a9cea6d2aa276b155ff75470230ea28735d9f36619f85197e9a9eec81788ab85

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
Size

186KB
MD5

4aa9fa508c29d180182fd46b458c3d45
SHA1

11887d2a2379f3fa20b641bcb7beb21eec6f3b68
SHA256

a9cea6d2aa276b155ff75470230ea28735d9f36619f85197e9a9eec81788ab85
SHA512

f320c06d04b4335761ad2b6717c775fc3433657ada320216ffe5d6f31e478598c3c879aae81a0145b3b619373ee729f434bc17f26632e1b5470259f524a90589
SSDEEP

3072:Bo41Fyay14bZhykPagbGUlcP003HloLhJO8cvaFmzj4et8CyPJYbwKgkDm:mj1aTdPabE03FuKaFMyPJYbwVAm

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zmwUQEMs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	zmwUQEMs.exe

Executes dropped EXE 2 IoCs

Processes:

zmwUQEMs.exebKQQYMso.exe

pid process

4536 zmwUQEMs.exe
1520 bKQQYMso.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bKQQYMso.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exezmwUQEMs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bKQQYMso.exe = "C:\\ProgramData\\voUUMQEw\\bKQQYMso.exe"	bKQQYMso.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zmwUQEMs.exe = "C:\\Users\\Admin\\rukkwUgk\\zmwUQEMs.exe"	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bKQQYMso.exe = "C:\\ProgramData\\voUUMQEw\\bKQQYMso.exe"	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zmwUQEMs.exe = "C:\\Users\\Admin\\rukkwUgk\\zmwUQEMs.exe"	zmwUQEMs.exe

Drops file in System32 directory 2 IoCs

Processes:

zmwUQEMs.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	zmwUQEMs.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	zmwUQEMs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2436	reg.exe
812	reg.exe
1972	reg.exe
5028	reg.exe
5068	reg.exe
2096	reg.exe
4352	reg.exe
4752	reg.exe
1564	reg.exe
2076	reg.exe
1780	reg.exe
3924	reg.exe
5104	reg.exe
1840	reg.exe
1848	reg.exe
1180
1424	reg.exe
4232	reg.exe
2076	reg.exe
3948	reg.exe
2524
3820	reg.exe
1664	reg.exe
468	reg.exe
3584	reg.exe
4212	reg.exe
1180	reg.exe
1420	reg.exe
4016	reg.exe
3568
2668	reg.exe
876	reg.exe
2416	reg.exe
3008	reg.exe
1180	reg.exe
2988	reg.exe
2440	reg.exe
1008	reg.exe
3648	reg.exe
4140	reg.exe
4452	reg.exe
4892	reg.exe
3028
2324	reg.exe
4628	reg.exe
3148	reg.exe
5068	reg.exe
1028	reg.exe
4328
4108
3756	reg.exe
1740	reg.exe
3628	reg.exe
3948	reg.exe
2280	reg.exe
2172	reg.exe
4560	reg.exe
1672	reg.exe
1028
2980	reg.exe
4412	reg.exe
1828	reg.exe
2200
3144	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe

pid	process
4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
876	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
876	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
876	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
876	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
3972	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
3972	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
3972	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
3972	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1268	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1268	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1268	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1268	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
984	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
984	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
984	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
984	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
3648	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
3648	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
3648	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
3648	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2656	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2656	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2656	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2656	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4328	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4328	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4328	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4328	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4212	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4212	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4212	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4212	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2892	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2892	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2892	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2892	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4352	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4352	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4352	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4352	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1368	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1368	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1368	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
1368	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2020	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2020	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2020	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
2020	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4420	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4420	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4420	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
4420	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

zmwUQEMs.exe

pid process

4536 zmwUQEMs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

zmwUQEMs.exe

pid	process
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe
4536	zmwUQEMs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.execmd.execmd.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.execmd.execmd.exe2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.execmd.exe

description	pid	process	target process
PID 4564 wrote to memory of 4536	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	zmwUQEMs.exe
PID 4564 wrote to memory of 4536	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	zmwUQEMs.exe
PID 4564 wrote to memory of 4536	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	zmwUQEMs.exe
PID 4564 wrote to memory of 1520	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	bKQQYMso.exe
PID 4564 wrote to memory of 1520	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	bKQQYMso.exe
PID 4564 wrote to memory of 1520	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	bKQQYMso.exe
PID 4564 wrote to memory of 1900	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 4564 wrote to memory of 1900	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 4564 wrote to memory of 1900	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 1900 wrote to memory of 1224	1900	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 1900 wrote to memory of 1224	1900	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 1900 wrote to memory of 1224	1900	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 4564 wrote to memory of 648	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 4564 wrote to memory of 648	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 4564 wrote to memory of 648	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 4564 wrote to memory of 2324	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 4564 wrote to memory of 2324	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 4564 wrote to memory of 2324	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 4564 wrote to memory of 1480	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 4564 wrote to memory of 1480	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 4564 wrote to memory of 1480	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 4564 wrote to memory of 3664	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 4564 wrote to memory of 3664	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 4564 wrote to memory of 3664	4564	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 3664 wrote to memory of 3000	3664	cmd.exe	cscript.exe
PID 3664 wrote to memory of 3000	3664	cmd.exe	cscript.exe
PID 3664 wrote to memory of 3000	3664	cmd.exe	cscript.exe
PID 1224 wrote to memory of 4404	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 1224 wrote to memory of 4404	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 1224 wrote to memory of 4404	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 4404 wrote to memory of 1288	4404	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 4404 wrote to memory of 1288	4404	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 4404 wrote to memory of 1288	4404	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 1224 wrote to memory of 3756	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1224 wrote to memory of 3756	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1224 wrote to memory of 3756	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1224 wrote to memory of 2480	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1224 wrote to memory of 2480	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1224 wrote to memory of 2480	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1224 wrote to memory of 1904	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1224 wrote to memory of 1904	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1224 wrote to memory of 1904	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1224 wrote to memory of 5096	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 1224 wrote to memory of 5096	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 1224 wrote to memory of 5096	1224	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 5096 wrote to memory of 1596	5096	cmd.exe	cscript.exe
PID 5096 wrote to memory of 1596	5096	cmd.exe	cscript.exe
PID 5096 wrote to memory of 1596	5096	cmd.exe	cscript.exe
PID 1288 wrote to memory of 2656	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 1288 wrote to memory of 2656	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 1288 wrote to memory of 2656	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe
PID 2656 wrote to memory of 876	2656	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 2656 wrote to memory of 876	2656	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 2656 wrote to memory of 876	2656	cmd.exe	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
PID 1288 wrote to memory of 3420	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1288 wrote to memory of 3420	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1288 wrote to memory of 3420	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1288 wrote to memory of 1656	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1288 wrote to memory of 1656	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1288 wrote to memory of 1656	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1288 wrote to memory of 3572	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1288 wrote to memory of 3572	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1288 wrote to memory of 3572	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	reg.exe
PID 1288 wrote to memory of 2980	1288	2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\rukkwUgk\zmwUQEMs.exe
"C:\Users\Admin\rukkwUgk\zmwUQEMs.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4536

