a30b0c083b8943dd3decaa1060781eca029e425cbb13515505508273bc86de09

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
Size

190KB
MD5

6e9f6eeb64bbf4811875e387d539594c
SHA1

9572b46f4ae05e2aa622f4bfbf9cda6669f9406e
SHA256

a30b0c083b8943dd3decaa1060781eca029e425cbb13515505508273bc86de09
SHA512

63511bf2430eb766ed1e2444db97dec329477103e6cb3efab1685731203393da069fcbb86f164a834fcd06f25a5871cdaa4c79a614812b030f68b6c282bdc397
SSDEEP

3072:lIhcy1CpPxuC+VpNpxXbrIhrniL4LGXlmJ22CWE+i9mZwipq9ML22cr8ml+65fT3:lVywpPQC+VpNpCrnsA7cr3dTgC

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (75) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

yWMsoAEc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	yWMsoAEc.exe

Executes dropped EXE 2 IoCs

Processes:

yWMsoAEc.exeIQoAQYoE.exe

pid process

4872 yWMsoAEc.exe
4772 IQoAQYoE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exeyWMsoAEc.exeIQoAQYoE.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IQoAQYoE.exe = "C:\\ProgramData\\AIscQwcg\\IQoAQYoE.exe"	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yWMsoAEc.exe = "C:\\Users\\Admin\\wuYksgIE\\yWMsoAEc.exe"	yWMsoAEc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IQoAQYoE.exe = "C:\\ProgramData\\AIscQwcg\\IQoAQYoE.exe"	IQoAQYoE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yWMsoAEc.exe = "C:\\Users\\Admin\\wuYksgIE\\yWMsoAEc.exe"	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe

Drops file in System32 directory 2 IoCs

Processes:

yWMsoAEc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	yWMsoAEc.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	yWMsoAEc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4920	reg.exe
3092	reg.exe
3900	reg.exe
2172	reg.exe
2884	reg.exe
2988	reg.exe
4728	reg.exe
4932	reg.exe
4620	reg.exe
3140	reg.exe
1948
4436	reg.exe
5024	reg.exe
588
2660
1744	reg.exe
1724	reg.exe
1500	reg.exe
2176	reg.exe
1672	reg.exe
3408	reg.exe
3356	reg.exe
4812	reg.exe
3708
2640
3912	reg.exe
544	reg.exe
3216	reg.exe
4868	reg.exe
4780	reg.exe
2236	reg.exe
776	reg.exe
1516	reg.exe
2824	reg.exe
3644
384	reg.exe
452	reg.exe
1528	reg.exe
4692
2812	reg.exe
3232	reg.exe
2116	reg.exe
1532
4208	reg.exe
4172	reg.exe
1432	reg.exe
5096
4596	reg.exe
4748	reg.exe
2212	reg.exe
2588	reg.exe
4908	reg.exe
4956	reg.exe
1692
3680	reg.exe
4636	reg.exe
3900	reg.exe
3308
3680	reg.exe
2068	reg.exe
4596	reg.exe
2840	reg.exe
1920
424

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe

pid	process
776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3044	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3044	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3044	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3044	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4956	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4956	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4956	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4956	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2820	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2820	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2820	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2820	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4988	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4988	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4988	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4988	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3112	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3112	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3112	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3112	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3044	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3044	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3044	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3044	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2844	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2844	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2844	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2844	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
1692	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
1692	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
1692	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
1692	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3680	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3680	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3680	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3680	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2984	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2984	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2984	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
2984	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4144	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4144	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4144	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
4144	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3480	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3480	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3480	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
3480	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
1528	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
1528	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
1528	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
1528	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

yWMsoAEc.exe

pid process

4872 yWMsoAEc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

yWMsoAEc.exe

pid	process
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe
4872	yWMsoAEc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.execmd.execmd.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.execmd.execmd.exe2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.execmd.exe

