d39d75fbb6833ccf7c7713b42c85dc9cb8b36c1a3ea8d76514b2431c12a4ddbe

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
Size

915KB
MD5

545f852cc1f52d76fad52a4f410ba432
SHA1

6857449eb58747a188f2b12eeb59655d837df93c
SHA256

d39d75fbb6833ccf7c7713b42c85dc9cb8b36c1a3ea8d76514b2431c12a4ddbe
SHA512

d1b607b8007d8b77912ca05a95b6bc50e9d2be1e6c4e17b15fd34ad43492af44d1d39763bd4cceca485d592a915892e9a0a2ef8fc2d0b1cb8a63f20e0f843807
SSDEEP

12288:ObI8Ciz3ku6SuS2CDgb/zg2XKdVV8GKLJ7Tld6HG/uFxzVlk8ihBhUsKbicv/m+3:pOLkusS2CDM6/V+VGqufpjO01o1eC0

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (71) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DaMIgsUE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	DaMIgsUE.exe

Executes dropped EXE 2 IoCs

Processes:

PIEkkwUM.exeDaMIgsUE.exe

pid process

1652 PIEkkwUM.exe
224 DaMIgsUE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1652	PIEkkwUM.exe
224	DaMIgsUE.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exeDaMIgsUE.exePIEkkwUM.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PIEkkwUM.exe = "C:\\Users\\Admin\\fckgAQgQ\\PIEkkwUM.exe"	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DaMIgsUE.exe = "C:\\ProgramData\\zSQEccUc\\DaMIgsUE.exe"	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DaMIgsUE.exe = "C:\\ProgramData\\zSQEccUc\\DaMIgsUE.exe"	DaMIgsUE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PIEkkwUM.exe = "C:\\Users\\Admin\\fckgAQgQ\\PIEkkwUM.exe"	PIEkkwUM.exe

Drops file in System32 directory 2 IoCs

Processes:

DaMIgsUE.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	DaMIgsUE.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	DaMIgsUE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2300	reg.exe
1088	reg.exe
4464
912	reg.exe
3468	reg.exe
4452	reg.exe
2456	reg.exe
4048	reg.exe
5088	reg.exe
1872
3880	reg.exe
4088	reg.exe
3992	reg.exe
4164	reg.exe
3468	reg.exe
2760	reg.exe
3572
1540
3352	reg.exe
4716	reg.exe
3876	reg.exe
4004	reg.exe
4612	reg.exe
4480	reg.exe
4716	reg.exe
4912
4472	reg.exe
3024	reg.exe
4716	reg.exe
3292	reg.exe
1272	reg.exe
5008	reg.exe
1428
3932	reg.exe
372	reg.exe
3064	reg.exe
4284	reg.exe
2760	reg.exe
4612	reg.exe
4424
1948	reg.exe
4464	reg.exe
4632	reg.exe
2492	reg.exe
4708	reg.exe
1092
3892
5060	reg.exe
4388	reg.exe
4240	reg.exe
1696	reg.exe
2688	reg.exe
2748	reg.exe
4412	reg.exe
3572	reg.exe
2688	reg.exe
4584
4396
2632	reg.exe
4500	reg.exe
3880	reg.exe
2492	reg.exe
4608	reg.exe
1540	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe

pid	process
2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
756	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
756	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
756	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
756	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3772	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3772	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3772	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3772	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2472	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2472	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2472	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2472	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4700	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4700	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4700	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4700	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3688	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3688	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3688	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3688	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3080	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3080	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3080	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3080	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3692	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3692	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3692	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
3692	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4280	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4280	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4280	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4280	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
1916	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
1916	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
1916	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
1916	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
1536	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
1536	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
1536	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
1536	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2380	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2380	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2380	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2380	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4656	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4656	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4656	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
4656	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2096	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2096	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2096	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
2096	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DaMIgsUE.exe

pid process

224 DaMIgsUE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

DaMIgsUE.exe

pid	process
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe
224	DaMIgsUE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.execmd.execmd.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.execmd.execmd.exe2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.execmd.exe

description	pid	process	target process
PID 2564 wrote to memory of 1652	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	PIEkkwUM.exe
PID 2564 wrote to memory of 1652	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	PIEkkwUM.exe
PID 2564 wrote to memory of 1652	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	PIEkkwUM.exe
PID 2564 wrote to memory of 224	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	DaMIgsUE.exe
PID 2564 wrote to memory of 224	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	DaMIgsUE.exe
PID 2564 wrote to memory of 224	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	DaMIgsUE.exe
PID 2564 wrote to memory of 2032	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 2564 wrote to memory of 2032	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 2564 wrote to memory of 2032	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 2032 wrote to memory of 4608	2032	cmd.exe	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
PID 2032 wrote to memory of 4608	2032	cmd.exe	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
PID 2032 wrote to memory of 4608	2032	cmd.exe	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
PID 2564 wrote to memory of 3456	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 2564 wrote to memory of 3456	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 2564 wrote to memory of 3456	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 2564 wrote to memory of 60	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 2564 wrote to memory of 60	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 2564 wrote to memory of 60	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 2564 wrote to memory of 4956	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 2564 wrote to memory of 4956	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 2564 wrote to memory of 4956	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 2564 wrote to memory of 4600	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 2564 wrote to memory of 4600	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 2564 wrote to memory of 4600	2564	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 4600 wrote to memory of 448	4600	cmd.exe	cscript.exe
PID 4600 wrote to memory of 448	4600	cmd.exe	cscript.exe
PID 4600 wrote to memory of 448	4600	cmd.exe	cscript.exe
PID 4608 wrote to memory of 1832	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 4608 wrote to memory of 1832	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 4608 wrote to memory of 1832	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 1832 wrote to memory of 2616	1832	cmd.exe	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
PID 1832 wrote to memory of 2616	1832	cmd.exe	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
PID 1832 wrote to memory of 2616	1832	cmd.exe	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
PID 4608 wrote to memory of 1300	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 4608 wrote to memory of 1300	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 4608 wrote to memory of 1300	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 4608 wrote to memory of 3800	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 4608 wrote to memory of 3800	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 4608 wrote to memory of 3800	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 4608 wrote to memory of 4880	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 4608 wrote to memory of 4880	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 4608 wrote to memory of 4880	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 4608 wrote to memory of 4772	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
PID 4608 wrote to memory of 4772	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
PID 4608 wrote to memory of 4772	4608	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
PID 4772 wrote to memory of 556	4772	cmd.exe	cscript.exe
PID 4772 wrote to memory of 556	4772	cmd.exe	cscript.exe
PID 4772 wrote to memory of 556	4772	cmd.exe	cscript.exe
PID 2616 wrote to memory of 4508	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 2616 wrote to memory of 4508	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 2616 wrote to memory of 4508	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	cmd.exe
PID 4508 wrote to memory of 756	4508	cmd.exe	reg.exe
PID 4508 wrote to memory of 756	4508	cmd.exe	reg.exe
PID 4508 wrote to memory of 756	4508	cmd.exe	reg.exe
PID 2616 wrote to memory of 3032	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 2616 wrote to memory of 3032	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 2616 wrote to memory of 3032	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 2616 wrote to memory of 3416	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 2616 wrote to memory of 3416	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 2616 wrote to memory of 3416	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	Conhost.exe
PID 2616 wrote to memory of 5044	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 2616 wrote to memory of 5044	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 2616 wrote to memory of 5044	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe
PID 2616 wrote to memory of 3780	2616	2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\fckgAQgQ\PIEkkwUM.exe
"C:\Users\Admin\fckgAQgQ\PIEkkwUM.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1652

C:\ProgramData\zSQEccUc\DaMIgsUE.exe
"C:\ProgramData\zSQEccUc\DaMIgsUE.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
8⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
10⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
12⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
14⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
16⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
18⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
20⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
22⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
24⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
26⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
28⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
30⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
32⤵
PID:100