C:\ProgramData\voUUMQEw\bKQQYMso.exe
"C:\ProgramData\voUUMQEw\bKQQYMso.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
8⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
10⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
12⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
14⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
16⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
18⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
20⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
22⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
24⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
26⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
28⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
30⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
32⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
33⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
34⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
35⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
36⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
37⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
38⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
39⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
40⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
41⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
42⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
43⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
44⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
45⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
46⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
47⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
48⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
49⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
50⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
51⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
52⤵
PID:1664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
53⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
54⤵
PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
55⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
56⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
57⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
58⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
59⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
60⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
61⤵
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
62⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
63⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
64⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
65⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
66⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
67⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
68⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
69⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
70⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
71⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
72⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
73⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
74⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
75⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
76⤵
PID:1992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
77⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
78⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
79⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
80⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
81⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
82⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
83⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
84⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
85⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
86⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
87⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
88⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
89⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
90⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
91⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
92⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
93⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
94⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
95⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
96⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
97⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
98⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
99⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
100⤵
PID:4144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
101⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
102⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
103⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
104⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
105⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
106⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
107⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
108⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
109⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
110⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
111⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
112⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
113⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
114⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
115⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
116⤵
PID:1420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
117⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
118⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
119⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
120⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
121⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
122⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
123⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
124⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
125⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
126⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
127⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
128⤵
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
129⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
130⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
131⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
132⤵
PID:2712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
133⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
134⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
135⤵
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
136⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
137⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
138⤵
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
139⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
140⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
141⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
142⤵
PID:4088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
143⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
144⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
145⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
146⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
147⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
148⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
149⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
150⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
151⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
152⤵
PID:2372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
153⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
154⤵
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
155⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
156⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
157⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
158⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
159⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
160⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
161⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
162⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
163⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
164⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
165⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
166⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
167⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
168⤵
PID:2620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
169⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
170⤵
PID:3956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
171⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
172⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
173⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
174⤵
PID:2152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
175⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
176⤵
PID:3028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
177⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
178⤵
PID:5068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
179⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
180⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
181⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
182⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
183⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
184⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
185⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
186⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
187⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
188⤵
PID:1776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
189⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
190⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
191⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
192⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
193⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
194⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
195⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
196⤵
PID:1016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
197⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
198⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
199⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
200⤵
PID:1884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
201⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
202⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
203⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
204⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
205⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
206⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
207⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
208⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
209⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
210⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
211⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
212⤵
PID:2448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
213⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
214⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
215⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
216⤵
PID:1040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
217⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
218⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
219⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
220⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
221⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
222⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
223⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
224⤵
PID:3448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
225⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
226⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
227⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
228⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
229⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
230⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
231⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
232⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
233⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
234⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
235⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
236⤵
PID:4212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
237⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
238⤵
PID:5016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
239⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
240⤵
PID:4320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
241⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
242⤵
PID:3316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
243⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
244⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
245⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
246⤵
PID:1416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
247⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
248⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
249⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
250⤵
PID:3180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
251⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
252⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
253⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock"
254⤵
PID:2352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
255⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
- Modifies registry key
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaQsEcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
254⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
- Modifies registry key
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zikEsQQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
252⤵
PID:4456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:1420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- Modifies registry key
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsAcAwsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
250⤵
PID:4532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:3664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:4452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsAYgMIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
248⤵
PID:3192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- Modifies registry key
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCcYoEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
246⤵
PID:4948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:1268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:2812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkcMEIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
244⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csYMUIEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
242⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:2264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- Modifies registry key
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOAIAUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
240⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgcMsQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
238⤵
PID:3156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:2892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqsEIcYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
236⤵
PID:4628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOscMQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
234⤵
PID:5028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoIEgIMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
232⤵
PID:4024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkgkwMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
230⤵
PID:4804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqAYYIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
228⤵
PID:672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:1672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqUMEIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
226⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
- Modifies registry key
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:2436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcoQcYAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
224⤵
PID:3724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYMsEMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
222⤵
PID:3156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies registry key
PID:1828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uekoUMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
220⤵
PID:4384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- Modifies registry key
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgUMUEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
218⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:1564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmIYYMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
216⤵
PID:4360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:1280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
- Modifies registry key
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkMsEUoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
214⤵
PID:2536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:1112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:2956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeYkYMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
212⤵
PID:3756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCwskUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
210⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies registry key
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEsEEkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
208⤵
PID:4792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:2604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
- Modifies registry key
PID:812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuIEUAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
206⤵
PID:3172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:2892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYIoQEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
204⤵
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiUMQMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
202⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:1224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOsMwYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
200⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:5092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lywYEgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
198⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:1140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwEgEgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
196⤵
PID:1624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
- Modifies registry key
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:2712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmwokcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
194⤵
PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:4528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEcQAQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
192⤵
PID:4288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqkUQkkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
190⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
- Modifies registry key
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCgEQoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
188⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
- Modifies registry key
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWUcQIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
186⤵
PID:1780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:3248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
- Modifies registry key
PID:2076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSIMkIcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
184⤵
PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUkcQAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
182⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:1280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:4088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQEYssUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
180⤵
PID:4024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgQQUMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
178⤵
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkoksEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
176⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGgsYEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
174⤵
PID:876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkQkcMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
172⤵
PID:1216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:1004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeUkcMEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
170⤵
PID:4452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:2712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYMQskoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
168⤵
PID:3000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:4408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies registry key
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIgoYosw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
166⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
- Modifies registry key
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSwAoYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
164⤵
PID:4368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:3008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:1420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymckckcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
162⤵
PID:3212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies registry key
PID:876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEgcowcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
160⤵
PID:944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LucoMgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
158⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- Modifies registry key
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYQsYoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
156⤵
PID:4992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:3016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:2176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeQQwYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
154⤵
PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
- Modifies registry key
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaAQQocI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
152⤵
PID:2988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:4008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSQkYYUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
150⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies registry key
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqcwwMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
148⤵
PID:2736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCgQkcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
146⤵
PID:4016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- Modifies registry key
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BskAAYks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
144⤵
PID:2988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:2604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HagwAYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
142⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:1368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:1660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYEsAEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
140⤵
PID:2624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:3180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:1360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAoAAQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
138⤵
PID:648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGcoocgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
136⤵
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:5104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
- Modifies registry key
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiUcUAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
134⤵
PID:3436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwYEIIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
132⤵
PID:4520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgwwYUUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
130⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies registry key
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAwQcgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
128⤵
PID:2708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies registry key
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwocYYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
126⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- Modifies registry key
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emAQgosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
124⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:4400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwQQIEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
122⤵
PID:5068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkEwAQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
120⤵
PID:348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- Modifies registry key
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKYcQUAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
118⤵
PID:3016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWUMIowM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
116⤵
PID:4540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYkMowoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
114⤵
PID:220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOoYkwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
112⤵
PID:1388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwowkEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
110⤵
PID:3592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsQoYEAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
108⤵
PID:644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmwUYIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
106⤵
PID:1252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:3756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:1388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSUYIoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
104⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwwMAwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
102⤵
PID:672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
- Modifies registry key
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEEIYMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
100⤵
PID:2624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAgwEUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
98⤵
PID:968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:2152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:2620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewAEEYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
96⤵
PID:436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwcoEwYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
94⤵
PID:3316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkkMQAgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
92⤵
PID:4512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgEYoMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
90⤵
PID:336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:3540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
- Modifies registry key
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgMgYIoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
88⤵
PID:756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- Modifies registry key
PID:4628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYUYMUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
86⤵
PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- Modifies registry key
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmMAsAcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
84⤵
PID:3724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwkMkwIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
82⤵
PID:4896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies registry key
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYIIIEYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
80⤵
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEwAoocc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
78⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsEMkoow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
76⤵
PID:2020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYksEsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
74⤵
PID:2352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies registry key
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMIAEcII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
72⤵
PID:1696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:3540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoUUsMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
70⤵
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEAQkQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
68⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:4948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMYcQYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
66⤵
PID:4520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:4232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgQoQYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
64⤵
PID:4540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
- Modifies registry key
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGsYAYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
62⤵
PID:4932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:3808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYcYkkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
60⤵
PID:3248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies registry key
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKsYIYwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
58⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIwQYUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
56⤵
PID:1140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sskEQkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
54⤵
PID:4216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKccEcUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
52⤵
PID:2748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAEoMIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
50⤵
PID:2440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEwsksoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
48⤵
PID:2620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKYUIMEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
46⤵
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYMcskMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
44⤵
PID:5068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:3860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgMMEogQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
42⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyEwIoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
40⤵
PID:2668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:4420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwAkAUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
38⤵
PID:3332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:3916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWUgAsgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
36⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EekksAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
34⤵
PID:4216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies registry key
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgwQUEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
32⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqMckAgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
30⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- Modifies registry key
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TswgoUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
28⤵
PID:3388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYAYAccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
26⤵
PID:3760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goUIwcUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
24⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEAsQYMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
22⤵
PID:984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykMMUQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
20⤵
PID:4140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:1268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEwQokso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
18⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUccoQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
16⤵
PID:4184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- Modifies registry key
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSUAEsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
14⤵
PID:4284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMQEYIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
12⤵
PID:1184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hikYgkwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
10⤵
PID:640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COwwsoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
8⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmgwQwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
6⤵
PID:2980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmIEoook.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owwYEMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2416

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
318KB

MD5
efd17b9e5be70810c5f8dd7e5735a320

SHA1
202987f00e80fbfd90170b88dfdab226f71dcdbf

SHA256
85905546621acab7ac22e2e5092ed4414e36a7513311473fe20a9856ce97a444

SHA512
32ec9d9fe8e48718b4d0beaeb3817783912b4a4c8495a7e3c7ef703628573ddf4dcd42f25327562b90d43503c08d0913e31ca397cf0610ef842d8b28d3787791

Download Submit
C:\ProgramData\voUUMQEw\bKQQYMso.exe
Filesize
197KB

MD5
23f2615710ed78263f18d434c02d20cd

SHA1
4ecfedb5a6c5f89ccdadeaff7580f8f4818d2eb5

SHA256
1880c084769b427a5dce30697dafb24599fde2d3cd4ebaaa1b3bea6e05dff1f3

SHA512
8812f0cd8cb194967b2aadcd541f67f8fb23abb369e4bdbad474d23f6c3ccfd265905e9eb7739228bb61f463c10769237183e123bb18ffe0dbcc2f72c4bda937

Download Submit
C:\ProgramData\voUUMQEw\bKQQYMso.inf
Filesize
4B

MD5
16b7e888861873bf9ed5c577db8f6b4c

SHA1
91ac4e13664e8bf6a1c397ce52680a770b83dec4

SHA256
595f13ff6ea280514948bcd295286415ad72f6edfa4472c85d31e45a24c8890c

SHA512
006e23c31f1574862682bb9b9f96faa161aa5dcee18575e1b8e39fb843fd0b86126492ac4015d2302670953b325be3bae7bf4d704cc445c317e8430ddfe9d2a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe
Filesize
183KB

MD5
c8fc764dd868a4b08cfa80b770d4c7a6

SHA1
36a143c1541335a17dc9a6e994fa5fed774d3b59

SHA256
b523b15fe49612099b491ea7cfa786d29e5380da31c78718da1ba55d4d19a7f9

SHA512
f974194613631a378937a985576bdd63ad8ec63427ec575f363c6e919e20d2c7574ba46a017fc7ee30fd0b9d1a1eb14c6e51ae3d78afb1514a1a9d32812b10bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe
Filesize
192KB

MD5
1f1a17364013b83f5d7b9f6c48756047

SHA1
15784893cd110a1e2ebb75f0293dbffeb67b0af2

SHA256
ebd058b5a4e15fef1871481fa0cc5bcceb765aba4a017be2d972e9d0041ed9f0

SHA512
7ce912553648999353f40f5fbfc115e338970e1ece9e5ea58c264ac5c607e67517727e1d7592dbad7560cf6ae87e4cb2e04a537e56a76c64a3ade41494151415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
Filesize
200KB