description	pid	process	target process
PID 776 wrote to memory of 4872	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	yWMsoAEc.exe
PID 776 wrote to memory of 4872	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	yWMsoAEc.exe
PID 776 wrote to memory of 4872	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	yWMsoAEc.exe
PID 776 wrote to memory of 4772	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	IQoAQYoE.exe
PID 776 wrote to memory of 4772	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	IQoAQYoE.exe
PID 776 wrote to memory of 4772	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	IQoAQYoE.exe
PID 776 wrote to memory of 2848	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 776 wrote to memory of 2848	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 776 wrote to memory of 2848	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 776 wrote to memory of 2548	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 776 wrote to memory of 2548	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 776 wrote to memory of 2548	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 776 wrote to memory of 684	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 776 wrote to memory of 684	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 776 wrote to memory of 684	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 776 wrote to memory of 1004	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 776 wrote to memory of 1004	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 776 wrote to memory of 1004	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 776 wrote to memory of 1528	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 776 wrote to memory of 1528	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 776 wrote to memory of 1528	776	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 2848 wrote to memory of 2116	2848	cmd.exe	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
PID 2848 wrote to memory of 2116	2848	cmd.exe	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
PID 2848 wrote to memory of 2116	2848	cmd.exe	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
PID 1528 wrote to memory of 4120	1528	cmd.exe	cscript.exe
PID 1528 wrote to memory of 4120	1528	cmd.exe	cscript.exe
PID 1528 wrote to memory of 4120	1528	cmd.exe	cscript.exe
PID 2116 wrote to memory of 4624	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 2116 wrote to memory of 4624	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 2116 wrote to memory of 4624	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 4624 wrote to memory of 3192	4624	cmd.exe	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
PID 4624 wrote to memory of 3192	4624	cmd.exe	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
PID 4624 wrote to memory of 3192	4624	cmd.exe	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
PID 2116 wrote to memory of 1856	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 2116 wrote to memory of 1856	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 2116 wrote to memory of 1856	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 2116 wrote to memory of 2660	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 2116 wrote to memory of 2660	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 2116 wrote to memory of 2660	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 2116 wrote to memory of 2600	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 2116 wrote to memory of 2600	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 2116 wrote to memory of 2600	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 2116 wrote to memory of 4500	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 2116 wrote to memory of 4500	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 2116 wrote to memory of 4500	2116	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 4500 wrote to memory of 4076	4500	cmd.exe	cscript.exe
PID 4500 wrote to memory of 4076	4500	cmd.exe	cscript.exe
PID 4500 wrote to memory of 4076	4500	cmd.exe	cscript.exe
PID 3192 wrote to memory of 4116	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 3192 wrote to memory of 4116	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 3192 wrote to memory of 4116	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe
PID 4116 wrote to memory of 3044	4116	cmd.exe	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
PID 4116 wrote to memory of 3044	4116	cmd.exe	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
PID 4116 wrote to memory of 3044	4116	cmd.exe	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
PID 3192 wrote to memory of 1516	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 3192 wrote to memory of 1516	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 3192 wrote to memory of 1516	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 3192 wrote to memory of 3680	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 3192 wrote to memory of 3680	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 3192 wrote to memory of 3680	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 3192 wrote to memory of 2176	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 3192 wrote to memory of 2176	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 3192 wrote to memory of 2176	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	reg.exe
PID 3192 wrote to memory of 1844	3192	2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\wuYksgIE\yWMsoAEc.exe
"C:\Users\Admin\wuYksgIE\yWMsoAEc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4872

