0f3b66fece3bd62664a4ae3f5996bfa41ef910e75f65a8725903267f4ef85a0e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
Size

204KB
MD5

25d6586cf3cea9c9a3b7c8d4b784edbc
SHA1

7e2340a2426c74af6c0639907c151ba9b24676b1
SHA256

0f3b66fece3bd62664a4ae3f5996bfa41ef910e75f65a8725903267f4ef85a0e
SHA512

373b15720a3769f6e1418f51fdc7b24f0b719b5a15a17d4e1e3a9a7fe2f02e1bc2efa7f6575ee2449dc6a5633d1b9b3518bea8869591224f3827403954eeb486
SSDEEP

6144:Uq/GqGiKuik1aB+o4nRo0Rc6rNW+ZM7Rn:U4Gqdj19csS

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 4 IoCs

Processes:

flow pid process

39 1400
43 1400
45 1400
46 1400

flow	pid	process
39	1400
43	1400
45	1400
46	1400

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

KwswEscs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	KwswEscs.exe

Executes dropped EXE 2 IoCs

Processes:

YmYUYUUU.exeKwswEscs.exe

pid process

2052 YmYUYUUU.exe
692 KwswEscs.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2052	YmYUYUUU.exe
692	KwswEscs.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exeKwswEscs.exeYmYUYUUU.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KwswEscs.exe = "C:\\ProgramData\\EUEcYkQg\\KwswEscs.exe"	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KwswEscs.exe = "C:\\ProgramData\\EUEcYkQg\\KwswEscs.exe"	KwswEscs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YmYUYUUU.exe = "C:\\Users\\Admin\\xkcIcgIk\\YmYUYUUU.exe"	YmYUYUUU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOUwgEog.exe = "C:\\Users\\Admin\\UEEUcock\\SOUwgEog.exe"	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oIIoEIco.exe = "C:\\ProgramData\\BkcUEIYY\\oIIoEIco.exe"	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YmYUYUUU.exe = "C:\\Users\\Admin\\xkcIcgIk\\YmYUYUUU.exe"	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe

Drops file in System32 directory 2 IoCs

Processes:

KwswEscs.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	KwswEscs.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	KwswEscs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3364 2648 WerFault.exe SOUwgEog.exe
3368 4852 WerFault.exe oIIoEIco.exe

pid	pid_target	process	target process
3364	2648	WerFault.exe	SOUwgEog.exe
3368	4852	WerFault.exe	oIIoEIco.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4936
1468	reg.exe
3524	reg.exe
2096	reg.exe
2828	reg.exe
2412	reg.exe
860	reg.exe
868
4528	reg.exe
4520	reg.exe
3516	reg.exe
3664	reg.exe
3016	reg.exe
2728
2412	reg.exe
2796	reg.exe
2444
3936
4764	reg.exe
4896	reg.exe
3468
2696
1080
1636	reg.exe
4264	reg.exe
1624
3296
4648	reg.exe
1796	reg.exe
2564	reg.exe
2264	reg.exe
2844	reg.exe
1260
3864	reg.exe
1232	reg.exe
232
1692
2184
2004
2584	reg.exe
928	reg.exe
3104	reg.exe
2968	reg.exe
4676	reg.exe
1796	reg.exe
3712	reg.exe
3288	reg.exe
5096	reg.exe
3868	reg.exe
3532	reg.exe
4472	reg.exe
2612	reg.exe
4244	reg.exe
2960	reg.exe
4764	reg.exe
1648	reg.exe
3324	reg.exe
4952	reg.exe
4148	reg.exe
2028	reg.exe
2908	reg.exe
2832	reg.exe
2376	reg.exe
2688	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe

pid	process
3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2780	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2780	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2780	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2780	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4676	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4676	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4676	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4676	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2396	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2396	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2396	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2396	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4992	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4992	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4992	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4992	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2000	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2000	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2000	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2000	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3912	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3912	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3912	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3912	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3332	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3332	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3332	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3332	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2776	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2776	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2776	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2776	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4720	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4720	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4720	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
4720	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
1976	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
1976	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
1976	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
1976	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2232	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2232	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2232	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
2232	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
1628	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
1628	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
1628	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
1628	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3524	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3524	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3524	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
3524	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

KwswEscs.exe

pid process

692 KwswEscs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

KwswEscs.exe

pid	process
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe
692	KwswEscs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.execmd.execmd.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.execmd.execmd.exe2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.execmd.exe

description	pid	process	target process
PID 3452 wrote to memory of 2052	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	YmYUYUUU.exe
PID 3452 wrote to memory of 2052	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	YmYUYUUU.exe
PID 3452 wrote to memory of 2052	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	YmYUYUUU.exe
PID 3452 wrote to memory of 692	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	KwswEscs.exe
PID 3452 wrote to memory of 692	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	KwswEscs.exe
PID 3452 wrote to memory of 692	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	KwswEscs.exe
PID 3452 wrote to memory of 1164	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 3452 wrote to memory of 1164	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 3452 wrote to memory of 1164	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 1164 wrote to memory of 3180	1164	cmd.exe	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
PID 1164 wrote to memory of 3180	1164	cmd.exe	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
PID 1164 wrote to memory of 3180	1164	cmd.exe	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
PID 3452 wrote to memory of 1236	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3452 wrote to memory of 1236	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3452 wrote to memory of 1236	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3452 wrote to memory of 4940	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3452 wrote to memory of 4940	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3452 wrote to memory of 4940	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3452 wrote to memory of 2996	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3452 wrote to memory of 2996	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3452 wrote to memory of 2996	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3452 wrote to memory of 2000	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 3452 wrote to memory of 2000	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 3452 wrote to memory of 2000	3452	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 2000 wrote to memory of 1228	2000	cmd.exe	cscript.exe
PID 2000 wrote to memory of 1228	2000	cmd.exe	cscript.exe
PID 2000 wrote to memory of 1228	2000	cmd.exe	cscript.exe
PID 3180 wrote to memory of 4780	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 3180 wrote to memory of 4780	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 3180 wrote to memory of 4780	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 4780 wrote to memory of 3876	4780	cmd.exe	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
PID 4780 wrote to memory of 3876	4780	cmd.exe	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
PID 4780 wrote to memory of 3876	4780	cmd.exe	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
PID 3180 wrote to memory of 2584	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3180 wrote to memory of 2584	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3180 wrote to memory of 2584	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3180 wrote to memory of 1400	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3180 wrote to memory of 1400	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3180 wrote to memory of 1400	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3180 wrote to memory of 2980	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3180 wrote to memory of 2980	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3180 wrote to memory of 2980	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3180 wrote to memory of 1552	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 3180 wrote to memory of 1552	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 3180 wrote to memory of 1552	3180	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 1552 wrote to memory of 5040	1552	cmd.exe	cscript.exe
PID 1552 wrote to memory of 5040	1552	cmd.exe	cscript.exe
PID 1552 wrote to memory of 5040	1552	cmd.exe	cscript.exe
PID 3876 wrote to memory of 216	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 3876 wrote to memory of 216	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 3876 wrote to memory of 216	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe
PID 216 wrote to memory of 2780	216	cmd.exe	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
PID 216 wrote to memory of 2780	216	cmd.exe	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
PID 216 wrote to memory of 2780	216	cmd.exe	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
PID 3876 wrote to memory of 1976	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3876 wrote to memory of 1976	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3876 wrote to memory of 1976	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3876 wrote to memory of 2988	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3876 wrote to memory of 2988	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3876 wrote to memory of 2988	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3876 wrote to memory of 1488	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3876 wrote to memory of 1488	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3876 wrote to memory of 1488	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	reg.exe
PID 3876 wrote to memory of 928	3876	2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3452

C:\Users\Admin\xkcIcgIk\YmYUYUUU.exe
"C:\Users\Admin\xkcIcgIk\YmYUYUUU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2052

C:\ProgramData\EUEcYkQg\KwswEscs.exe
"C:\ProgramData\EUEcYkQg\KwswEscs.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
8⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
10⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
12⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
14⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
16⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
18⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
20⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
22⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
24⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
26⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
28⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
30⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
32⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
33⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
34⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
35⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
36⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
37⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
38⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
39⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
40⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
41⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
42⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
43⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
44⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
45⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
46⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
47⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
48⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
49⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
50⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
51⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
52⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
53⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
54⤵
PID:1760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
55⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
56⤵
PID:324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
57⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
58⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
59⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
60⤵
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
61⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
62⤵
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
63⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
64⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
65⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
66⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
67⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
68⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
69⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
70⤵
PID:3648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
71⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
72⤵
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
73⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
74⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
75⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
76⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
77⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
78⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
79⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
80⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
81⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
82⤵
PID:4196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
83⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
84⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
85⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
86⤵
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
87⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
88⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
89⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
90⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
91⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
92⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
93⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
94⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
95⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
96⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
97⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
98⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
99⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
100⤵
PID:1876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
101⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
102⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
103⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
104⤵
PID:4692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
105⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
106⤵
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
107⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
108⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
109⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
110⤵
PID:1432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
111⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
112⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
113⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
114⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
115⤵
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
116⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
117⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
118⤵
PID:2528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
119⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
120⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
121⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
122⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
123⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
124⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
125⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
126⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
127⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
128⤵
PID:4964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
129⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
130⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
131⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
132⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
133⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
134⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
135⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
136⤵
PID:2672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
137⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
138⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
139⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
140⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
141⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
142⤵
PID:4060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
143⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
144⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
145⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
146⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
147⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
148⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
149⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
150⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
151⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
152⤵
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
153⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
154⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
155⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
156⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
157⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
158⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
159⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
160⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
161⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
162⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
163⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
164⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
165⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
166⤵
PID:3304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
167⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
168⤵
PID:3180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
169⤵
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
170⤵
PID:5116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
171⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
172⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
173⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
174⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
175⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
176⤵
PID:4672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
177⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
178⤵
PID:4048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
179⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
180⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
181⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
182⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
183⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
184⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
185⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
186⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
187⤵
- Adds Run key to start application
PID:1584

