1d96ce6eef0d47ba0dd3b0d7205ba1ab16533cdab176ea9ca81d8d7807ae6a6c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
Size

206KB
MD5

10651c37469a05dca5c5dd5ad3b7c830
SHA1

8d629731228658bc85fe8110992a3befcb772130
SHA256

1d96ce6eef0d47ba0dd3b0d7205ba1ab16533cdab176ea9ca81d8d7807ae6a6c
SHA512

55bf0ead82a8942fdd7e7ee1a51a0ff5cf4e0e187e0fed2465a429ea3d6917099469d56d22ad125bbb71dd2880f3dd82ade40c64559b2a70eb729dd595bef24b
SSDEEP

3072:wbCFEsbDdXH6N7UZVPuT9RRNfJ0WQDdsWJqO4Y41KgDbrzvDLtI:ZSUKyVc8d/JqH7sgvDLy

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (76) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

flow pid process

35 1164
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

eOkwwIUk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation eOkwwIUk.exe
Executes dropped EXE 2 IoCs

Processes:

eOkwwIUk.exerwIgIAIY.exe

pid process

2596 eOkwwIUk.exe
1920 rwIgIAIY.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
35	1164

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	eOkwwIUk.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exeeOkwwIUk.exerwIgIAIY.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eOkwwIUk.exe = "C:\\Users\\Admin\\JqwMooIQ\\eOkwwIUk.exe"	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rwIgIAIY.exe = "C:\\ProgramData\\iuUMgAQw\\rwIgIAIY.exe"	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eOkwwIUk.exe = "C:\\Users\\Admin\\JqwMooIQ\\eOkwwIUk.exe"	eOkwwIUk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rwIgIAIY.exe = "C:\\ProgramData\\iuUMgAQw\\rwIgIAIY.exe"	rwIgIAIY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CmIUIwwM.exe = "C:\\Users\\Admin\\EYUoQsEs\\CmIUIwwM.exe"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JIUwMcog.exe = "C:\\ProgramData\\ioYYEkoI\\JIUwMcog.exe"

Drops file in System32 directory 2 IoCs

Processes:

eOkwwIUk.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	eOkwwIUk.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	eOkwwIUk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

pid pid_target process target process

1660 1952
4040 1108

pid	pid_target	process	target process
1660	1952
4040	1108

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
5100	reg.exe
3724	reg.exe
1160	reg.exe
3788	reg.exe
4820	reg.exe
4608
3112	reg.exe
1668	reg.exe
2716	reg.exe
4420	reg.exe
1660	reg.exe
4300	reg.exe
3236	reg.exe
1716	reg.exe
964	reg.exe
4412	reg.exe
2056	reg.exe
1640
4300	reg.exe
400
4908
1204	reg.exe
1216	reg.exe
3100	reg.exe
3692	reg.exe
4420
4852	reg.exe
2712
2840
4516	reg.exe
2500	reg.exe
2164	reg.exe
2520	reg.exe
2528
2432	reg.exe
2736	reg.exe
1792	reg.exe
4956
4804	reg.exe
2368	reg.exe
4380	reg.exe
876	reg.exe
4000
3688
4576	reg.exe
1612	reg.exe
1664	reg.exe
4636	reg.exe
1048	reg.exe
2496	reg.exe
4836	reg.exe
4712	reg.exe
1484	reg.exe
1528	reg.exe
1028	reg.exe
1848	reg.exe
2100	reg.exe
3836	reg.exe
4712
740	reg.exe
4908	reg.exe
1828	reg.exe
2516	reg.exe
1548	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe

pid	process
3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3100	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3100	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3100	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3100	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4912	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4912	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4912	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4912	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2516	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2516	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2516	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2516	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2056	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2056	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2056	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2056	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4300	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4300	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4300	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4300	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3324	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3324	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3324	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3324	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
1852	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
1852	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
1852	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
1852	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2164	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2164	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2164	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2164	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2868	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2868	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2868	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2868	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3428	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3428	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3428	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
3428	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4456	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4456	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4456	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
4456	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2904	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2904	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2904	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2904	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2584	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2584	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2584	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
2584	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

eOkwwIUk.exe

pid process

2596 eOkwwIUk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

eOkwwIUk.exe

pid	process
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe
2596	eOkwwIUk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.execmd.execmd.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.execmd.execmd.exe2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.execmd.exe

description	pid	process	target process
PID 3920 wrote to memory of 2596	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	eOkwwIUk.exe
PID 3920 wrote to memory of 2596	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	eOkwwIUk.exe
PID 3920 wrote to memory of 2596	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	eOkwwIUk.exe
PID 3920 wrote to memory of 1920	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	rwIgIAIY.exe
PID 3920 wrote to memory of 1920	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	rwIgIAIY.exe
PID 3920 wrote to memory of 1920	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	rwIgIAIY.exe
PID 3920 wrote to memory of 4580	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 3920 wrote to memory of 4580	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 3920 wrote to memory of 4580	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 4580 wrote to memory of 336	4580	cmd.exe	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
PID 4580 wrote to memory of 336	4580	cmd.exe	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
PID 4580 wrote to memory of 336	4580	cmd.exe	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
PID 3920 wrote to memory of 2800	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 3920 wrote to memory of 2800	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 3920 wrote to memory of 2800	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 3920 wrote to memory of 2064	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 3920 wrote to memory of 2064	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 3920 wrote to memory of 2064	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 3920 wrote to memory of 2436	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 3920 wrote to memory of 2436	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 3920 wrote to memory of 2436	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 3920 wrote to memory of 2164	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 3920 wrote to memory of 2164	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 3920 wrote to memory of 2164	3920	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 2164 wrote to memory of 1180	2164	cmd.exe	cscript.exe
PID 2164 wrote to memory of 1180	2164	cmd.exe	cscript.exe
PID 2164 wrote to memory of 1180	2164	cmd.exe	cscript.exe
PID 336 wrote to memory of 2660	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 336 wrote to memory of 2660	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 336 wrote to memory of 2660	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 2660 wrote to memory of 4404	2660	cmd.exe	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
PID 2660 wrote to memory of 4404	2660	cmd.exe	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
PID 2660 wrote to memory of 4404	2660	cmd.exe	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
PID 336 wrote to memory of 3112	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 336 wrote to memory of 3112	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 336 wrote to memory of 3112	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 336 wrote to memory of 3968	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 336 wrote to memory of 3968	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 336 wrote to memory of 3968	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 336 wrote to memory of 724	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 336 wrote to memory of 724	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 336 wrote to memory of 724	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 336 wrote to memory of 1760	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 336 wrote to memory of 1760	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 336 wrote to memory of 1760	336	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 1760 wrote to memory of 432	1760	cmd.exe	cscript.exe
PID 1760 wrote to memory of 432	1760	cmd.exe	cscript.exe
PID 1760 wrote to memory of 432	1760	cmd.exe	cscript.exe
PID 4404 wrote to memory of 2600	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 4404 wrote to memory of 2600	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 4404 wrote to memory of 2600	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe
PID 2600 wrote to memory of 3100	2600	cmd.exe	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
PID 2600 wrote to memory of 3100	2600	cmd.exe	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
PID 2600 wrote to memory of 3100	2600	cmd.exe	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
PID 4404 wrote to memory of 1064	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 4404 wrote to memory of 1064	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 4404 wrote to memory of 1064	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 4404 wrote to memory of 3692	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 4404 wrote to memory of 3692	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 4404 wrote to memory of 3692	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 4404 wrote to memory of 4636	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 4404 wrote to memory of 4636	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 4404 wrote to memory of 4636	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	reg.exe
PID 4404 wrote to memory of 3972	4404	2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\JqwMooIQ\eOkwwIUk.exe
"C:\Users\Admin\JqwMooIQ\eOkwwIUk.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2596

C:\ProgramData\iuUMgAQw\rwIgIAIY.exe
"C:\ProgramData\iuUMgAQw\rwIgIAIY.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
8⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
10⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
12⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
14⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
16⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
18⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
20⤵
PID:4388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
22⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
24⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
26⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
28⤵
PID:4088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
30⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
32⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
33⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
34⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
35⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
36⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
37⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
38⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
39⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
40⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
41⤵
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
42⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
43⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
44⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
45⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
46⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
47⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
48⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
49⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
50⤵
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
51⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
52⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
53⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
54⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
55⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
56⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
57⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
58⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
59⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
60⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
61⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
62⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
63⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
64⤵
PID:1604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
65⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
66⤵
PID:4556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
67⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
68⤵
PID:2056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
69⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
70⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
71⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
72⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
73⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
74⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
75⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
76⤵
PID:2440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
77⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
78⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
79⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
80⤵
PID:2420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
81⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
82⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
83⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
84⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
85⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
86⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
87⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
88⤵
PID:4824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
89⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
90⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
91⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
92⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
93⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
94⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
95⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
96⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
97⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
98⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
99⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
100⤵
PID:2716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
101⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
102⤵
PID:2972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
103⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
104⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
105⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
106⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
107⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
108⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
109⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
110⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
111⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
112⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
113⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
114⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
115⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
116⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
117⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
118⤵
PID:3428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
119⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
120⤵
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
121⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
122⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
123⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
124⤵
PID:2852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
125⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
126⤵
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
127⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
128⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
129⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
130⤵
PID:4220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
131⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
132⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
133⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
134⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
135⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
136⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
137⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
138⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
139⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
140⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
141⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
142⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
143⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
144⤵
PID:3576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
145⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
146⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
147⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
148⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
149⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
150⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
151⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
152⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
153⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
154⤵
PID:3800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
155⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
156⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
157⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
158⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
159⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
160⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
161⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
162⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
163⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
164⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
165⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
166⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
167⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
168⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
169⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
170⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
171⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
172⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
173⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
174⤵
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
175⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
176⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
177⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
178⤵
PID:1012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
179⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
180⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
181⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
182⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
183⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
184⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
185⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
186⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
187⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
188⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
189⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
190⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
191⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
192⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
193⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
194⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
195⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
196⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
197⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
198⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
199⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
200⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
201⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
202⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
203⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
204⤵
PID:1528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
205⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
206⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
207⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
208⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
209⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
210⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
211⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
212⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
213⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
214⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
215⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
216⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
217⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
218⤵
PID:2428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
219⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
220⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
221⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
222⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
223⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
224⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
225⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
226⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
227⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
228⤵
PID:2056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
229⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
230⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
231⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
232⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
233⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
234⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
235⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
236⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
237⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
238⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
239⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
240⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
241⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
242⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
243⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
244⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
245⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
246⤵
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:716