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
33⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
34⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
35⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
36⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
37⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
38⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
39⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
40⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
41⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
42⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
43⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
44⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
45⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
46⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
47⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
48⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
49⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
50⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
51⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
52⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
53⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
54⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
55⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
56⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
57⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
58⤵
PID:860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
59⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
60⤵
PID:2072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
61⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
62⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
63⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
64⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
65⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
66⤵
PID:2300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
67⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
68⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
69⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
70⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
71⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
72⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
73⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
74⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
75⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
76⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
77⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
78⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
79⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
80⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
81⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
82⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
83⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
84⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
85⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
86⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
87⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
88⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
89⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
90⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
91⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
92⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
93⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
94⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
95⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
96⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
97⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
98⤵
PID:2976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
99⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
100⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
101⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
102⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
103⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
104⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
105⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
106⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
107⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
108⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
109⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
110⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
111⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
112⤵
PID:4412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
113⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
114⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
115⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
116⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
117⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
118⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
119⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
120⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
121⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
122⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
123⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
124⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
125⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
126⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
127⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
128⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
129⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
130⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
131⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
132⤵
PID:1204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
133⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
134⤵
PID:3940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
135⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
136⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
137⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
138⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
139⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
140⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
141⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
142⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
143⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
144⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
145⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
146⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
147⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
148⤵
PID:4788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
149⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
150⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
151⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
152⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
153⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
154⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
155⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
156⤵
PID:2380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
157⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
158⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
159⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
160⤵
PID:2172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
161⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
162⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
163⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
164⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
165⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
166⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
167⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
168⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
169⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
170⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
171⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
172⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
173⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
174⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
175⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
176⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
177⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
178⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
179⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
180⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
181⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
182⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
183⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
184⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
185⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
186⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
187⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
188⤵
PID:3216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
189⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
190⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
191⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
192⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
193⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
194⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
195⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
196⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
197⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
198⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
199⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
200⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
201⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
202⤵
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
203⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
204⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
205⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
206⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
207⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
208⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
209⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
210⤵
PID:3136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
211⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
212⤵
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
213⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
214⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
215⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
216⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
217⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
218⤵
PID:1700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
219⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
220⤵
PID:3644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
221⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
222⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
223⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
224⤵
PID:884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
225⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
226⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
227⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
228⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
229⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
230⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
231⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
232⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
233⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
234⤵
PID:1628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
235⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
236⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
237⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
238⤵
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
239⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
240⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
241⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
242⤵
PID:3504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
243⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
244⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
245⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
246⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
247⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
248⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
249⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
250⤵
PID:1892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
251⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
252⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
253⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock"
254⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies registry key
PID:4464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:1508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSUsUMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
252⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESMgYYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
250⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:2660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWssMIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
248⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:4600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:2000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIEskwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
246⤵
PID:2492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies registry key
PID:5008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgwgYcMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
244⤵
PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:2480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsckwMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
242⤵
PID:2748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies registry key
PID:4612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYUAMMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
240⤵
PID:3328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- Modifies registry key
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEkgYkwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
238⤵
PID:768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:2748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwscIQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
236⤵
PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:3228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
- Modifies registry key
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkosEAcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
234⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies registry key
PID:3024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaswUMQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
232⤵
PID:3280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeEAMoMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
230⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:1428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQUoIcss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
228⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:4524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:1184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKEkoQQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
226⤵
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUUMAMcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
224⤵
PID:392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:3280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OacEcEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
222⤵
PID:5092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:4112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgkwQwQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
220⤵
PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:3228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyoIckYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
218⤵
PID:4680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:4772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuAwQUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
216⤵
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:2520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:3648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQkAowks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
214⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGsAMYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
212⤵
PID:4888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
- Modifies registry key
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcQwokQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
210⤵
PID:2496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:2704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies registry key
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- Modifies registry key
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwoQoQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
208⤵
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
- Modifies registry key
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASYkEEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
206⤵
PID:64

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies registry key
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:4012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- Modifies registry key
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEQowUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
204⤵
PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOEwAUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
202⤵
PID:2300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:1116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIkYYQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
200⤵
PID:3432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWkwcgYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
198⤵
PID:4980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:2976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkUooocM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
196⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcYUsQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
194⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:4284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQUcUwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
192⤵
PID:4280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
- Modifies registry key
PID:2688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieMUAcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
190⤵
PID:2976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:4268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:1204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSAUYcEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
188⤵
PID:2084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsQkcscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
186⤵
PID:1300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:4716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgkcMEAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
184⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies registry key
PID:1540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsQIUYIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
182⤵
PID:3892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:4164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:2184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMAYQAgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
180⤵
PID:3552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:4060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqsIYIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
178⤵
PID:3516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUcAccUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
176⤵
PID:2688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSYooggc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
174⤵
PID:4928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:3216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lscYEwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
172⤵
PID:1244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:4048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgYYcMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
170⤵
PID:556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWMcckog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
168⤵
PID:2796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:2492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
- Modifies registry key
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiYQUEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
166⤵
PID:4284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:4164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGQgswkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
164⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies registry key
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWkYMocQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
162⤵
PID:1536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:2120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:3396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies registry key
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsMsQEwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
160⤵
PID:3328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcooMkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
158⤵
PID:5104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:2096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- Modifies registry key
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYgYMoYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
156⤵
PID:828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:2408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAIkYQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
154⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwIMMswE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
152⤵
PID:2812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- Modifies registry key
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGscUwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
150⤵
PID:376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:2120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIsIksQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
148⤵
PID:4232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmUQAIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
146⤵
PID:4500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmIIksUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
144⤵
PID:1012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:2092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:4004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqckUgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
142⤵
PID:4888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQgIgock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
140⤵
PID:644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmkIIccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
138⤵
PID:3120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIkUYAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
136⤵
PID:3932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies registry key
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tegooMUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
134⤵
PID:716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
- Modifies registry key
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYAEYgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
132⤵
PID:2620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
- Modifies registry key
PID:1272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqwEQsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
130⤵
PID:1312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
- Modifies registry key
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAgMMcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
128⤵
PID:2552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- Modifies registry key
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuEcMcgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
126⤵
PID:3420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgwYQEsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
124⤵
PID:4416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCIQcoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
122⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:2316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:4092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkIAYIYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
120⤵
PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DewoMIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
118⤵
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies registry key
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:4240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUEEQcwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
116⤵
PID:2120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOIsEAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
114⤵
PID:3412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:3572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUEkUwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
112⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCggYQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
110⤵
PID:2128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwIoogQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
108⤵
PID:3992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nikEswEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
106⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies registry key
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYsUoYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
104⤵
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- Modifies registry key
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWMgsskA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
102⤵
PID:412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:4924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:3944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaEIUgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
100⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:4412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USwUUIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
98⤵
PID:4560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- Modifies registry key
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOUsAUkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
96⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:3880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEgAMQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
94⤵
PID:4344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- Modifies registry key
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkUoYEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
92⤵
PID:4508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:5044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiEUUgQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
90⤵
PID:4612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paMAcAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
88⤵
PID:4416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:4636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dugUkgws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
86⤵
PID:3780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- Modifies registry key
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biUcEIsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
84⤵
PID:2096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuQkkAoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
82⤵
PID:4168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:3124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
- Modifies registry key
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyEMEIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
80⤵
PID:756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:3572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:1884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOYgYIsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
78⤵
PID:3780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyQUAgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
76⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LekQEskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
74⤵
PID:4536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmcsAUQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
72⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies registry key
PID:5088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
- Modifies registry key
PID:4716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCQocUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
70⤵
PID:3120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies registry key
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGgwgssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
68⤵
PID:3128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies registry key
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgQMgksY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
66⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAMgcUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
64⤵
PID:4412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiwIokYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
62⤵
PID:1004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:1916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:3272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiwMUAIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
60⤵
PID:4668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkwMQYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
58⤵
PID:2120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
- Modifies registry key
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqcoAYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
56⤵
PID:3312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIgcUUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
54⤵
PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCsMsQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
52⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:4168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWkcAoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
50⤵
PID:1116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:3032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCMoEcMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
48⤵
PID:4708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:2100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCMIAAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
46⤵
PID:5008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeEAsIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
44⤵
PID:4408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQcgowEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
42⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmwwMgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
40⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
- Modifies registry key
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiAQoEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
38⤵
PID:4344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seoksgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
36⤵
PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:1628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cckUAsIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
34⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUMQgokU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
32⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEwUQsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
30⤵
PID:4600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMAYwEAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
28⤵
PID:1404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:4800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGYMwYgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
26⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSAYwgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
24⤵
PID:644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAEcQIwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
22⤵
PID:2392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKMccQkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
20⤵
PID:4980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQUgMwQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
18⤵
PID:2300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
- Modifies registry key
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isYEEYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
16⤵
PID:1904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- Modifies registry key
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUMMQEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
14⤵
PID:1820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWMgAYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
12⤵
PID:4896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UywEocYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
10⤵
PID:1292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joMIIQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
8⤵
PID:4160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkQAwsUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
6⤵
PID:3780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsswAgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:3456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsgQMscs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:452

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:740

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv r0R/JkEKskuJkh9+lthPqg.0.2
1⤵
PID:632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe
Filesize
184KB

MD5
fb36375129c42ee41007756b22e1833d

SHA1
a569b6e4c55126f6bc3298a11344d17d508e6918

SHA256
bee77d954717d0cf5af7bae77a22abd6be6c67d21a81642570b42acf8f64e03b

SHA512
c1e955fa54b94c0ee61269a744101877e9edc4eab8387adceab38686c441d65bad8bb1a7645b1017b2896bb805c993208c3ed6e604983be9e2db3c692d592892