C:\Users\Admin\UEEUcock\SOUwgEog.exe
"C:\Users\Admin\UEEUcock\SOUwgEog.exe"
188⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 224
189⤵
- Program crash
PID:3364

C:\ProgramData\BkcUEIYY\oIIoEIco.exe
"C:\ProgramData\BkcUEIYY\oIIoEIco.exe"
188⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 224
189⤵
- Program crash
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
188⤵
PID:3832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
189⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
190⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
191⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
192⤵
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
193⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
194⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
195⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
196⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
197⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
198⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
199⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
200⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
201⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
202⤵
PID:4300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
203⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
204⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
205⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
206⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
207⤵
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
208⤵
PID:1156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
209⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
210⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
211⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
212⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
213⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
214⤵
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
215⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
216⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
217⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
218⤵
PID:2696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
219⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
220⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
221⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
222⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
223⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
224⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
225⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
226⤵
PID:1636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
227⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
228⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
229⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
230⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
231⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
232⤵
PID:3872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
233⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
234⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
235⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
236⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
237⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
238⤵
PID:3452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
239⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
240⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
241⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
242⤵
PID:2152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
243⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
244⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
245⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
246⤵
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
247⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
248⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
249⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock"
250⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
251⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
PID:2084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSQUMcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
250⤵
PID:4852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scsIkUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
248⤵
PID:1668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
- Modifies registry key
PID:4148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIQEAoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
246⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:4512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:1856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wksMYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
244⤵
PID:2304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
- Modifies registry key
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCwYkUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
242⤵
PID:1432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqkEIMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
240⤵
PID:1232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgMUAsck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
238⤵
PID:3960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:2648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:3520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogUswgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
236⤵
PID:2092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAsIEoMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
234⤵
PID:3844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQEcMkgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
232⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSUYUQYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
230⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies registry key
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- Modifies registry key
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAkosQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
228⤵
PID:1260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:1276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:4048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMkQoIsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
226⤵
PID:2584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiMYkgoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
224⤵
PID:808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyEgEkAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
222⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOMwkYsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
220⤵
PID:4064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:2280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMcsMYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
218⤵
PID:1904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:2500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIcggYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
216⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsckEUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
214⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:1804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- Modifies registry key
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMUssQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
212⤵
PID:4676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies registry key
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:3832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuwsAcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
210⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:4072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCcUQcks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
208⤵
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYAQgkgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
206⤵
PID:2688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:1564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
- Modifies registry key
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:3052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcwgIcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
204⤵
PID:4064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMwMcoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
202⤵
PID:1128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies registry key
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
- Modifies registry key
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dosYsUow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
200⤵
PID:2996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:3104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
- Modifies registry key
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcMsQkUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
198⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- Modifies registry key
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoIYEYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
196⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKwkgAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
194⤵
PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:3320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCMkwQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
192⤵
PID:4560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:4720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMcwAYcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
190⤵
PID:3572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
- Modifies registry key
PID:3664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGgEgcEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
188⤵
PID:4992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:4772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEIoMoss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
186⤵
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmoQAksc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
184⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSQkMwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
182⤵
PID:3832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waEYsMko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
180⤵
PID:2440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAkkEUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
178⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- Modifies registry key
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geMAUgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
176⤵
PID:528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:3092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:1532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQoMUQgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
174⤵
PID:4888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:2584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMQEQIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
172⤵
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:4648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyUEkMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
170⤵
PID:4504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOMYEwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
168⤵
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoMYAAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
166⤵
PID:3368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:4256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiIAswQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
164⤵
PID:1488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
- Modifies registry key
PID:860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUQsYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
162⤵
PID:2584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:2564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:3816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
- Modifies registry key
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUYsYIco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
160⤵
PID:3648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmMQEAwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
158⤵
PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:3572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKkMgscE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
156⤵
PID:3928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:3600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMwEYsss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
154⤵
PID:1164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkcYEMsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
152⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
- Modifies registry key
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqUQwMsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
150⤵
PID:4196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:4244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUAwIMEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
148⤵
PID:2016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEwkwIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
146⤵
PID:4040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies registry key
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- Modifies registry key
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMsgIIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
144⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:1844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGIkkQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
142⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCcwcYUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
140⤵
PID:3960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeMUYQcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
138⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies registry key
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuwgAYoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
136⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:2956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKwkwMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
134⤵
PID:2984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- Modifies registry key
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwMwgAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
132⤵
PID:1652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:3712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:4676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQAkEMko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
130⤵
PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:3572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
- Modifies registry key
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqgIcUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
128⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:2956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcoYYgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
126⤵
PID:1804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:4744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkYskkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
124⤵
PID:4980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
- Modifies registry key
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCEosEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
122⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
- Modifies registry key
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckYQMgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
120⤵
PID:3104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQcUgYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
118⤵
PID:3476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:3520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- Modifies registry key
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcAkYwgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
116⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcgEUgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
114⤵
PID:1964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKkIgssE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
112⤵
PID:3332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsswocUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
110⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCwQcgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
108⤵
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:4748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:3864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- Modifies registry key
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWwogMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
106⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scIYMogM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
104⤵
PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:5116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQMAMAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
102⤵
PID:1532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:4964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQEswgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
100⤵
PID:4256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOQkUcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
98⤵
PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sycUoMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
96⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOkkkccA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
94⤵
PID:4668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkwQsAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
92⤵
PID:2376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
- Modifies registry key
PID:3516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWAoQskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
90⤵
PID:3052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies registry key
PID:4764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bucwYEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
88⤵
PID:3600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
- Modifies registry key
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmcAAUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
86⤵
PID:3928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:2852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DewgcoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
84⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:4528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:2744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGAkQIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
82⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies registry key
PID:3864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiAkAcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
80⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIEYkYsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
78⤵
PID:1352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCYEYsss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
76⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMUsAQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
74⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies registry key
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rawAIkAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
72⤵
PID:3428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:2964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgEUkswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
70⤵
PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqEMswcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
68⤵
PID:4852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyMosgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
66⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmAkssok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
64⤵
PID:2440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:2964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqUUQwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
62⤵
PID:1760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:2016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmAYUkow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
60⤵
PID:228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- Modifies registry key
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKswcMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
58⤵
PID:4568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies registry key
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:4812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XowIMEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
56⤵
PID:3288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmksQYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
54⤵
PID:1080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQYIwoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
52⤵
PID:3368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggssAAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
50⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
- Modifies registry key
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmkgAsQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
48⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xikYUQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
46⤵
PID:2696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:1400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQcokUYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
44⤵
PID:1100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOsIYAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
42⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIgEwwsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
40⤵
PID:3572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wywMwUss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
38⤵
PID:1080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScEcIoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
36⤵
PID:4920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:2096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IggwIIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
34⤵
PID:4672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAIsMQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
32⤵
PID:3648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkkoIIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
30⤵
PID:2684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAkIcokU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
28⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NekksoQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
26⤵
PID:4316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:3476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmsMgUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
24⤵
PID:324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uigUgokc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
22⤵
PID:756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:4992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:1636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUsYwscc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
20⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwgQcwIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
18⤵
PID:3044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AegEQkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
16⤵
PID:5000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biMMEcMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
14⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- Modifies registry key
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIAUAUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
12⤵
PID:2012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGckokIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
10⤵
PID:1636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEEYQggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
8⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kowkkgsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
6⤵
PID:928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkYIgEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yioMQMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1228

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2648 -ip 2648
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4852 -ip 4852
1⤵
PID:2096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EUEcYkQg\KwswEscs.exe
Filesize
193KB

MD5
23a6f9aa99c15d33cc335b0f13d3cf2d

SHA1
98758d47b19faf7b0b5677cde5468162f28f70e8

SHA256
0ce65239488655dc2ffafe09801a585e5ef0b359609bdc08a16373df3b8a0073

SHA512
fc90f864cde846036f1baee5fccc8c49158d9223f94cf40cb4b32319683d0f71e7e287c84ee57b7bd326e63e32c541bb16af4ee5cff5fe47f66d9e98679ddf62

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
223KB

MD5
68fb6e11c9bd7df576b78b97698df870

SHA1
875996ab0da07f065772b1154e205025f0cced90

SHA256
c9d598c65d0da29eddfce794403003544a279f22077decdd04c725c89d8a4eed

SHA512
cb03ca3663ac19398786578e38099bfcc0de1d280bcdfed2f21afa6d576deb44dc9c0c748b59917c2b17d672fe530abedaabaa0039e4b3b2668d8c238bbe3690

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
227KB

MD5
e6587f3c22b13b43bbe980a3cab6b044

SHA1
4046546e6eb43cb72fe5517975a541ed6ceff262

SHA256
0673d18575877eebb1e6a5202d5c0b9fd61082bc4d0b9b50a935671c178b5b27

SHA512
c27622b9668eb6378bc1ba16505a47cc0fcc688ef7951ac24bc5ce7c431b037a6461e9fce025d00ce59cc1d7e97e9729ab73df18b009215b9f354560f1d98b41