MD5
6a1405a15058fa768b47b43289366cb4

SHA1
73db68f0ea26c65d2b56a319dc20b6c32542e9b1

SHA256
e11cada50937c19883bdd7eabdb0d45f894b11f5e88dc447beacd9ee322dee72

SHA512
f759ca09ec91288425268e6ff4f3078e5886c27f34d68573d7054ee01ff64d8e0b7a74157d13dfaf0b6c8d75399a06e69356cae1120eedd9c78d34d8897b7328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
Filesize
574KB

MD5
b3bc3abd85397002aaf222aa2cff1300

SHA1
19f4d1f7b29bbf7c47cf0fbd9fe3ae6eba4005a5

SHA256
3d542db23a64aae1dc4a656876617114a92bab41e38af1cfcd8e8c4528127f42

SHA512
99018e31829687b4e3df58462e1f7c8c25d2a836139e57f9845e5312f4943fbf2ae39cbb7c70bfa0d4c08212098bc5c9af14e013affce3bf5b99bc45aa612364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
Filesize
190KB

MD5
a800357eee54c674120cae21643c4330

SHA1
8b3b639def832081734cba016eaaf800b338abab

SHA256
d407ff727d0f4868465ce411163b48893f4d6387e04a68d37bdbacd462820f35

SHA512
f965420431c1028a40d0c3479843b81a7829c4ca614bba4c7df764e6318942e6241a2ffe2e955581915142259bf5026d395df0b3cd80d87a6c9c69e8d5f0c5b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe
Filesize
183KB

MD5
7a7e494328ce528fbdb8a1d9c7c6f8a0

SHA1
35010de006c591b91932e478064d68f542d19338

SHA256
385868c98024d34ca3370b6a0395a7fa9a60077072ed2c47b80313d3f2f99e2e

SHA512
82a61ed9d53f6f12c6e64fb20de40354e227f75a4481d0044b4519a4f42709c243802835412196bdced50e308e27f0224dbbd1f70c122df35674bbb733a69890

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_4aa9fa508c29d180182fd46b458c3d45_virlock
Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIss.exe
Filesize
617KB

MD5
c3a78bdba2091f2cf4a731cb2919d0ff

SHA1
4a6ab5c9b827f767337ce335d049b5473028b497

SHA256
0aa150080c810e4f7df8459e37dd6a10e712a3449d83d84fce585c1d4832fc75

SHA512
f87fe377cd5f840a4ec5f904f1fa2c6b942db773bdc6c0a4fb8b014ef15a6e530c9939159cd900f285992780d91403bcdbd3ebb545492f0880ad7e0c5bb03cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkAG.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAki.exe
Filesize
5.9MB

MD5
787b431bf2e73f03f25f2e8cb2d40035

SHA1
6377b5337f8c8d3615c03db87a75e4575bc6fc91

SHA256
3dc9dcea56d18f33980151bc730e599e366470b49e69c8610dfa7700846ba85c

SHA512
76df7e5778d7697779760a2cb6849adc99f609f03b56d48ef30de6f79fc93de45d7f3aea39e90f6d8e30f3d1ebd6a64842bf611d3ad58f9334f993306718a147

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUIe.exe
Filesize
951KB

MD5
ccb3317cb35798da25d7d31ada2aa87c

SHA1
18f115e3aa6339d096cffd45ed3b803e179c4da2

SHA256
745f4e88415f65d114324ac804a5937ab209001e01e8c2e12be8f040a5bdfa30

SHA512
444bcdfd010b8bd8dc2c807aa1a8e2a07525b5fe39ea5fb06a78c170d216f3fa3d0f830cd906f06ed8d2ab53b7a8640f6bff17c233f2a18a989d1c7422d1bcf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYUo.exe
Filesize
204KB

MD5
aab83c5ad22f7bc64be272a944345a07

SHA1
2cab02c0af8df62cb9bee40a626ce1985d0f2f4d

SHA256
ae9685ec7349599b05869e952c4e79c2415e85cf63f4e0430a0a4948f89530ba

SHA512
fb8684ce4628dde2a1b48c30ca062773035ca45cb2883a84b3e0a35ac36007656aa2855bc8a6becb6b526e3a569cf35c8779911e8c4de090092f1a4ffd785246

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkIw.exe
Filesize
211KB

MD5
75aab961273f56f99163332ccf3ab755

SHA1
e956b0235a2b93135d135d80d34d994762e5ea89

SHA256
c3b5f62b4b9c2539aba841a782ac1165c4e859a2c2dfa96d66e5f24661dd7c2d

SHA512
59a906b9516eb6bf16fe4cc8ef308cf25252f0f7cfacd3149a2ecf7c6656639675726dcc75be8f76fa5f66c61e4aea0ac23238d797d40496a96cfa8607c0ca17

Download Submit
C:\Users\Admin\AppData\Local\Temp\CocE.exe
Filesize
198KB

MD5
ad179f65ff9fa995bf9ffdb907d2b347

SHA1
bd47d8d5229db2e7b7a981c03e995b66fcf73c64

SHA256
e1b6abda41432ad428070ecc7919132be915b48dbb4022aabb2ae74c2fcfa1e8

SHA512
29e5a8f047dfb4da89329a7e4b7e6555e029de2e14e465e9813eef89d3436e3d7507c5a7d1456a6689c9768918e8857a4d345699041505c4b0f89c721e24f37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsEq.exe
Filesize
387KB

MD5
973943375f38bbbcac84c490f82621eb

SHA1
ffd1206e472b06daf2e5194cd6b7e9a63a0bb78f

SHA256
8b75d559f4bbabbe460d7e00f8b5bab54b54bcd88b22b96c1d1d60e2452effdd

SHA512
37ba80f5250f489282a46a47b2972b03d41c280a6697253aac606b6782464dc4ceb901ac2cac49139301812b60336ebb35271cdf28443fb1d6e8bcc747de02a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwIu.exe
Filesize
184KB

MD5
c89011f216938a4aefbcf61da8023ab5

SHA1
6dfcbe6f5855a135bd32e8e34b7e05f35ce8a1c8

SHA256
0bee7339a3bd5b505793384ccc5f059a367ec4ebf384f8296de6e0f9b0100a75

SHA512
34998280c15e4b8edde9f49ce918ac3708a034d96c969cf297d057494f6a58968fa79e7ee7f289b8ca646489a01fc6f608b460d204300ecfab561f0a95a80722

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwkA.exe
Filesize
219KB

MD5
782fb113580079c8c0a33fa517db447c

SHA1
9141517a410e5fada5d90501956efd0becd6ab47

SHA256
f53ba3ecd2e93e15ef7dd44c6c1ce275faf3a2b55b57ac9b9114466dfaf8d630

SHA512
f56334a517a21af20f276f233768deed95f1f941261c235d45922d36f94a8219050d3606d155843cb7c11a4ce831c5fd70ace1b42282d2e6e57a1323d9cdd3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoEW.exe
Filesize
194KB

MD5
c2b23a8107cf4f467051b0ff6ec88d30

SHA1
718aeeb8205cdcda24604ec9974dff3e3f635241

SHA256
fb1fb0b0e7d8900a7a2550cb8baf94acc4d072f8c283ff6507e052a206625650

SHA512
ca6be95ebe818f8fdb95c1ad4ad91f172006af89d31743ac988471d895f27534577176f3f85e0d8c025e5cca2d6ed3ea8b29fe9507e1dac92b0fa688b80d57b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewww.exe
Filesize
192KB

MD5
cd1f19f854f4323064ea98370763d9b5

SHA1
c33fd8e6cdfe92b5045a094c51b9ae5dafbcbce9

SHA256
e984e4013805578dae098ad40c7241ffa301d33e232c1ed441e9ec13102e364a

SHA512
00f91f66290e871daa5d08c14549f97546e180d867798c7695cb1d9cb306b5fbce61efc8428fdfe37f8e48cbc5c3ccb55973f97f852382c3f408966ac6412a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkwI.exe
Filesize
208KB

MD5
78a0cd8068bd66ea54e873c8c3285bbb

SHA1
94f7cdcf1e42b971ef6277202d73f7aab6317d26

SHA256
c34507bce08848efd9bc831e1c91b6f8807e44ecca122a7f183936b1163823f5

SHA512
4083aaeb7d175a38073a5b3eb216b38f60315d468e0d1dc1ba7a8d53dbaf620225e2e05ac96fbb36c1ee8be3e65011392923cda651c1c6e9135e98006b54f982

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsAs.exe
Filesize
207KB

MD5
748b0e0db66f01e6055e010775df940f

SHA1
6776d8247e63b8817b082dcaa1653aa1a2ca45cf

SHA256
b566ded6680c3a1cd2bcca3e954f1c08b02488d0c44f06818db521e03364f767

SHA512
1576a04b6e514e34e2d4cecfc85db94961939a3946a65cbdc5a06a678130903ff90f0a494387bfe83f3feea54b6acbbc4cba66d5ab37bc1075ec8a3e9505a97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIck.exe
Filesize
190KB

MD5
47c2653ea1e6442f5619bf4117942b3d

SHA1
211f70891d26974d945115a76e8a54d91a0597c0

SHA256
aaaae24e6d76c49f42beabef765139b3ab6d2ad3c57c5798ff739786bc126cc7

SHA512
e6bead7e4966524e2a3eb4ae244a57585960fc224dc3dfd5c8b0d276c1ba327ab0ea5a9466d31887fceadb82c9bd28135a5607e5de6246639a76854ca4289f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMcA.exe
Filesize
790KB

MD5
0addd28dfb5c10b010823cc70826acb7

SHA1
ec48c8793e24a345fc921b63dd119bf235a62798

SHA256
a5b5eba41660611f10af42a87e8c115eb9e3e949885593be4382e67a2a64fbae

SHA512
762b07e30e3b22f2d48d3fcb837a656d12fceeb9bef73e07ccce59f79f573f711d1cfe006024592a765400d3392a81e4009f50fc7d3a8649c248ea7cff5c2dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUkm.exe
Filesize
225KB