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
Filesize
653KB

MD5
e9f9c19b0552f99343187ddc930b9161

SHA1
3eeb529d5bd0c3de513cd3d80eddb022811e53d1

SHA256
17d093e4c59b044b90229fe3ec9e433117043c04f7afe1f61356ff467886d5c3

SHA512
3e5170b4efd12c37186285003e6a5a5cf4ab9eb1fead3d2e40e394f6a4c0ebe5bdf089506b7a5e339e658feb47658e294e69ecc99a482e4b036fc7a1a501f976

Download Submit
C:\ProgramData\zSQEccUc\DaMIgsUE.exe
Filesize
189KB

MD5
7d5306a5bc8bc264469d64cb3a0b35c7

SHA1
f56ce73fca4f994ba1d256259cce552ab88035e2

SHA256
565ae6bb77d2f8918ca80e01a2425d068478e2bfc5b85048495a5b1fad5da8b2

SHA512
07ff754d7ea507e34b720e23961d7d608fafc3b9ed6fae23a145dc88848db30a9848a341c5fdb13c921a912b24d12ed0060e2bd9d8fff96fafe64b2006a40e8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png.exe
Filesize
188KB

MD5
7c87378306dfef1e367d82453a8d52b9

SHA1
60e96d905d24a5c914b16615b092f1328fcab9ed

SHA256
b3d649c740f326d153c96aca8d427f2b514df629144f8d3f5fcb4f75af89c1d6

SHA512
cbe1b4c34b6c709ac49fcffb4feb54f8e428799e325b3140d0e57c157c5b080ad91dfaa7dd5d819ebcd0f032c5092f285c5cb24f3276e4dd38fcaf05182d1679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe
Filesize
207KB

MD5
a793d6a29ab003ab402ac51ab7e558fd

SHA1
e9b1c88694b894035212ba858f2b12702d7f2b4b

SHA256
1afa0a3edfa3170313035ca50a188aa030aadfd79a5c1a912554bfde29a7fa9d

SHA512
3760b326f2506d993a1b72cd8a0725f35215f543707ef079411dcae9891c53511d2f0690dcf8d911f24b5e7e1363843b98c2498e3fd25eae5563e8f65a67c419

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe
Filesize
187KB

MD5
37588da5858bf85d1e269563ee828b32

SHA1
c558d8b749cb24b68088b6db7e6a9a9695a25e01

SHA256
272f88321c87bd6cfb8992775a5eb2f82b36c2d8a2b8330246b6ecbd89d258b2

SHA512
12d6a2816be9985f6290b857f33d6c0be3b65ca52af92e5472544517a4cf9a019489d1b6e923cedc3e8f5aec409e13555a330606d39fa23aa901e46533862cc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe
Filesize
195KB

MD5
123fc95c8a2f00a8bf5b5a6030da4772

SHA1
63ffab4847df9debc13993369daf807a90391615

SHA256
90855f8fd40b883bc98f22cd1c9c2b761b4adb46b23e8a6d1e63761bf6675f82

SHA512
911d3ac67ce79225e2a491e9f207e706b82ef1ae50e25af48c1a882e7eb852f5c5fca2606e5acaac97e4acc021520c427b1c0955fb93d3383c563eb627c07a6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe
Filesize
195KB

MD5
65d3b6076f0d0708db6f853155104ade

SHA1
5ee224aa166568b91bee6144a9142a606a470a2b

SHA256
8354cab4f46dc1d67a3de57c19315efbe08fb50e8b3475d18d09307d10df63cf

SHA512
f673ef09e6ad18453bec04ca1993a85b6adbc64139fae6aa8908da811d0d10e1c537769c12996936bd636a42eda82690f4ea4a9cd32223bd46ae03d32dc29093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
Filesize
200KB

MD5
eacfcc3e5729e9a7700294976e871f6c

SHA1
78e73a08669a6c18b737fa8f9104c2dd91f2aa69

SHA256
5839e580d1f8cfdb1cbbfad0dc01773e4d5ef1237c1652bbed555d13b4a1fc2d

SHA512
5ec0a750ca3d877987e67b1bb09e0cc1d91d72d4cdc80332c1f6a8eaf732709f996f516f4e1abafc92984d9b8c3fc37a7200aa1032288a6a0eb43878265e0b01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe
Filesize
441KB

MD5
ab01f320828e0458bdaa6a9126e467c8

SHA1
e5333b7234504d09175b89bf91fd6f078bb5ccf1

SHA256
9298f943fe290dd8286a025dd1d3c33545dc9cbf7213b658474a815dfc43c881

SHA512
a9559982aa0209cfb80dc0c7b0c1248950fb8b02404a73b5837c2ef604a7e304b23bff267bc492711001abe14c0a0d817445783b9dc93f5561a5717e27d1e91d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe
Filesize
180KB

MD5
7d590942a3561f84740c05335a823527

SHA1
9b2d1f7e82e990c8cfca91097fc688e06b306d5b

SHA256
85b47dd0b5588245f9c7dcd9788953ffed6f335bb3368a8a02d6af9623c1c1a0

SHA512
d3576fa1f4bd8bb03a24a29f909092c4bffdd5905a945563221a82a0f401256e2fea508a8a50e98a3d22f622eed75d51bb5bab484e6551d471478b96f89770d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-23_545f852cc1f52d76fad52a4f410ba432_virlock
Filesize
716KB

MD5
425c8fbd844c7f0fbbe383d67564dc94

SHA1
e3f56a9a903c8d660722549f82106ffd85631514

SHA256
e76a11aa8226efc12faeea663f34f8e24cc88f6bff7be23b6197246463b87a05

SHA512
2b85d0cbb7588f459dc66bd934a0c10c77a829b826e2dd976b24a183eb9d061a004afecc70b1fa54264c50c437d71c3caec65f6e4ec69230c562fed81f24b98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAQk.exe
Filesize
2.6MB

MD5
a065b2d0b2242643353536ec2110f85e

SHA1
ba0f3856bfdd6f356f6694b4b92a214c3caf8de3

SHA256
ab99aa586e37da9845b04359315dfb9e72b05fdb5135b83a76c4a124d30b0b3e

SHA512
a1955a17a7f7c2e7987d350d19659f30877fc3e6421b0803b0f50df24ad9d299497c2b081863f40f11d1692746b2771ade76c48bac7a60c74349ed895ef3f558

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAYY.exe
Filesize
801KB

MD5
186c052c49fb4bcd71f0df2118485f50

SHA1
a0db591ea67888594ca0dccddf8f0441f7115aac

SHA256
8154c146135e2a6e69797d13888f656b3a91ad82d85f32fa6af4394111408117

SHA512
c7358f7829c063e853c29021b751bf4457c12852701cec4aad262b584db18feb27250501722e538c63a6fa289b153de5477640e6c78268a42b22e537aafeae7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkYK.exe
Filesize
205KB

MD5
b8d44fbc7cbd6688502102e81ce04507

SHA1
ff0fa0265f57ddebf51d4697e7589068bc218666

SHA256
2eddeae2aefc112b7be8b43f974f17998c25a521b344d11dd8f49bd8dae5db57

SHA512
2930c9b2b5a9beeff4a54d2d4cc53eb5299f5148b05eaa08e3250dce5e82ad0b9908e789258d2a0c363f9586cbd54ab3eff9862b99addcf1db622380dbc15454

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIW.exe
Filesize
198KB

MD5
350567c3ba5825bb1257012b1f866b20

SHA1
31a54baa3e4d898eae2e9ab6696a732d8eae88a6

SHA256
400320cb92296eb75840c6f6fcb3003e1ffeb6a6a99ae0f006991cdb9ebe212b

SHA512
c8178d4d2d9ea25ef04a77b991ec8785fa3196337e354a8120d74e516f6ade0058c355a9d2f2ba28e5ad748e11de78ca566f7a6274e7c7e91723bc75cb319df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwgi.exe
Filesize
1.8MB

MD5
5d292b943825345d8c68cb9ed79603c1

SHA1
4ad953ccdaeaf0941aa2b816d39e410e04d50033

SHA256
029f4db9bf2e88962af082f9139246cbcfb6cf6cd170e528e50fc5a1a133a06a

SHA512
b7fb8f261efd5e3cbcca1cc95020b93aba7ea2303ae0888a11cce1547841f9522bbddef5b44719b018ac962719370a51063b44c52e5055b61f421b2a32b7f75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsgQMscs.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEIs.exe
Filesize
189KB

MD5
6c24f0e49b730f49ae77fc62eabab063

SHA1
ab73891c0fa22769a2f2c3817b8afe63c77f9119

SHA256
b6281afa49e96b7c5648925841ee6e33b3259813078643af4401711eff8b3061

SHA512
9647070550c57b9aff00ed964eb6fb8e1916a083b51d6f118ce5ee2767c71827b2d613a11100e80eeac36f22fdfd41f2f710db9d16000c6f2c81a1a16231c842