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
224KB

MD5
59eca442808abcd0aec4a2fe921117ee

SHA1
d342f52abda7eb7c4d8059ede49e951d518d56d0

SHA256
33882b2977d0b099e2ae19674ba25e93bed5fccb1ce3f18a727260fa575e91d3

SHA512
69822fc3e47c9d8d78214c66fbeb6cfc466241e093a51d4617aad075bcca463d46c3459173aa3e6afdcdf3aa5df4c354f41bfd354157608ba1b148f084172d9a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
773KB

MD5
4b9b1446f2368225adc913d1e88104ca

SHA1
6fb58d65ae6f629f986f83bd24a74c697235c47c

SHA256
11b11a439d939fe149c90fecc24613be348942d8ba7d31c1b7d838617a6fcbec

SHA512
58951faf0cb9b4b7ad51b44eef3b6eecdf7e246fbf29de2673c021ff1995bbd6be16e76f4585e4fe91333c63cd30b5151ae787f734b98e393a418d130e79e0fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe
Filesize
191KB

MD5
5ba99964b43575880848b870d8ab8987

SHA1
1f2d1977aa28e4443f291bc1a25d4cde8cf9f4c4

SHA256
d5dd270960bed9aec25c8a873145284312261aed847b4b7b88db3222d64cab7b

SHA512
e94d14cf54db2552f512968e81d1a533a6806315432f692bc3158c36fdf68bf499b333c8addbef101e1a99fba4c42bf6f61378742a6dd7ac2d60618fef768d95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe
Filesize
179KB

MD5
a09bac0377dedfffb0ed5072bb0d9005

SHA1
5e0dfd0c68781465ecdb1db52f2b980307a8bae9

SHA256
3b7c85b2575ff20ca2df1c1a23a6c4f73318792720ca83f0eb44c19f7b342aa0

SHA512
7dbf0bc2748cb7a89ac6d67c9e87d23f0c10cb7b2b2e350cbd905363f6960c34a907627020cb24c21c375f83d7c06f8576e66d236c74b4b9aa142121878cf664

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe
Filesize
189KB

MD5
1fd2bd4cc97cab847e38c91a539f3ec8

SHA1
161c4132dfa2c1fa19c2d44817d50f479146539c

SHA256
106b5310be8e3cbf1d43e0ff0d9a2e1bb0aa67b9b731924896e72f2410dcf84e

SHA512
65096289af0b91b01580db3f99f24b0b3f44e0bfc3187f73a28bb3380cd66c9cd8538e58d0cc39e3888d0d53f23f05ba356b124a95e3f5c5a82e4e9d5ca52676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe
Filesize
211KB

MD5
722f964321ddab0f2b2271c4aa03dd90

SHA1
c5a7415ed4a54512ca2ba93d15716ef70c8e469f

SHA256
ea4a4ec19b226c2ab98bf45b0ee4995239f5ff3c82af1ffc09f9f54013e8390c

SHA512
6f7197a07b8373c105d8e7d678646360ddb23ac4f995e7f633a26b528eb6f8c372abd6322fbd8b6cde618907699fcbd3fd00edbe9aec2fba3b3d2b92f234676c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe
Filesize
204KB

MD5
18ec436a112ea40d45e8da754105e4e0

SHA1
b77b30e477a886a763feaeb94e49e2cd3ef89340

SHA256
5d423a28670ee7887057345bdb6c3426b726114b77752895fa865beca6b4b61d

SHA512
377206f34da5d54bd611ffd7d1f2874d4fa7c19f59fb90cc5d2f97c2a5db296e8f85f8f8d66c59320e1d2100accf9c8915b2a7c2dc9b2be6b810e4b48b96e541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
Filesize
185KB

MD5
369797705d1fc226b31ad5bbb750a89d

SHA1
d2c2263f8d67e4676133ae23c479a53ef5a36019

SHA256
2b858743384f549511fa49c334c68a39b53fd7e96e46e18f46e9bb1e191c912b

SHA512
697688d4a86697d0856b6da573ac896a23a5d3a059997fdde95e95864fde6a34445259187f604aa3828812418097fcac43154d9a2f8e9d62cd0eefbf00e87f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe
Filesize
205KB

MD5
8a6d4d8f011b2e253fb6bed67200f4e2

SHA1
681741efe93962d0c59da7ef4081de18e8a26932

SHA256
d47401f9717ae19f9bbe5e1fb4aeed394377c06004e524aa3278337d2691ae34

SHA512
f71ffb5015849e8db986bd277012ca28a7dd8460260395d06ba9bc19e8fe324faf140b46f24a350c2fc56c12039f7d5ebf70166755e211b7796ecdceda35f29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-23_25d6586cf3cea9c9a3b7c8d4b784edbc_virlock
Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMoM.exe
Filesize
191KB

MD5
45c15bb19344899dee14a2dadd635603

SHA1
c04111399d4c5465ae47602bc9447e02f5117a3c

SHA256
9542da8f740d8e2e7b0dab5c2023e5760c4c798a2bb95b4d809c3015f010ef87

SHA512
c42ade7eba8cf7d64dfb809416b03883d343d070de8853d304cf87001ef7e146ac7f2f3b4dceba3805b65127ca5d3cd982496bda8cd9188a2f70aa33bed673e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUIK.exe
Filesize
202KB

MD5
ae20b437b8f0d34a96ddf2bea7236c8b

SHA1
beaffd224f4b1d00b38e0e7026abdec8fa241e12

SHA256
ada1ac0adf48323aef29c51481b5d470869013a47e91f16a0b5e8072cd80bd18

SHA512
f1073d5977e581e143b89ee8054dc461ca6e8bd32ef98238e71f46f21888d76748f603f95bbbde02c1573d9d8dba8b9e738a9dacd3a265e529644fa711d4116d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcUG.exe
Filesize
208KB

MD5
24de6fadb19d3ae21d04ef9b096e5b37

SHA1
cae7d35d9f9a26131b6c0b87106718b33bc58723

SHA256
a01b34d5ffc202cb6968b5317a52bd5820b89f4c20165852d3bd3bdf2aecbed7

SHA512
2f28f2591ada07e4aa4ee56d0e4f0a313970a3194b8f7369409dda0cafea758054c6c3e84817bbbcf07913156f0d859956ced98011ecc339ff3b2684dd242613

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIgY.exe
Filesize
5.9MB

MD5
e92ec43290c3443bf24bff1abd21a492

SHA1
6dd56c912cce0b923f985b949af53dfc6d8051cb

SHA256
07679074255e24bc66b6505bba02ebd77bbdb6a3ced754632fc781b69e71deb9

SHA512
117a000756f69b1c3af5532bbcde1672bd45f2062e86ba45eb9aeb11485f9f5abfd49004055be001df915d007ae8c6cc16c660542bfbcb15d7b2cb82fc196627

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMsa.exe
Filesize
231KB

MD5
a67880782116db2edd0ba7d19ea8d29e

SHA1
bcdb70d87820a9b074e9abb9cb626c78d8b05711

SHA256
e57faf383208fb63ebf3b9bee78994935003b3d93117651fe824e7654d1d5c1e

SHA512
bb2ee9feb3ef1222af27225a9959783c8fc40fee83ab77a01edbb4018f2415fde0feba32919c9b5ede41a9f418b4cb1127911ca4f0735bc65d3b8adb56840ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoAM.exe
Filesize
214KB

MD5
5c1071f176cb2c6a028c6ba55729379f

SHA1
e06a2c2c462be46d0525c539212e7eb73a4a92e2

SHA256
6853fed78c9a2ab9de2ed568b1b50b0499173dc47476d5dbf583b87ccf805c5e

SHA512
b5e056d400dd41a18a0ec5d87f48174cde5580797af572f840e0e8a17d7d930c91a0b8e749fcbc94c84ead4d4317d191f97e63c6ac83317dd5e6ce445af63aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CooM.exe
Filesize
1.8MB

MD5
da48eca3230d38e6f9c413a367d98a3e

SHA1
3019673f8dc4f257f79bbae816c2588c11f88eed

SHA256
487ca793880ad7fd282b862c4b772caf6d3d21ac5a57069d9c17dee489277472

SHA512
e76bbd58bf8fdc0ba874507384b7a0b9c97d6eb09cb80783cd5d09e21773ff8c38244ed035a4c44af7a28a4255a6d224bf5e7cec4a6f2ff3066adf018be9f5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAYI.exe
Filesize
263KB

MD5
b3f57ca90447df88643f25b6de90826a

SHA1
2a579540f1abf636c471468ded61480453e3dd91

SHA256
31154c38900479c52ec17ecbb92e6b4ba3b6c766a6d2e35f7a46d064e290bec8

SHA512
e511bf036595a4042131ca56f0cb3d3db082827f93f7d090b649429e45aca032c75610a9534af59ab0776b125c933c500ed4032825a4a1fac81d0ca45afdc31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAka.exe
Filesize
918KB

MD5
5525cdfb2215504cfeed25337a67ef64

SHA1
55ae09e3edd121dc69b132a1247d5ed867c8e16a

SHA256
81b996cb3ef728b58283791f255c141ec38b104b0b36cad8ae4dc5f4edfd7850

SHA512
3f9dd3e7cfd3a506cf8c00be0544186ab13e4fc05ae57a2e9440bd43a513af66286754825d5663c661b4005044fff1bcfbac82c93d0a988a19439cd6b29a4391