MD5
249dc4bd160724278d76c81e71fc6876

SHA1
d4a55aabca09426364d90b3ab22be6fe6fb4dffe

SHA256
cb83e1a8fcdf55dcb9d53cd8913691ea2784bfe0f5baf16fbc30c7b08cb2fdbe

SHA512
d457f2e38473b6dacb8d5a3ae4d8f14c415ca2be2c0302a219d128bfaa922851b54086fac210f08da8fd6e67f151c3e43b927616aed903fe1a91458db1d7afb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAMO.exe
Filesize
5.9MB

MD5
d91386f8d689f6101736cd149dae91d4

SHA1
dbe2131cb978fa873a7d1e8611d50380318cf26a

SHA256
6a26a4e58c76f1e1275b1245fb35268c01de6fa1e51977e9b6a803d98433273c

SHA512
76029dcb18d00a9d8b826a3a5ea25fac494e79ff45a819aa4d8f5cf647b2a01e6bc68e924d2489c258fc8c6646d885ad6e034278baf0077edf170da8f85afca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEUE.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIog.exe
Filesize
192KB

MD5
c7e36921fb34010e808b2fa0835617a9

SHA1
ef1287ad8ff3988f7a9ca12f063741be61ac1849

SHA256
689332d1a77b0fa684aee8b686a1c3104f9b7defd915a1620c1792ec3b7e9f1e

SHA512
74c551486fdd20ef4c4a7217058e76323b432f778c33ae71ff77d55d130292f362920a200605c757453de225aed0b3857d5fc9365170fe545a0f26c82dd22dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcsa.exe
Filesize
539KB

MD5
90141587e58ebf1cd57f37545e3045f0

SHA1
9b6f839704101a1b5b8f264626cab6f2fe738e82

SHA256
e688486f7d099ee41609fd14a61f5d5f109431af1e0c93c7e5ad5ab938d31381

SHA512
c53822d27be8dcd4e3751b8a51066ea0d6425c75ef39bf6c50c022e5a5975f2bbafabe7beab0617115b2d4fea3abbcab3ff4a46820d942e73b75ecf18496db80

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoUm.exe
Filesize
194KB

MD5
6af1be265bd53a273c3199cd5f0fd7d9

SHA1
b9a98483a849398b1dcf8c0d1f67768a64d00396

SHA256
3aaddf5b67ca66c63328c30235cec56092b79fa1d590b3a3fc804df255138a35

SHA512
de990ba32731c7ce5048402266c02638f764ab749649f09a2dcb674bc66d9062e0f96449c9dcdbdb165ec3391312d02a4274c7bd82467b60072e7e86ac4a4ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMYI.exe
Filesize
194KB

MD5
98f415e9b2cf1ed6ea9638fdbcb60b8a

SHA1
ec645750c42cab539c993f1f679a5cff648b1c05

SHA256
3e3bd44123f643007d6f8158bb7bdd947eff50da558c2fe6dee82f3235d11d3d

SHA512
d84ecc40bc545db57fd757b85559a9f2e6b004392068717e9cda68e0ae19abaab73f22c96d2cfcc007aa8f483ec847ea00633a95dffa8f3a0f168f2c3eef21a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQEW.exe
Filesize
195KB

MD5
9e6809d48fb7b0aa1995b170948a716e

SHA1
139f077ebcae0b89dcc417d673bf58a5c8848a7e

SHA256
4006a5a41b7bdf5c397fbe9dc268a74f3f33faadd94d58f7174c66173428fad0

SHA512
7fac77debbb19b93d946cc4c9f13489cbbf27668754e33777245245119791b4d52cb7c027462faf2eb312385eeb092d0886d25a0bf9ef7eff2cd7c81bb9fdc24

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQkE.exe
Filesize
202KB

MD5
6dd9b14d491ead0ac66f7a6f2ec05994

SHA1
4ed6c41edb62065e38d8ac7382de2569e499e179

SHA256
c9442ccf065cd54a98ecb27646d5bf53b66279cb81bf027822b0bef12c0cb88d

SHA512
cb020727d5baf928eeef35ef3d90c3c7539876e0e6aff0bc26e10d93b836152ae5044c39340d168902f73beef33d64f46da4783264d286b840087bb58e45d688

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUUm.exe
Filesize
205KB

MD5
c96a3fdd6434b34eef9d5faef864d70e

SHA1
9fce6b57b741866627d3dfd5d94197a06f0e7066

SHA256
bf8e90ef4db3d19be633429bd0f47c47e27ad67e3cca29e826dfe30c8c4abcc1

SHA512
aa9e436006045f68fdfbe832cd76f2ed4596484431011d188961254044e1fbe98dd4555467fc812e405849049e2cc626900f7ad0a50e5e84fee98baf4e20088f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ockw.exe
Filesize
194KB

MD5
21319ad85594ed0b1bf27e9290562a01

SHA1
497b50b5beced92634bb914459ce1d283fba32a2

SHA256
aa98c9ce8312da20bad07206dbcd6914ecc6e7d116388ea5513f8d8ab4400346

SHA512
89abb514c3c0a4e7183480fe30fb06e84779a721431d3162be145e90bca2d0e55bf161b5d34ef6138f569c86f467597e369d529db3efa448d7d7b75d28087cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OokY.exe
Filesize
191KB

MD5
13de88080de98247f05e2a6e00e4bb26

SHA1
e1740819f6380148cb7f11dc20a48e19bd392607

SHA256
89b3ad3cc43d9e966ccf874e442879b7e17e908123d492a9ce80008bb65986ec

SHA512
a08fa1e6d08cd37ef1608f702bc0d9ccc8c7d66c587281d8a5fdf33b752f0291c9594fc68473bb155fce2dfd14ae1071c14da17afa88b719a552e86a4bf30f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEoy.exe
Filesize
802KB

MD5
92d293cb45f857a3d5ea58f0afdfaffd

SHA1
36a3a2a2d4cf737d4420a953d215f3dc1013d76c

SHA256
9ba3a4ca9e8a14a5c59f09d90ebdb130d1cfddaa3420bf8f85983f06eef8c0da

SHA512
2f835ac51c09e1e5272b949b66ace25db1c867cd63546e963edcc3198728da79a9484881b82ac024771361397a4c913ff0d63b338d8e47e59bc3d8291bf030e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcEC.exe
Filesize
204KB

MD5
6c8bf54375b644dd871ad47b17867fa9

SHA1
22e052a7d0ad84fd677efc53e3621f24e77706a6

SHA256
b03ae619beb1b61dcedcc0410a85b6abdb53d95e600523b7e76e4da9bb7be575

SHA512
c3e86f1c47bf723c5fc7b47a8e5a10974e8ba22dced9d2325b12f924b661a9c95d500b54afdcd560870233c82ecde89630d03e2791275e86badb4098d54e1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsgU.exe
Filesize
217KB

MD5
b5152296e7425da00f2bf4a70b4ad5a0

SHA1
ef54946e441419909748ac5317ecc7afd13620f1

SHA256
44bab6020f00a96357a2b9b335cf4b8be239b7f30a6bad5569cdcee015efe60f

SHA512
2baebac4e361a8b75fd71c6740cd965ca7fc7e7d59260b5fb66c33f37647137137d8069e777c350277eeff064751371f2cccedc6733aa3029c476f189cb9edd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAAO.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAwA.exe
Filesize
190KB

MD5
1e5b90c5b2c9fbc0537e0093a696ce5a

SHA1
e664bacc5022a2a7a9253202944eec850cd0c054

SHA256
801084524419d66e752133b387a0db5c02c7798c46b127aa9c2891623bf4cb19

SHA512
4acf464e246c3452569b4a9a5023b51866dfcb8a681e51fe02286a694c41f398d6c429c65e65336e9ab41b5eb557437a0009d27729ad288b094d52c1a1e7db5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIsG.exe
Filesize
213KB

MD5
98b6361dc95951d5731e29144e134f9b

SHA1
718600483c79b961c0ffea8acde1ac54146c2702

SHA256
622f2e62109ebeb4d2779262e7589c65746e3df601862dde19d0bb447e94050f

SHA512
bda977f05ef329e6f7b4ef76db5c5a2deceda1e5dc4974a8269a853c47245e32e5c5b5e721977d1c0f07b45396c4b929caa434bc7933f9336eb7d8a534c48961

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsIQ.exe
Filesize
196KB

MD5
2452cb988dd2770e2cb1063ec6f8551d

SHA1
cbb0f14a107efaac5b4f46161f102cceacf67bb5

SHA256
9c2efc0ef10c16304a9fe14a9921c7e35e861ca86e540673e68ba2403ffe8e4b

SHA512
d3a44841d3406d764843948f4eaeb4b2338edefb5ed6f9ec7bd58501de704d07a033eb299714461daf82f8c879dc30f3741755d0b0a8969869210fc4b1cf7339

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIAW.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIEQ.exe
Filesize
195KB

MD5
f645a59e9dc5bfafe404a3b262112615

SHA1
0fba64f1dd19415c2ddda1bfc5348fbf83b7645c

SHA256
9e075268d8f575484737594a584ac6ff7a06b3341b6ff38168b622beed4d8c4c

SHA512
e06fdd697406e10f1d7a9fafbf6686ede64418589a40a626a758a16997b9e4c3c4a46f991986468b521d3cce2b3cccef7920b3b7cb84700e21c3e9c23bd9a377