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
247⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
248⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
249⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
250⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
251⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
252⤵
PID:3680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
253⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock"
254⤵
PID:652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:3528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCUMIIIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
252⤵
PID:4028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoggcUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
250⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
- Modifies registry key
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoIcUAck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
248⤵
PID:3128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:4744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kisoMEsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
246⤵
PID:1148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCMkIMwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
244⤵
PID:3152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:3324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:1504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
- Modifies registry key
PID:1612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymEMkQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
242⤵
PID:1972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwwEAosQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
240⤵
PID:5020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:4080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
- Modifies registry key
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:4356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGAgIYQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
238⤵
PID:2528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:3784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:1660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCsUAQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
236⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:4268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgowEcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
234⤵
PID:1388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:4436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:1896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cooEEsME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
232⤵
PID:2496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:3800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiwAsgYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
230⤵
PID:2612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:2496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
- Modifies registry key
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOowcQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
228⤵
PID:3260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwgEUwgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
226⤵
PID:3784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKgQcYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
224⤵
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
- Modifies registry key
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fywsMMko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
222⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:4628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOwEwgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
220⤵
PID:3540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEksMcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
218⤵
PID:4000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:1148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iswYooII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
216⤵
PID:2528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOAAMMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
214⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- Modifies registry key
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIUQYQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
212⤵
PID:1048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCcYYMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
210⤵
PID:3660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
- Modifies registry key
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsggoAIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
208⤵
PID:4416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:8

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSIgcoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
206⤵
PID:3920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:2972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqgEEEsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
204⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:3100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcMEwgsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
202⤵
PID:556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:4080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKIEQwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
200⤵
PID:2164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:2016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoUkIkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
198⤵
PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsQYoIYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
196⤵
PID:2528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmwwYMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
194⤵
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:3348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKssIYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
192⤵
PID:3540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- Modifies registry key
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMwsEMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
190⤵
PID:2600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:3576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies registry key
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASsUsIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
188⤵
PID:4604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:3808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuoAgowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
186⤵
PID:3560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:1828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:1724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWAkAsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
184⤵
PID:2520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUAIIQsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
182⤵
PID:1868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgwQEEwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
180⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:3448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycIwUMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
178⤵
PID:3576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies registry key
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- Modifies registry key
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WucIAAoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
176⤵
PID:1108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- Modifies registry key
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIwcUoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
174⤵
PID:4744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
- Modifies registry key
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgssogwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
172⤵
PID:1896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies registry key
PID:1660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
- Modifies registry key
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQsQUsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
170⤵
PID:964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:4524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyoUUosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
168⤵
PID:1664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWsIUsEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
166⤵
PID:1340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:4516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuoYgQUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
164⤵
PID:4740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
- Modifies registry key
PID:2164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaosocYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
162⤵
PID:720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:3944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- Modifies registry key
PID:1828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAQkIkUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
160⤵
PID:1664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:2064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poMAkokE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
158⤵
PID:3720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsMEsMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
156⤵
PID:3320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:1252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSwccoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
154⤵
PID:3576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGwsIgII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
152⤵
PID:2460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyEgsAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
150⤵
PID:2128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:4788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQsQUAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
148⤵
PID:4908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:2496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:3688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkwIYwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
146⤵
PID:3968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:4744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmoAwUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
144⤵
PID:3684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:4820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYQwUYQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
142⤵
PID:2064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
- Modifies registry key
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAIQAIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
140⤵
PID:3680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQYokIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
138⤵
PID:3436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:2780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMgcMEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
136⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGogcUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
134⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaAsQAgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
132⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:1172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgoYokcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
130⤵
PID:3836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYIsYoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
128⤵
PID:740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:2228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaYosssE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
126⤵
PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCQsUggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
124⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
- Modifies registry key
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYwQgwgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
122⤵
PID:1420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:3784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:4908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWccUoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
120⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcUEokMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
118⤵
PID:1404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcMkAEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
116⤵
PID:1384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:1340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiQwcwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
114⤵
PID:3724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:4852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uusAIggc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
112⤵
PID:4088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:3100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCcUAgIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
110⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGMQocYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
108⤵
PID:1792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
- Modifies registry key
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUAQIkMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
106⤵
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\docsEwQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
104⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIsEMskc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
102⤵
PID:5064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:3560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcoMAQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
100⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEIcoYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
98⤵
PID:3700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies registry key
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:1384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkwYgIQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
96⤵
PID:2840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQYoEYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
94⤵
PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwoYccck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
92⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XawYscEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
90⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:1028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- Modifies registry key
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcscgcQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
88⤵
PID:2056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkIUgQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
86⤵
PID:4524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:4728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAsYcIUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
84⤵
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMkMkEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
82⤵
PID:876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies registry key
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amcQcwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
80⤵
PID:1956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:4868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYkYokcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
78⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuksUMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
76⤵
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:1772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nogIEUIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
74⤵
PID:5012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:2124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwYUwkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
72⤵
PID:4268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:4648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCMoMIkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
70⤵
PID:3944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEEoIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
68⤵
PID:4292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:3960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- Modifies registry key
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wecwUQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
66⤵
PID:4244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:4088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoYcgYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
64⤵
PID:3528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGwMwUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
62⤵
PID:968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cykIokAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
60⤵
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:1376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMwkokoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
58⤵
PID:1180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMAIMEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
56⤵
PID:3916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:2208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYgAEkAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
54⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- Modifies registry key
PID:4576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEUUEckk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
52⤵
PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:2972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSwoUwUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
50⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueQMQYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
48⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYEEYYMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
46⤵
PID:3312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKgYkcgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
44⤵
PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAggswcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
42⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWEQgwIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
40⤵
PID:4852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juAQcAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
38⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgkIowIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
36⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIEUAsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
34⤵
PID:724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyYAYAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
32⤵
PID:4040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:4804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwMQUsgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
30⤵
PID:3020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lagMYYIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
28⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoMwkMIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
26⤵
PID:1248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rScYEssw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
24⤵
PID:1184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omAQEEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
22⤵
PID:680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIAwsEoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
20⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMwgIEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
18⤵
PID:3808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwUkwIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
16⤵
PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWAMAswE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
14⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- Modifies registry key
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKwUcIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
12⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSgAgUsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
10⤵
PID:1340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGIEIIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
8⤵
PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYQwQcEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
6⤵
PID:3972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAQgwUME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMQIgAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1180

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1036

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
Filesize
185KB

MD5
c4b1e38d9e5d8bbb3fda653d907460b1

SHA1
c66bd55e7ee06b5678754b8cffe1a1f2b7d15e38

SHA256
55ed703711a92d859e56d299b37b7da9813546d23e116b0048b41ef017028d92

SHA512
8de527383904e8d192823d8558ac712d04e3580199b7f0b7360aa91f3d127df4b6eb68f90e2d5341b27a652516a356c1a5f2c8e9b7874ecd5a28c9abbb03e444

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe
Filesize
204KB

MD5
74f9a3754c19b6dee8d27b72109fa76e

SHA1
4e3f2324c77481bab82b970967f6973be919a5a0

SHA256
b2619258a1609c90e8e7b979e630ef51beb79ea64c2ff1c600e1ec4ff5581270

SHA512
ea4f21cd0395d6c8b952c8f21f6221547a757b3cf41102bc78203c1e7ae7b3c7415be6a49e919862ce938c4a22a50d4e9e317f10d0134ed859d41aa1dfaf78a1

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Filesize
840KB

MD5
ec80550592607eb5603a170384b717a6

SHA1
7a35520cef48e8387be69d58290676d225995ca2

SHA256
438926a6198deb5d166d63ce8206afbc7167ce80e94d33483d6350504619d29e

SHA512
fd10df559f87fa577b2021680c78efef10d0938586dcf81c16523d4105c09f8eda7a72ca5cb0e3c63273c009ed626f2324ef1252211f1636526f307d0a645d85