C:\ProgramData\AIscQwcg\IQoAQYoE.exe
"C:\ProgramData\AIscQwcg\IQoAQYoE.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
8⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
10⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
12⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
14⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
16⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
18⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
20⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
22⤵
PID:3528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
24⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
26⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
28⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
30⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
32⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
33⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
34⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
35⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
36⤵
PID:1652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
37⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
38⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
39⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
40⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
41⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
42⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
43⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
44⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
45⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
46⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
47⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
48⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
49⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
50⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
51⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
52⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
53⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
54⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
55⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
56⤵
PID:760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
57⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
58⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
59⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
60⤵
PID:2840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
61⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
62⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
63⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
64⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
65⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
66⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
67⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
68⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
69⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
70⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
71⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
72⤵
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
73⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
74⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
75⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
76⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
77⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
78⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
79⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
80⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
81⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
82⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
83⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
84⤵
PID:3336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
85⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
86⤵
PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
87⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
88⤵
PID:2660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
89⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
90⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
91⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
92⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
93⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
94⤵
PID:4336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
95⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
96⤵
PID:2236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
97⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
98⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
99⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
100⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
101⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
102⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
103⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
104⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
105⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
106⤵
PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
107⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
108⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
109⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
110⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
111⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
112⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
113⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
114⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
115⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
116⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
117⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
118⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
119⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
120⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
121⤵
PID:508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
122⤵
PID:4260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
123⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
124⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
125⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
126⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
127⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
128⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
129⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
130⤵
PID:1408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
131⤵
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
132⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
133⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
134⤵
PID:4748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
135⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
136⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
137⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
138⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
139⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
140⤵
PID:3680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
141⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
142⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
143⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
144⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
145⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
146⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
147⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
148⤵
PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
149⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
150⤵
PID:760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
151⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
152⤵
PID:3308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
153⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
154⤵
PID:1920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
155⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
156⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
157⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
158⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
159⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
160⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
161⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
162⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
163⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
164⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
165⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
166⤵
PID:1028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
167⤵
PID:508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
168⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
169⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
170⤵
PID:4300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
171⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
172⤵
PID:3904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
173⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
174⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
175⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
176⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
177⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
178⤵
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
179⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
180⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
181⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
182⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
183⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
184⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
185⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
186⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
187⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
188⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
189⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
190⤵
PID:4312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
191⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
192⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
193⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
194⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
195⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
196⤵
PID:2848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
197⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
198⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
199⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
200⤵
PID:4384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
201⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
202⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
203⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
204⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
205⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
206⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
207⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
208⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
209⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
210⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
211⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
212⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
213⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
214⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
215⤵
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
216⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
217⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
218⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
219⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
220⤵
PID:764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
221⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
222⤵
PID:3192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
223⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
224⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
225⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
226⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
227⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
228⤵
PID:2348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
229⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
230⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
231⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
232⤵
PID:692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
233⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
234⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
235⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
236⤵
PID:5064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
237⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
238⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
239⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
240⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
241⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
242⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
243⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
244⤵
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
245⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock"
246⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
247⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWwsYsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
246⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuoQQIok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
244⤵
PID:1648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:4144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- Modifies registry key
PID:5024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoMwQkcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
242⤵
PID:116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:3892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceUgYQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
240⤵
PID:3708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEsMIgsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
238⤵
PID:4980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:4620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:3260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmQMEkYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
236⤵
PID:4904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:4516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- Modifies registry key
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VewscUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
234⤵
PID:4224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:2348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:4820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOUIEgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
232⤵
PID:1920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:3200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYwYEkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
230⤵
PID:1268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umQIIMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
228⤵
PID:400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:3852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:3260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- Modifies registry key
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiwcgQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
226⤵
PID:4904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VscMwQwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
224⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmUgAwgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
222⤵
PID:4300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqkwYwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
220⤵
PID:3272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:4592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:3020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:2440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySskQgUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
218⤵
PID:4636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgkoQQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
216⤵
PID:3244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGQMIwkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
214⤵
PID:3296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:3180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
- Modifies registry key
PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- Modifies registry key
PID:4636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkwsUQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
212⤵
PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOEIkoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
210⤵
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
- Modifies registry key
PID:4208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQAwcIAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
208⤵
PID:1648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:3460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies registry key
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:2968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGkoMMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
206⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
- Modifies registry key
PID:4620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugMsgUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
204⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkQMgUYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
202⤵
PID:1176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies registry key
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecYgsgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
200⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:4388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgAIQMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
198⤵
PID:4688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGcMgkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
196⤵
PID:4016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCwwIUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
194⤵
PID:5076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUIYIQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
192⤵
PID:1920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:3460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies registry key
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
- Modifies registry key
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- Modifies registry key
PID:4780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOQQMYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
190⤵
PID:2596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:1564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKMEIQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
188⤵
PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uosokIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
186⤵
PID:3104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSkUYsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
184⤵
PID:1432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies registry key
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiQIwYco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
182⤵
PID:2804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:3628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vigocUgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
180⤵
PID:3692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:3612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:1520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:3092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egokgYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
178⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:3480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amwMIgAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
176⤵
PID:4908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAAkYUUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
174⤵
PID:4776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:4168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkAMUgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
172⤵
PID:2008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:4796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSccQIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
170⤵
PID:3260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:3724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:2496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKsUwQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
168⤵
PID:3680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:2720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iygEEwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
166⤵
PID:5024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:3800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:3092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSQwIkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
164⤵
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:5116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:2400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUIooIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
162⤵
PID:3272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIUwoQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
160⤵
PID:2640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies registry key
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
- Modifies registry key
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- Modifies registry key
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCQssQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
158⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:2428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYwwMwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
156⤵
PID:3852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqQMsEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
154⤵
PID:4856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
- Modifies registry key
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCQwgUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
152⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:1740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQcIUUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
150⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQoocEUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
148⤵
PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAsgkYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
146⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
- Modifies registry key
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LegYMcco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
144⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies registry key
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:4484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGssMMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
142⤵
PID:1600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:2400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- Modifies registry key
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAwkwAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
140⤵
PID:3180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukokcsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
138⤵
PID:3088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkQYEIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
136⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies registry key
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:4820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giAIIAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
134⤵
PID:1696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:1416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
- Modifies registry key
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGkEgEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
132⤵
PID:2644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:2844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xigooEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
130⤵
PID:4636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:3200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- Modifies registry key
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCkkkgkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
128⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYgsYQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
126⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:3176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- Modifies registry key
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgUAskoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
124⤵
PID:3244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmQYMcYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
122⤵
PID:4316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgAIYUgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
120⤵
PID:3540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:2840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:3960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:1028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkIgEYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
118⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:1948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqMYsUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
116⤵
PID:3356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:3176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:3192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMkUkUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
114⤵
PID:2820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkkcIYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
112⤵
PID:4920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcsAQEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
110⤵
PID:4516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSoocAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
108⤵
PID:5116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:3852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:4356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smYQYEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
106⤵
PID:4728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:4172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EusEwIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
104⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:3888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIgkgoMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
102⤵
PID:2988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
- Modifies registry key
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
- Modifies registry key
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeUYQoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
100⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIEQwEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
98⤵
PID:508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeQYgMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
96⤵
PID:1948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSYYscYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
94⤵
PID:3704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIYYggcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
92⤵
PID:2848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeAsIsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
90⤵
PID:1884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWEccAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
88⤵
PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voggkwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
86⤵
PID:4904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:1856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCIIsswA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
84⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmsgUUsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
82⤵
PID:4268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:2956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- Modifies registry key
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGYYskII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
80⤵
PID:3636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
- Modifies registry key
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCcAoEQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
78⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouAUssIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
76⤵
PID:3748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:3460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:2068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGYEMEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
74⤵
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:4224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQYkMMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
72⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:2672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsUgYMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
70⤵
PID:2764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:3704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCMQkQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
68⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tscAEgsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
66⤵
PID:4208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oooEkcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
64⤵
PID:400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwMUUAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
62⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:3680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:3216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- Modifies registry key
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcgAEAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
60⤵
PID:3336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:2612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwYIwkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
58⤵
PID:1176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riMAQYQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
56⤵
PID:4636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwwIowsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
54⤵
PID:388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies registry key
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAMwMkIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
52⤵
PID:4428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyEQYgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
50⤵
PID:1500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- Modifies registry key
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUUgwgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
48⤵
PID:4144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGEcIEAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
46⤵
PID:3244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyIEgMYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
44⤵
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOsccgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
42⤵
PID:4072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:1844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:4792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAYYcooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
40⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huYAAoIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
38⤵
PID:4820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:2884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- Modifies registry key
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcYYwYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
36⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQgQEwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
34⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies registry key
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAEAYwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
32⤵
PID:3864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies registry key
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcIMUYQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
30⤵
PID:4448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:3460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyIoIIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
28⤵
PID:3916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:2496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:2172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcsoYgsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
26⤵
PID:1416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\husIMMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
24⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAMYokgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
22⤵
PID:4020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEksYwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
20⤵
PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssQwgggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
18⤵
PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKgAEsMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
16⤵
PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies registry key
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- Modifies registry key
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKIIgMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
14⤵
PID:3192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOIMkYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
12⤵
PID:3688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BckgIMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
10⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqMooEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
8⤵
PID:4980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heYccAYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
6⤵
PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuQwUAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAQckUsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4120