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcAy.exe
Filesize
204KB

MD5
b854c267fd69fba6c3e3cb58e58535c6

SHA1
1815eb4d97a36c62bb47a9e7d52b3db30cad4398

SHA256
772004678297f1a30a830f556f2cd769fe657e4a2e8cbb6806546c4bc6dc0528

SHA512
978d90624555b58717f2cde62e47a1e939511d4e544074fc5c063f5700d280a74240a895b38246f92eee46ca9a8990b078d2899ac250784599a8305a0b7a34f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsMI.exe
Filesize
203KB

MD5
55997a904e154c258ddd20b0a07a2c3b

SHA1
371ebab095fa898e9b02a38c3864247da54d3ea8

SHA256
e9afcc599d51563b8d595912af142750a376dfee3a94f0015e0a13b56302de0f

SHA512
9f9fb8a41c0ce9b1cae27a92f3f413a2006994d036ff0fa4585e20687784971a16b7706d92295b3a94995bc6f13dfba771ccc2a5b95f1e8b1df10d76d9c02643

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwwy.exe
Filesize
820KB

MD5
e9a79965ab17c7ccab93156308fb133f

SHA1
ea8df6454f8c564ba899b2a9afa2452ac7260352

SHA256
460720b9acdade7e17088335138068d4aaf97740db7ad864dbed798588ac925a

SHA512
25832de2d11ce958bb8e8ecd6fefd28782a11a09a8d25ced224c48ff9e480261b375e22fd246818b558b6ae158856288bb91e9c29bb8bdd52cf66c34e617ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEgG.exe
Filesize
223KB

MD5
78297d85f2336dead0ef8b4f05308372

SHA1
0f59d315da2742e511cbaae6eb7da479525272b3

SHA256
fd52cee5dca1a8e69462e389672c9278506d4f2bc0bd2891a17b13cb568512bc

SHA512
7e0e5a2019e0f42269f70fefd5c94ebcc82b00ae75c1d41e3bd70c5e1a1bcaf6c2c5f57c64de74265bc43da0aadbb1467c1a1d184150ec4a6445695be332c99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUgQ.exe
Filesize
209KB

MD5
8e08d8815313f1e422326fd92f860bb7

SHA1
9465f41f4c71a51d9df9d858359262ae20291626

SHA256
d15ed11eb4579f074ab47f36a0427f4d5fc0a49a8ba8415c18e4dc866522c498

SHA512
19221e1905986120a16110872193ee17771829d2584bbaa32d7cffac5f9da25aed82d4adbd751302f42af71511414f705e845b2ec80ed4c19383f2bb9369fec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgoM.exe
Filesize
188KB

MD5
fa0b34ec0be71dfcffcc95da821fc47e

SHA1
7ebd969da48bcfe24d7a98bb818ab0157f3d9a31

SHA256
305c5a694bc4641297440d634bdbfeac7b56d6c558b0ef3e9c0614e4962b913e

SHA512
680be4a89dabc87910a873a893e2f777ec3f7013490f5f3a790bb83b2625def62dfdd39524cf46da78abea538e7c4e486df324db47edbcbe32046df9c2bfb67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcEW.exe
Filesize
639KB

MD5
aea4e25682c2535e699efc206b638a90

SHA1
37b6f72071d1c0b5b9a7b18fdd26ee8aa66210fc

SHA256
246ab7781412cad6b4c63fe13cd88df32e23f7b348b8bfa87fd41cb5b9cb8910

SHA512
51bbcabcd21dd9ab53b1173deb83ce06e5d1b7c5f5d504898827d610564b4d74b13ab844839da7988d7e8ac9ced9462ef99166571bac6e72019e762d3587ca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycss.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgAy.exe
Filesize
217KB

MD5
d782f4ebda4afc35686e4396ac69d8e3

SHA1
bf5aeffb93a7d45364d0001b09898b31d90d2132

SHA256
52543df8c5b261d129327ccfe169ea0bbd97b6722cb1c1f08d85ed59e5480e6b

SHA512
18fbadc1f6ad55b6e78387ef7eaf23dada8182d90bac6c292287fe3afcc42cbe57d51fa73a421af24a92e164919f28f40ebfdfedc828c0c17a72b4b4ba1bdfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ygcg.exe
Filesize
186KB

MD5
7a11ee1f1fb0a9aa31d898f8ea00a219

SHA1
0e260321d96af84daac5be9af05207fe14700b83

SHA256
dc31a23c8cfc8add945cf12e3f5d187647e9f51557132f13cbfe8caac95cd826

SHA512
e8cbbf46bed396754e152109135d68ae38c2d0824108181e5577b73929a39692cf3f81fbd95e06d20d0d802851321198bbf6a6e8426392e654c22ca38bb8894c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAAq.exe
Filesize
223KB

MD5
bf5311eea24471037330e23c83c2722c

SHA1
ebba594cc16f490f8ad3426dea8b056f3ae7e2bf

SHA256
4eff8426edfe873064051f3e4b88aa4b401a94161bfbe68431cece9da3a5950b

SHA512
a62a5a3acf106fadf8431559621d4c6115cb7669ec28e5ec91af84b3653470c0cbdc354a7759fb36c3ec77a99fa389372be25d3a705bd21f6ef15323f93fd522

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIgq.exe
Filesize
204KB

MD5
4a78b258e2f9ca671482ef5939546d6c

SHA1
b37c522982875b7d918ca0f5074f69b9040a6c00

SHA256
aec83e838cbaef79aa3f0fbd9ccd6b4f16d885dee96334ce2d353eff640e3594

SHA512
3ff41f9bfe91123f31f7a90ac31c3aa59aac3aa3f3aebcadabf652a96660302b9bd632adc18ffa1ead0689bec5b399803b26c8fe0339e7a9c719cfb1f0a08ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMky.exe
Filesize
622KB

MD5
924e1e64247e218631683e52f2b3c1bd

SHA1
6f39851b0d97f9288e47d07d5e82cb88ba717cea

SHA256
ecd0ac97f5fad3792b7febaa573a6388fbfe7b3fcaa7c5bd839db88d4b952a88

SHA512
861b4a95953d588ca7817cb2e8814883de0cbd2192e5d7c0c31b90caa9f7b5b9303a752b629db94f9499ba1165876c3f7aa84442a515e99ea0a8f76b086d15f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUoo.exe
Filesize
371KB

MD5
69c91c2a1be4bfbd4b4e4ecf261ce6e0

SHA1
91286b09483ee3a5e3dbd5d29539f20884bf39e4

SHA256
63da21372d2ceb6dad49ec481d7396fdeac3ffff4e136a7c1f900cd2c9ef9eae

SHA512
79fc3e796f08dc2412725d80b968af0f6f5b7a0e9509d1b7b8a438ff5107955673edef473bab158492941f6bc901f8c5db73e5f357314904007cae33ab56433e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccAW.exe
Filesize
285KB

MD5
183a447314182f5d3a1fcd423d3353c7

SHA1
c0d049d14979bfbe329ab3d01b88ebd6c97cd3f0

SHA256
0e3965a8cc8d045808c2e6cf438b87b72a81f0298b5a6f12f3b63fbd931ff06a

SHA512
a85d687a2f13c514510694f42f1b685e34ca85148af1b702cd0e262f731a5bd55fb17807d3bac8c23d381f9da1c010f2515873b6e6b0e9797186d600f832a473

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgAc.exe
Filesize
225KB

MD5
f0c3bcfae4bb118b1fa6e4661a40a307

SHA1
b1ca37e05015d85e4daffe33ee717d1b5fbc2892

SHA256
e091e06a770213780278f9431a5d6bbace927a716a4cd3e7b4fc5c7c6b97b0ae

SHA512
1b594eeaa3f6704b11de3bf2a3c1920aeaf95e2d7df40a10d3cd92eccef5928c283ba99f334b40cdefb0204283e9d7861f7af8f7a32a4e5fc3bcbf938f8c626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckwA.exe
Filesize
642KB

MD5
b2d009460832b10594151bdd35eb6eb1

SHA1
154f337401175dd73449b749522f85fd78311e4e

SHA256
0fb6ea97a261b85c33313a6d5c6ccbb60d3a2cad65b7b265a42b62ca2f70e159

SHA512
5f71fa173ce00875028286b5d70f9e682baa11e90fcc2fce5b433a37479b0b2220334c84be1a59d9c9176520733769995f3ba1d9e7089165daf0d0c68c933389

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwIa.exe
Filesize
198KB

MD5
cc73923391c1cda28a3d104edeb0efd7

SHA1
f5de5d0ed581ac601a0556f676bb437fd0ac1a3a

SHA256
1de924fcfcae26292f748c6935026963b6a274c9181ecfb99d643c35d7458787

SHA512
f2bd7a6f2c7739ad9200ba3ad5e0d80d2d2e6d4472a4dc1ae8c259c9027c58000a6bb9d8f2cafae54b0af1ee9d10ef3fae2bc6fd68b2b7cf0d11c204cd898c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEkc.exe
Filesize
212KB

MD5
5c890b366b52f9a86c13982e4559edfa

SHA1
d3478687f59fbbe1448fb311319bd57232471916

SHA256
de80ed53373561a9f54e0c02998b1be020b5e027b65e87ddfab267e75d16e0d9

SHA512
6cb7085e1d4b09a1fe8691fc6d73db68457aa8632da32a9cadbb619a8a364f8193af6a622bd7a67dc2e5ea657ac64602b3eb85f5b2c902f0bb3104e54a56c4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQYU.exe
Filesize
199KB