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQAi.exe
Filesize
206KB

MD5
ce81ad0e8c25dee2c4e01bc09ab7bcbe

SHA1
2eb2bf9ef32007503a565343e55197c32b73ad6c

SHA256
da490cf8e0b368832446e09f82a0bd2ef83ceab7cda614ff8f0e49446aea4aef

SHA512
740ded6235387f800949fa032bf9b3e81825884d210557202ad6a72c38ba4e1db07af9bfa4ac80ac8cca2ab8c33d43008a0e61b58cadc5cd416e210da3f75db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUsa.exe
Filesize
191KB

MD5
3f9c03b8d6610078214cc2679fe622ac

SHA1
2e0b9d9f5e1fc9c40dc6423238e6dc62d6e2f4d9

SHA256
1f4a12a406ef3b874a5bc38a81f137b84c1bf71d9580674e145033c01e2b2c00

SHA512
18c3b7520c1247f5f5182656d5847926cf215aec4b2a2279322e6911e8715bf4d3151ef0660561a109ae81fea2573284c7455e69db060ef0e0586e175ccc6b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eoca.exe
Filesize
774KB

MD5
d5dd7fdcf15b7d5ff357ccc94729cf23

SHA1
25b0bccb6fe3117c9dd28df44c42e032d4184137

SHA256
6c6530ba8acde8194d036ad4c46989a455bd5e511d144f3d8b784d0d5297d581

SHA512
cfd9a25adf7591a8366b41204a517abfe2b043cdbeca354531a54e4efba628853f81781eadffa1d6874f59d124b48bddaf2843d1652a804c77d20661b473cbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EokE.exe
Filesize
188KB

MD5
136e6623cecdd5068d631f49688f22cf

SHA1
96781de6e6637763e3ac90b6d686279b6d33936a

SHA256
b3b111281813d84fb55fa89141e3b5fb1a6ba7cccb866b323ad88ba09234ee09

SHA512
4477477e9e8334aab8a3afefb397ea23dbe596149f214040d5f9277b843a24d2d074cc7540ee87bfcdefb7f02cde3ad013b1b8f5ed76d052a5d4f8608e9face1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsQo.exe
Filesize
199KB

MD5
e40d12ab4c2e4aa1fbcc8ab0e0106905

SHA1
c9fc0cbf7b94cfe0814021b6dc42d4212a63b14a

SHA256
290c3578514a251d3e83ddf76a275502472e2cd1e2d5c1e7bc0de7f8fb62860a

SHA512
27bf81fe13f27305f449eaaff602a1dd9241d1f6c7bd0958ad604d4a6b5616b8d5dfc3699b1b4d5895178d445f1335feb4a5b73294d5b1a6e33cae0fb114b557

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwQo.exe
Filesize
644KB

MD5
6e64fcc6be0e6f06c8445ad6aa2bac5b

SHA1
20e57280ae98f0ca73c4f2ff620894f5bfbee38d

SHA256
ef64be82609f23e4a053d8d014b0391253bed3d76ac3591a4d47677802b7dba7

SHA512
e55bf5d1ba2bc371a6f7f8776116b366ad18be9a5e3097db22495d4eca7242f07c43b156f228755bff1f7f859ba1f1bcd3bb19faab0d5b83338712f983753c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwgC.exe
Filesize
797KB

MD5
c36113b0072dd29d33a929d255719f2c

SHA1
70e8e6980d44030a95d1c94f5b7685c19c446c56

SHA256
895d7d3f56dc8cf1b8e7b7e2dce41d7ac08037d01cfcab59da2358602f06887a

SHA512
33e01af9370cef1da51e95b547c208dfb2b20c943b4f67e388b9b0dc2462df501dbef05fe65fa5a5748f943b3cc4f0a493335db69e95092780834a46ec15379b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQMw.exe
Filesize
195KB

MD5
68e32f86760ccd717e7a4b39a560f39c

SHA1
a06e5c03746035d11155ea947b2b48b40b1c483b

SHA256
3c30ca08d7dc37ba2fbfe52382c5d10f84efa9656fb7311b3f257639fdea5eeb

SHA512
25d526e4cd9b02b28083800d7b0af48899ccdfc5caa3d21fd0f688c931b9ad99f7294ef280d055d06113c8c5f052094a5451a1d60519e17533053315f201f5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkMc.exe
Filesize
212KB

MD5
f47b3aa9956bd22099115f00492f671e

SHA1
afb1d3e58cd31e3804b23b8975adb23e78eba1a9

SHA256
db1f927dc89eee17573ae677e447c2254b9b4cd750819698f266407b0c1951f9

SHA512
a5e8a11d45859f22c94fc1cc247f69005c243170dc81b751bf4c2db7212a06df9d6f1213a87eab5a58079d1f49956870fca93ef167c8ea309c567bb50dbf6882

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMkQ.exe
Filesize
737KB

MD5
ed1e8cbd4363883ddd87f705ce9803dc

SHA1
4be60c9d98082bef6c5be0bc235506617931525f

SHA256
7c24e73277dd6fd46d395a5b90baebda298ba09bc25dbf465e82a580029d7287

SHA512
e1f076ccf1b37e2fa3efb0da117464cc5864555eaadda5072fc3c34422cf58f93a645fe22240d3565dea48bdaacee9e0dd68ebd65e6f274f3121b4100ffbd771

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMom.exe
Filesize
645KB

MD5
0abd659143c1c87204c60e383141e9ac

SHA1
48137fdd8b4abce0bf6906472358f847354bd532

SHA256
9411be717375cb528b7c146fb8f861e9e2105af5ea7f325e82894b7bfcef447c

SHA512
1450697e8ea2611459ab19ecc69d3acda1e8124c00e96e6925cad6ed6cfa0813b7015c318d3d9fa2a1b6a6fb38a03720a7f77db44ed2058c575a29bbc7163ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Igko.exe
Filesize
219KB

MD5
fd7f37d44778377dd237b1aefe3b4ced

SHA1
22ef48ac6b29f62feb431c774f468c85d73ea0a5

SHA256
8a9d1b3dfa53945c94b8b6a06c626830c0896b5a8281e65ab36426313dd67662

SHA512
9555be3eed900b558c2f19dbaa18638a0832eed50a2bbe2be37acee4df1a51e82ea9c120f909741adf1ec903cd8263d4cf3f5be9648873459a8aba522c5b76d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkIU.exe
Filesize
186KB

MD5
b9b5081040cfef279d371890bad0f659

SHA1
35ae08bab48b5f0844c14431a55900dabf54f1e2

SHA256
d2ab6e0cbfd4b170d7abf5a5409c4d1724488b2d666e2023480233428d5f3701

SHA512
1e8a42bdee5564be67dc8b3465328c53a19bb2183d0f91bb473af31a89455b67f74e27ced2e983cc27fbed709a4ed4c52ab1b6c066a58a203c9f2d420aff8167

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAsy.exe
Filesize
193KB

MD5
ac2c1e3e1c883b233a68098944e900d8

SHA1
0ff32fed049a7c064bfd74e6d0fba55937d617ae

SHA256
b9d8e1fecd43f321c5f947a4b1bb9dc343d814de23f3af2d06c7b7dd9d087ba1

SHA512
db417327a0b7b94cc6a1d9de7392a549a354d60d6baa281d2c1c8a58b8f0687e67e9b4f6e1e53a1321b1087effaa40e4bee926c07e357e04ea53ae296b059d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMIE.exe
Filesize
181KB

MD5
ae327ca731e8ecda1b9d73652ff3ab05

SHA1
403f14e96e7058407fd0c2a36fc755b6c3729736

SHA256
d7cab83fe1b8470e977b02ebbdb7fe0a68befe5f9ce7cea0430ef988548b9618

SHA512
7a72afcc6e06f674ae3a1f9897c1926d1a251bfff9ec9961e4ff5f1a067a3fab702a788907765bf290bb64eafdf8595b532e1c523f73178f4900298edf281935

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMUy.exe
Filesize
185KB

MD5
bec8fae98fc38f4729b0347062398b8c

SHA1
f97e613da022599f67dbf35cf0018223de5cc537

SHA256
5c8549dac7c5ebad397228ad2faa2f289fd7ffcc4351e7f36b9f439f5bc53786

SHA512
9f0e29f2b605a6806aaf4071b8c7f5ce9838c519065cb40a6aa697bdd36d19462d28c4aef040d08ea53ac5576c6a548c73240f752bb9c0a09f8c6cb6efc1f364

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQK.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIUA.exe
Filesize
795KB

MD5
b6d7b1b4bcc1922ff45c8c51b90047fd

SHA1
71a75132377f61a185bf506963bbfc43d6558ebb

SHA256
dd2c5ec525d6fe62a2cce6829dc5560d1c3bf2f376da46fd88cec80675c49cc6

SHA512
fa442d994b498c37f39208407e037d92ae4e5ae05dfba63637611ca949a385921fcf1758c812829cc6248251c181ceb5db3b1d07e95809d0514dec6a6551784b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIgo.exe
Filesize
199KB

MD5
66591ef46b384a906820934d3a28fb97

SHA1
2093262a02a2dd210fce9a294920713a315417a3

SHA256
765449088166fa9f6d3bc472f29a8ee92d3682f3c2c5fc84e5353708fff64595

SHA512
b8e820633f408754b5d28f47ee05b40aab743e0a9df128b81b3f4e780de7d94e8acd2ec4a296b7bcaa0f754ddc524549c0eec82e6a3fbf221b64f0de962267af