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 7dbe7d8ad6bad0641fa663e5ccdd26a6 0RWgKOzANUKxJUG0xrwmqg.0.1.0.0.0
1⤵
PID:3024

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2676

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1052

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AIscQwcg\IQoAQYoE.exe
Filesize
186KB

MD5
7681ea9b977da1c13886aca6fc117c51

SHA1
b5166ca2427b5a1b899dab4048c0e0e79892f88c

SHA256
bb38eb2b4683f6a14d310bd6a5c6bae7bb1b290ab946a75b57bd2425f7f8b1fa

SHA512
280f01de25ef512d74f1d941d3e9744d83e6fb34454c04f9bd9a7cb9c93cbb0b58794e97a938087afb1ddec4b2516e41e4f5b36b2180cb54325f7301627b4866

Download Submit
C:\ProgramData\AIscQwcg\IQoAQYoE.inf
Filesize
4B

MD5
63f487e10cef6420516b2ba407d59de7

SHA1
1d63a38a181b978ebc2e4e252f2ae622e9ea600f

SHA256
30b8191a33a45e27ff04554739c64e46e74f620dc325280b9d5b0e9d22bf446c

SHA512
df4da814be1e1acbbf0c5ef4bb0f89475cabed9c3451a783b45eab860006e22013b53f8b2eeaa4c22e2d2cc263988f060032952b62ee40cd980dd1bcfa8b782c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
318KB

MD5
d8551ea7c45104f5a0e73da164cda5e1

SHA1
b2b9d5ffca6d102ea4de6b54d91e461bb6ddf7c7

SHA256
675f0f99cbd08667f5a4cfd2fa807ddb02fe5ee83c4230dc0490b3560bc88568

SHA512
a97b1527793b74907dbc196878794ea68d0bc3123fb36c2b1d1cc04032e7986dcbf143a3791882f14f0aa09c1cfc39356b7ed01f2cb46c0499f4197483f5743e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe
Filesize
189KB

MD5
789184e6d01f685b37ae0efe05870641

SHA1
0e57db6ef6457ad941f3edac28e82cecbf052fd5

SHA256
209d86286a9f69f129bcfcba722db773cf5ae30c6b464cc80b0042ae91f91b42

SHA512
ee1359ca009725a55c67e5e52531abe9c050c9285a96ce6152f39082f2ed7e5996955aca3e1a5c6ab2f2ea56d730c5122c7088a3555d25340f994417d4493b76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
Filesize
190KB

MD5
eef1a9ba9f09e46891ec1cdec241448f

SHA1
f82ff9c5bd41997dc05b05776a74a985c15e05f1

SHA256
e81a1b4d167a9c47252e077b26c37fee8bcdf93102efe6c0b1a2301871faa9b4

SHA512
093bfd1c6c8b477e10fc4ce1c1e0b70c08b9dda5917edddce374526c3e2e38bf93b8e8920b9fa1e406bf8bf1dc43507256c4da5f3a881d9f5b4d63702d8efeed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
Filesize
197KB

MD5
84f0df328e7124251a8d03474285ced1

SHA1
3a1cb47e121df66fafad1baad0e84a6fb5f7044a

SHA256
2b482e18a90298ac1973bad6ff3e9e5589b6524208a810aaa12491f8e4289dba

SHA512
832dac3584f93c3df1d4f045f383714681a4bb53e8e3bae078fb4920a20bd0cd832cd6cbd259b1e9080db40ead014bfde811e48202a7ad657e54f459e9391243

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe
Filesize
185KB

MD5
9685cdb8442f99ceb634dfb85a7ac751

SHA1
f6b22b70e3dc654d407f045ea22e580907859b1c

SHA256
ca7b30ee626ec022a05c633381ea3afd7c8ab5c999da5a0bb058db2a4b75e3f3

SHA512
36867f403c7f7772cacc543eb451fb318401c62240084e11a249b0bc9ccb10e8a48147522e4de0854d35be113c79f0c5f9d3105904725ed132db902883c9fba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6e9f6eeb64bbf4811875e387d539594c_virlock
Filesize
3KB