MD5
9b894c361a3359e6715cb309c25f18ae

SHA1
996ef6b9b53c20a9aa8ed353b314d3fcb5ca8892

SHA256
0ba73df0093d43e2ca5ff8fcd92a9d07875fe6c65e60c5b1523319395a1cf054

SHA512
34a274a9af734b1e8ebeb5dcf7cad52fb75c02105f1868609c45d492bd2fd6538fb014979f3b110ac32af868092742dd6f1f2a63900158b3bbc1e5c6de5da717

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecUS.exe
Filesize
555KB

MD5
517dd8bd9536d0b3aba67f4f1566113b

SHA1
d76fcfd15e32ea6ec4f662ba7221943da133962c

SHA256
4a6f21c37f28a1b78482012e3c54a0e4d44eaa455afa03e288793957ffd28b5f

SHA512
cfa453afb81ff57d51dc9e641892437412fa7b8d888fd87f596b482c620f9cfdb3769bc8eccc3c019e21000a57745ddbdcb7c8870b966bba6b2007a1801326e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\esAi.exe
Filesize
1003KB

MD5
3f68a8a9431f54979b48619069a51233

SHA1
fe36ef1439c6cd2cfa8d9407fda9da71910bd34e

SHA256
6cb09071f9bddd997cce044e9433094afdc48ea2be4cc6e26b2e214c1d487b24

SHA512
cc59d0dded887da4e8b3e8a450c2f6a7919921580af6807dc7fdc456c0df0947555b682ca0752b1b1f5a939711e5f380bd2484727a68364c7816aa42629e19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewsk.exe
Filesize
193KB

MD5
e644d5737b7b11c0f0cd34f55230e082

SHA1
3ef0af196773e041625ff2a10409e3998afb709e

SHA256
6991026350c268c4d6730d593b261182f24ae322f41ba48320bb8bdb6d0a792f

SHA512
8987fc8859145afd5d47bf6765d02344fc416cef14bbf1e72af2569cba92693409defa37c08253d7915ace31f4b014838d582620327530e61a3347830f99d23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\goke.exe
Filesize
485KB

MD5
717212bea2a3c3387dd49a79f111cd08

SHA1
029442ea81de11420b3b3b59750a051940264ae9

SHA256
cfe4af6f4e3706cfd4cea533116d926ba99e12b768811c95df9903210879dd8a

SHA512
2f671fcc8198411a26b81218cb46e5a43cbae63fcc8c24dccb951dd94c18b082263362ef1fea83ef54ef5a5ea3605ca4e62e172b10956e2130b01c69a4df28c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwcQ.exe
Filesize
222KB

MD5
27861f386b2946d67a366c1e57e8a78b

SHA1
4f8c21c0cf219a04635296c1faadd83355cab93a

SHA256
e95716583b9494668c66f0151356fab370020528e4e762c14eedfdf8d6c0aac8

SHA512
a0335b1bd1b10772ef34997c53d213d6e7f4bc5d75e2cbc1b405e1c956b1ec90eb78d51ef6408a88e9e8a5a6908627e77a3caeb6ace3e54b5cd549413cd151f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwgY.exe
Filesize
206KB

MD5
7efb29b953bf7f49bf85bd707f72f517

SHA1
d8132ff60ec1fedfef71d2f8e2b0449dc90e4fbb

SHA256
8fdd158b7108cae07946e73196a5d4a852a86ec598794ea7fadc06c7621c4b2c

SHA512
034bd1797830ae7c19de8b28980e4c5ea99cf95ac35d99dd28a623ecd0cc8481b91eb2a6e139a206c2807e9040c98a1038baab4fe770c170d39628d8131fe2de

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQgM.exe
Filesize
315KB

MD5
2fdb097008337e390def5ad81fd5b5de

SHA1
e34eb9123780f5a12ad7c74c812876b15693eff0

SHA256
35c8fb91f5b16eb1d268856f3fe1f760529ebe15b097855f01a1bfc8b1c3bba3

SHA512
7d88e48caac7f3619c3076b5a9936586b2c7a2a3f06f40549f408e113db2aa1b49cdf30e279d2e5e8bb5d7622a0afa32f955ecd0f2fdb4c4a5973e9cb77c3cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUYM.exe
Filesize
191KB

MD5
2fb3f462b1a0cd0e83fc824a8a1396b2

SHA1
0589e5041895f2488073e19ecf415df74e335a8c

SHA256
feec8c828e1cdd0d4271a3c9d2b715b40305e6485f9e120d792b5c929387566a

SHA512
0cbd5d0d5e50dba90859b7fe3c467ef54c15539e08675848df785281f03b91cd8682807df381e29801170c92ff6471f32c1d29250de87e861b11fe0f51881bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iccI.exe
Filesize
202KB

MD5
91e2f46c3cf4722ee2bafb8931bb9507

SHA1
6acde5bb74e2f7cb1284c423005a1eee733d4b8e

SHA256
ea57a817e5809cb9cd0d7f5edbb9380a599833379df3c3466e1bddeec4617940

SHA512
1fd8cc25ca586850feaba414576850078e9b0fff6e0388e71c7c3e4e8a7312d4042260233b0fce5850607208f532774cb2865264c9ae7509bf59e921a9f34b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAIE.exe
Filesize
192KB

MD5
fa582bc24fcadf685bb14317ca32be64

SHA1
c236f57b4b1329063d440af10001344599103c19

SHA256
60e522fc81b03adab746e47877d0e0e01ea23c58d951f3c59c1983bf92f621bb

SHA512
f97376473866629cd56d4d6f7d0f75f30005fe8f99c47794549d889409a1e34e814c05160e655b7693da4a81c0140c18faa0560b09743272a3e63d76e5984be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMYi.exe
Filesize
191KB

MD5
a7c80480dbd5d79ea4c8504fe98422f9

SHA1
ed7579051f40ffcc62ebe3636e9a9124bfd88096

SHA256
0de003c6b597552c311b7be14650ee2eaf31d2de450a97ca819b8879cae82a63

SHA512
1a9bdd065fd7965519723c2dcddda9e181b186ee9188eaea39566a4ab849bc9289f9548f34a218684613c5ddd4309071bea63a1246713e13d60742cc28353c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMku.exe
Filesize
198KB

MD5
adafa8e84e81245828b1ade313b08b6f

SHA1
3812e638e267b605eb787d8f3254edb217e3e64e

SHA256
5996fc9329c6e8cb818d52630cf450676bde18d500a9435d42ca00664ff067bf

SHA512
93aa15f0d3304a8e2fd841dca86ab91d9e6cbf31f18f43f1140a3437787be193974ff5fae1d395e1987d0bafb30a0f75171e9b2cbc30ea4fea7e2a1b9b746458

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUIa.exe
Filesize
520KB

MD5
e8f84fbe414f34f74888bc5a30aead6a

SHA1
384a662b67e7e1fe1e0dcd1ea85b8ebe0ac737fe

SHA256
171d818190d4ff7a7347a84a5720f616f3db488b13f1ce0bf9bfb181653208ab

SHA512
db42918b5e433fd3d487bcd306e7f50d2667d438604336a7abce7a26bee4d48f75ebe5dfade43550610074990fcaf65b5da60b2e980df3fe82f694f02c3880c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUcc.exe
Filesize
195KB

MD5
18bd945995964672b8a760403e0afe6f

SHA1
c9b8df7b6c5970180aee0fcbe28612ffc50503ab

SHA256
be0724e2596bae50ed49979a8ee94c65a8128d933179c2df0c440aef3ad81e41

SHA512
3949d3106066d828862f383d561e8074e9ec25b06f7bc4c10c9bc2ea20500fe67ccc5c85cf7811b7dc57a0fa2ab317e65f294c2154d672a547683ecc116c3528

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYkS.exe
Filesize
189KB

MD5
b6a3ab79cf2b8b850be573ff8174cac8

SHA1
a8ae3ccc886bee44f240bf8443ab7643e40dc2ca

SHA256
4063890a35d7fca51b293e3fb89064cb83496e32a52667d9a50443de6fa74e2e

SHA512
85f94b85a006451c863d10fd96d930a9be07ed77fe1a6c8057e7afbe1bb008b7131cb5468420543f4a7f7f8a79fb131b307f586c0f48de0365a94317725db286

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksYk.exe
Filesize
182KB

MD5
dbbf8f82d54a6f7e4156d3bc037cfbb8

SHA1
3bf7d3bb23d10ae8a7f520f5a165945eb86d2d8f

SHA256
818adb8fe3f2ce175ada1b34c3365ddc550845a8f271a783da455031e2480323

SHA512
104c1c88328e49a0b2a6c88862817168f187e1f408ebb28ba085b33cbf930968ef353819b0327a58d11340cfbbcfc77ec2f44a7f798c452a5a1901b1c9ae52e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQkU.exe
Filesize
658KB

MD5
a1f6950a56ade44cfed7e0be30c40893

SHA1
d57308e09074b87114c6f8deae280d1a45e229c0

SHA256
004d45d78ec61b3bea355cbae473ddf0443a0566d20a95505d19b05f7ae39a1a

SHA512
5942f855e0535827064b197364c693438077d1e2338ee54bde3656cd587154f34e0a54a0d3ee3f54d892ff16836758c1ee9410af800e48026bdfba1a61978540

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYgk.exe
Filesize
196KB

MD5
23254784ab26a1f2e9f84d73e6d57c9e

SHA1
147349dd1048be5caf43987dc9b6e0b105e201c7

SHA256
4f39cf6dda47de0b151201d6532ea5db25d691a0cfdda5c647dff219db5b8e99

SHA512
7948ab49c0598047834e2ec1ec3e57e94b13597e5781f93c3bc56b859f3d53e3de1ea019d365f54a08a7011b5e2e63017aef8a69bdf32a89f512c7bfd8d92659