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
803KB

MD5
dab28b76601e427393952e3c175a64f4

SHA1
61fb34462abecf38fb920613d6e8c1da982886da

SHA256
2b8543b0cb1e12e5e979fe91aa5ad13a91408739fdce0d0962c4f7aea0b9051c

SHA512
7712da46e39ac506d94e3fc041a19f526289264a043e2c71d486feb63c7c4b96446330d63ed161572ca71a03eaf0e54c6c32f8ae155f56af9ba410078d284207

Download Submit
C:\ProgramData\iuUMgAQw\rwIgIAIY.exe
Filesize
205KB

MD5
f821ffc98ae7af860668b9950af2fbd0

SHA1
c3691eea89f261aa17e62e24a5741607148a699a

SHA256
e73490a6efad352b94ec56405e775f27ae8d4079a568a59f73cedbd2f6079ced

SHA512
f1785e8154f370fb8b02efe1ef7f2108ad31a25ed8dde126b9092eea9b215b0413e2eeb208713d3acb6043f6960ca17b99e17162a5b934f797a232110866e014

Download Submit
C:\ProgramData\iuUMgAQw\rwIgIAIY.inf
Filesize
4B

MD5
91f1d3faae46151eab21c9a342fd13fe

SHA1
9a2069503a5dd0d7d1fe7d9059a7c0591936075f

SHA256
67c4d75547e114e661b4c5d45d29575802786ff1cf9cd8ca426c116f15127813

SHA512
c30f13d940565655350ce4fdad7b48a8d8e39dc67fc0c300a62512237f182d565301ae82e690c5afb283d20d5abb702808aa7f678bb7da59e28959c22536fe7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe
Filesize
205KB

MD5
2f12b479e1e52bc9582d27e2ca3b3f3a

SHA1
acbcc2c61e7a712d459cd4d605b206c2d862aa58

SHA256
47bac7062d337002ca8d2468d14e11684cdc9a568d1c6a613480eb948b713077

SHA512
919e1ff9da11c04492305e2aa9c52ca37c0dd66fac021a31cae13d32e7ec9047e9906c0af18127e5d32d316615a516492226408d013da2f6593881b16b397fab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe
Filesize
193KB

MD5
f5b68d465e6ae1907edd049fc5a204ee

SHA1
af0331743a57e5b3a7c4fe643c36d427a307a190

SHA256
d0c3a3e0f8b05d73947598f92ed87b764e5c016dc23d4af530f821b90cf6f91a

SHA512
d29e8868dd630352d060229fbe910c01923095fae74fb5572650dad6d0299a2725c935e0407f62d199085788a608b97dd7bd602bb4f8f55877c51e05279d3aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe
Filesize
200KB

MD5
ce161a48566ccf46114ab28a9cfa95ed

SHA1
157ffb7d8f24d1fd04775eb180316f295bacc5e6

SHA256
517c6c5c2b94baee1ab3a98d241d4aaa87e86a866d2ea016b7ade1140d510991

SHA512
3c8f30b931c43b2c2e62d779c7d22c1c64ae5327d5f03029ced7a319cf5fb8e4200b9e6bfca51b55360988ffc1227de566d4fd6e34ebcc6e98bb0f43d79afaaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
Filesize
183KB

MD5
5b4bb6dc145e5933815cfa757c35e0cc

SHA1
6c8a565c50c21ab2566c38cc7d46b66d103abd33

SHA256
8845fb9a82d4621c44ea2bab94a1beb61bce9ffcda9d84f7a0cd5e087df45630

SHA512
eff3714d051e3e9efddebc7cb0b2f4353f7d0974ce892bcd45d7886c077365fa9fcaacd92324cea1d66a8c9096a709c276683a53a0b289c5fecc194b77feac4c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe
Filesize
187KB

MD5
8a8eddc8ad9f76644c0dcebbb3a3d41d

SHA1
34a3fa42743ca66de9bc16e706311a9b0b11d100

SHA256
3b1047826abff10766fb69a1f513f0a5d884ccfae9cf52cc09f3550f6ff71d12

SHA512
3efbfb39af9b0a126f835d143a7b19ed282770562e3f0e77da3aa9ce2eae3f681fca5299133abc9aed40bac1886a3681848494193ebc204f9ebfe8303218b21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-23_10651c37469a05dca5c5dd5ad3b7c830_virlock
Filesize
10KB

MD5
45d9b00c4cf82cc53723b00d876b5e7e

SHA1
ddd10e798af209efce022e97448e5ee11ceb5621

SHA256
0f404764d07a6ae2ef9e1e0e8eaac278b7d488d61cf1c084146f2f33b485f2ed

SHA512
6e89dacf2077e1307da05c16ef8fde26e92566086346085be10a7fd88658b9cdc87a3ec4d17504af57d5967861b1652fa476b2ddd4d9c6bcfed9c60bb2b03b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAse.exe
Filesize
216KB

MD5
eb000d015fac1d06c42f1265cd3bc418

SHA1
c3ec22db2829a7088ed6f54b3331b41a682024a1

SHA256
85c06587a96640ad865e535a3ed7d3c65c34d402f039079e300a8d4268387f8a

SHA512
bc04bbbc158520b2cea9fe77bbc63b143c07461efa59e485be7855e45cae2ddaeeda4a3a38a121ec7f1856c4ca20216cab9efe8f063ed772ae347164d1fe5f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEEW.exe
Filesize
639KB

MD5
fe9de2be8c9089f0c919b6eca424d6bd

SHA1
206d95cd1c3ea3dfe8c46d291634afc523544245

SHA256
90fff29768b8c31e1597cd88eef713de11225f7da11aebdf0a939e65e090e9e3

SHA512
8564d29e88d6f354ea085f6513717f42004bdfa9daf785b14a73338bbca496dc596a48073d76a81474488479a9af590ecfa586898ab78d7860e3a24f79cc5449

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUsa.exe
Filesize
200KB

MD5
1dca1a60078874555e182f177380f394

SHA1
b4714e08cc1860f59c1ccbd5435aa80a9e927bad

SHA256
080d0f7e3d537497350630068365463a06634764faaf5d80c85afb83fc0a4b7c

SHA512
20800db7bae35842371e9e0d8442d569a95974df1c72d9d2cd88f461e66e4570f2f1f63c5becfea1f6fdb03bcd054493af9819919d96d517b883491313cb7eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYgI.exe
Filesize
229KB

MD5
2f0abeeb4bf5c5c30bda7fa620fb7086

SHA1
e5a1d4e7223caf039dd13ad1d89cf206b1399e2e

SHA256
fcbb1b34ddcde26d11e74c3812b0c7643dfe2d1c668cf26b3a393f2ddb4498b9

SHA512
65a37e21d51e1494ea7fe3c8046d1f47636be11d9e6a89827c9fc62ab7134c7567869737e6cd965dffdf49cc978795f8338a17b264701d2a400f75f2fef0cda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Askc.exe
Filesize
197KB

MD5
c708be9ad654dd7292045af1d796f4a1

SHA1
59f24d4e68437f65a210898e541b276d50776bf5

SHA256
007a7eeca17ad7c9b0dbc23a63d9fa0bfe427d8be9dec90f9c714717a8193d29

SHA512
eee06dd29acaa37598e8810fe61c2d0a2b55ef1072bc34b00c8dca0c901bd18bcac87cf3fb3dd7b758a8d2037db2d11a83fbbd6805043f313148bff2ad08846f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwMQ.exe
Filesize
1.2MB

MD5
d10c4796312e892b184e79b7651d74f1

SHA1
1240aea4a1e9660dbe54d83d6668a8244236c842

SHA256
15341cc4ad9757861d747ca909b23627fec0c627b857e49a0b1bbe1d03b488b3

SHA512
d29d7686060e8184002248378b7a6191fc2c3585ff027fefcb5a78f87dbac86ca234ff1b82ff2edaef0eb9a974a222b8e4560cc413ce04af115575ab4c85d334

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIAW.exe
Filesize
195KB

MD5
32203fe7966a4ddca09402cc90127ff0

SHA1
6971ad81f5c97f0441ab24f3f8374a296bccdeaa

SHA256
70ab9515199ba082fa9ef7356e68ba5c0ed3945afc53052f8cfdbc5e2407f6e2

SHA512
ba6d432c68f433f35805990dd55a9d6df5f33161f5c27befd22685f4a435bd6d2e7b98465dae07d0a89b665dab96cfa5788570996ae380861855607faaaa1b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIoI.exe
Filesize
214KB

MD5
4c8307e8856fe26a3654f4c35620b7e8

SHA1
c0e1718228e61c4ea716668e4df25b4c1b8558a8

SHA256
db58b9a3350753d0fcf2e65f6e199feba9d802d384768a3c149f4bc1e1cdc6d5

SHA512
7e7be144014812e3779a9982829522b914ef3b31aed3e8e0d5249c767639d9d359740c0208413091e30944361e5deaa81c98da13718f84c7314ede4aff858d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUUA.exe
Filesize
193KB

