6d9b4b8d6e000ea5557ae0eec5e43785b7ea4534253214573f5d34139ca2b1e332b8cb8fbf54d37e3cfba74a8a5383e73d392743b1d37f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIsI.exe
Filesize
218KB

MD5
e1e7a937a0604951cdbcc561714c2f1a

SHA1
ec46448ffc2ba8f45d923acc510ce46cbf4a820b

SHA256
e23d335bf14a6cbb9635498eb8fe2aece605e9d00e59aaae3521b10fac8427a2

SHA512
c9c1ff89c5ee10b0f2ddc41266ecac0e55ee1deae4aa2542a9518e8e5cf20a19add8266bfdc2389733e663f0632078e1d4bd18e15593c0c1dbcd9c0596a0499b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQsU.exe
Filesize
208KB

MD5
a2c608001743f522af98db2d7a1aad0e

SHA1
82ede6445c873e19606585571ed922a65b5fe051

SHA256
80f8d73e891d1e69f24a6ae191124cd8c3e2bae289006a39ef8206c5b665b766

SHA512
7150ee62266f79bfe30c844be04961470b8d7d22fcfe35edbeebed0bf9621afdfc7efa4580813897ddc56581ddacc71a619cad5a77ca5c7e21f745dd054e9aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oocy.exe
Filesize
1.1MB

MD5
2be20ac1f546ff471e3f8545bca1313e

SHA1
bf413fa082fce977e251d12d455eba3c71ecf0fe

SHA256
c43a50201dc567d594829f24ec3907a305ec2225d0ee7074b9467f07d09a19cb

SHA512
a3a6c6481b83d5d4d3a60258bdc86849a44018faf757ebd3feaa50af5fd60df711b3ccf1adfa2103ee226f1a5cbe9899053dedbaad4367bc65599c56f2b43672

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQoO.exe
Filesize
187KB

MD5
0c0924ee2d26cff9fb5dbb09a38eef6d

SHA1
10e309e33df86692def52891a9e74683d5708771

SHA256
d2d9de33b6cc21ad4a06b648dc3ce7437a8240998504a383eaf9d32c02e61481

SHA512
b979c618f366dda23e58af9aa26655fff7993f6e8a7d3b8b33b06fb16fd3259e5a3ff447917c307287dc6ef30d929a810d9638fe7e06c7f4c1b2c9efa5f21712

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkQw.exe
Filesize
181KB

MD5
cb8f0c0a637e80dd2a1e52c2d8951d79

SHA1
5b8d2c7776d93a657d4ff70e8766c7c9a842562a

SHA256
63693559253d8b726a46d9ed89798c241201f5e5fb1daf3b753ec63a7b8cbf1e

SHA512
8e3b95b31a42876821a5d4eb09e87dabd0678f66222d54d2fea5d520b7948ce90d80a934640538eeba6ee5299fdca37290ae098a939b43fd4a94f0684ae23ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qskO.exe
Filesize
186KB

MD5
e496d5add809b7029691700f9e89c78b

SHA1
d2f80583b461b6966c374c3169553a756f1d6e27

SHA256
8b4ce8ce043703a2c7cdc65b37f6a0f8634569edae72b113a99cd485828509de

SHA512
1908096dbbba0649d4238e96aacbdf4064774deb6091f2a9719209ac704e97facbc4b973929a750730f5740fa5e25fd6ce24f6f242a3ba3cacf28eb36a7b3464

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwEM.exe
Filesize
193KB

MD5
12fcdd80cba995040b5a3c5a85350956

SHA1
6130b749d5937ee80daf9ccd29a7a156be2cbbd1

SHA256
887f07f22cd5681795dbc7320f1afdf9c0010f4af8a886bf60be40148a9c9aa0

SHA512
8d9b20f346aca228443074399091fe5b094981798e51a9d6460f88328f06240b38c4dfa9774bf5e7831b3a6010b57e557dfeb662d10f244c4d09c20bcac6eb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUIo.exe
Filesize
194KB

MD5
f78585b141de3260a2825b73b3b9b145

SHA1
9b41e39fb9194aba06560c1b06eb3de9a6dd7c9a

SHA256
28a4f83753e5a1641ab93a729c7b29c987ce14513955ad731282779d60823b94

SHA512
1aba2778dabb92d384abb8a3b3bc1ac251780042b33dcd7383483fc43a94a60288c5e0146efa93c09e973f307ffbe07f40b5416f091063c8f200a057ac740c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEQO.exe
Filesize
202KB