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQMO.exe
Filesize
184KB

MD5
22830d69c941b944b1ff5d604b72929e

SHA1
d6d66f2322c38e6d5400ecebfbe7983201ca92d9

SHA256
6e7148f177a21851377688b58037544cf1538a334e131ada10ee906a5dc9ae53

SHA512
b7ac1da7db9bba1feb4d484fcd83a6552181e7fd50420c5ec2edbdadb2e1a3fbd76f75f55ccf1400ef132781743daf70ea942c2b797045643929274c92a6419c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkAs.exe
Filesize
320KB

MD5
b872cc80ba0cd9de48b625e354273457

SHA1
737c6b44c610e609b629add82ce9bcd193ca6403

SHA256
2762c73995001a7dd6351cabe1e5b636d745cd8975504e689c164957cb0ae81b

SHA512
bcc2f4b191af37e899cfb8f675231b76c332415a1d4591a3523a8d3bbb523d43ffce3ee4cf87c034f403c62c6042f16abb70ce1ff293ac98d03220556371166a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYkq.exe
Filesize
201KB

MD5
20fb3de1d0e9aabf573f9aad8c465b2b

SHA1
3d452f182223fd9fafd17a4c3d9782beaa113107

SHA256
174ee881270146f4ab27581eb496df576150ad48ca855c31ebe16ef5d9b6e45d

SHA512
14acc5b354b9b5e4dafb7de2da38d86f0ab03658f6fcf9c0de8c14988da5d9c48f7d941aed35517bf5d56a99e2356718d1f9c2b994f7db822739770f9bbd3290

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwYI.exe
Filesize
187KB

MD5
42bc78cc7bc73e255b4141a7601dc02b

SHA1
b7ddb0b087ba4541f1d429af110a08fa3b189a9d

SHA256
4904eb030a6aad4fc04f5175d516834f5b81dfe88dd9d83bb168865052edd30e

SHA512
f070566910cdde713c8336b1123fc27779549be00323528c0acf0f2d31e3298d4878390eb0dd0b67f27b5d066f5bbf529a6e2f219221308c86679d9bc0ed39fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qksc.exe
Filesize
242KB

MD5
74dfa899895aa2002148500cf2858c61

SHA1
3f0176a762318838ec2307bdb412a39731101417

SHA256
e1e26e8559319dc02f667d28b67a7d60d3663b73cccef15f6fbe3820adbe0018

SHA512
a2a367fdb2337d7b71ba873fcbf625d0b70a414fd196290e3e254f4a674a363521b1bea0bd9a2b5fd1e68c73ebe7c4171d6797811af8b279d2380d76257ebb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwwO.exe
Filesize
204KB

MD5
4627b4e1f3343d2bd4ba46dd17ea2891

SHA1
82f2062b25fd87d35112476d3695400f68049347

SHA256
7b784acc1eebb142fb5249bbed33faa22bc58ce76b22fb2281e11714775c7a79

SHA512
67c2dac3f4b2831a1da2af6fd9d35cf18d1ea03a98d9807badc82ebdf89724a73b0b7b92ff014e414a1a85f5530df98a1efb685d3e07469d4f30dceb9e736d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwwk.exe
Filesize
185KB

MD5
8d99fee42b1d61b1a1c3b345c0065fc6

SHA1
96cb389743fef9a94bb53aab098e62d1d5e474ce

SHA256
7826246c2c4fecfa1bedf389a9f9c5b28ff797fe5cbf47937ec6699779e360f3

SHA512
fcd99f74535d3f00f15ac54c5df029f3608a25f004791073742e498136ef26175f0a0fb7671e92219ebbf8b8032013e120e39942a9a834318f5f559e35f79393

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgg.exe
Filesize
577KB

MD5
d616f8371805b0461a12ac9d352c9334

SHA1
f702d691e07e4ddb13c987689f090832b7e53676

SHA256
5735b0ac22cc223e78b86a6e91d71cc68918f1d753503e91e8c51ea65d1daebe

SHA512
b06e3bccc02971a9faa72ad24a750c822060d290b57d1ba974f97a5884cd66416fc5f9915af6bd448941436209cffdb80ad985b7be392226e7a43a332d833263

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsAm.exe
Filesize
648KB

MD5
ff501b51bb29f3436ef68b442fd14e92

SHA1
fe653780125643ff0596d2d7094331e351d3485f

SHA256
90ce260e50a1ef68942bc223a4d419f0a7ce4094ca56cdf107dadbb740ac6395

SHA512
58c566c003282a1c68faa781574b3b869b9195ddce0689c33b03bb9736d5c4ac1ad7658da7e37f033d062b0e0d6b9658ba0f9779ab8d292fb512373450d5cdd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsQo.exe
Filesize
386KB

MD5
113642a59523c11a3a3ba0d93640a2b4

SHA1
9d97da53ed43d5c21e51a2fa78fa6363ff51d887

SHA256
79909c281108524ad45584c85c477bcae771e2ae9bfc5f0cdf2e94a1c9f9434e

SHA512
3369ceb29615661e013532452018838f9e5f0607a78debefc1d4e939bc298042e962f9186ed450b5519aea5129316925a7fb1951f218a8a54a26088a30739b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIMY.exe
Filesize
195KB

MD5
80ade9144ff6cfac95003ada414814da

SHA1
75648af23ef53beee42ad52055f3e2035cb5ede3

SHA256
b28bfa85ebdb7cf4b80e7ed191921aac90a8b61f36b160f697302ee57bb7d736

SHA512
e38f6ac3c27c3761d8d7c98abc5d6d5b3a0cd79dd9384ed76667bd38fb2550624ccac6c4b5b8979de05780a9791ae8eff07e25e3f77373978daef7af4cc8edf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMMk.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMgU.exe
Filesize
644KB

MD5
2271d26e89721765200f476eacc8d59b

SHA1
f19fe1cab9002e2dbd16b9ad6aceed4d64cc2c90

SHA256
8fdbff312e0d3daefe0c68ee9b5a9deb8beae494302db0c0ef697a92547284e0

SHA512
571537f36c6f546ef6af889965be4a47eb27b506a524e953897fcdca0f02836107deac9c9bb7ebfc8b2caf242fa038455b45018bce7f034ae0e942fbec621ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAUc.exe
Filesize
182KB

MD5
cdb58cddf9c0922b46923e09be6ea9b1

SHA1
cca8a40133631026e1959a858d50ab2a517c7a01

SHA256
fe0ee42afee929ff57cc9753120d6d799f3fd0ef6a20b2be7909345d6536db4a

SHA512
1da40f737a45936260ccf9857e8627b590c15fbf741a62b82a1c0f7645fd00f3eec0ccef6fe7b2f29ed4daa624959ec8ada8cff7738420af023655e633e78741

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYUy.exe
Filesize
433KB

MD5
02e4063c77c35f9a62806017d233359e

SHA1
a75fc22c55b546c7f33c372a47a18399e2b11dc8

SHA256
e2b45cff2a8bae68cf3fd1642270734973b9afc4239ae217ac93a305093868a3

SHA512
c43ceba26f66a0f41bc0e5c1a07883df99a6806352ce772b8a9dea438f167731f8132183311c7cdf15a307d67ab375c753bbca2f6cc0d31ab66670e5d6c15b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcAw.exe
Filesize
317KB

MD5
21f3ad2ba5516e193fb43b4ffc7e0c15

SHA1
cbfb9b4d79ce23061144c4a6c3f049d6bfe7900b

SHA256
1f62893856a0af6941c3cf03a299dee512279b9aaf21443df10d0cb020b43e9d

SHA512
220f8084ffaace8d55e5c276992b6a676455c378913c394360667372510475d8f2d63e4767e99bd42f29ab70d7d89e082e8ae95e33bc9721288c507609cbb428

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcom.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEYy.exe
Filesize
193KB

MD5
b8f3991d1c144e31bbe63f16775e5677

SHA1
0f724fce374834372cf340809f8afa95b15f8178

SHA256
b07690745786a8348b6bd3e45c15639bbab4e3368e799c9ffc2e2adea8ba59cf

SHA512
4ab9021afbd1ff2c0b7a887b9ee375a6370ddce77b5bfe929a2c89115144b1c8e59b52d1035a031e0dca0e4558c7bb4d62749a49f5af81a7019894950f563b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIQQ.exe
Filesize
201KB

MD5
ad77263faf7d9d98be150a0f72b46acb

SHA1
51d5849f54d4ed3195bd9e5e76806eb5f0ff0c92

SHA256
cbcaab44e4f0a2730525e569c4ea9dba5cf7f96188590423780a112675b3ef42

SHA512
4bcbd821cdb66d0c441f46d8d19e546ec8197d1b70b179c05fca050d9149283337891961fe25f8eac571370241c3036a55bc9acec78a16932fbb11db06ec8f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMsW.exe
Filesize
197KB

MD5
def02a4647a8513215a4b5ad0398b5af

SHA1
e0ec712b4fe8f8a5ad372cd19337abb07d2bbc9e

SHA256
58f665971e7cf67444cc56e1897d3ff42f527ebd25b67d89415c8cd318fdb05e

SHA512
b9bfb01ef37378f38ae3da5c56f8a00b288959c615fcb1271d4993939d683fb65a6cb3219e982b46c332d1d03076d3790cbc4104102218586989a9f780f81f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQoI.exe
Filesize
309KB

MD5
aff798417d92ec9918a778b79ceb2b53

SHA1
11e1efb9acfa716c9efc87ca779e08a15aaea58b

SHA256
2f7b2f3857e3fcd1fae325564c55a7a585da7e03a462762d3e7cb826dc2a9f5f

SHA512
6ddcae7baaaa5f198b94eae6c634481a6e26fe8beca8f3850529fb514989993f4ce78c64371dd7ef95482be55a462a730b086dbae9f05b5b9e9bfaf481615f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcgE.exe
Filesize
195KB