MD5
dcb623ab7b640f16d3ac805d59cc6f4f

SHA1
de3e106325ec2ed5993197d6ffacb71a95d325dd

SHA256
b6d8b071f63d24ce3df477be87ddeac3cb94298c06746daa58fda02851e3d316

SHA512
2efe844712602495596721074712e9f6700d2c5aa203a6fb786a59a0de3aefffbafe772451b7e8c0370355691651e5b0ca82fc0e5f998ef7475b249ec8c34d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoUi.exe
Filesize
5.9MB

MD5
22dbbb05bac2e008e5e075e9ed89c136

SHA1
84dce1c58e0955a5b246ed3f993f9dd4c35beb13

SHA256
e36c11210275edf774f0abb4f588cf3a7f879e00cd7b4465b6a957cb910c9258

SHA512
bfbea5a9898c7d790d753e3253117d5e8f9a01c38a11ef3b651cca3643bc6154e0566a012c2648a8040880d9a99e679a7e415ed3d43a1109905da23578bc954a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwws.exe
Filesize
224KB

MD5
081759c99661d18acf3ad9a1244d2d52

SHA1
5c9d4c2858f5e2345e36e8ea07bd9235f1315ac6

SHA256
f739aa586aba5142fba08eb9d9ebd6aa25a2c9dc512a1b1d39b15ddcb34c5fb4

SHA512
aa20a0225036eef3452224a52acf6361e5cc903aa5ea5bfc721c663cba3ef9132064d333e3ad163a0d812e567d2830b9d45ae680c16035d9e9abde742b98f5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMQIgAkY.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkgO.exe
Filesize
181KB

MD5
e5561c4c8d02bfdfc7071c8b97577003

SHA1
185144ec2d13c4d00264ca0a0b478c000aa254de

SHA256
f5b4b012556975b0bf6f5831bf4d6104fe8ebdc73f8bb53140dc5977d8fd7678

SHA512
f5de5fda4c18ecde0a6ae0166a49c1f4c6cb8b3d6893ecadc734e4701125500f2d8aa69716eaebb7c1c0b8f3d1907ef8b235c2e78f906b4985188ab3ea2ca3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EocS.exe
Filesize
427KB

MD5
4e3faf6d2f45de8fd380a21084c65f69

SHA1
5afb65bbe3b507e01c9842a301453e1ade610b06

SHA256
a20f2393e89d121558084844cb43cce6ce2a1db05878ff48379eb183ea171170

SHA512
f365f7d5b35aca437ce23cee9bdf2f766cd0ac1ccdf4c189990358a889dda79542b3a1e729ae60acc66eac1f84af0cf6fe59a9cc9e5ab7e9ce781280d502306d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIcY.exe
Filesize
1.5MB

MD5
d5ac1873fa477491572259e0cc8eea4a

SHA1
e3938c50dcc9bd60defcb9b603374ab50614e60e

SHA256
8e352eb266e17bd80259ad62708a2f03953b082ada48704f8aad70d0fbb20de8

SHA512
cc15a9727e99bd9e5f420ab4f4b4effbe0349f79a9f216ddb64edec69276b97c2c724afed8f4d62256fd3ff5bda554942bf4d8d2c293c46d2d12c55534eb8143

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMsg.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUAO.exe
Filesize
205KB

MD5
99d37ea419dac39b9de649a849a3c002

SHA1
1832939a8c50ca8754f95e9f0b4423f42cfbcab0

SHA256
647ac19d7061894e518cfcc51b21090a6da9458c6d5f80f8ff08423b551ba2c2

SHA512
6aafe3a0b1f3ee8ea6b8fbd7546d69db916655cf85865009efdb2e8d2d7d332644f5781ddbd6bba85b9b86adc683d96f6184bf91b19f08841c576afc01b83926

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcgw.exe
Filesize
314KB

MD5
05a8f83ff36056bafd5c70260864a583

SHA1
1215cc6c891970e1abdc72094bd1ab97864418f2

SHA256
e109eb6b8e543e503a6e8aa168bf39716c8352c09538e81c0a2f35fc3edec80a

SHA512
86885d23855eac770bf73f49f2b0b290a65a03c497b1d67ce0c0f687088db2a284283eee4ae1ea608918bc0ae73d53410956a7fa3888bc9968e52c81e193bb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMMk.exe
Filesize
315KB

MD5
b9957a3142f70d728a36bbd78e4ff0d5

SHA1
67772b3c8ad7890042c16476ed1824701789ec86

SHA256
2ccc16422cd999aed368f7a9ed1a8659b48592466c139184c2bf3901a1d92de7

SHA512
b541c3157eef621fe60b04176c588cd483c1a355244e2e16193be3e7d2419bdce2411eda349a4ca0836d6e873db521a571e8f5c8f33a6d01d7ad612136576ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgEI.exe
Filesize
198KB

MD5
11b69090a8d52447003a5ac920b79fed

SHA1
8dda6104cfdd2b8836c349f60f3e63f421c69754

SHA256
f34c3adb4a512eebbc4dcda5cf71a53235489e7e1e859e5879ee0ffadb6ae09c

SHA512
33f2e644cbdd1faf0d22e533ce955c19fcbf65cf0f6dd32ecc802c9d0ce2ab69b29694875044ea3a99fc0c879c10f97f1d675f771df24424def547aa5c960fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkYI.exe
Filesize
191KB

MD5
840a307c2e9bf6651d3b4727d9caca1d

SHA1
9bac37fb805148b52ef1f5655b2011aa9680ac55

SHA256
bf3993ea6b01b80cb315152be2f4b9d44c736c7d57f0063e073a29608f67c4c8

SHA512
7a7d7900499fdcafadf30f276ea38f9bff9052a356450df69bbbb657cbc3a109a0ce3db760ef70dbb3147e566723689626035b31599c20e027d63e6fcff90d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwwM.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEwG.exe
Filesize
197KB

MD5
a83e6df55ef4052363a894e5694914a6

SHA1
4485eaa251eae659cb3989eb6d52e4ab63613e6b

SHA256
a8dff73d09fdc5a84c70f3f02024f43feb415d73b6d677bc5f25f0a91f484c49

SHA512
4507cfc5ada1bedbc94842a40456f9687ad480d955547d491a7702366adc98728a9510388402484144793f71d61befa0f5c2d91e4af32dea12a69533f0077719

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQIY.exe
Filesize
216KB

MD5
81d94c357446065087af20767121a166

SHA1
bfb2d6c517031dad6fcd6d58f8eeef9675e7d553

SHA256
dcf4165a319e20abfe95360afde3c62d1e66f88b088bd7f7fbe274b05aac5a56

SHA512
100f623ccfbf686d5c456184852ea5efc30fa112c3a23dcb29ad474e5c9ec7e7f46e9ea533be715e831752016c75abf09e61d9c1e385b84c65592f1bae217874

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwMk.exe
Filesize
5.9MB

MD5
0a5b9f5613f74716200962bb6b508b45

SHA1
fa6750b85a8238eacbe21a14b41ad0934251f81c

SHA256
ebaf07dd6068866d2761896bcbd72a3a19ee4c8a4d336fcaa039dfe7f7731306

SHA512
6e677067d8515acbe82d14773bc3ec6736d966a2295fde9387ce921738c3754f83bfb7196015673ad571141bde7e6d064f6084abe5b215f37717d52cea5f678d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMcA.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQUi.exe
Filesize
574KB

MD5
7f4f61b767b3c1cc192e900b3848c981

SHA1
d0d577663896e91d80ccb4bb3a625636f9195b41

SHA256
36490362e22c0ac86ab813931ac2282c7815683f07bff39d3c75e64efc22f03f

SHA512
4f0c0d5074164f36ab4954cde92aae555ecb8c60001ce7bcf69f8484c024366bf7eaec454480dcff209b5abfce94a2ce49d32b15e520a2f080a9a79e46e7ea6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMoG.exe
Filesize
397KB

MD5
ac3d3c9b43fc53e001d152484fc6381c

SHA1
2fc230c4314c32781dc5c5b74f945b39f59755bc

SHA256
08e38b8398f266243aa6f4af6f6910a80d7c2838cf79f29410ae44cebf3718dc

SHA512
7202dc795b3eae6809dad4ce6efd3f79a5914ea6cbc1aab68e447fd9a85ff273f491061f04d5f4fde3075d416d2f2f4d5e72a71a5677216b6ec774d9462fc932

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQsi.exe
Filesize
198KB

MD5
8fec7c6785bec93fab2071de28a3c98e

SHA1
fc5924ebf291f8094e81370e3491bdfd9439ee73

SHA256
f79ac48d01058d9908680dcb3aa7cbc4b1cc6d2d834864e247e5e91913c4ed53

SHA512
396901d1506eb636f5feed083d0a917b350a2cd56d78aa34242fcc2fdff25483771ed66f58cdec7e7a3ea425b04e992109633b0f06085ea1f3f5958927ce5e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcsI.exe
Filesize
185KB

MD5
bc56205ae486b1063af4505cf2ac6c12

SHA1
a86085587cdec86f0b2b445793415a98dec4ed79

SHA256
b91c1d837414af55851bdb97cae97abf8f200178feb0de6769fddc2d44cb6146

SHA512
30137533ba443bda59495a111af5f281f7bcdbb30fd6756d0e30ef28f7a5402bc54e028f8192bff2aed47be36655bdeb8f5c854517a1f5a42b68980566e821fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwQm.exe
Filesize
224KB