MD5
bd12b645a9b0036a9c24298cd7a81e5a

SHA1
13488e4f28676f1e0ce383f80d13510f07198b99

SHA256
4d0bd3228ab4cc3e5159f4337be969ec7b7334e265c99b7633e3daf3c3fcfb62

SHA512
f62c996857ca6ad28c9c938e0f12106e0df5a20d1b4b0b0d17f6294a112359ba82268961f2a054bd040b5fe4057f712206d02f2e668675bbcf6da59a4da0a1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEoS.exe
Filesize
203KB

MD5
9b9e2e40c2c452d40c8eb24203225320

SHA1
bf7182b28e817103d6b68d80155c154f97bdf211

SHA256
6fab587bf1d7d1e3008e866149704f3a467ad466079d38d2b485f66314230d6c

SHA512
f7aeee347853b4febc79e6eb034331da39271441bca7e96d6b5afd0b73780edbf0a3a6570ed80dd61a42bb29518cfe8b1c95aa65990544426a40116992cd4651

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUEk.exe
Filesize
200KB

MD5
930468abd8a4532868577bc3f6396f6f

SHA1
dc9f8475615ed41180bed9a9633a356e8ed04325

SHA256
90f72d37d37e7f1138109b724b3cd6d6995203b2f7711e8e09c1ff313cd2b0cd

SHA512
91b722739f309dfbc8181717d4c326678db45632f6479357fb0829f405db08535d713ca15b772833e66bb93ad6b306de28bc73e36b17ae74614bc7835c10e86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYA.exe
Filesize
186KB

MD5
26d9c99abc4435100543f58bff8c34aa

SHA1
1b809e5106aef36247c2e9e2f540136d4b717aae

SHA256
ea7ecf2bb5061fd1915b064703de4cf43bac9129ef4f0699e87706fdcd4ca864

SHA512
6336edc1dceaede7a48863f841686f4ba53cb89b9c3beee938c4713916362240c5fa19f92076943b675595f8ef8f279826956c4a164197797e84755e480034ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agsy.exe
Filesize
791KB

MD5
df3ce14c76443353a76775caad98f848

SHA1
b26549331044052caeec84b7ca06cc0d82e1111a

SHA256
6f8c4b2f2ba5930f76c46fe55748773afd6fad2cc02854f56a273da2bed07b45

SHA512
31e431e6667e221c943118b5af22ccdb699a629abd61e271cd4d04fe01389d215da6c4f62f96ad1e8f4a25db51888be6094cdee53595f8d1ca84ab2f6699cddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwUI.exe
Filesize
191KB

MD5
3b86a779382c3dfcbe61fa4ad9849cdd

SHA1
2b88877633cd8ab024aebe72e59d17c8239e5c89

SHA256
ff86c8f551c31fb291529c0ee5b67f3a3467202b0dec14dc6a5a86e5c367353c

SHA512
4e02a86419e5c6272c5f489a203a36140615211cd8f4aaea01cd4fee84341d3a79e20ba368ea7136ecd22f3789c273226aabfaa5ad5c0a71c3f4a3815c82a2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awku.exe
Filesize
212KB

MD5
fd91a2bd6084071b86fd7bc8e4be25bb

SHA1
3cea5ea8ed5fed462cae7ebcd163fe17d7288c0b

SHA256
7fc73e1dc9deb3e084d17774d31e0524e2eccaf1a3e68c5d1fce884b5dccd8b3

SHA512
88d4c2a2582ae4fc585b80adb87e38d4fdee4ab9e068b17254e891f87b4269bf7ce62780226e15b4182842e7bf93d45d5484807c98ea24ab5b8fa0dfbf29820f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEoY.exe
Filesize
266KB

MD5
16b4292f2f1e8e6e680777617a6f8eb1

SHA1
f35d71ef6af8723049ef343e507231b371c3ec9a

SHA256
c7da6e13c530715d129bbb73ed20bd5967697421de05adbf45c66bdf91710943

SHA512
c75f8538eff8a42b16028255c9c9af01ed35a9fc1695d9fc7b2637221f8505cc79f12ef7876d64b60024e67920c75e0c389009b8a28703eb4a714c65e3e941f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMcE.exe
Filesize
202KB