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQIY.exe
Filesize
189KB

MD5
96d0687e9b138cfb655de2d858c6dee6

SHA1
718c118a82b95af12ea1b67c04521a366847c0b0

SHA256
624e879b58b18c0796fbee94a430db66fe6685cb6ab687b46dfa49db0d07c507

SHA512
bf9d7fc21af129df8efaad6f93855424ebb8788329acca1c529536df63a4d54fba0dec3b19dbd465fb5cfffd5e75cb1e75f8c1af4d3ac2d8482f0943ebecdb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwW.exe
Filesize
203KB

MD5
4a901995247fe77fcbabcbc27a3229b4

SHA1
515625383c7f3997210a179221832338a2fcd221

SHA256
ad0168ce14d1fbc7f22023a415f60854e1f08b5333667c9804d51cc3eae779eb

SHA512
b686624b3ad25d40e4725389f19823a4bcf17efb74b261a83a2a449ea8f24c4948f5ee4a70b89f874f72bbdd9a837da31fd997061f23f85beaec2e9ea48b66fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgMo.exe
Filesize
191KB

MD5
a62b6f9638f899a79bed6914d65b5678

SHA1
9fd3f1822dcfeae4521e7b2929cd14ab5ba9356e

SHA256
5e538db22907f1ef9cdf2e6929d129666fc17158dc27fabbba149173fdd43b54

SHA512
ac085fa7248054b7f7e58747919a11eb8f7e754e5e2f7df54b5a79eec0c94d18920a67cec57481d6931ade91e99b1bc1674a200e91b0f9af8f609931bfdb75d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkMk.exe
Filesize
5.9MB

MD5
de10b0f3d0f007f692972f1a100e358e

SHA1
f084d820ec30875689be2fd29962a53d0b025bf8

SHA256
e9048deed8ef50614e13595b75bb54cefd401b99ace02c72a79df5d5cf95bcc8

SHA512
4376b2f6390d5f1291accabcc0bd40d988f01d404c795112f793f80dbcf6018fad84b55f83d271f5dabbf465540824bb4d2ba6a4106aa6b5f132e743dc0301bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkwE.exe
Filesize
186KB

MD5
3ffbb19499f891794b1266b99940d0c1

SHA1
b0372ce2415b05b4362351d40a582a76c0c0fbff

SHA256
e15490d588cb612265fc699afbcd35dd9c6ba22d1013deef285c417c71a51425

SHA512
32ac0b0d9220f011fc9468b25cd5016d4454687924f061d0d7f4d92f37d1c2377053316ba899b2c8ffc76f1e0d1d8d4aa9c7385e7b0fcae8d9b8604112956eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsAe.exe
Filesize
197KB

MD5
cf1c1358f0de1bf0f5c2bea65b56c4de

SHA1
99ad84d23fdf77175fe1ba1e297fbbf0a914b0e0

SHA256
87bd5af74908a5a09601cae727f8fb66e5ca91dd0c8d8290bdcec27f49dd9596

SHA512
2b5fd44bb13df4c7c8c373392921f96a58256ef6dc016bf109ddf572e008b6be9027abee4aeaf5b099f76b2aea2f179d4379abcf46b1cdd2ddaf1d3a3e30e866

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAkc.exe
Filesize
831KB

MD5
e39c983c902ac63d52b20998e672ea5c

SHA1
3aecfde89432841e5968186854524c8a551ff571

SHA256
009a7c6bab767700f37fcbe9e03d63a6d6fb388dd27a36442157dfce4b2e268f

SHA512
46fcded43b5aec805c09ca78484838684e80cdd7261fa5389fd2b5ab7a2a6b518cd1f3f4eca1216db0bf74bd797c7e9815bf39508d82e374fc236b3e509db069

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEQe.exe
Filesize
3.8MB

MD5
97e2f4025e322da441baca3f62216a5f

SHA1
f2c6ebd3597a82d22e534d63c5ef663ecf58aef8

SHA256
607a0671e883fc2e54e3580f5cf386edc24130d13bc245e3a6b7f11cc8b6aea5

SHA512
8464eed9f1495637472f1257934f9782737de59e94035c661ce353d87979a75f506c7fb7835c3a72277ef18e74cf3a838691bca2263f6e747303bb86f5c246b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIku.exe
Filesize
186KB

MD5
f7cacfc7052efb082e4814715e4ab28b

SHA1
a459a6690112c190d2119de348a1714827ddcf3b

SHA256
b5aa2b22563002d984df9e8f78934017a9cb0591720036e0f6610b34a42bcda7

SHA512
22599a58693f6c875393fcc9819e7f8edb52b3d66f81513b6a953277f34ed9c593ee218a2450c4edb5d7a33b38e71865ff0df9aa1a09d33661bfedf02045ff84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMkQ.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUgq.exe
Filesize
220KB

MD5
b04a08ede7a1cfacccfe20d1d67a1c34

SHA1
776461fd0299fa9cdbf2cf06bb6f7fa5fb842faa

SHA256
ef5ee290216b923af51db328227884d718f742fca87e2ddd6969d21f5f4a15f2

SHA512
2412c8fa1b9e470a66e506476a3a09a6f412508ed7aea202ea73700c30716453fa8a5886f1bdc6e5e67277856c25de81a5fd0c5f6ed0e1bef2f6a5d6aaaeff52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwMQ.exe
Filesize
331KB

MD5
273326c802e8dc3708c33b54ed45e94d

SHA1
ced416be28859ac71771f813a723d53933c1487c

SHA256
77655d17d4f99e32c575b15eddff3388fa80dbe45f903fecbaa738565c806f01

SHA512
827a7647e5ce217444d8e1833b84ec4c81bca8de30e5b5163bc0ff9062afbb8b4c22302649a8a06558c15cbebf6cff4adf4ce723ad42bf18199ae255f6c1c2b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEwk.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwAg.exe
Filesize
197KB

MD5
4d1f7e774a44ab76af1ebf780f496dd4

SHA1
b63de2f03c7800e290298706a286a85615b6bc2f

SHA256
f1f3cc02a6b0497cd1542c153d0e7e2ade6e3af90f8df27bf41a79dc943d934a

SHA512
cb61392b5e3a8bf328ebd322b49c7c9211ca11ba361ebfec56b17b16612a253b2c82684adf09dc948e5e8b6a77356eb7075e6485b95d65cd16e7ffb43ddec203

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwUC.exe
Filesize
263KB

MD5
eaba9f9c6563a4d702f9e3a344cd3e64

SHA1
ce649fc2af78ea0136efcf1173d2ac093439102e

SHA256
37eded4a1a3d5991ce5f3856b71cee2a661857195826fc8b5c3c4d845b5280ca

SHA512
b843ce658ecbd173b94a6df98a7106693cf94f17f1ccca3e89ee9b494ceb06989ef8fd1417eb74c8e7355bb6e2d721972c22bdd0e1f18efe809edd9e0fc8b99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAwY.exe
Filesize
204KB

MD5
e5976ea3c7c8eb74975b6c9deb581fb6

SHA1
3a78038fdfee353658f8798c8136f4a478c39935

SHA256
2ea241520e29058183a42ddee0dc4698d34008a39d81669b6e08087e5080f3ba

SHA512
09c7bb11415d7fd6ca974380dc04c99e77336dd102cc1d1023d72e90d91e5d3d4b361fec7f7475f9f6b136e4f5509880f9e4b8516906d4719d85565637e1da95

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwYI.exe
Filesize
1.0MB

MD5
92b5d9fc4789cc57d93f092d32fab10f

SHA1
fe7c8e0bc8e2e0f51c6f103e12c27aa0f40c1ae9

SHA256
07db04e7b7461b66cec6dc76468cf368bfedeebdb2d92c842d20baf69fd46bd0

SHA512
5f15b975cba857f79d9ce179472332191af7680b1d73edf484cac204258a9e5c5be64b6869e36c95948f9230d59cc5fcb2c74bd156abdbcf87e66ac9b69407d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwcE.exe
Filesize
642KB

MD5
06c18353d53f308fe6781d573ad96a40

SHA1
448f041aaba236e3c884dc3c17b4bcfd4f660ba5

SHA256
a58cd6d5646e7389c6312655ec40c71e4fe3bdc8f69571ad34d86356cba369b6

SHA512
58ccdd21c2f6470c8d7b323c6165128793725d92f3f67450a500d9d8ba04aae14bfd1cc574e65da77e37bcb9379301f48bedef28c84eaee29e202824dd204cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAge.exe
Filesize
225KB

MD5
15fe33faf1afcdefdbe99b52333d8cb4

SHA1
e713efc301e7d6d5688770fe31c54e126d640e3c

SHA256
49ffc7d29b3f8c9929be00fd2e966beb0f5ea408ef665fd48cc5e9f718bef4d0

SHA512
99e3cb973505af97aa4cafbf1e160768d8b21a06aa0be93af57222073291705ab218c86a0b4ca81c3358b2ee22b5f5826a2abf6d02ab150478ec073bf312f7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQIU.exe
Filesize
638KB