MD5
c1f8082b2df28ece437c2497ffef53d6

SHA1
ff76f4d702ae6a9a2f8ce1016a93f8698ff069f6

SHA256
3c0bb8bcb63dd50586384d2f0a40efe5abe45399228dc86435702988e868bbc7

SHA512
84ef823c43f0c93a59225e9a80c03c5955d5d6b6f18355bb1647a8cb3b8fa87754fc96bcb8b147b0fea1df1be5d7dade001853c92b9cad6d5b5c88805bbe6ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoUS.exe
Filesize
5.9MB

MD5
01d8dafb22ca9585c6bb7cca8e6a06ac

SHA1
8c24032ff99bfc2f286d087b06f845fff0455e15

SHA256
7c99143d843b82fcd195cd856bd6839d8c7f1787d28293e089eaa0640beebdef

SHA512
9cb288fb4c1d425fb73665571d011f5086a456a38c543fa1d1934b0732f5ff22a1e5db42e9752ae71478f877568a60d7ddd74ede7aeeaf682aa9865c00a363ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsYA.exe
Filesize
194KB

MD5
560a4bfa87f9285d73bb49c6f676873b

SHA1
27e18e5dce0a955b728f525f75f428638c63d281

SHA256
c220baa844912bebc91fb60288b7070a5092b2c8e762e0f094fc6ccbebdeb3e7

SHA512
7c8f2496204f22961c686426497694feb197bc8660beefece8858fd6c44f0e4ba43fee218c15937c996c591ed903585cb31683ac379a82099c9aed50664bbfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwAi.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAEE.exe
Filesize
637KB

MD5
e6d19936233fc34576b684516782f681

SHA1
a07adf315163f62b414978994cae731d4edf4a99

SHA256
312fab38bf18f54fefca3d87e897879a8975d50c85b454fdcd2c56a0a78d411a

SHA512
496f4aaf9cd18058e592a4f09138529d6dd8424bdec4abc1ca64b328d537e15da6d3c4e11431d3b716236f71349352c856ca0e7de12ed219e2f4922931ac217f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAgo.exe
Filesize
641KB

MD5
6bd5bc5bd73605d176c85618290b71d4

SHA1
2a550485f692b402841078e045c414014fbe0e8c

SHA256
12cbe036b64f1d52a5ca532588eabbad5193e7127346ce98eb46f084cc64d630

SHA512
b06891625247563ce96a7f1b056c5aea0f5a4c541401f2dba2c8e7465a5d1f6f71320625543fbeeaf3249d1a7506fbe0edbbd72aa37dbeef3b162fac54bfad0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIIY.exe
Filesize
191KB

MD5
6dab19bb7d2f2652794afff8819e4fe8

SHA1
2fa9653bd24b841957068143937e2b73b5b4ed51

SHA256
20f00ea15bb8c6f53f7ea0dfa9e77254258aefa8df27adbe8e7623cdf1f5af81

SHA512
3d1aca2e299daf0ca28d1bf895254c5d28de88e49573f9757202775d4e8b23cba0bd4957d89088538263c0b504408e3a198cbde0180afe2da3a4c986c2158ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQkA.exe
Filesize
186KB

MD5
3275720fce934df10d9010b9fb2f23ad

SHA1
57b5b856d4a011437433a2784b53251c6698b49d

SHA256
c0771c0c37b6bc2671d5d1aaf6e40a524de991645a0023995b81b33edcd9eae4

SHA512
a5a03e839068829c987e5c8891bd00cd8df7d9ad529b73852134faaabdb18150e3cfcc2eb4fc75a6d4d398b20b650ec8f0c538fa0a2e8237dc45910bdbf70d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\agwY.exe
Filesize
414KB

MD5
869cd63c384e9038df9af740df98b4d4

SHA1
0e953c00d1c41d4ff493d6346e3c7212dcfb6503

SHA256
46dcee2e7806e8696cc105e2ad0e3ef978afbc7c6bfc277f8ff3d5e7afca2545

SHA512
60a2fc6aa4c446c31baa51dc63e7b3bef92d7311a55eec4ae1a5a163f3b56c1b6f7235bb55c9d2797beec122cf08eb9f3892baa335a3ed368bae6836cb315b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgwu.exe
Filesize
318KB

MD5
15e65bf0e4fa0652bdeff7efdf775f89

SHA1
cb9406527193e0aac77ff45ef48574c99c18dbda

SHA256
390efae53ec13b5b14d9962913866bd0747585336826f78bda1d92df13ed99fe

SHA512
bf6dad08b495639d6c8d3ee46a3dd6dd1f6dc976823264fe13c28b219f92d3b0ae397f477ed334ae9494f3c036cba51951442e04ecaea603db23073d8b98e489

Download Submit
C:\Users\Admin\AppData\Local\Temp\esEE.exe
Filesize
191KB

MD5
acf8cf8c0957fe07d94d6444c3c0c425

SHA1
70dced4a5085dd4e65fdfff41d4f845d4be15cd5

SHA256
5ceda31cba4bc55433967eaa1829fc9c3003005a213e8587a02ae86c9a11f53c

SHA512
881a5427cb75ada97e49e4b3bb2f508088a42b900b5923eb6957fbde1be48a2503907d10a9a8ebf17fb56530f5e64e4c5820ca63185d37e574a4454c6ca3838e

Download Submit
C:\Users\Admin\AppData\Local\Temp\esoq.exe
Filesize
448KB

MD5
3214e21b5ed888eceb7c11f2ef36783f

SHA1
0a9d02e38ca9e6d5218c524565c7a44b8466f82c

SHA256
f1588662e8d19e87844d919eb846d3eb0a62e7184cf11cab8ea656722862c9ed

SHA512
216489ae1cec1373ae043b1ce39cfaa4e8e493a4aaa19b1ee0c8d5932c4311e90131f101236cdbfec0bac6061e894fe68e1ed426f6b7e8844294f014270b5d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewIS.exe
Filesize
219KB

MD5
12b15c3b127ad7d2501ae5241dfb2832

SHA1
f857a55b458be97de0a3e24cd4dcb18f318998ba

SHA256
8cbefff7f50705bb76d08568cb1b761df6b897f311420ecf1a30fcf6db379b77

SHA512
92fa9cced7d1bfc8abf851c29a7ee4baa7db2b602c12459627f8821f3cb10e506e3853cf90defcb47310895d6658bf6540f5e78b09dd551c84d5f47f49f02b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAQG.exe
Filesize
187KB

MD5
f907829242ec252cae8da7b3899999dc

SHA1
779c1113aa0dcf6f5af6bb34659ba9791b454c6d

SHA256
78b7b6f8ec2e787679ae33d6236755c40263c06428805e5bc40a6f99cbbaed64

SHA512
cf2de58179e18420b5cee539594838a4127a90b653eab3d8e93d86eb63e23e44d4dacc810e874611f0abbeb35fa613e7a48c934ba25e60cbf7e6d63dc35ce69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEkm.exe
Filesize
188KB

MD5
9a8a55f90469cee71f4ac99eb22b1061

SHA1
02029d68df8b90aba33d10fccb7f31e6a388f16d

SHA256
a3d7229cf224215c660ea212ea7901decba5eddb15209f596c5517484888b25d

SHA512
724499191b5d5f3dfb926e3e8d718efa96df4f58fabc5873dfe57790b2db0175617446d13553781dece1449c849123d4006919182f1cc7d5ec2fa4ee53b0fe48

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUwm.exe
Filesize
182KB

MD5
f9227370e3d7497e04c67682ba5db25c

SHA1
2fa2d36144d77a07a85c00cdfd2b2d6dff3ecd71

SHA256
381877d02ca8d94a1f6e9fbe3a7c9e39d0992f61f56a8fe56e7f7e1276438bb8

SHA512
166d69ea835eb4ebf221cbdd37fa25d41ba154d06d09d9ff4dcb276befb4fec5d74d55dd29a15f44b0f7b460d822762c50802c0a63176f3fb82e46ec4bcede40

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYwi.exe
Filesize
2.2MB

MD5
e3c3520049b4748089a67cc22d415db3

SHA1
8d0a0c7abbbe077cfb71e9c30cd56a75a7a33df8

SHA256
06fd311bc05c13d9237ace18174c1e9965b6058d32c22e0fa3b298e530391408

SHA512
a9868fab777c561493f51cf17f454e75965687f89d24b11c02e207e5cbac4b30f70badafb95646dfa0c8f15b28b5b95c876a7e115e6569b85b9934e391c86a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggIW.exe
Filesize
190KB

MD5
07f9f5e1919ab1b75f52674c4d836aa6

SHA1
b50bdcc5237bf498e9fa531dbae74fa4c7792bf4

SHA256
060cf1ced0da674b9b6779be118514e604ef4079bf3f6e50e38e5c15abe9865c

SHA512
2004de38a45487abd1c777c3449399e24fd02e062d6e2caf3c0ab3e3b33bef05f023a09245c625f405b48b25f4bf19df1272d756f1f59e2de3cf49b5909de46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkwG.exe
Filesize
5.9MB

MD5
d20c7264dbc4603551b358bacd0cc773

SHA1
f57c2188c241a3bd856419b7567348d17380bdb1

SHA256
56c542fdbf3ef4a71e746a571f0cbdaaf99f3ad1d318017d2cdd7887740aad52

SHA512
c18f6bcfd75ad5dba3c82ab4d46ca6522605be6362c96fb549f9bd0bdcd2afcb8c330571d90f8951217377fb47d9b243595197d694563147113671935f9e48d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIcq.exe
Filesize
208KB