Download Submit
C:\Users\Admin\AppData\Local\Temp\moYm.exe
Filesize
1.1MB

MD5
3fa34981ddf2cf20f6006ccb4a6a6224

SHA1
8ecb4a712166fc07da1b2ef711735f77eba41814

SHA256
3030f54ec95a693e04d2dd42dc88b92e7fc1f0a6101f0d1e4fe9b2f7ec8d6054

SHA512
c79a227249e302ea81aa9245dd55b89030d7d6f111b3c2e0b80bbb6aae543c93edb19dcebaaa3275bfd6a5bf51757e18f7a214682876c4556709cf49370669c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msYq.exe
Filesize
797KB

MD5
68e4ff19b5727e73059f6cb5a3890b63

SHA1
8fdf6c215c9bbf446f1ababae860fb9ee807ac35

SHA256
5aa5ea5f875b320632210d9894a8c64e6a62af90220a490380ef52c2f464ddcf

SHA512
d500d236798f8a9f51cb3efd9fd129073d636f61acbf23094192ccb115a2063b0cccb8694cf33ada5d17a9164e8887dd7a3d7442c7e6e863a67c27a004f3123a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAcK.exe
Filesize
822KB

MD5
0962032b85283f6504f4c76706437cfe

SHA1
b9d166d9b5dda7ee2523537bf837c9337afc822a

SHA256
42da5d3083a59aef86d43ecb4e3be1f12f196de0bd56067a77fe20a62b007846

SHA512
0d1302a5f7715c90734b7490cc90c6e1903bed793cd27048de4c0d2a64a16620d9b8072c8c4440262c9cbb67fc539ffb7a5a56ca206440219b76cf99af7a2906

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMEI.exe
Filesize
1.1MB

MD5
d1377ab1f5de11fded54fede7c518eb6

SHA1
a1f13ba17060cf27accf292ce816006e9df4983e

SHA256
6d4b8596e058be42f0c73909b4bd8ac2bcfb175bc71b8c3e7cffdf9af0630b86

SHA512
f2664d790095120c82c5fe001f5d478fd1a3adb34ad4e0ded9edd4c7635b6f39a0cd7218ce4e2f8b668ec98c3ae36f1f928ae3476ab47f34992b7b068faa42b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQAK.exe
Filesize
630KB

MD5
463e7bda1f275a283cb1fbe58ba02b00

SHA1
17f0df799a5e815c5918fedc4d5babdd460fb707

SHA256
61be49cfada8a143d8b5c27be4ab9604121865a1ab2ae5458d8e8310097100a4

SHA512
1937d52ca00b59298f6c946b2124d9ec889c9b20470cebc2f85a119181318758c8e654f2987001b6612b6cd118bc0ceae871d9d8842750bb0d0deab94a65e8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQUC.exe
Filesize
214KB

MD5
d20c08536f5e4cf5909181a9e6f2fb3f

SHA1
ae06b3217e63e947408da1be73d3b5b653d35d18

SHA256
70b30f969a9f873f3f1477925ba6d63ef8c87427cdde4da91e9a170130e5bb4c

SHA512
e921627dd3a479e0d777739e02bcf1eae95e736d40bb68355b8f169303cb31c8cd0fff865976356aaaf273c04f26a291580b9ea70752cae17c9e26fa7a766ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUwu.exe
Filesize
308KB

MD5
f5785673960eceb329611bfb8d338b45

SHA1
33431e0c6bcf8712564cc813c8dece1525b20c7b

SHA256
6f11bbc194b0d3ed237e75650f4966895b15b92b569baafa5264ac59ae4076e7

SHA512
2000bc31abb297add5902298b66464fd72a5c0942b310e66f79b2c97a01b4856882508dab7c7d31914aa5d2f41fc4f2f0df3ed80a9db68e306ef42f187c46b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\okME.exe
Filesize
706KB

MD5
ae94be30c81842d684fd891b25d9af49

SHA1
e5c0446f221c55a638d0f191ce83e6b855c81fc5

SHA256
1542397357ff4e1d8cd5b5a7095262a894211ac28362ab130139fc9e233aa7ac

SHA512
a9b4abf41b0e9df68b155a9b80901e7627af1dda1a760b1191a95824a32e6507e0f7a2fc4c3b9af554f0c234bc2ac5f982e68af87747ae2412e5714dfa140c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooww.exe
Filesize
186KB

MD5
61bc49f7b4ee73ea8db93b43216a87dd

SHA1
9a10af682c006306ac457c0c5c80afc025e1e32d

SHA256
2bde586638b21d6f4cd6587839d063c50022fac682ef39e8bc61b2e95bece0fc

SHA512
3724ea32b7cd6b670678bdff713a1cfe09578327b4c0835cc7956759644e5ff2040bb6f9b9055b1d5e9c1ab33aa98e7653f3e0742c1acd5ab15579545d9e33bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oskO.exe
Filesize
258KB

MD5
a76b0ace177bd90702e0de3234e6bd0a

SHA1
381cfb24307873e7b62637710ee5d556e2beed49

SHA256
ee3aa3b5d37cad82f32d9e2691cbb4f169d39cd66d2fc93f77a1691089cbb2da

SHA512
4ade88e268c0103bc762e49be36ce99120c7bca138ed7f8e416d43801fd9b26368353042e816a831acd45b596873b4f44449ced0aeec4c3cf0cb2cfd76c69b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\owMW.exe
Filesize
195KB

MD5
c0e8ddafb1212f28cf26d6ef395cbfb4

SHA1
84138017852af755b5e5ad63a94465f8132070b0

SHA256
e463adc8ca19c6678453a0284f1dc57b6fd72366aac164913b469c9687635d9a

SHA512
51a20d290c4d7333d0f6781c39cb9d8dffd0fabf490f4a84d0aaa111aa839808593d0a2fffccfb2fe95223051a9b8975343e706141efdc85ec0c479aebece5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\owwYEMcY.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYka.exe
Filesize
208KB

MD5
0a20100731a7d65e0ebbef9c7f81d3c3

SHA1
caeed33955f84cfbdfb0abc60072e1c3964ecc0b

SHA256
fb776af8efb83c894c3405d74c23874a80cc224e0b38ae26378d0572b4c6f8f8

SHA512
b9b9e69a322c86a32f8b472ca097a7f4268cc146f83df8b611c9f2b3da68baa459b25b277f7d56042197e85130586fae1a14f69cb2ba29733d6540e3713254bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qooC.exe
Filesize
418KB

MD5
70a08195312c01dfa0fb5c873131020e

SHA1
72466503ba4d1bb704a493053d959f8e39e0828c

SHA256
fb265fbccf950c6dcb224cb590fba943cefdc20d8a0ab4596b0949a8075eb0c0

SHA512
1bc9e18adf77ab502e92b582bfd2af31f7b47ff31f195b9014189662488cb7369ea8ff57ad994f0597d4d8f0061905bed946ccf98c34fcee6727f6688b888415

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsYg.exe
Filesize
5.9MB

MD5
483fbf47105adb6e2619f99919aea1ab

SHA1
116e790c3a57c34bc785fa5c99f2097674db150d

SHA256
df2e20ec6c730ace0c361b6b46ad2d358ff721b1a92c8cdf387ecb145aac830d

SHA512
d8fbee42b863b5ce08748d92f48082acdefa7ba30efc28b1e75134e6e0377d13d374ed2569031ef9e1912c6aad1eefbbee24a15eb451653983f0f378d0e8762a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwoK.exe
Filesize
657KB

MD5
954332bca798e6a33f83068ab3a1f4b0

SHA1
455059aaf03b50050544f5485d926a68bd03cc9d

SHA256
71dea1ac9278dee16b9f5ef8b2b0df817f3b1e184edd2d597cc1639bbf86dfc8

SHA512
9bbe0f4e4bfcce52b17c4b5916fa8fe19ed73fdbfa813720e55912844027648c2db403cc24e75641951bba12a9f1e473cdd68529909884d312cea98f69949397

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEm.exe
Filesize
562KB

MD5
7eaf1cd970ae608beee32cdf9f99c4e4

SHA1
1ebb66c8a860519334f25de7fb586d7510998b6e

SHA256
060dc8e1d8cc7ec32b70e05a20cd1bc545ddb6a4f5629defef58a256a881a42f

SHA512
0c2c0899ed8b56ba199ed7818fb6abc259d18ca24902cca48d909910bf96c3f4c2136dbe5494ea2a191b799f2ca7fa84940e73c978ceffd649d7646e354e4b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQEc.exe
Filesize
206KB

MD5
ab13b95a4023b8b6a5247b5bd6d05644

SHA1
a0d95ba96c601cba910aec36a2fe900fb4fa5957

SHA256
fc80def508530ed9d25d928734cc7abb092e87d11620cb8ecd669af1c5211336

SHA512
4822cb24cb60c21aaba9a69778c99f1014b554e9a955ae45e53bdc9c3058424f816088c423eff3a78e1c51cd0bd5c4a1e54c1d357c57a049cf10f75d64270a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\swEM.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAQi.exe
Filesize
197KB

MD5
34c302ca8fe90d815a2d7d7b7f2074ce

SHA1
ed90ef3a3947464f2ae2d5c93e1660efcc01d942

SHA256
d0f0aac50b3bbb6ed4ebbefbcb3fecd39db2e20b15a20dff9b79b510299da02e

SHA512
dad3c3f608cef6b75e88bccd356be855fed7f0530e7535c0ec8e7c590540ea876a4e261c5f320a0e7cb98efa713948b45835e7170f72dc57af08f33e202b9a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEUe.exe
Filesize
192KB