MD5
3908195b355131d707f268bf457fd044

SHA1
a8cf8596ad2ccc8623ddf9dd369b3a2793bcbc0f

SHA256
44893918838b26357d85f3a12dbc5af98337757a464f4c3bfea2bf49b6f91925

SHA512
d2b2eb0244f8a7ff19abc8b0761ed68b3f414f8289cf9cf84b9c08dfd56cb5eaa66e5d3764f5c46da99b4806840fa43950b71138410f624cc11cd026176b2326

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgU.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUki.exe
Filesize
187KB

MD5
b5cb0f79f236b195182c5c2d7a15fba8

SHA1
c24fd836a08542560c7242df8166cfe284ff541d

SHA256
e59c48e932497536e86d74ed376103aac88aaf12e04b5ddd6bded0d93ae0f5d6

SHA512
8de545ee23b2dc17ee1817a1ba4d1192c3e7a433a838fa5e209b74676a063fc70d1542a024d8e72567374f97adb9cfd736c9b70003644eda8a8e132209350f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekku.exe
Filesize
204KB

MD5
dc2239648b4d5536602a50ec532afefc

SHA1
c5972ea0292b623782a7d35c0780721610b5825e

SHA256
720cefb27715e1e371bd8387fc5c0ea13d60964b2e8c786194cc40b25123bded

SHA512
0282b0f074017eb085ee1880c0b660046afca631016d3cd3a870427eb271dfdd2493a3eb65f96af953ca12856e419ac28315f83ab71534df049c50e34bb68226

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEcs.exe
Filesize
198KB

MD5
0f03363833301c69108b171663ee4474

SHA1
7668d8b03735c8c786fd530cd6c52ab83de16944

SHA256
cc66958bc06ec15cd6819593f962e455e62c74e27ea981ef883faaa3db62975d

SHA512
699864851c2d349b9913c218debae9a25cbe88ec2ff8dd6828ec9c41ffce0b43390d3ad3774940509e9559b1eafaabb634de64815dc1f8590b245b36a24f4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMIe.exe
Filesize
187KB

MD5
80c13ed7ad9b3bbc9eddd6c3608ff5cc

SHA1
0d1d53147d75f0f356fa2aecf8d8a55d8e701873

SHA256
df5f1c00612960c323430c73f240efe16bb67010d25513138af480be6dd2888a

SHA512
a24782f9da61d84035b4c7d50101e06f6800b72056945059c79300252931e419efc40e01f83a4975b51320cc4bf2190a55cf3cb20101ab7c4eedc21eb57297bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQYg.exe
Filesize
234KB

MD5
9b1be729f7f71ec9877cea62bacd9614

SHA1
d3d8183df211fe8c4607e3d35739cc1b24601966

SHA256
9ec82eca9a0318e683075a07ccf8a23b7154f4041c6ff14cad96ddbf022a8349

SHA512
1698680e004c3f6d12912cd853655cb1ed1ce1dc1e33a30af81e689aeed768e3cc533c5e9269baf0f78ba4a7548ff1ef003b4f1da4d7e74e3607e2c872e4b99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMUu.exe
Filesize
225KB

MD5
80764746db734460736a44047e0c96da

SHA1
b7baf9c42a508529375b48dae1ea5325c1192f53

SHA256
e12d7721402bc2e53f6272d49929b57b2229a838a65dcc59edcc7d0c3e4ee7e2

SHA512
0cff3427991dd6566431dffc511eb0c298278212b5a51af1b098f9b0b3d673e50541538a58d4fab4dffccdbfa14349b3e3af93dd5e137a5edb010ce9a5f92d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcYG.exe
Filesize
190KB

MD5
720a9c449354f2e7f34bd183e4c8f617

SHA1
07b3f06f457363ab47d32e472fa832462f0254cc

SHA256
02607862bdf58659a50e1c625422657a759d5e670a75fc377355f44afc68d2b7

SHA512
1f50eb86c67dad895d1ec3d7c2a631c3d4efb1e258b37f9ac4bd97f947773ac74b14608f09c97e080be8bc3217f195a43dce461cbf33e82852b59b84aee45849