MD5
36a69833178cd4d4eb3958b742899ecc

SHA1
f0fa9c028593bf9cac3e035d6f1b45db3d0a87d2

SHA256
ae41e418714bda0e47c549a9f4f34f7adb9838d45fd0036449051fd3d559211c

SHA512
7441c50db7d7b5a5016018ff7ae55ae77bbf882f1a0d09f4a8aefebae384a738973a5cd16b56d3fa7c3eb01ebbf3bb8be2cd4d8a971eae770cf4a3bfe809fcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMgi.exe
Filesize
202KB

MD5
2a1c9217cd891d3847679a542e76f2f3

SHA1
0d893b87cd6c93659f9853155e3ef4f015f61b7b

SHA256
547b2efc74f320a71ba21f1278152f76efa016ce15c31fe84ca80168a89ee61c

SHA512
0858f565e28c6ca1c3c0ff186b271a1e75aa1dd3d19c16e33a6da4d100eb3ab745d6ce7db39b26f9b879c1e59c96a40bdf9b44885be7c2dd7a6715a526ebc862

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYww.exe
Filesize
210KB

MD5
6b1e9fbdbba9d47687f6ff05b657f62c

SHA1
b50774d0b8bdc896ac945486709ee032043c45b4

SHA256
5a9756f519886f7780180ac25e4eef54b2abe7f03249a7b5bcc77a674294855d

SHA512
fba38cc14f46bb2fe8fa8e40265430046db6946363e4b33c9c2ef1e994e68d137ca60d214e5c2f06970a3ab466372fb37cfc623bed5648865cff913bef308cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUUm.exe
Filesize
428KB

MD5
fbc7aa1888bb6564b828fd3c48b4fe2b

SHA1
96d42613908469b59d03d94c001c8e6cb8275e60

SHA256
a3c15efa0087ee76dec33248996e6fbc0ced909bd6915f9f74fddd5c2d7ee4c3

SHA512
24fb63470e02807faf35548af5ab9b6a387b9d5468a19a22ce0cf521e5534069bd2b4255d4f5717ae33c79691c074fcb0da3d3439ab832254523b67d20fe1a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcMM.exe
Filesize
5.9MB

MD5
9316c38c57fed17544ee73991eed18f5

SHA1
4a6df49e43fd7d6973b4fd7fde960891cd6c33d3

SHA256
9e0ec8e3fefa7514bb58ce83db60d15a702230f6bf4b03fe2dd832fce2f23d0d

SHA512
a5d54d8b510317b6e8645fb2ae63fc0783fe7634fade59a0a82ec5b189684fe2ae5e92102a3b10a6be3b8deadadcd3449af2c7723228d9fe41ed0c411dd36103

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEEk.exe
Filesize
232KB

MD5
8b87f98fa680ea3c067ad7fc02bb11d5

SHA1
627f3db8c54c50924928e915b0b4725d966b7947

SHA256
52cc67c8464e20f614a6d0745971e1befc8d11c8dd866f04ca195ac122fde3bc

SHA512
f9964e4965859961c7ae566f468623483fde2a49ba8613236c4bab2b97936a66877c1b68a3f7b42ca4a63c96098f6f6b5675b519cc45f92fcd17c5abf09a1ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkkw.exe
Filesize
189KB

MD5
567b74376b1d4d5d412756a494d3d67b

SHA1
415a237261208a3fd7a42aa398aa090a2eaf136a

SHA256
ef05bf862df3fe844c87bba44e7bb4064a2b926deb491719d075879dee57214b

SHA512
3780ac65801a91d102ece576352a00a6fcf79037740328f0de8b96302b060ae1e1c26099344003d62a96a5699b9721b4cdfac56a0c6093be3d7bb81d410cb2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\msMA.exe
Filesize
204KB

MD5
b88309ffef7e7fce983270c9f4ae154d

SHA1
210c4cb58a065fa8a009f1b87d663bd732f01268

SHA256
8ffdd3d5847cbd76a6dd24ba9ef38e6483255ebe8fc07b578d5175fdc73a4411

SHA512
1e00e718b6b30a1f8a2d96a43c3e07fa2611929929b80a431b103e736c3bcb1768a8c455e46395270fe73216b4d697bd4a879fc8ec04397bd7b56899bba16d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgS.exe
Filesize
200KB

MD5
246a7052bfc9919e4a938af1cd0acdcc

SHA1
44243bf0e1d3efaa6ca6f4bb53812f9a9d2484cb

SHA256
5816f692083cb3a93c1e4bea18360ce47a3cee76709dfedb5404fdd38c2fa051

SHA512
cdcd1a9bf16ac1bb89c47db1ad421ede820ab05ea667859cfd2ffaf6fd6b007689538057470241d6cb61332ae034d0ba650ed4fa469804103909cd2f49585303

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEAg.exe
Filesize
309KB

MD5
4b3b9a94cc608233b92e159f9e4dc5a9

SHA1
998afead414ac687def85425805f33de02448af4

SHA256
6d2b82a8cb2ada8960124843ad0137513509e1dbc42bdb0b3403393f0748b69e

SHA512
61e734b173208a6a613188ed4c5f7a19bf63e81891ea07f27d771f5c090bb3ad10f922f7e223fc3269e780c5b63e9bc6ce56dbcce9e3c98919714384777f965c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIco.exe
Filesize
306KB

MD5
b493a8f33f98f98d558dacda0c471df4

SHA1
6c6a69362d8009204975babe78af8b706d79ab42

SHA256
4518a612f2481c6763787ec3a35afddcf971e8af9ac81786f60c7a75700717db

SHA512
2b22d205ed3abccac7a20a06489a56deccb96b5d3ac714fad7e9e29a0d0e643f6dc24e7fd0f49a59cf1430148c1aa0a5d70bbfcdb3ad0628cc4c61ad38bb4e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMco.exe
Filesize
362KB

MD5
827dcda7088416ffad386fcc90458936

SHA1
7e9f87d66022438db666953fb52d0698e57985b3

SHA256
42bd7e15f635ee18382b85cef7d9755e86551b45262040ea691d4edf47a5d878

SHA512
605c6f31b8d22ae7a95a842fd051f3cdfc6e7ce433feb93b1901a02ceaf0adbee090fe2c0b1078d7ba548282be9b7e717928be863d36a2dba6a3a3d854a211c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUoE.exe
Filesize
188KB

MD5
a6e552b2772034cc645ee1344224b2a4

SHA1
f1b4b482cb35ab304158c1f87bf6a521a7481acb

SHA256
9d248007766d7233e19596d1ab06bcc3721f51d1c4df98bb842a16178862a0df

SHA512
6104e2bfdaa1a728fe15b147570a21fa13268c8e009cd265b6f7b183425d6e23edef0769bc68a41fc988aec3376c06e74ff702889f375f678e22f4d7aa850234

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUoI.exe
Filesize
399KB

MD5
28bd3b1109697b381afd9b24a53f3d76

SHA1
341ec89648f7c54138c436cdf2ba8798e066ebaa

SHA256
76cce5fea9ec7b1bc1d61e24d7ee28569dad1df13c3fc70eb27fdd6750f83d64

SHA512
7b004b696e098bc1579cec95235f2548dc1425792632265d88b1b26b6ff462e9f68b672ad73cfd06ccd4e9b71aac0a733c9c26a082b40390387ecefb87c837f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooMM.exe
Filesize
230KB

MD5
afa3daf600fdc021a487adb6858ecb4a

SHA1
50acc9528539509df453ebd80c436adfa60be028

SHA256
8fbb1961bfb591b1d2e1508a23d2708a9b5dd18b25c8950721988d6f4ff47886

SHA512
7b3f7c5fa9d3e0cc723d414af1570d17af200f4bf8f00cb6c311a74559eaa4d4fb974626683b8db718bb46bc9f7818d328af9b01139a220174be2d85a7807bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\owUQ.exe
Filesize
798KB

MD5
c1497b88f3cf3813a4bcaa0ce5c2d7ed

SHA1
4b1c65b9c9982e3dcdb33aa2d8802ec61e15ef9a

SHA256
4fc869da4b4ae7425533ddae6324b74f0c21b0e4ac6e7592d26b3a27bac54f1e

SHA512
3a22f63ec6bd807b2f5f6f7e2a94414e623a3e46e36703f72367203d6a002554f1e0450421fee7f4b74c573280459e1a914171df8836583622fda2f97c49fe0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAgM.exe
Filesize
198KB

MD5
a142aa9b102448c7e739c259798717fc

SHA1
c2df976b1951e45154444fc5df141be3d35bbdbe

SHA256
d4e0955b7beacdfe5701d254e49d91d25aa2cb6ae7fb56824dbcfa94f3e9fcc0

SHA512
c44154e1c67f674192fc3af063fdef66aec2b30f82c2eed9629a2b6c29582606a8be0ab193ef2c59c50bd462c309a80695a3491c0de91026121d357d76f42e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIws.exe
Filesize
310KB

MD5
09f429b5c739ff4ee2ad120deaeafc3b

SHA1
945e94efcab51d581d5757f76deb9022b760c7bd

SHA256
5ff032211212e62f01071608417f4d5f739a3c75acffec0d387c2e9d3280273c

SHA512
1f3904ddb8c2368b10c57731843a0e2aee67612632d5e04409f1bdfdefbfffe35544084000a684308e9673c90ed76106119d0df0ddc75f75bc088521278b31ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYAo.exe
Filesize
194KB