MD5
7f0e0580327abf159ff5083721df1b02

SHA1
138c21bfeb18782d0a08e3e1bb827c73ed7a1984

SHA256
663cf4d0024d6344ea1f028c4c763519873563c3e7a928a257a483986597b275

SHA512
67a15bef23429285a1b8c70026859c83068112a96797d853ddda3459d603c1f9ef35f202a13c9e41553b3e845c18a4f9760b3944dcd61558f7a5aaa4a3686889

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUQy.ico
Filesize
4KB

MD5
2d56d721c93caea6bd3552e7e6269d16

SHA1
a7f0d3d95a19f61d30b9e68b0dcee7c569249727

SHA256
f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3

SHA512
c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgkY.exe
Filesize
671KB

MD5
e4c6f70d2dd5ba908ff7419784a4ae42

SHA1
9a2343ad2c00313db64ef864440321b2415097dc

SHA256
fd270d87facd1cef29477cdf666f8eb26453ed7d15ca8eda012e0c973db501f6

SHA512
23b8fdb9d765a5eda8901d11a76d905ad88e00b13c5508a533e78b3ca1eae12cb187b59fdefd93d069779ebadd8eca60a7bf4e11bd9cae2ceaae4e741a703201

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwAm.exe
Filesize
202KB

MD5
ea1cfec76338f8e7d08b5afda5b092f5

SHA1
9ba5a376245137584509b3e0b2ff4c083fdcc488

SHA256
8c57b506e75a5bf7d58db6ed330784023916da91fbe7df0a1c9e6d1f6029c3b7

SHA512
6a4bb65fef5112825b0be74e7d6e4fc29139d9d0e2c165bc48a4ea3a188f95eee72885a255ea2a7c1a1c4b57d773e2881a8beaabd64d66cbf1a558d698dc0093

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwEM.exe
Filesize
203KB

MD5
8fbd67bfccadf8f5849d4b48a3c9ac0c

SHA1
2cd46c00876512a096e1172e6ee8b9f15068c941

SHA256
7303c3c079d8ca82f3c9ca0010abdf872345b56c3e67ef8134850ec517a5814d

SHA512
0fa0a85e5eeaa290026ca9225bf231a6890a98cbc66be189e58968fcc2d4f187a571f88e996dc518c9e0f8fb316dec2c0e4c71235ce4838081912f7cb1135dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYY.exe
Filesize
202KB

MD5
1a984267e0b68ada571318be8bba06df

SHA1
cd2e7b9d5db6a9fa2edd6c5d2b2568ab37c7deb2

SHA256
4dfb54a39dbfd0a591b9641471998464ed648375294292d2044db5a6a863a851

SHA512
fe55c247c259aa8c55389f5ff71cd36395db38f5d5b6ea938607a8e2ae014f0c696d9f99476108c2fa1a38e3e0148d7c5eefd61ab1cf805d61e9846e4b32afeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYo.exe
Filesize
204KB

MD5
75d724c13ed1f4b7e75b5c49bd5d1b42

SHA1
d96962ba4075d33486b603cba70677f4b0061c1c

SHA256
dba1642baf4af4355e6ee57eaa7ccaf48f2611cda647283d505e56886af0ae7c

SHA512
8c671d66cdd8193ef4cf6f736a19454a179b1608caef7891306c6ed6c13f88a7b73713ae0953c2aa93d6cbcf2d17bf90b23e1e1d6f7c5e11e8c38f954b79acaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgAY.exe
Filesize
226KB

MD5
0296da51395e94c2b3c78c7fd15c756d

SHA1
d8d0fde78db435bdcee2c8db6cad58ee8af2f734

SHA256
cfbbdcc4d49cdc8e70439977ce4c04bd3e075fc1003cf8e8086febea10ddc3c1

SHA512
d0fb0beb3113ddb83189a8f3339c2ba726e2e57b12873866972ebb070e7e7a68e05097d13d7222d634452e4b904efa3bb28026bf11ad2fd7b5cec1f14cb0e00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skcg.exe
Filesize
193KB

MD5
8783ca3c5e773a09879cd548fae86821

SHA1
94e4af9c4ae03ab0ae43090ff96404ebaed55d14

SHA256
c8e2edcde8416f3dda495a0000caf79d4fb7cc48aefa0b1aaf3ada26908b7b3d

SHA512
8963a07ecb0f1c452d2c22de4028f7292bc640ae9c46d43d7cbc827e318cd216616be8b20bac1c4237e58430e748aa99928d42a4a2a62aad71822321edaf1596

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwQS.exe
Filesize
806KB

MD5
2a69d303c880a2e02685519e1545aaaa

SHA1
82d80045b1e7794ad1842e846dee0ff77445e4c4

SHA256
fb813ef6324f775a639919779794a8bb4feea1c15dadd1c03425649eacea6c76

SHA512
35a9a30c75e276b4f6aaa5191501435de4592ae40b62a3179f891293ab99088857982dc67b3fbec3ff43fd4716b3035e553599fb141fbea167a49322d44ff8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAoE.exe
Filesize
209KB

MD5
f157889d52cad37ecc85646a4f70413f

SHA1
cdecaf45e3de75d558d922496e3d2dbbfb9456ec

SHA256
b9b2da30b95275ef2f7844019a98fd3b0d514719c45428e9b61472a48b9a1b0f

SHA512
ae0dd078df06e413122743639e40650e574aed2cc5ac003e338d82cf9c12d696a299730d62db3811912a0dec887debef3389102e1eaa9ffd2b2d0946db598e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukwo.exe
Filesize
194KB

MD5
062dc949b0c19cc564ab5efeb7d35099

SHA1
0f4b37d23d4fda8fbb133279aec64a77c83ecfb6

SHA256
8ae5fca1f5ddff42b761bc007b36bbdcec51a63da016937241bd47c01b73e7d6

SHA512
7746cc43651778e3db6567b6efc73824b3753d39345dbf38b9900d53eaac761189a9da9d0bb1f7034748f681827e990a3d1d81f004a4c8cb8355b647075198a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoEe.exe
Filesize
215KB

MD5
01fe3381556df9813ace0c168923612a

SHA1
6d4d16f3effaff852378a1763fc0ff14707de50f

SHA256
bb222e1b489c9421fa5c81f2cd023576b5d5cfdd5cc6b2871877d9c9a2f501db

SHA512
b9dded7b514664d0c9eda8c6de38603d1246fde8e395a7a8e988ea216eb6152a3c0cea64fab40528c16efc04980514e8f360c4c8536c5b49ef7401dd6e712b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYYO.exe
Filesize
795KB

MD5
e01eddd80e1b04994df23abeefd4fad3

SHA1
bd12eb44b60aee785efea7555395e0730da95cff

SHA256
e95f4135e273f84f225f28a35eb70343274e23e869b41a90d39fc89ff9da17c5

SHA512
6bb9d18265b5e0a421f765c1e6edc61bcde6b89b3d36ee2e6268dc906fb1c29b8388ab0bfa680018cb9ab2190250881b25a8987a22d9634cf439535b22c3919d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYy.exe
Filesize
236KB

MD5
0ff5f6bd77eb4bd705d7faa9dcbc65cc

SHA1
3e98bb1909daf715c4084528e6b1271d0aaab5eb

SHA256
6055392a9f154170aaa72b8de0dc147a3a69824bc9de4dab2a25ea17a02a9d5e

SHA512
19be376cc4392d3aa4c185635317e5f2d239c9cb63abbbcffd778493731316e7c5ba0534adc92ccdbc401d8ae02120d7f520d685d79cc817061df0de393c446f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIcM.exe
Filesize
200KB

MD5
ff5b8e6168d3270142a940c30649d0aa

SHA1
edc268de3b69b43c643d71320bc155a0c8571b08

SHA256
24208dceb5fffd3f36df21010d70c5015add0304b6194e461ee0271efd7722ea

SHA512
ba8b95c9fdbf6f7c160a9ed12da228ad327a43d71f0391f104879398581fb84c4aaa10d871ba2f3083e2dac3fb6909780756ba11f5033159f38f945e0eadba9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMoS.exe
Filesize
1.2MB

MD5
a9cfae6534c41a754d5ae26b3755c758

SHA1
a0363db90d48839dd2fac89995e4ba7f3f32d131

SHA256
4fa09a851371c644fff6256cd3ad9ad667bd47fdbbc105bde98d75209503cbae

SHA512
9a745004f0bdaaee4920cb6cf5454f91bea1e060d984d9986f48ec48d98e436c78174dedfed1d5c820b31e43a0c028dd4002c420dd89d4ae14b41851ad35c965

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgIK.exe
Filesize
225KB

MD5
b92a65352c39c2e2e0cc35aedaa859cb

SHA1
e24fc7a4627055ae2a1707cd80fd04749e3492bf

SHA256
86a09477625d8d24dec5882da49572f056d43881c2821190a9cdc6edb9e6128c

SHA512
5141c507f71bb0e23bd595a7bb90f32c3d76f499859da229479d3c397011ebe490162de28f0356ecbc70008dad5b206c92f86c3aa131f3aebfa06e2b64a38950