MD5
e2e939ab79c9b532ec7ef63a64a81f3d

SHA1
cb3c708105060067e74046afc95325b668253aeb

SHA256
c9c7d5185a2bb3da9acb038d3e9a7da9f12519572ffdb6a49c69b8c4afe86b0f

SHA512
1dde88bdb7a317d8100d1b4bdd89ce469b626701b9ac3202e73c90b39b961be3a6f4c0bdfc3ea60b4ce616a588460634e5b587301065419a5d4031bde51da671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucUY.exe
Filesize
484KB

MD5
30c7a3c30ef1e02b1780c3b36273fd85

SHA1
63673f1f35cbac8f406696a0d7a504d2adb92a3f

SHA256
bf7641d109bc70437e3a0e2322dead453f5481fcb6375b34afacd74ea19e384f

SHA512
2f731636ef18f05e644773c6af9c7d5e49467175b0fd5f156defa3ce21b497e1af5e3537f5248e51b8312b419f1ff301843eb0a99bcaa8ece93331a3859819a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\usAG.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQEe.exe
Filesize
212KB

MD5
144e072c6c1af4ee253590ac952b628a

SHA1
cae5ff689345b4bdf6a7f3aaceb9e79d888e86df

SHA256
e084f2c943b7f2c26af80f950dec8f6f32bd8f217b689aef2fbdae9789a78af9

SHA512
ef668ce1d14d6964708a22b8979a7256f2551d68c33209d47d3c17b76fff7728a2a213d92653ea275cfddfacb5c3bb3b465ee10dc3d4d7ba75949bc9f499cc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQMa.exe
Filesize
198KB

MD5
8c87a7796f64abf22e9da73878f7fcc9

SHA1
762187bbaa217dcbfaec1db8c5b745ac701f60da

SHA256
5ca3fc6c05f4138b57a232a64eab002e60ad7b43c4467bfaaca11e0ab8864aa5

SHA512
53bfd5c3b10a3b7f7cff003d19bee6b35deddb1cb2b375691f41514e5dab7a12de4431286ccf5cd724b6d652329ce69ad3290c65e0c91352c486b6a4235b2d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUsU.exe
Filesize
822KB

MD5
518a895572d2207a4ae15bc9628f02f8

SHA1
da13f424d3fde8b6419d9afdce8f989145710927

SHA256
c7bf3a22f6f69343fbfd57adf83e53d59bad59e63684bce952eaa8af2b2bb817

SHA512
29eb73eda5a8d7ddab4d27d36a1dad64dd26d907da79c4202924e6e1e270f67af25a56d863a26a1c52990ea7176c4ce53c50cb8b6a9a913d6a8b2ad638418dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAwK.exe
Filesize
208KB

MD5
fb3cf32dc4a32a6b911c260e8b383b6a

SHA1
7a814ff43fbbb228cd0f64b304e665e20dbba6a9

SHA256
0579f313848f6bbe5bbd9447d49042c25f3391c9bac0d9c2d70a0750ec1adc8c

SHA512
da4dac7637575744b34a3a8fbf4791cb676c372da78234ca66a13f0259a8d29c46679cf38c07bbd0193b319fab7103d47b8a652ef32ff5c76d9807d30009b964

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEgU.exe
Filesize
654KB

MD5
4cf731bccf789822ff4b7984bd676d20

SHA1
d1a04d84aaa9b0d8b998727635ecbdc0f404726e

SHA256
bcfac665aa07381e2361f6e083eabaa76354ac8119963970ff1278c105b54065

SHA512
a84f049b0da8b1dc65f3a107c8aa38c2320307f407146e460a5d5f9f54a1f42b63804117717ec7a51988fc20fac3467cd004d0e0b20996bbb93ddc49c8d0e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIcU.exe
Filesize
542KB

MD5
cecf2f2c02c541d719ea56731cbd919d

SHA1
d27c7120fcccf60c0435f537e0c034b03587b803

SHA256
e83324879b5533f38280870747e6d602bb607b9e76d5212339011522965f39fd

SHA512
fcdb4e52f00b01c84de942980c562a22d86f96e669757e1d3c79c3b380d9bf1aef941bb61fe2693face33d6f632afb03d2db825bbb1e3df23a1b08e830a1c676

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQsc.exe
Filesize
808KB

MD5
ef2fb653345ac1e87dba72581899ceb2

SHA1
e9df9e70117ee3835fe854a34bf8b652c1315339

SHA256
2cf67330d16ddbdcb4151e0d22c8aa3dd52750ba3698dc3e99393f52b70b57ba

SHA512
d9e1e905349b6ddd0945e45279b51e8acb29ff48a1dd9ea1e3174aa0db7f11febeea0fa5808b8232717f7ee6cd73c9d51962a9298629c9c45567490b3ad57c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYy.exe
Filesize
1.5MB