MD5
1f0fa249cf5ca39c8b8bf6de3898f7a2

SHA1
ffcdecca931c3d51152c65a19da900feaab17bcf

SHA256
0428ec7ecc13b87040a68b46f2f71e014011eec501d23a2aa9c036f1502c7744

SHA512
2aeabcd994545244af80e662e4289ac0490e5ed61a2685fe2667ad0ca3a73df48af2df63cce3c4a7268945a97a5c35237f346ec477257aa52d9cf56c360ace63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcce.exe
Filesize
209KB

MD5
90fbab0574ac5e2d2aff793810cb9772

SHA1
4a0fa4628c38144f00a21fb1d17bf56df4ce257c

SHA256
a3eb9db779f5c25026d7e2e70c4b6db624234d57305011879e2b8af4ba46b009

SHA512
255cd109950f14f988b5d53d2884f60e377b041ed323bc43b48e26ad6d6060da6f814a876be37684603f84d6d9cb91da27d95fd62210e397c4fa4363741a05a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUEC.exe
Filesize
198KB

MD5
d30c6f20db02d2611a793fa7f5b3d402

SHA1
0ffadc1bb6b94bb2876178be022660048ae46d1f

SHA256
7def61a3cb6bd8bfc92aebbf0ee89937eb4023c8d8da79fd095e253aa9ce7795

SHA512
5510addec60253f5a825378495cd14ec79b735c87bba6e67da24157f8bc02ac7ce6d665a569f2f1c96e4c8e6d6444a22f7a62d876d48b78c42490e4c8e74b488

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUMI.exe
Filesize
190KB

MD5
430511b219f8fad2c6a4217ab725415a

SHA1
49e3a834869771a67fe73e43c21bc23f5e5a6905

SHA256
78014865198f5dc547749c3f4e5b96def7676f8300c71400ca03ceb90b648ff0

SHA512
2f0207ed9ff4a01d0e4243be30bc13a546fa45f5d82e7ec844d0cd578d99561378e731f9acb46fcda13f6473bbd8c4673741183f7f6dfc38e959709f5e3489ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYAi.exe
Filesize
239KB

MD5
c50e29e3c88d350b73cf4445a081e234

SHA1
1c92a4b21e8c86bbd9dc52d7e64ba6b8454c0e71

SHA256
1e184533aaa728d96b1c05a3a93c9ff1307fe244c34b5b9bd70e10298d6b183c

SHA512
8e03c237c471f99984b5a3c495907ab56764959d69b7919056dfbf97734ab4a744f4b2ce90b98dd7667f35000f0710cd1686ba315be14e088bf382d2cc2913ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAsE.exe
Filesize
211KB

MD5
8dc197ba6e46aa39a1a06c2694e56c61

SHA1
b4d16021f06e1e9c3f4c616a4f7f4ef0afb2c0f0

SHA256
dbeefa5286ddfc6296f0c071baa8c2b214e5d6722484e059d1eab2f51d6cf23a

SHA512
758add8579f02403b05626f12354dc71b93c70df7179aaf265c8f62775ffe9bd57732ae385ef6e60ccef3c9ac8f9866381e2ee00854ea1b282cde61806d6db9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQkg.exe
Filesize
203KB

MD5
5404c97d23c1c46f687bf188cbc6dacf

SHA1
ba56a23023ed63a0f204081a9414b94248d2210e

SHA256
4cb8bc122fb78e3f76a410a9815b9757cdab54764e57c4ea32d7fed1819762c3

SHA512
f3fb8e9b8905219f7f41b4859aed32f855ad906271259fba95c02a93829e2c6fd6a2a922f9a091cbb554912f1bf2896c4a02b44d110384a7c85646d49ccccdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIgI.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQAi.exe
Filesize
203KB

MD5
066d9d76a5869a8767fb5c9c884471ac

SHA1
c0d122bc69eba3ffa274a382a06c18bcb28eb524

SHA256
740d46c9a5c3929e3526aae79b9ed91ee5b70db98acc6e350a1a5ee6b313c118

SHA512
9df68bc5f14642e54c72fe18f84aaacd49c415b7717f026a65ec6749333055c9c676229713470a387bac3c0e3428bbb61632b80c12332e9c6681c451de6c4e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUww.exe
Filesize
182KB

MD5
ae9513652cb5b52955daaf10296021e1

SHA1
f9a19191944313e245c9ec2bc04f417fdc7d458a

SHA256
e7f4d87cebb709af8aaa70001f308ec9f81cee736dcb9f63b08c0bfcb590328d

SHA512
2143c25d2ec36404afff0f25e7646383ed88316411af206e80d8a251f65196223cbfc28c29440aae5a3c5797441d1b0c057b61de34ac3c918a4c049bfefe850a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkoM.exe
Filesize
191KB

MD5
29c9540cb72152c0e3780da2ade8d3b1

SHA1
9230a1d735ea051f7298e80342c79a3e52577629

SHA256
076e4943b2a4f6eab9e64cf0a994cf0cc6caeebde02af06cd8a8628086c081af

SHA512
390393061a36737c1ec4dcd8317e2749f44ff131d9a5614606899b9782cab02e15758ca8072fc5a7c16e97be2c03986dd5b074a5c9df0b2f072153a37e667554

Download Submit
C:\Users\Admin\AppData\Local\Temp\WscM.exe
Filesize
193KB

MD5
916f02c0e06203410e79753dacbe6e0e

SHA1
b859026e95dd150e691be4feece3050a7109d142

SHA256
43ae802551931f17ef9e7143b6cdd36c5f5f2d2676b6272ab87534ab141a28cc

SHA512
eb9644762666f706a729e9b1ddcad9b4f0d4bf23bb4bd1a62a042baeda55b18138ac2bea20c89ca064b27e38d091a907b96888f33ed077109f37581bf400d72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMYS.exe
Filesize
308KB

MD5
e44cd76c5251fc5c9ad1950c84cfc08e

SHA1
ca94ccc26c2e2765ac46006687b0693e9c9079a8

SHA256
cbcec2de6e675cff4df8ffbf7b1352cffb0c48b3a1a57e4f0b6e63c88e84313d

SHA512
d566fd2b80312c79ab199c06a27fa4c23c26667fc4a2933ae200354f65939880cbbe19871663566d2f2cb87674e62743ce72247f2a1fc6261a1a88f4a3198e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQUo.exe
Filesize
205KB

MD5
6bf7ddc7c2297c35f563aec1de15733b

SHA1
35f68959efd840fd8768d0a2c6bdee4429ffa29a

SHA256
05b12652032b279793099e404435808028c5533f5c2f954977c91b9c3a00cab8

SHA512
f2903204f4c69c21a17825790846edf5d952ca38220abcafb4d852445e2b54fda7c39f6115ca06c0c65873788b1982dd6e0e1390dc095c897e1bad555e77b750

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYEg.exe
Filesize
198KB

MD5
4dd8a780c6fe1d6e80b308c10e3a76d9

SHA1
43e2f1ce502a6b041c64b1436fd1d8d1de79d5f6

SHA256
c9d48e2a4da8b31bebb4faa4d5fda3d65db18de99bd5bbd28d9ba95907290a4c

SHA512
ce571dcf3e51aee2d0bfa807090e9da746f113cd80cee3e490e9b23ee96d0ace2021ab090126fb47320fc5ced8d73fcae186d6498d5745cf39fc7b2cebdfd5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\acAg.exe
Filesize
204KB

MD5
113e9dd6d6182d454914dff194ca998c

SHA1
6fa7f1025fb6864ff60ba27b3e1ce5c23987dff0

SHA256
401373ca64e6238c0facb2b55f454267bd0ce4eb72ee36d79c51f18fdd70af4d

SHA512
d9a8644ae7aa6584dc8ec23d9d6b02978425972f1b007b4091425a347c30ea7dc2751bdb8673586fd2794a441856e63d5acda25cb5bbd9e02779f19c97e7367c

Download Submit
C:\Users\Admin\AppData\Local\Temp\asks.exe
Filesize
187KB

MD5
e61d112aa4f11249a3e4015d54a757bf

SHA1
86a83ba111a5b170029b8686ab85e6115e054f64

SHA256
0e0fbbe14b3d7450bf6e12b9e46571b085ff35984819adc7cd55b2f90f9cb8e7

SHA512
74468c16fc9f900619028dcb1df245a5d38463e4f437fea0e45cda8c4fc4c0070f2675b7961fc6f6b5f858b981dad291a75c64a0e9e6e3e7a1fafa6f650a9ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAsK.exe
Filesize
191KB

MD5
3913ec4df9cba210a5a76c4b108b53b1

SHA1
3534f256465e6f31791675cac68ee4583288e714

SHA256
5718f6353bbb87ec253334ab0b80698b7b0455515ba41dc91726de6300667973

SHA512
a325a7c687eb8251d560819336dd7609cbc4a97018a5b6348510515c6f27bc0faedee4ca106e9f40edcf56c438f6d3a0f8db54e22f39471bbea0a5baf8297e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIQK.exe
Filesize
191KB