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgUs.exe
Filesize
202KB

MD5
a177649254502877940488f14d866d24

SHA1
abbde92430f83d13cc8b287def8a5cfb2b392d41

SHA256
4f523b88451185de5d39957ab1ab5c2c6b2c24d0939a136bfbdccb0c7260b5a2

SHA512
2abb05612918ef408edd4c967d98afc276bf2c6bf22b2ee7f79ffe332bb5822ee206e8ef90e469ec575e11be1bfb4a39309c62b0e61c1b171f0727e7cdefe533

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQkk.exe
Filesize
190KB

MD5
7726d380e028f8e81f94e3146bc480fa

SHA1
65520316986fd559311a4a141d25d1878cbcc217

SHA256
85306fd2fe5edd89579e93d7c278649bab2ec6fa1528c776f1d417c732ad1feb

SHA512
b8d4ca3ac38784c149e464753682461b47ec1ec9629ab41e5903528ee764d40964ba9aa554838f0f8cb71ba0225362706b7b3deede58e41ed931e6dc13eba7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUQE.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\aooY.exe
Filesize
182KB

MD5
b89cd34fecbbaf959af9291213e3848d

SHA1
235eb499bec46fcfa6f3c049c60720ea419e9885

SHA256
ed8f889d83418e913a642ab5aa9fccae7bf14a05a375da65c15f00fe02045584

SHA512
d1ac6e0a13934907fd5648937e114b16e547956669965d39ed1f8a69687ff4fc13e66726bdba1478d6aa4f783c712076c0967c7a683d2da91762769e3fe7032b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIYy.exe
Filesize
199KB

MD5
f9f58ab6e40a3250c9740496118f95d2

SHA1
816c9e4d9110ea2e1034408804d502c2c7225064

SHA256
bd819cdc04a74ec6e07896847a4fcaeeda7562c213155c503ceb8030192ae681

SHA512
8dc099189d4e423456146bf856d88b789af9dbc6e4dd9dcdcc7c55a2a37fe82e950bee159ff7cf8f91589a3eb151ebb9f8853c9e0a1ee38c9ccd6273bc674c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQsS.exe
Filesize
783KB

MD5
8b9b59b7a67755d138f006294adb6e2e

SHA1
2d22bfa49b2f6b01f8d5272d7c4e1208c1e2eabe

SHA256
2f244da4a15903bdf64d30c4396a7bba7daa71581d1c2a80400983de38e22c8f

SHA512
03d055eabc40691e69561ff680e7e05692e97f90363b52da97324eb83c780d70b8b7851be159ed805d54c9cf3e11828869a54014a130cc0027e3061775010adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cogq.exe
Filesize
187KB

MD5
c9ff99206a87485941097f0e6e86a663

SHA1
32be65cd127b5cabea8141acb6c6472dd6f8c8a7

SHA256
c104c8c0102a979dd9d5308f4f3aeecf4c55ce68033176d9483b318c49678fae

SHA512
a04a0272c7e59d34e24c87e759c5b0d57713694a1a602008df041ee4d2df57b4dae3828b4634dd35e710e7dcdb0ae64ccb40cf9b96a8607496fbbd15f016a8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIgY.exe
Filesize
629KB

MD5
c659d6e7888c0d9118645b228bfa7484

SHA1
a380112a229239946e646893fff6931ec9ac78b3

SHA256
ba74e836269b5ed6c626974a13878ac37dbce7a1ce8cfb1d1688194fa90da534

SHA512
935f46c4e3304d1dd6f8e934c6a5b1880cc0a1d9b72375c82bd978ff90da0264d7d801fa53a7e56e4db92020cae7f506a57bbea71e515847f99334c64f9b3ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewMO.exe
Filesize
189KB

MD5
fa75a7131dff3db9c27e5300da74d753

SHA1
178049b6d15d1468d1d54b59edd627d4d7076b60

SHA256
1b7b0943db2c8512893cc6b4a78392e30f0c38956b5ce36d4dbea99d7e2452af

SHA512
697a3479dd43c8a888ade0294f21fa37e2cfb3b73f5b51acdb810ece43d2a6270a473dffa5c75ee027998b2aa51c021ba0d4023e73f51be04074faeb5ad5d77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIAW.exe
Filesize
205KB

MD5
145488ea6d4afcaf1ced6c72241bce3b

SHA1
0d3554ce8be8d7edc4d058bd387125b1c3bc1949

SHA256
3c1d8c8f2c30936eec9267336469688600594a96509a79fa59657139593f6ecc

SHA512
b126a6553cf08ee1ee60da38fa1892dc09fa6e3b1152c19567ef44e72d1fb0b46636aa240eac0c374d73e1ee4c7ec79333296298d181a21bbb5239f77a621237

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIUO.exe
Filesize
209KB

MD5
fc514c0248ef6e2f2d583a253e5a6d3f

SHA1
bccfe9c4e95b7dc30d03a218f4e829c41cd57624

SHA256
cd57f0cf45b3a40bdd78610498a15698a4126190160b928774d0e74b6a0a4a04

SHA512
3b17740b1c9876239da9e56d366ab6bdfa15c24aaa178d4311301cbb3a6f9448202b466afc6bcb94176046325168266433ee0338b04c617821a868c002cb35d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUMc.exe
Filesize
212KB

MD5
92e38262dbfc532c4a18d7328c8b54cf

SHA1
b5263dfa74bc8a39e31cdab76bdae21a84de9d7d

SHA256
9f9ae48b769e4c12f5019680af265d063bf5f1cb6e3c11863bc2a958f580b378

SHA512
394dbd1b55b0988e31b64646ea4f31aaadfa843718d6e60f1a20bde5f76576e31ab7549eebb2fe3d739f926cd62f5a7eb240fd706ab0052c6387ec0718ab3add

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcYG.exe
Filesize
197KB

MD5
1770d926e20286700fe398b171b16df1

SHA1
9429e4066112e8314d11cd7947096132dddd2012

SHA256
2d50cfc121efd8b8a012fec32a2cde6b08d8b052e6bc86a7073046af4705d6b2

SHA512
79528df506658189acd8c5a8d487378deabd7e577bc500c762f032b56d6c88d756648610e7ec53853262c04865a4f1ddaab0de28c83ff378e8595b5a88a2be24

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggIy.exe
Filesize
187KB

MD5
5b6a042ac11771e2eac3e90a41d0db76

SHA1
f573a12704ce78ba3227a32275f27b33ce4793e5

SHA256
464f51e5b6bc5eb6d5698a1031124e1a9bc8ff9522b40cd6e34a86fb0dedfad2

SHA512
727c718a45919c9a23d6d9d220470ad14bf8a9c537f592b783e2fdbed1c22f9520d089d2f1e73b2ef316c0061415a842512e5efc6d8b2757e57cdf4b2df9c836

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggsw.exe
Filesize
200KB

MD5
1f31407f4fd9ad975506991cf1732e2d

SHA1
e281e6e738b9012aafd9d7b8ef24ecdd0d2fc53e

SHA256
fc24e3bd65762ec2b045f75c858a4ec132686ffbff910917d7ac1b95f5187e66

SHA512
2cc3b142d33462dfbccc955d928670b54ba003ebacf5c52a262efdfd6739152d488cd44f8937d011b78ee47816fe5f481d09f22748e626c8aa8c41239681a757

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkEg.exe
Filesize
193KB

MD5
339f981fd15d1efc0fcfb2bd069708a5

SHA1
da578a47da986e1c933742b5be19c77cf46d8b56

SHA256
09b303e2a395ed200c411cab650ea6e0f5bd510ec66332e39c9cdf8ca9e21972

SHA512
73c1a46f383911c5345b431a1b0bb570c9996be4dd3dd647d96f57c393e88c013fbad74904e80824e22bb1f01df05df6f06def8afa39b32050ac4c461dd96e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkMG.exe
Filesize
192KB

MD5
e57297929504a0131d1a12d232408c90

SHA1
6f83f8442476144ffe4eeea5a0cf75159028d43b

SHA256
63f40c478ecb2af6d31df66ad147ef57e79f421f68787b897773fd381242caf6

SHA512
44059bd6e4e638c9868810b82c858a1ae0d776f73585d65af2cc16dba72574409b1cbdca89e5655eb1d18567f6eb9467edfff69f2abea93223f992cbb636c0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAUI.exe
Filesize
192KB

MD5
1344f17ab6452baf545882b64a22f5d7

SHA1
49d21e70799c8127c2ddccfcc756420f45a3e654

SHA256
b5a6d8e9d879ceb8b4a61aa6b146e433846fc5556d8d294f7768142dbf661fd6

SHA512
20c743031b2ce85b7e4958dabcd4094cf03d7efec392af0a1433d6e05a804a622168ac61a860ff5c5f7462ebcb3e17f7dc8780be2caed5371500f5df7c51669e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQYY.exe
Filesize
641KB

MD5
fcdf8bc2cc49a3ef23a4aeb74547d239

SHA1
07f0d40e25ea927a63d06f6e4f8cc8f42877bd99

SHA256
cea304374ddb23cb587ca4e2a0b742cb18614975176d51f3b9fc595dc32ca6e4

SHA512
a7dccd334394170975f48db268bc566bd579194bdb69e320c56654ac208300c4bc48611bf183b35a7ccd35cc0878406efc105de24c2b9545370fc7be505462f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYIC.exe
Filesize
198KB