MD5
b83f74b6a44c4f8956ebc122b2c7a012

SHA1
46a3a4eaa11433974893bb613a4a49133930a0f4

SHA256
e1c4be9662c4d64aaba4fec2a5cedb57eae7ea0f72e36adea83563bf4579dcb4

SHA512
5b1a621df0812c760c928714205f1bde9fe9b3aa52b0d5ace4ffcf252d270b6a7ff44ce0da4d039dd68826b0bbd4fd3667fd2a37209a83f672aa6bc37ba86a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgcO.exe
Filesize
204KB

MD5
e97ba2c9586e2a97cdb44505eff480a4

SHA1
f46ebc0ac6363d94e1fe1bcd3264ead0a4c133bd

SHA256
ae6fbde043ad27c8d761fe59df516066d4b3ff412f66630146900ececeb2f6f1

SHA512
bbcf731b73c30fff0e2649a4f1952fb66dd2c19cfa424bc092fd26a15e52e64170bb823cc8c8246d65f0c36914763487e4c9785ab0a59cf14ceb36082db2367c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sokM.exe
Filesize
667KB

MD5
4f37769dd5718f1d38347429835ee0a2

SHA1
677623bcbe062b1f3696cc8d9a26c9955115801d

SHA256
80bb1f35b57d94021d1da7f158120cc0fc5b58d6d6731b78f97228bcd1393345

SHA512
5f79bd41955246a85a385623de0a9a1b55b43e2a9cbedfd109ce1e068cd99413c12491df998d85c335178f7986d8c4b828351796e3622d544340f9fc538ec9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEso.exe
Filesize
191KB

MD5
d7ff2b5008ce74c60527651b64872402

SHA1
9f8847345422d5d94f7a2e79040341b558214a84

SHA256
72fe55e4fe1f14e67adfc551907e8d54a69ca4c3b5445c16a986bc4848840d15

SHA512
29c35c5c8928708ef22b20f1d6f82a3cd541a8868d15321794152590eca93bb530b6eb5c332887fa18bb6c1100b84d3a7c7638a5a30905d8ee960f178ab41ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYkK.exe
Filesize
197KB

MD5
7aa21035c0849c9253191d4ae43f5630

SHA1
0e84f53b0075275990914529211fc949abe4cb70

SHA256
5da14c104d3e75ca36db2a28ca86a50bedf812ca39f2632adbed2b37d4da4558

SHA512
91d2d5287827cfffc356c864343c64bbf42022ef27949d9bf34309bde56bf6b4a2530890e7e77c598ad41f955fb5cb74474776e16ccee2bc6f516132f84119ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\usgw.exe
Filesize
212KB

MD5
19354279ac528af04e918a47161c1e64

SHA1
6251f999f9f53c5b1f6be0bf808351106a97f935

SHA256
3e4de9d494356643ac98c7948fffda7bd5a95060fa052371dcbd50ea7b1924ca

SHA512
1f3d953161ab692da759b5d6f76762b9968f29385d49f0566ed904ad901e64607be6fb36d90d0b283ea0fad187ec5d42bc0161b325d2bfb46471d2d294c09e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAwa.exe
Filesize
641KB

MD5
72d346f69456d57e006e868e25dfbc1e

SHA1
634f4293275d23eb090f9317b46828948fac697e

SHA256
2999a60cd1e811d66563ebeb76c9093612f4763ae421d92272b384a4b2803425

SHA512
ac1c306df5fc0d7bb01c3b3272237b92786e5f250cebe0621a8973b57a2f50d24b086aac1dc24f861a456aad0b318faeaacf5b2d6fd1ee2a65a0adb2ad26115f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAwk.exe
Filesize
195KB

MD5
a0973e22c6298b84a3c362c74092886d

SHA1
3f55844ac8f91da659384e638316859b84cbcb50

SHA256
581e363965fdd84ed8fc3d4bdf7366b7fb66f81bfdfa551d83b152415146e38b

SHA512
530fa103135f0e636e0389c2027286444779fbc91760a4536f66023916fa4181dbef07c9295e01f4c3dcbcd04146eb0696eb6234e8d65d60b5940a8fc423ca03

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEQW.exe
Filesize
815KB

MD5
c49d9a80214ae99b2b58dcf1e1d7325c

SHA1
785dcdb0b958f8b5f57193764eaa89ca4d947d3f

SHA256
e3ebc64e6f75a5940c0665c7ca553f4078e321c9eb1a22ac7617d393690d4633

SHA512
06368c20ef9e4a249e00a5482935e43555c1b5a22d6baee05b8d568e45e8b421219fbdef6cad7d4b9d57328f45e52336581d06034f0b0f201f47528b9e6ef7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkks.exe
Filesize
204KB

MD5
25edf6f18f81a15fd8f24d1c7dc289b4

SHA1
9f8b2f5b0c5d340d0fd323daa70e4638cceeeb52

SHA256
30c93bf5ece109c7c0d68ce42395b5ef37bed88927e6aec81f09a2b80c47e554

SHA512
d9d648d8e21517708a2a2a7a41d96e93e2a75ab0f9311c01b00fbcecddbdbd03813c8fe2f038461bde7361b69ee363f124058b56ba7f0c3292865452fa98ed6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQck.exe
Filesize
832KB

MD5
a70e0292dc0bb2e464c0ea1fcff69f92

SHA1
1f713b68e11005d7c4fdaea170f7c49073e8eb35

SHA256
85b520141baeb2ac0ada9a0d2d64df6be16fa2f8a606d242e3e6de14583f54e5

SHA512
ba3a9725d0484781d3ea6675e8c1be5bb9effacfb22fe990881649f52a929dddce3f53200f7c0616e2e6912fbc83da1cfe079206be90346e406027ee60acd8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUkO.exe
Filesize
204KB

MD5
34de35c987ed7628461c023ab335c22d

SHA1
1c834c1ae70d2020a4484fd12e516b73a4470298

SHA256
10df7b5f7bdb03062e8b54941ca8100d83b39fc175d7f9201e9aa723f4eb3842

SHA512
0511479ea32ae8ae35fbc91f46fc9c9dc9b226d4151b7f934be0fb3e045a2c47747efe740df7b42ef1a70f2dffb9410747231b6f3d799fbfa8ae65f9bcbf023d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycce.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yioMQMUw.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysEw.exe
Filesize
186KB

MD5
46e01789055ed9650e9a95af5bf4fb5d

SHA1
805b69e3e00e106db9574ab49103a56c4bf21d20

SHA256
682da277c131bb1da91de8a1222cfa137d5be4cf7f6631d281b6282d6c742b7d

SHA512
fc0311886dda1bdd0eb95aa67b2d5183bc99ef29335297610570a6eb394c988faa3183b97b5978ac70c76a6655a58ef81a756fa88d728a20f74d912525fbb47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywku.exe
Filesize
208KB

MD5
85ae2406080c9605247a3201ff6dd100

SHA1
a6c3754ee9a4e40daeefdeedf28929ca9e6b847f

SHA256
b6ff921102c428c1a3bb12b6590c8e85809f8e2404b08732f37bbd07f573630f

SHA512
c2d1ee8c01164c3b12b93ae25d16261ad706fca8e11f004ac4aac7afee0fe251962aecaa87d6fe5fc5d3b95db66146afad74fb09f4eb7f32b648a9dd39f159c5

Download Submit
C:\Users\Admin\AppData\Roaming\WatchConnect.jpg.exe
Filesize
381KB

MD5
cd97964b231ad4cd926afed486d8130e

SHA1
8f96a18f3c69788dda7dd406eeaccaa27ee50433

SHA256
80a99496d12626aad3fc91c5c5ad0576e748e87d372d9ad0731c99c487e34e15

SHA512
79337fbcde6399c27debd1614bed00e6b604b7820af6480e55ffd8885709bcd6abe7216f49b19e8ac73142420eb70d3749f9fef218889a4bd11c0ceb75f50315

Download Submit
C:\Users\Admin\xkcIcgIk\YmYUYUUU.exe
Filesize
201KB

MD5
f4c3f2bf9623e3e39a7514b95e2c34e6

SHA1
832559111be3c7d8d3b088617aa56e4632cda068

SHA256
ff5fb23a26e30b62ab917927e26bfa50dc28ff8cebdea95c1b63c03745cfbcab

SHA512
12664dcc9ba6903bc746469d050aee692ce0180802f322f62169d8003a0f3f3c4bfcaa94af6e0045a51e825ccf3fc5b6604a3d5b86b7b8a7e203030ed66dae36

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe
Filesize
5.9MB

MD5
9c3328acd8cfc08811ae411f329a743e

SHA1
194b7dc3e235e5118d131eb29858f3f79a6de1ef

SHA256
4886bb7c7bd391a85d84725780d2b596c77c5c3b5bd60fb59f2cce6383ceaedc

SHA512
ecdb715519f00897df705d92a282fd6397aee51aa653dce54922e4129d144f9c3ad79e494fd4ae75ff63be9ce0efdf67ba31d7b34b590fbf688d4073f76acd52

Download Submit
memory/392-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/692-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1228-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-195-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1732-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1732-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1844-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1844-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2000-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2000-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2232-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2280-530-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-513-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2776-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2776-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3304-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3304-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-494-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3520-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3520-477-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-476-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3876-30-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3876-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3912-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3912-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4552-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4552-529-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-549-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-52-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4720-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4720-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4852-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4920-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4920-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-203-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5096-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5096-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download