MD5
e00abd61a58077f8e1fd3d822b3297f8

SHA1
7e9238749d898a5aabd441ccc059aa28fe3a0ae0

SHA256
4db24c0054136b616fffb171e5880b4a8a7d340a59882ac6d13e3f5452165319

SHA512
81c61a3dc4700389e2a0371ceab5727f7ae773bed41cbdc86d28c325ef3c8d7ffe139cf8f5dd5384bb62f81bdcfa48fc556904f4f532a7dfead79760689518ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIYA.exe
Filesize
209KB

MD5
3bdfb4a1a2666046677f4d29d6dc7d78

SHA1
e2315600404d7d112098cf8e4ca9bcb4951c524b

SHA256
671213a8183a04a10526b7989f03c930eec91328898e36cea87c44513f074be2

SHA512
159be939a648e4ae64f1ad38e6fcbb4e33b74fd0a802b9a5f1f39e3539547bbb4a01495b73fa2043b985f44e00b1a2136e4fa96807b0fad4b761bdad6672462c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQck.exe
Filesize
194KB

MD5
a9f4b7e191665d62c37055340e528ff2

SHA1
8b3020a46057c7ea25b75e7afd71e1e013373bea

SHA256
b42e6a70c5bc67d5a2d35f088ab29650a4451789cb8152734995233ab568a101

SHA512
7672fa7ab414ed670c59a174c4d58958fa17faa386c99093d53912ebca71c64f487eafdebd5e484cb43eb794874f4d0861bd1ee1bbde5d7e88fa104d2fccb6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgo.exe
Filesize
239KB

MD5
78dab58c8ae33e6c002a3db7eae4259f

SHA1
d5ac8018761c6c5d2bdb6ee9b9c7fb1e4ce86a3d

SHA256
0d604917a0cdc967946aaddf95d7ea5359d44d764bd310289fd5a2a17c4d7a76

SHA512
cef4524aa60ac8c83900df788920701641447f56f59e62f404a127d2e2d8edc19395b04f606657d0f4fbc7eef951aaeb5c6135fa1fe64b62221171a2ea56d6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckgi.exe
Filesize
328KB

MD5
86ee636aafa0bd39cd25257e51dfe9e6

SHA1
644ffea3a7b06ab57ee370dce940bbfc97bd87b2

SHA256
03bec6cb30b2fe4151e911ab13575b77430073d6dd7cfb3b7e3f59b6035c27d9

SHA512
93e3e9114395fd3e06e1c9b31111826533d4f0958995d8ac1eb2d595e4b103a6a27001048d2ba34a66cc4a24641c66826b68f2361dace8ce4a7f8d7a3c5dba3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMgi.exe
Filesize
197KB

MD5
5870173b80c435eaa579edde15d11c5e

SHA1
d240c62bb79c5cfc4ca072408cd2e829c23643d3

SHA256
a7339ed0dbf9c83bfca9ea742ab49cdf8d84910fca46ac8d5ac1be6d37bb78c3

SHA512
8ca16b72f9b019e3721589ff8c019b67948116e35238865accf145ec2735b4328fe3026a6c2f16d7a32963f4a62172af13f04572bdf84a4f877d844f50c085b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQEa.exe
Filesize
225KB

MD5
4094c357df08845fe269824be629a07f

SHA1
e1337115373041f6e4eff83c6d79318810ec907d

SHA256
d67514002cf0b1242dd80b2056f99f556b3605f55c9acd5457f4bfee815ff449

SHA512
feace8c217084941f35fe2f0e42e6849851dfb090547d17de76fe519d522fb46bd07bc28ec8c9559f67575bd7fafd43db07d19fce94fdfd0eedc76a7bdd7ddf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQYe.exe
Filesize
227KB

MD5
3da253799d6f82cf421ab7b2b51c8b6b

SHA1
60febfcae1c0e40093939c4cfa65cc12d164d016

SHA256
f88514dd99dbab3a401b17b101f9a8e87f7ddb56dd7bccd0716c158396e48e9e

SHA512
51f0a27f5e806bda8111576cd4dff46109e6f36f3fbf939ba2bae9299143ea7c21ec4512db5ffe37621a25ca1c1d5f59f28cbeb2ee2d94f3b67882c4aad17e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\eogU.exe
Filesize
188KB

MD5
bf785eaa86a83a96a0e15d8b7a779f16

SHA1
ca9153a3c6cbbb7674a7c619151fd6b6f4b0456b

SHA256
b137bd61c60df06399c7e3a61fb29d5886bb9a49f45366522fe901f712d810a6

SHA512
ae8c3aba68eb0a57cedce65026ebaab6439484eabc41b4ef0a23f869beab7c2def29c37a7ac5e6c56bc2f8efb3047236ce8b46952e13808e436f56c767b1073d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQwG.exe
Filesize
193KB

MD5
3c593364854a1aeabe4e6c0e625ea068

SHA1
d3af75d427ee5bc3f3f4d1f083a8e3f4038a8633

SHA256
1d22f026c7410ebe0e0f5b38d9d9d48b22f32f7ecf864e6d12a2aab651d701a3

SHA512
bb89fc6c9c062c407d006c3779ebfea280e333b14e1515b5f91680e17160b975d3e697cc2d6cf293ec9044db2e559293645bdaa3d30f11787c3c720680864ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggIM.exe
Filesize
5.9MB

MD5
ca8afdd29f506e8b3404fffd5ff06abf

SHA1
f3f48f101e645ae46361120c79886dc9b1877ecf

SHA256
43a6f035a62f2885983e1552f8e3dc3e0e3694b923b984d75b98a078946f9d06

SHA512
2fdbb599225df8f05a0789eae1a351e3361a7989a9e746b1dd8f56750e6f0c79280486b290eb6e384bfb26919a0a944307db8e3b74e1796b4cff011728dcd808

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwEA.exe
Filesize
195KB

MD5
35740750439e23257959c2dbe42b5a87

SHA1
4cffc3b5df55eea074e5f490870c0f9d1a2197f1

SHA256
2705a5319f1d919f1c7483eb0a9cbfd70309df302d5f8335d78b6c6b4d12a357

SHA512
33d00d47c8ff120f9b3531807ac918089bf6d2920bd5dbcff8a591fdda5072cace76f5a0cb3eea2dcebaf5cc20a3fc9d59456a28af91658a6cbb534f8b0b27cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwQc.exe
Filesize
213KB

MD5
3d6d8826948d70d34e80029d881165c4

SHA1
377003013252e018eb348f1da9ae3a6323d04a1d

SHA256
ffad920de05d2f2baf9106e9b65efb636c6f2861dd58da54fd0883dd23f580a0

SHA512
6b4ad242b1f51aee908c45df6dcebe66cd735fc1ae41e851428e7c6e351cf2c9209a267d67d3084407731b480b0c9d37df8c02c0cfd64122bf5c722423277071

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwsY.exe
Filesize
1.1MB

MD5
444715116813affb704c365b47a10323

SHA1
bc575618a96a4a3a705b0851021ce583eaab0e04

SHA256
189da365c42cf726d57ef4ee6e3d5189caeef2ea4ec178950e1d56c6906a7396

SHA512
e0ab76287b9385f2072282c0d5f99041e51fb3c845265270e785f36cec32bcface057f855e01c17e357b9854c0ea55c34058462b88fcef8b11ab0ed5950ff6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMoE.exe
Filesize
194KB

MD5
95d7689161efd6bbc26823b0d857e7dd

SHA1
6a36b9454528c6169121420164bfe7afd8ca40c9

SHA256
b1fb652f3b08199900ad54fa25973732b8ea353b5b5b3d4ed5ef87bd6676d2cd

SHA512
bb0bb3a75e1813ff48913440aeebeacc208422d0f09f4912d74a04c9db577cf7d8b99ee4f09427b6148656983042b9069d3b4c18a317913a5e221f01093c4737

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQgW.exe
Filesize
640KB

MD5
551ee7d57b2aabe22e63b764f5299c76

SHA1
e99f4ba36841ef49801b709e038afacb2459010b

SHA256
42727fdcbe12528f2c4c2d3bce3731f81b4ad640f9be60974ecfe3ab80d22c74

SHA512
943b431345745e9b15d02f7ce08b533b0eabb9edeee1f9bd5b03202bde670c95d4e01ddf1df5511f31d877f6b3f73d53a0b7b7d6db37e4ff9e7555db8ba307d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYcA.exe
Filesize
799KB

MD5
5db31b27e9156e400abdb6fc2fa7b3a7

SHA1
45013665bd427b99e5f40e63f0432919df989ecd

SHA256
2de5644ca285e9dbbd58bfa1d4de7ee7daab90e3c449c15190645acb64838886

SHA512
f14423c8bcbde3794a70ebc12810102ff5cdd57b00f6cafe0abb0494527e5d519b4b39be9e076b63322403298516d29fc54a3474d4ae7ffcc5d2c069ecc5cded