MD5
a1baa3fa0e4df2360ac74b63302bf405

SHA1
ae64500da940fe7ba983fcec1bcce97b212257ff

SHA256
840b725a5cf7655d152c431a905c166f31ae74a2a18d11ad9ef7a6a0dc5f77e1

SHA512
ed1dff8e79f9c21eeef3f91068d95fff2f14a4b40de81b78f4fce5da202df4275edf8865612617ed641978189093c74cff8d909ba782bd228fba48ea7ddcfdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\icAW.exe
Filesize
323KB

MD5
3e99b22db0e8df4f27e46cf2862a78d5

SHA1
88ff7a314c7ae8065423e3e7196eadbfe141e191

SHA256
6159c709ab2bf9827a72c2f21cfd0c272853edfe00a78c9544b7824851c9461f

SHA512
d5676f8b02556a2f7aff7af8b73004c406d2c0457d1a7fcf15090421d055323106c489df370ac4c9d9f7469231dc8999e7e27669a54cb35360151e9f0f3bb97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\igQO.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikgo.exe
Filesize
1.1MB

MD5
aa7ca9e797a02d9808df2bb6620e7745

SHA1
b28d0cff474dc1ba6042f1961aa478207376f557

SHA256
38c87936a3135b556f96e23e747e3a141832e5bb0cafef79e726c2e8601cf6c7

SHA512
28f5ea8de540c35359ecacdca41bfffbbb8e2095b65bd11357e38b44e302c79935a0ebbf816e37c29d37fa121c1f2143f3b093351295ee2484f626912475c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMEK.exe
Filesize
207KB

MD5
9fd9ad72ba321bdadb97e5028d7c870a

SHA1
82d3a626f8ca32c4d4b67df5e266dc1152c7a2af

SHA256
bfb73b6e43a1c72344799e1cc5b11283bfa756f41a6f969985f431bf608ae4a3

SHA512
68e082b8aaa9ee853663bd20a337ac55011bb189a21068277a40f8bc52d65db631190015891ece1f570a95f098cc2dd4c960abe0eb71a89790805351e246fd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYMo.exe
Filesize
957KB

MD5
7436782bf3871fc7ab1a65ca3111dc23

SHA1
2246a54634b10a4f3feecee6fc4401a473242a0e

SHA256
22e5c4614b6e656a043bd6906dd5404d39cf260b33d9291f9ab1c9da5f7f8338

SHA512
b37a201235a23fdf0e7190bfdfe32e5b86e71d819db24340f25444c904ca167405cba1898396df8fc8ab1cd832fba5696563afb304c2f53849147658fe746b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\koQq.exe
Filesize
184KB

MD5
b9780f63de4891ac08110be652e16bc2

SHA1
ef21680ca697b5ae5d40e9a5bfdcaa3cb82601ba

SHA256
a6f48c05bc951d6db4abd13fd8999be6003ec8043857c0290cf9f279381b0128

SHA512
c0848e0b1e27bea47fa3820bacf0ab7a6753dd4d3797835ad8c872539d5940f92ca72602c6fec868389628d296ceb851353ac3ce47bef10813f15e086dec80ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwcS.exe
Filesize
225KB

MD5
70dbf4d395308859e9fe4a747933dac0

SHA1
259b45025f0182020d04eff3aa5d29bfad8d37a9

SHA256
973b7f2b7073b1163aa17a11595fd815f433a4b6918ec214bcac4a664a4cb829

SHA512
2b5315cb8c7f7ba39d93b1bb3c9343398d15ae1a34a29904fb3874145bdb9f4bcda9bce01e2e6a67596eb5c805369d08c81d551d0bec0ab2b97267dde8bb124e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwcW.exe
Filesize
197KB

MD5
6c2c5c82b90752bdeebe8c224dc6a112

SHA1
8e093db3196ccc24c541e45edc5bdbcc90a40f3e

SHA256
726d16f16d6658134c7a03e733068cfeb0b0738953f4e3f39f7989d865686d36

SHA512
6ba15360f002d28464a1d83d7668f66f8bb7b20e03145857349d4eb3db54a322cccf8d1ac31f80367f70b3619f2232ea660985b390024200529f70283d3df4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEAo.exe
Filesize
1.8MB

MD5
4a804ad1c2e875877914553c08ea848c

SHA1
82c30e876f1162f9a5165f6c7ff6230f5f6704cb

SHA256
8ce9c6d0c2293376f0da5a374238feb1ff4522e28392876d800833fb676ce43f

SHA512
8a6b4e55f48fdafa9033e3c0e28054e4c07e61751125176946f70b75061edf536b64922ffc6fe3ab0141770d39c079f4b7ca7ca8cc797431dd59ebe927ca224b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUQW.exe
Filesize
194KB

MD5
a7d6a68f5292ef3b039f02072e0c18f8

SHA1
2633b31ba61960813c742c370f855306a7f07594

SHA256
b726643b72d7baa1177bbc208b7969d06f6f7b444b2981af71505a8035fab0fd

SHA512
79a33d4cc80dc7208592b2946c2170f23ee8e469f48b9c1f1562ca52389228a1115ffb69fa06d91362d859fa365931e3e2e0d31fb5d5ed16e08799807dad4a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYsk.exe
Filesize
185KB

MD5
cf20879f30ba8dad074eadf8dcf3ee87

SHA1
a58d60d0f6a9c5aef0eb391c1e30b547a9dfab7b

SHA256
236aaa167e9449c541d93a241fccd408f24314d538fd1c6da7a29cb39af0b5f4

SHA512
e00f95e9bbc53f0945603745bc95d6de2e1130c4f55fc284b57467da8e763361958f62943e371239c7a6bc558b3dae84727b3360ae87d55d701b3cc814aa0577

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogQc.exe
Filesize
1.8MB

MD5
cfdc0293da85e878604ba2205f0dea50

SHA1
83c61b52634e7297f7c889bdc479119469463e57

SHA256
ea158cbac1bcdfaf705f00b5648b0a3c9e02510fbb00b717a857264bf165dfb3

SHA512
240ed16c50c1e46e4c590b4c4fe1d8f429d05e9d02e5ac3a117d574a7c4de2aea888d9507b80558aa2af2bb302412cf497fea48dd9b1efd76d6cfd1920aa21e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\okUo.exe
Filesize
201KB

MD5
d534e3d6b70b87a7bbab716a4542c5d5

SHA1
71e1149ec0548b50e1f63a5b315d046d1b279350

SHA256
0be39b75f494b6380b25875f60b4873c1e13161cbbbfd4cbddb18cc78e1d713b

SHA512
5f4cf7e24b64a9cb7de07c45653e592b5cc6765c6669fa47b463e8cd14e846bfee5cb929ee0dee0fe19c7954ff197181924296509805e2c7713c1fd08173d8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ossq.exe
Filesize
784KB

MD5
9316c76d8e08c6be8aad46c65c898cd4

SHA1
5e11fd4ea79c5a153602bc58c06a8c1bda122fe0

SHA256
e2e5f465fa1b435744ed209d954c6f367eeba0c95e7ccba3355df6efca412baf

SHA512
adc2946a9f31ae11cd767f274ff08bfe5922449bb1b8504fb6e4d8b400c327e4df94ade5c05253663c31b76ad8021cd68b06a0446aa70ee383b5d132396d7279

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAsi.exe
Filesize
644KB

MD5
8a8ac5538793a25061ed58b009975590

SHA1
2750f1afd92ce8aa61b708d4fa048993b2bfb1fe

SHA256
4dc78582b5055b7b3d6ec6f3f80f7da546a9ec7dcb4339a43c067fa688697a69

SHA512
a175cd2eb08afa72e3eb0fe51f5ceb693afd857001173d92db88ccc62d1077d65b066fec2701542b18ee66e5749d038730593a5abfc090566d3073cec3ad805b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIMQ.exe
Filesize
195KB

MD5
3d39ab8e31b776e9da77b4d37545d1b5

SHA1
e55b88a946ea85107a4e34f8945febeb709c916c

SHA256
8b67df416e9db1e2d002de6714bcc30fc6bc257f6f9edb02256acb1a81516771

SHA512
5c2bbb544d8d7b5c95bb001ab589225029abeca52647a1c59dc270bed0ff31e8176a200a3b39af00d4552b4719f98135da9812093e58abf2507c8bba1cd9b3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQIK.exe
Filesize
197KB

MD5
c8c08d15c85f881e1d5b5d8f99e237dc

SHA1
f53e9d97403c4d689aa1caa846a091df8f6e572b

SHA256
90f20e506c5e30af0d632ed9e278d4f6d2031d63b37b7471d9bc03db19149f3e

SHA512
34468acb03d263292f59f048b711588b3b08d899be4183cd2325acab9603a372c6cbea52b7c6826d87952ffe34ac05967f8a37590e92367da89e03e5fe87b03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qccA.exe
Filesize
196KB

MD5
74bd82b768ff4566eef3f87d9f6b2b7a

SHA1
0d43ce8e16f1850435f3510a8418a4e41ee48bff

SHA256
708ef648c2e943f54ea80f2b003a31035fcc787a073a9c2e3fea3c250cbefac5

SHA512
8101f0772f4ad35bbe877ae7cc6c6c9e6384c65dc9916bd38065c3fb3643dce3b1b302884f9709c73c9154f261278a3a1b524eb7c13bfa5f9286b178b5157df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAYY.exe
Filesize
185KB