MD5
b30f32a50df95214f11c98ab3c00d8d4

SHA1
e66226958df7c99710f6372a7b43745cf598a841

SHA256
61d863d1c73c205f414c4614422fa02bca820316ae45a2bbd219ce841f91c9ec

SHA512
c97bc1e92cc0f3430eede974ab6a4903ae6ef95daea39d33eb6e3017707a421262a51792c60cb2dd16d162da0d4d58344f66d2de8d78eb39debc78cc46bc0be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugAi.exe
Filesize
194KB

MD5
6fd22763a6e763915a762184d7c0d5d3

SHA1
d9bedb0f56f3f5c09b37d910945445171f934a62

SHA256
da5298d636ede52ad43719547a1a9627be394aa28b48378f1864f9d1092c71d7

SHA512
a05dd95c55e35b135e327636ca2e842c8d6b75cc407c5837c72cae1e8ee0c7267675b64334306af61bd1bfebb5aa5dc6bf3eedab8902995033af2812d60ed1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEi.exe
Filesize
206KB

MD5
c111f0a97266cb6e2ff764af00e1ca3d

SHA1
138ecdcba3e9777ab231779e0a5f37ea96af94a0

SHA256
7178a906d57e0867cea12619ec76dd78d8ca9f458bd66db85710ddad2b0403b3

SHA512
85bf6d5efc3cb9c5bbfa9fbf5737d72ceada836d24e3f5d9b275c2b4ae5fb319b8a9e98a2b3a902850e9e1705ddd2034cec337c1ffd03e40f823f452c3a36814

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoUS.exe
Filesize
572KB

MD5
37f73921c478220e7156795b5c690ce5

SHA1
77329e2bc06c921cf2080d98d051bb0963af208c

SHA256
b8fd25602b5152184ceb5796e54e0ff469788d36a12e51240bf470a6ed44c6dc

SHA512
430e95c14177f0d920de67900062e9af79a5a3c59f26d5056c08b543d7db2a8869623c692b943c12472d6d45476f6ac6d505aae48d7618aeb956a36d4171b6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwkm.exe
Filesize
194KB

MD5
ba15382f128dcf90fdd07ad88922f268

SHA1
3df35675a03288ef260feb88945be472526daa73

SHA256
0f7ff49a51d3e5e6716197a1e8d59aa1390d965b9a062ab760a92990af04169a

SHA512
ecc632045cc5aa53d5651b68473fa43f2cc63d8f4d5d18343866eaf168b12a3de972cb1710c95104164a5a20080998f3cd9a4bbeab8d0d5698d26d87f7f69f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQQU.exe
Filesize
209KB

MD5
e6a8ce1f573de1b2aa236575b1c56ae2

SHA1
3efac5499625fc4e8d8ce2d2c382327fd6f07a92

SHA256
939c3a3f5206de380bf3502080b363ec533bb88d1b60481b3f9468be0aa03e9c

SHA512
01cacd9787abbee9c9157276324c90ae9640f9c5597188ac30a9ba4b6067ed2a44f0fe171a4cd1c2837bc378fecd3b5084a90a345bd8f983a3416005e8e0b5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUww.exe
Filesize
326KB

MD5
8e4ab0403735d712c858fe548f6a3187

SHA1
1f28b90d319154b780b0b3eba47ea4f4472c7b68

SHA256
854ea2c7ffe182283d9b79c44ba2fffa4bbac55ece33ed396a097eb3cbcebba3

SHA512
e3a5ed7ab4aa01bfb414ad584ddf00184d0e5faa40222df35f9eb82b69cbd40bbd7a36a7a5e1e87e76b1da0a910132e6b549f6ef27c2ae9ede827492630f8bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wooW.exe
Filesize
1.8MB

MD5
f02215ffedec02f6491b3f57b9cf2f4c

SHA1
b1b5281918325d40418a2cfd1a991299a6bc81e0

SHA256
a30c850f5cef1a6673aa13823f8b305045a5ee1ab145d77946141f40284449f9

SHA512
ae36394ebf67616326d46e4180003d0da99f1ac7dc9b3cdf3e0796513bb3cffb0da07a85af711dfd4e54b3911ef93f100bc28d9d7240d1396419067cb7a2c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwMI.exe
Filesize
188KB

MD5
fe909b4d5b859f61665933533fa693e8

SHA1
bf56f950f287e4bc75a0f021045b80d6d9740ef6

SHA256
3a6a4bec8cfd63e4729208bfc9f680bdc05d9da6c8897c5251ca2ed5b2760bcc

SHA512
dc427961cbaf8e1e49919f07842198ad2e0c8569491c456e4699f05f00c965a5e50493b8587e75f69ed373f0f0bc69247b12738bcd1c77bdafaa8190c1fb2e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIoQ.exe
Filesize
925KB

MD5
f11e5c9488b40ff902a00eb32b4f0f58

SHA1
44ea1a2d5d674832be6bf054a6bd51d0d29e6072

SHA256
7e506cfd8b6008429a1d664e0b3fd39a3e45cfb90d49ab9e9e39c6b6dd2ed959

SHA512
ae3b5b708348db05ba5f48cc23d22355faf03b96d5aa998f1f20c18065a8582fd08dcc58f752e90179f5b2fd61d01aa547bfee248002aa31b4901799df125135

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMIC.exe
Filesize
800KB

MD5
48c776308816142f5d8491c250b0f325

SHA1
e579d8e77fb5b0339c1acf4ed70a812e5cbd0c1e

SHA256
be8a411bd1d482056c6f60d380085d9c027c6b935ea076e56821fc1a36d8e287

SHA512
332dee8110e0e516b088ddff835b46e41826f308be84a7864d48be89d34ad77b4ed33adf867b510407b9c5ce44cdfe5fcfcb61d8cccd32929330d2877e1e7d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygca.exe
Filesize
784KB

MD5
62875fede774441be2d99ed2a4668286

SHA1
ed1c461bcc8d0d35c3e19724570b015e90c8ebae

SHA256
bd981f87064823740dcc5143d313c513f1f21576b12f8d5a3ae5466bff78ff98

SHA512
e04580fd385c9d5235218c016a1462a2c1998d189994e37a195336b824e637e966dcd6ec1d504188616b104f396837ed7bc45eef82382b40bf23e64345aecd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoks.exe
Filesize
238KB

MD5
f5b10af2e1afa9b1a3594ebcf28be0fb

SHA1
568d53efff95c9be3e52e9b3a4f14a1011f9de99

SHA256
3fa99b0ef1fda90fe60f7a43f3207f25dd77891e399b3d99c46065bd83557e56

SHA512
ca16aa7d31cd1103fc20509d93c62f4c524983a20161376072db567f3a00b57b74589f4842961f500de8cee9a028bf140bb11f5cbbdbf80eb19b9e6601fcf231

Download Submit
C:\Users\Admin\Pictures\PingExport.bmp.exe
Filesize
355KB

MD5
4be1a9887b6bf2663cebaa482519e2ad

SHA1
dda7fa541325644acb95e665cd8427d0bb084414

SHA256
29f305f2f2baba0101718a04968f8407d89faf8c37c3eb45cc55b8038a6681b9

SHA512
26292612778829ec16ccea700f7d358d8a98b0f700899ebfcd118e3863a124698757cbbc0632a8d07a717af156fe51f372f7934a4ad0afbc085a8439ec73a89e

Download Submit
C:\Users\Admin\Pictures\SubmitConnect.jpg.exe
Filesize
812KB

MD5
8a703f44391cb89e3d4e811aa802e61c

SHA1
2577ee386f24b9090be6b8ab16e548eeac5f13e7

SHA256
10693df203529a2b732090693a2bd43fd2973b7b1944f37b0b3d451d79a7c8c4

SHA512
21f6261ab6606a98c5e8384f2d20fce461c19270a4c38fdc042871e38403762e6698750b87ba206f18cf70b61d515149cb77c155b9988b479ecc7298ffa514c6

Download Submit
C:\Users\Admin\rukkwUgk\zmwUQEMs.exe
Filesize
179KB

MD5
f5af9d2f13e07e6c4832da3538c00172

SHA1
5a9b504a6db529518fa809d4d754eb71b5d61b08

SHA256
0914d748f4458355f56e37711bb37a928ef55abdd8dfdfd7d82b327ff94a942d

SHA512
50dd66e3672e4f00b8cfe457ee260801e5991f8ee4863a2a78d9c54598af81f72fbb37b4a7b6826b5fb97b653364edc0c379a0e49450ce6d2476d485618579ca

Download Submit
memory/336-236-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/336-251-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/536-479-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/876-43-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/876-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/984-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/984-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-431-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-419-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-254-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-267-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1192-521-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1192-405-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1192-414-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1192-533-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1204-461-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1204-452-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1216-368-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1216-354-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1224-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1224-34-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1268-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1268-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1288-31-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1288-46-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1368-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1368-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1520-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-543-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1624-530-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1680-515-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1696-308-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1696-321-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-303-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-293-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2392-215-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2424-460-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2424-470-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2656-120-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2656-110-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2892-156-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3180-561-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3180-552-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3180-488-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3584-443-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3584-432-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3648-107-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3648-93-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3656-224-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3656-240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3792-358-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3824-328-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3824-341-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3948-553-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3948-544-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3972-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3972-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4012-312-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4212-129-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4212-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4228-374-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4228-387-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4288-317-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4288-332-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4316-378-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4316-364-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4328-133-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4332-497-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4332-485-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4352-169-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4352-152-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4420-337-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4420-349-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4420-187-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4420-202-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4424-276-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4424-406-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4424-524-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4424-284-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4536-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4540-423-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4564-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4564-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4888-383-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4888-395-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4936-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4936-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4992-275-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-507-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-493-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5104-562-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5104-451-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5104-439-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5112-292-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download