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikgy.exe
Filesize
190KB

MD5
b4d0dfa9e2fee3ae3364835e6952b4ee

SHA1
09a32ee4c9fed420fd189b75e84dfb52db23c54e

SHA256
b316aa41b0fa89b913f20a3ca35c5e059611e2fd9e519d83487f0b514a73cf2c

SHA512
51c3bcc8fc67fe9c9acbf13e8e3087c9a99d1d89b8f9abc453b9f0d0a894b1b1f81aa11f0ce8fdc6d76c0ca578f2f412f234b9d830770d02e2ef6b22d1d02717

Download Submit
C:\Users\Admin\AppData\Local\Temp\isIQ.exe
Filesize
826KB

MD5
5df9ebcd7e54cd12e93aa673dd55ce08

SHA1
0b3bc4d987c16106b04565c5461d80cf19512fdf

SHA256
9023e6a4199076a0a1533c3f1b9aca4bb31b354652dc7df851e9140132fc1afb

SHA512
271670da06d16fa4ef4f1be48f03c38380b4146d693f7ab0d5dea155e5c28e82f4e0a9120b52dcc1cc8f700be1de3e148139d7165e6ea72d098d81980a6b6a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwIW.exe
Filesize
194KB

MD5
254865f569cc919dbd102109d3f2e9a6

SHA1
c12a242f1a7a890b324bdc4640e50cc22cbb11d0

SHA256
d113e87af808d72bb55ca7442c4a50768b34c9d86656269da71fb5d0006f8ed4

SHA512
018e13e5ff742964c34fac8b9d1b9566ab32baeaf265f9de134ffc9db5151efc10d987d7e6b3288002357daac781cfa2b8f034ac64d7024234a0a534e08e2bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIIU.exe
Filesize
317KB

MD5
c36dc86c9e8a27f8744414a2685e7699

SHA1
12b92596d37bc3503e87f539e3e187e75ba13cd7

SHA256
cb9b1f984194d2e55d671cdc0f00253e218102bb0d5bc8df73c16f019a4d6933

SHA512
b28064f917d5667138d17dc929fc4407c0939960ceb2fee827e3bd5451b0cb0b9058cf92dcaa19cf61336b9ced9ece391bd4386cc4557325cb8ad09c896ce533

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIIi.exe
Filesize
738KB

MD5
78143d53c0d9a3a9399b6263a77354ea

SHA1
3e9e8a427c5c3ec2df5e3a49be0c5ecc724b4809

SHA256
184a3b857004473cfce6b9ef16343e913a1d49c6379dc3869f262f57074a02d0

SHA512
fa985d6a8bdc4294cbe2cf8e1d55307124c9824a9a605e914b23d1dd95ac522bc46768711f2cb24fad9c2510c25a989ddbe859b4ac540f19654e315f30ef861b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYwA.exe
Filesize
5.9MB

MD5
bef54a97abf98769b9aff7b443851785

SHA1
f1c423316b9c8ce748aa66443c41eb29fedc162f

SHA256
070b24874e6504ebbb0a84f504f07b286595874b4c00a56d5ae72ffa9e2d4aa3

SHA512
a05ac72a7c46b99ec0c213f42add10448632c740cdb51c7500586d47d49280918fbe66cb0060c8e92767ec94d36bf1eee110203c5512155575c4a8b4e72f2b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwwq.exe
Filesize
235KB

MD5
bdfe982890dbd0eb984d22108ecb3dba

SHA1
ac9998c94af9b8576495226d5d94634d9ec277b2

SHA256
fe26e768ed73189bd30d2bf38c2c8f76e58d8671211b571cf69c8636ef9a4beb

SHA512
8720411a557ddb12f4a0c4a0ca3bb51c397f9c83da9aab4781254fe3c4d29f596bfe85cc68808503d23a1ad82656d9c7518e09c2579fb75acbeb3bf748e204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIgs.exe
Filesize
188KB

MD5
9ad52dab51fe28a58b4fc80057f6daba

SHA1
2d53c2f550b585d50ad71e1caa20d6f94cc5a39f

SHA256
b3dc19e4c2255a2133bea1a2a08bff5173d53f2132bdf594f1110000313a04f5

SHA512
da78057e42dc8edf8588e3f8af5cd2182303be2c018c7d47a58f4b173e69fef037b0333ba55144a1d0359135213cc3c82d50ddb25d3726607310b72cf4828025

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMEa.exe
Filesize
198KB

MD5
905bc84f44acab65464b133fbf741b17

SHA1
422ecdde3bc2312ef8a00f273d20db9626e9d41a

SHA256
c02a304efdad7b4c65aaeda1c2e8c70fdd42d967ee5e18f0efa9353936e4cbbc

SHA512
9c56d28ffb44d54364cdc3fbc6c8157742d41477ab8fb7b6ff443748ec58f08630bf56808a6db8fd8a505c7a5f6a182a1e70d4093b8430b64c6439b3cec94e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIcO.exe
Filesize
209KB

MD5
c3b816b87a49fde7fbb75ab2e1622bfb

SHA1
494776a24cf1f6542e9d1f03d1d7f68448deb00d

SHA256
33c1f1e5d304068afd02a5bef2bf646efcc6b230c94facc0fd97b409423ad9bf

SHA512
2a3d0d1b6c7f6a41fffbc4034f4f8a55e4b011f0c5495213b8025d32a5cc18cadefc4322264f2171a5233c49dcfb09fd6ecc3b1754a08ffd6f52e5ec3c3bd87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMwM.exe
Filesize
210KB

MD5
d6d38e9a0a6f5c260486d28a3c44a503

SHA1
ebde314b81c0f1631d96cb78b23c7ca5505ac86f

SHA256
3a8053ab15220283f95de8b17b6603b52f9c7fee9145007f6d54a534a682ef44

SHA512
45023e48f2b2e34744af042eb1f32c9370140d4fd35f84eaecd3201f6ceb65554d6ad72ed887cb7b8baba4dbfca77cc86f3d3ed408a6290830fb865287726332

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYUI.exe
Filesize
201KB

MD5
37f40aeacd8e25db572fe5028612a398

SHA1
34d519ff4b3f91e0a95376b80827b2761aa3a72e

SHA256
5648ec9fc60932a9cc1ba1482a8a749090512b7eeb96caca3c3fbae739f29043

SHA512
a1e787095bac7938d238bba778917c99fe70fbf4f67db456f722b2c211036e48629f50a3a5803d488a7b39611e7af03edbabcbecb9a291a0927bf5eb790d1466

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooom.exe
Filesize
197KB

MD5
2dc65f079b1ec30316ee00d23cfa4796

SHA1
249db343002ab3cf5c4d9caf46bac2db73c52313

SHA256
06d3b74c6eb22084117942b5784760cbacfbdcc4a6c6ef789092c8201ba3bde0

SHA512
f7ad92646532c80590647b798ca6348d48bbe7753af53cc90a58e0004f3c468aa844fcb538c6a2b95d1b473f56fb85e65d6af3ad541121fdb842372c02dbe38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUMu.exe
Filesize
236KB

MD5
79ab8e4063c1cbb0524def196d80ce0a

SHA1
9a5a43602b7324a4bdc22e70d8371ecd1685a7bd

SHA256
0d3abc04b61123e21bc1672c127c54b1af37b94b7e8e0e05cbeda292156f9050

SHA512
f26c5a284269eecd51d38614c449b51d625802e8adfd866ca6edfa80bc9e6fa9161ded5a17441d1a79a87e5ab9f17954b9f20534237f79f1b69bea8cbce643fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgAU.exe
Filesize
192KB

MD5
5556a1ee7f4beeed0da78fe43735f2d5

SHA1
818829001d7ef99be40f2b5e78dfc2e13b9e9f10

SHA256
613261cc5cab2ab849c0cf324608b7015f8e40c313cbd0b0db113f4cd7b62d75

SHA512
bfb59708f019d09d208eb1f694995a2169ffbbd2d5a37a350084ad5ff1bddec503e134e989723352e6c814d159dd6e12272bac14dba3ba36f41b80db7520b6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIUq.exe
Filesize
780KB

MD5
7220993f8453efd0d56712a2d7793d00

SHA1
8bf85d0840b0cf527f6d7caacc73d3d8ccf04ebd

SHA256
27f4dea575286f6cf10349947e8960fbe9f85d07841b9b6a1b176745046e6524

SHA512
c9363bd17f7c053fa73e78345b4a94d69dbe7b0436f42b298ffaae75b8c30449ba192b3e761aea9b3ee93abcc16696ea275be52caa0459c79235153ef2fc409e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMIW.exe
Filesize
560KB

MD5
d8cdf8cf726098c4a20ddd4c8acf458d

SHA1
2ac13614ab641f154e14924c1c0eed69a4d0ba40

SHA256
f4dc7357903e29d5b28d79e03ea13129bcd28cb083869e5eef98ec1f4b8013b6

SHA512
3cdde6c90d2af0eb40766ff411871b4fae6d10798ab75a23592bf40d7f70b178805226fe6ee9d49154f26066eb7a28d1796dfda9c002b7144d6f75c7829b9783