MD5
b1903a07ca964de97a417060f870861a

SHA1
40e5bf718f696812e08b0361845756fb932c19c5

SHA256
2ddb7afb95ea0728938dcaa6c2a2b681684ef02fa3ff29c8bcd5d19d0e315c17

SHA512
4e3ae0088ca53f18e0a88cd420e1ea89d8ac8eb2c779cca80acd61ca784e1210e866d852af9fcfa68cbd7175439e0e7488fe4c89d1f61ba4f76fc57add9c4732

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycUg.exe
Filesize
221KB

MD5
13f0890f009d3de71c17fc96aee9177c

SHA1
eba56550ed8f7d6c07d03a4822644e05d50287a2

SHA256
fb884837e51f98994a0a24fd5f695be0a72933155e7b0e1e9b2aa23481fd1005

SHA512
5785f77fd766ca8e2f9f52e1bcbf1f123ea86b84454f9fec5b2672f0540f57f34997876750ab6e01b2e504300c0c373bc441c7afc22644ad58cbbec3ff43b3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykIY.exe
Filesize
198KB

MD5
c2687ccc4884efdd3a59afc0f37bed00

SHA1
efc5795685c8c111f9cf6220eb26397a8debe3f2

SHA256
30513463951934792a9c414be8ffd1dc16d8162d6d3878d3df707b12dd72acff

SHA512
011b456eb8b975db2de9f2e75d2ec9f3d0d1ff8cb66060f21500966418fb8d1aecd34400079b839b05f99dc200b127ac998984aae69f3b2a0ce5957cc9e7d195

Download Submit
C:\Users\Admin\AppData\Roaming\RepairInvoke.png.exe
Filesize
1004KB

MD5
1e96fb097c643d4cc4d25c8ec16db269

SHA1
ae4ed1c30db2862ae2c5049e4f1cbd48cd93f195

SHA256
73cc8c5115df1df7c6d4fbae48b10169d37dba30634b05dc21d741ef88690eee

SHA512
4142536c1c56f7dd9e11c8410854f91f355c0cd7528a526b0be4ce2a9caee02a13829a3b5111302892c94ac54b2bafa2de68497bb53b9dc236eae68d155490a9

Download Submit
C:\Users\Admin\IQosogMY\wUAkMQgA.exe
Filesize
183KB

MD5
56b8c6d1c5f46444d2a3abdfe52a2202

SHA1
b177ba09b764e65994ec9c2f5d459bbf3486a395

SHA256
820b64a54ba4acc29cf5d91cdad7a9eb65638ccd68765c626bb83639c6a8227c

SHA512
695ff925e091facbe09599aa17fbba4edb4e8ce9148d7eb1de0c2f617dbcd02c09a696b30da43b55849e715c452fc29eb8b12fe3cd4547a9c13e984cf38af55e

Download Submit
C:\Users\Admin\IQosogMY\wUAkMQgA.inf
Filesize
4B

MD5
fcc4e2c5ac4bcdb55296282e27f4d22d

SHA1
a54014c2bd7fc22c2d3b5a963c77805faa1e166f

SHA256
9e9371813067c21a1ee2279495c5a1f64ae76b702da3fb46bf3a457877e414c2

SHA512
1826605ce3d7063c9c95470048547989f68df7619c039265dc7a238aaca0f46223b08d45587486f5f56cd4842a3ed1bbcfa03c2ac7aa5bad908564c92d1a0440

Download Submit
memory/60-446-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/60-435-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/516-296-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/516-283-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/540-218-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/540-203-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/860-253-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/860-267-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1120-381-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1120-368-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1400-541-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1400-548-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1412-348-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1412-362-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1444-520-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1444-530-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1536-108-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1536-91-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1548-463-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1612-45-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1612-36-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1612-257-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1644-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1696-390-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1696-377-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1768-324-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1768-313-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1804-418-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1956-372-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1956-359-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2032-556-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2072-409-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2072-396-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2324-134-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2324-145-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2396-490-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2396-483-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2516-414-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2516-427-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2556-481-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2556-169-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2556-154-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2596-189-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2596-207-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2688-304-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2688-314-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2812-158-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3120-462-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3120-472-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3120-339-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3120-352-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3152-436-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3152-424-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3204-71-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3204-57-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3220-500-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3220-491-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3280-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3280-33-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3280-17-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3280-95-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3300-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3300-67-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3360-526-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3360-539-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3432-331-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3432-263-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3432-276-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3432-343-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3520-454-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3580-400-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3580-386-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4012-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4012-20-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4024-121-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4024-105-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4024-181-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4040-117-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4040-132-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4228-272-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4228-287-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4272-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4420-510-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4420-502-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4512-334-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4512-320-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4656-305-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4656-292-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4676-193-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4676-177-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4808-229-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4848-512-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4848-519-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4928-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-232-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4976-245-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download