MD5
cbba6ed3e07689cae7488223afba7fa6

SHA1
f42442c57b7475122017cce9772f243ef9ce4cd4

SHA256
904d3b10516211ef02aa0c59a0f9951f2d6f06ff49ff7e8af8b998ed9210879e

SHA512
19ca4547db327221a93325fe142fbbc87c43f3fea85477ca4076f7af9767c409b2976202707e777a50b3856d83082c615384a56782a98ea7fbbc6fba86edaf61

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEO.exe
Filesize
638KB

MD5
b980b1a94723e41699939406d846216a

SHA1
90184257563900e3bd573c1a700725ab71135781

SHA256
a3623ece273b997ddfdb744c095ab55eaf55a01735b2072c3b991d2deb21dd7e

SHA512
f06ed9edbdc7cbe516475108334af016abcd31a23c67abcd6c0313ac8ef66d805eb01cc912751212eccc87bff94b9c1bbf33b8c0d6cf5cd0add161fefc46bec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMMk.exe
Filesize
436KB

MD5
2e294bcdad57f93e71b1b8d66fe55eb9

SHA1
081f9dd477aead87e16d889fdab255d45d638db8

SHA256
992b63932755a2664e46b354788ee17b12cab24adb57cd02a29fafe138b55442

SHA512
078d2ab8a393757617b135b6d9d9044d2025eb160eae584b59ac4c168366301e7bff74f8abbebf448bbbe104d5e9fa5536dc75c77310b33fc313026eb17cebc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYgM.exe
Filesize
197KB

MD5
9e46493dd8f8ef6c0fb34e7dfe004c40

SHA1
631cb03a2a56840ab153fc6dac0a9a2ec60b4734

SHA256
3c467fd019968034a262875cc663ba763b2b15db02ad99aeb588a8c8d165f88f

SHA512
1ecdf5aa3ece38764e2971cc124390adef44f13b964bcb9f41874ca645949e1bc35867f55f199f3532f49683601c2aeffe7e80aa306b97627bb20af59092319e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucAQ.exe
Filesize
187KB

MD5
859df89b71628e095b54cdccc2bee1e6

SHA1
6344a8c4641c1744a415dd6b241b82ad566ff712

SHA256
fbad1e7592c206b7540b3ecc3d4b733c048d917ee01f426e47f3688bdc8846d8

SHA512
0c451de117d437a924fc32b94ae29373ddb0afcd19bc745fa5408c6a1421a04c2913e4f667753e32c30510a45656c488b9df884ea061aaf797d594ea8171f896

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukcA.exe
Filesize
823KB

MD5
9ac3dba3c05cc597224e55f459d0dc36

SHA1
ccdd2f4efb1108cdfe5378be45b07bbc3e059932

SHA256
97603b5d9b60aeb24eea0d94193ecd64e313c1f50277241e3e04395b190e04fa

SHA512
95459e321aff029803aa53d2e583932c16817842c5035f99c462019e4af12c3b506b73c619af6f31798f57ba266a0b5a16545b781b01c812c3f0399cffe082d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIAI.exe
Filesize
204KB

MD5
41d221fc5f4da8eccc9f51615db45346

SHA1
a4af4bc7b1b42a2f5f73b3f8969d435f4dda51c0

SHA256
29e1233b29f938f998037a24661f35f3d369178a6a2914e3be2130439dbd4e25

SHA512
4bb952b10a41b93704b25f111153137bfec0522d911c128f0ae18d7bcf888ff9660d97fa672e2efedf3d47ff705d29e1b9df3b32f406a572ed2c1c2388248283

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUwS.exe
Filesize
200KB

MD5
1cfd04514b08c8adf6178d73a64346ee

SHA1
914093c3c1729bab3d540ae78e764f252c1aa5df

SHA256
659b2e5641d3cd424674816c20d2b2a714d193d1a047f00fc6c40ec338b043c1

SHA512
bb5f0cbc0da1dd8de1970b4b39b20914b5d8a212dddeb0097f2ec2412f76ba1c4c49c0ef2575c0928d03fa9472d33369d42a486b9eab9f11ec9ada89d194082c

Download Submit
C:\Users\Admin\AppData\Local\Temp\woIC.exe
Filesize
5.9MB

MD5
28721013f6526603b88bee334daec364

SHA1
9f2bb0900232e938e9fecb663ec9a440878403d0

SHA256
bf4bc1e635d612df1e5e87097aa717478ae427ff7369f0a00b2dab4901580dd8

SHA512
c276c4adfc0f215dc91514a7d4ac9f6303f6fd3ae53fb40408dca722ea39fe6a9d3c08525e77ff5d536ce6890b422ad984d709248621ca7c1f9006dbc85b831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIQK.exe
Filesize
249KB

MD5
8ae6892206990dfd02a462406573b055

SHA1
6b7eab529f7bce7a40771dbc110204c0c0d6f6c9

SHA256
8365b239a42d4b95b953e0b1340d5db4295e8d95db72045475e08a988b8e19f6

SHA512
05fb320748b5c75dd1adfc5bf09d6097e9e2e3241cb4c0f877cebb5dec5a80bdb507239e3f3e153e288a3c7b199a62f0439ce1ed61299f46c35d03e73354391f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykIa.exe
Filesize
1.9MB

MD5
60be5e3fd9e8c0f04707113b084b8bd8

SHA1
1a0eb904ecd830a34703a1d987a5ee791b931a74

SHA256
240fc540aa3469d8e15c7a0a627703f4af62132f8962ef183a58b603c49c99bc

SHA512
eb4dce2c8736b6f828c8c95d3583eb56e3dfc9805ed9aba54ad264886438227d29029ce28b00e85c1865be0f9efb83b5768c1fdfa6fe3d83e01637e5457485dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysoI.exe
Filesize
199KB

MD5
544d855d2381ad760eecc024aa7e3e2a

SHA1
d84a8c9aa2dcd497430f2e4f15c1d718a1ef08b6

SHA256
ece84fe0733712be0ca726be2311ee3fde76b6c1ac4b08dcab5f1f3a7456e3b4

SHA512
0f23649c68ca8d22e656406cb27bdd0dddea0ed81c2dfd0b7d576b7c75478742c7cd853115e00bf8ac8e8e4c836d8cc3626c02c7a1dd98b0074b2336366225c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywkk.exe
Filesize
325KB

MD5
25afe31f5a3e7c4e2ec5c26ec91a9b9a

SHA1
d7037a6946d378e0e89beb9134553b443f0a426b

SHA256
33c18791cd5750b62072a64dec74545f396717a4891c5501341d4e71e41deb49

SHA512
baf4352e51cb1fceee49a35dffcdc49a00792ec51d0685c0f3c114c6b90e4d3c12b3e3af78bafb90aec1acceef81bd2764f3817e8d2d74f799ba90495208f076

Download Submit
C:\Users\Admin\JqwMooIQ\eOkwwIUk.exe
Filesize
205KB

MD5
ef6a940fda023843ca9cccb807047b02

SHA1
5e5381fdce10e4e2e324e413f9f05ce67de4d20c

SHA256
b3c37ae852802242f10e52ec87e92e09ba650d9e2998a6078ad214eb797a471c

SHA512
3ff3adf4619fd3a3d302df9ebcebfe40f41dd8bf4e7c0d77d74b5f7ff3d2bff9b4a9f88eb9502a2333cb5d4b96cae3e16a7dab7c150eec5a08e48e490b39d882

Download Submit
C:\Users\Admin\Pictures\SplitInstall.gif.exe
Filesize
1.0MB

MD5
7490efbfeac6429ee95780f2dceb8a5b

SHA1
a6b690a7e4ce1feae7c091c98ac644f056a3400c

SHA256
52ba1628478eb215cfc5475c554b6ebdb024bfa9227ada8092498a31c58e11ae

SHA512
d95c9ad76db2a169e3bdef9b3cd220a06dfac567f427693d3b86a1b314b0643f2e3c414e864734ffdb15852dd9ea8bb3f05b04f023b7fa0fa909fff0be724547

Download Submit
memory/8-449-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/8-462-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/336-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/740-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/740-373-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/888-499-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/888-507-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1160-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1160-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1216-300-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1216-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1340-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1340-518-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-441-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-453-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1528-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1528-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1852-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1852-131-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2164-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2164-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2500-481-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2500-470-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2516-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2516-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-545-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2800-391-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2800-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2852-471-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2852-461-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2868-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2868-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-536-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-524-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3100-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3100-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3128-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3128-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3324-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3428-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3428-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3560-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3560-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3560-348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3560-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3688-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3700-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3700-498-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3808-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3808-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3920-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3920-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3980-528-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3980-519-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3980-489-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4040-265-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4076-429-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4076-444-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4088-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4088-241-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4168-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4168-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4300-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4300-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4300-415-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4300-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4404-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4404-29-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4456-163-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4456-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4648-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4648-201-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4724-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4724-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4800-433-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4800-420-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4808-563-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4868-294-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4868-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4868-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4912-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5016-555-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5016-542-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5032-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download