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUoo.exe
Filesize
809KB

MD5
66017c0333390cbaf28baf295712dd15

SHA1
5605e0afa708be7340316148483440d5cb8c3c61

SHA256
d2e28cdfd9ce0c3b7afaac8f7f907b824830f900d3af754031225f9d45761661

SHA512
fe5396959a6f1376c96d2973d832b8f13fb4f4dbb68355f430605700eaefbd57f83518b5831ef42a5602e943bb06921d0e8257829fd34eed5185c7050deb2d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgUI.exe
Filesize
191KB

MD5
6a9b9b447258f110d3bf4d79f8790216

SHA1
e8cc709e7c6f09f980455d867e3547105c46e05a

SHA256
037a124b126b1ec236da50e9eee0287541710a682d5fb1b2935dd3906af17852

SHA512
af767d6731e8e374113357624fc28a1fcfbb708162f0d72412ecd51f03595c7591ad4ffb93b2ab9233818ff97e71ca523dea2ffc1de8b9ab0a6f041520a90bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\soEW.exe
Filesize
228KB

MD5
ccb93a0cffc7698279430a6bc3e2c528

SHA1
56a2a2a1a4a782fa34d19f338d1598b730e3320c

SHA256
1744235151e5399debc47aa72ee848058c1c98a854ab1a308348d71dec8a9e75

SHA512
74b72afd0e24f8fe008075ea0e29a8864403f02d5cab2c2c430ead71cd2e2d29516b3af9e59fc2f5067e136adbda22924d981c1995f6dc074f8d39a002240554

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIsy.exe
Filesize
205KB

MD5
24f45c8ce88c3d0c8a4ffab1798ebb66

SHA1
bfbf6a22564d41ae6c8f76a477f7414ef5eba24a

SHA256
1f9e4fdea9d05225fe89d62ca6a89cdd597aebe7aaf17e825b344e89c85f6270

SHA512
c14e7153b13cd0c7a334e605b06adae876c12e479e178397646a70a0e8cda68f0311f1de3cda3db321e6823760d37aa0e5ad6f81fe8b6a7282cd0486f55aae1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMYy.exe
Filesize
641KB

MD5
1867dd5cc182b048ca0c687eb81ecc75

SHA1
326594146a25c947d1d55d740f179aebdd93c63c

SHA256
c9148cd4395b52f78855024839858d217a096b8a7bfdcf1514c6bf101eda265e

SHA512
97d4abeec96a0335b7392e0bb6c59fd583b532ce801f7b8367febf27e3b904491cfdc7252075e3e1e8861146e20d9a720bc9da8840fd800c43826bb451c6a700

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMcs.exe
Filesize
777KB

MD5
92d025e86dda592633e2dfa9b27eed9e

SHA1
6005f12cd7c5ca41c0feddc194ab5498f2ecfb18

SHA256
74c97271179f81849e203d97e12800673b632ebd30debb50bfcddcf7a629841e

SHA512
4b037e6b84a1427bcfdffebab898aa58110331e0da6156b6a3a95cae3e13e83d65f7b609623622626591bf03ed37a9154c650b31e55c898728d5a8bec912476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMwS.exe
Filesize
195KB

MD5
e0bb012d99ad12467239c87980542262

SHA1
091dbec273320c520c72393b61b8da9ca0c97344

SHA256
e70ae8774ddd619192b44faac8b4572171446482b65483e8f1fd43c1effa7cb4

SHA512
6d0c628a2c4b0589193294e73137d709e7181800c53eceeb80da5c076dbf607308e3f6a8628afa4ec130c43b2f6e8027b2e92c120054b0cd3b81d6eebd5c6e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwgM.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEoO.exe
Filesize
207KB

MD5
38cb7b21f0081014810d8e4d848afebd

SHA1
ca2d1d16f1781588c63bdd747440230a7067e47f

SHA256
f960f69937aafe84ad96cd925fba5cfe7adb32aff13d5ef11d6363b70be45c24

SHA512
90ff94f909617929169ddc70364d8e9ceb639c8850d3f8d9652cc66a93a392a10257da9e264ca25093853ce02fb241d2529bcd9a9aa4346e1e64ca3ba3cff172

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIIc.exe
Filesize
195KB

MD5
b232c9797526ff09053152e7fe8a1586

SHA1
230e2d88b2b6d87a67557cfc2e10b26a68fc149f

SHA256
e5c530c5572f78e62161689419a4d6abe92db3c9dd0398f25b87d4a14e794a1b

SHA512
3be26649a3f0892907aacae78673543879bc0b0a10311f1dfdbbb11f21f825f6adec60261bdefea75398b94bf6645ea3fe8e7a6bcd09b89eceacd270586c9d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQwk.exe
Filesize
194KB

MD5
f88b4430e564400fc9cf59772087956e

SHA1
cf07484c8697d88547f3bd992ed615acd76c4c89

SHA256
0b82a92df38ad245e2e7266ad3e694675526b37119eda20b95c6ee332571a8d3

SHA512
6294f10555d88c5a5378215f916a5e02b54b9b61c4c897e2a83f5945334b689fa2b96513b89dc4126d3b56d851d6e5626e0d9d2efe932e3fbbf89f0009d39184

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUoi.exe
Filesize
198KB

MD5
9209510acdfe39aa87b22558bd4c1c17

SHA1
9ad6e59ce196a2b523d8596ad3611586ef58e4eb

SHA256
2b4256a7458441324855213ceebfd507289620ce5ff40d3e3bfefc98cd8fb2b1

SHA512
14f1922a870e85454165ce4a42a0aaa455f358fbfabceba02766843c888682237f911b8a64ee870a0157618669633e31f7f3656362597a4dc830f6e043df6302

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykcU.exe
Filesize
181KB

MD5
be0c0b511ff37aeec89380394dabd613

SHA1
76acbccbd3e479fda64eb49d3d82b4dbbaf556e7

SHA256
5cd6d73bd2d92c7f60d2b6d9608aa309d8e480ec4ab1f864d6e1fd791e4452bd

SHA512
06a81b110d8adcf12bb69dac199a55435a0c6a6bf89df005c229ae1f7e6c376fa54487bc1c12c4a80cc6c975566790587993bc49ff33e2b3291da4aafe3bca81

Download Submit
C:\Users\Admin\Pictures\SelectRequest.bmp.exe
Filesize
2.1MB

MD5
5efa4df5af5bdcda2e43823a8c766ad0

SHA1
48cfbb6e59eb8ef9e9d649e9bbabca12385c532f

SHA256
df0ac029d5012d97155756ee7d7d2faca845d8ad921b2eda8894fc713996f4c5

SHA512
8fed1277160990d0eb57856b3109928ea4548d407d4ff5d8cc2f0dd4e23a199bbbc57a22c2e6f958f833f39e32dca75b7af242c5c47ee9f6fc36166202fa09cb

Download Submit
C:\Users\Admin\fckgAQgQ\PIEkkwUM.exe
Filesize
184KB

MD5
f9f0bc62e33dd737c774680915ec08b1

SHA1
83d2fe21137a0b7dd1a466abbce107a7cfbe347a

SHA256
ab6dd821344387a9a55d633c6931009304eb0a3d87c6e68c55357eced1b49fe0

SHA512
c8f598e24cfa216c0100aac633846335dbc41ca6bea6e20ef765cafacb31a589a12891605eb6e87f2ed8cba6bcf9e399a231610a3682828253213d4473e7a0a9

Download Submit
memory/224-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/376-277-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/376-264-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/756-42-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/756-58-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/768-306-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/768-293-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/828-400-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/916-345-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/916-352-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1004-203-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1004-219-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1144-455-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1144-464-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1292-302-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1292-315-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1492-324-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1492-311-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1536-169-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1536-153-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1652-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-447-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1672-456-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1904-390-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1904-383-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1916-157-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1916-141-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2096-207-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2096-194-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2288-230-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2288-215-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2312-381-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2312-369-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2320-501-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2320-489-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2380-165-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2380-181-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2472-84-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2472-66-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2488-475-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2564-0-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2564-20-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2616-46-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2616-30-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2908-410-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2908-401-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2976-438-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2976-424-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3080-119-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3080-104-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3228-320-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3228-333-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3444-242-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3624-538-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3624-525-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3688-108-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3688-94-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3692-131-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3772-70-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3772-54-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3804-297-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3804-282-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4048-418-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4048-409-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4228-238-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4228-256-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4240-512-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4280-127-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4280-145-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4344-446-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4384-361-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4384-353-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4472-362-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4472-373-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4484-480-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4484-493-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4536-529-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4608-329-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4608-18-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4608-34-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4608-343-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4656-195-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4656-177-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4700-96-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4700-79-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4772-286-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4772-273-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4792-534-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4884-472-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4884-484-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4892-428-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4892-419-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4896-511-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4896-520-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/5036-252-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/5036-268-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download