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icws.exe
Filesize
187KB

MD5
61b0c48d8f8cf1014d82e051749c1e9e

SHA1
d49379f85d09ae7c9ccce7c8399fca8e407baf1d

SHA256
a75dee150be212484dbc19cec5ef576661c2bc404fb4af1bd5ddd94f2f5fbb81

SHA512
4f4bc12cb96b08c75f84bbee1c8e396268b6ec09a1a69cd22d1d207263ecc777665ac1ebb54b51537e467cf5065eac151e41d933c4a8980086ead7fd3d165014

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwww.exe
Filesize
390KB

MD5
9f0e554687dd9bbee38fe18f9bda4bae

SHA1
309ad5de66e5957e14a2e639169e410830baaba0

SHA256
fbfcab46a053623f9b814c53ee3ba4d1b9a7ceab51edca780c96809ba6f3518a

SHA512
6bd3b9850b9c95180417f0548f8d94bc9460ea08350269bb4ee756858cbb840e75f100a771e0fcc9fdde472289f51c0cff81387ea689b82d1acd49bff41060a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQks.exe
Filesize
185KB

MD5
077c8b23669d4ac2b6bce4ba0db7cd28

SHA1
e7a392d0bb596da2adf3a043719238b201c5a05d

SHA256
7c5918d51b4e2b9b27861c71b46741aa02057c71962b59ff498c16d2e544c0e1

SHA512
5aa3ef43897637b0a7d7e5af9d769de624dadc68a4db1e8fdbc917a25ac6416e4a6435d677bb3d209f28667e9e03e55949f8314c76c4d03c5c290a952e2b42a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUUS.exe
Filesize
314KB

MD5
0050115ff03a4ac7b75071ab82d7528b

SHA1
5970b994aaaa26f4214c27626e4f56cbd68a436b

SHA256
247f8bf584669aa29f5eadb908a9b2368d80dd6b881fdcc5c036189555b89e6e

SHA512
ea6d3b095713d3e7cc66518ac6bea58b495e7ba68349623561ecacb2491a3a6b6f92bb213a84b30ade951043a7af1849b22d8b1733461bac61c2b372d109846e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUUw.exe
Filesize
199KB

MD5
9b8e5337895f3b9d6b45a459d359c0a0

SHA1
3958be1dbd10558f836b530683769c0f90dd7899

SHA256
e2759799dccb9a2dab74e7304fe14d6e3e57dcd755e33c15f4b38a50ec703740

SHA512
cd605219b4bfa7207038a4dc57427780d51087538431c1910c668643515019a75b77f5ec90a3d1dd28d5788e28c0bee85f8f787c82b3d6ade738a6dc2c75e4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\McwM.exe
Filesize
201KB

MD5
1092ccfb19dafa669efef0ab1c674ae8

SHA1
cd1c6363aebcc8189f0d1b7052b556f8cd2e0879

SHA256
76d324df2bc6b1694747eb35592ffca2ab9d5840c8304c505bc1670cf23f229d

SHA512
d2f3684b83d34771f67beef01eb156a1559b35db124563efdd8c533ba916023f77f5227ab909161fd739ec732c5b4bac6c2bed379e747bca5fb91adb7816d577

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcwg.exe
Filesize
186KB

MD5
9d593c8dc3e6157c2fcc22e23682c866

SHA1
18bfc94de6463d6050b05e12468f14cd4b488c2d

SHA256
d4c20fb8097263be699e274c3a6ec0116e6a98edee8b393e5827ab1ebf0fa9e2

SHA512
8fb3d76258b43845cd9999d377a2887ee0563f31ca3838b65cb5c2f31c3450cc32a3cd0dd303341a7dc5d89fdd219871fe446b29c6dd5c6b8f3dad3f13c4bb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoAS.exe
Filesize
202KB

MD5
5b8b8e1a3d01231d6ec97428f2819cdb

SHA1
ffd4d3c1cc931021371352c7e3e556b44ef4840b

SHA256
256fb9a899d38b14dcffd0a4f9477e303a058668457ebcc192e46ef8482548b3

SHA512
34f523f313dac6337248be86f3c3a7d624e8f15d29b6ce9f4d263660dff3f586ff9097282bb637feb249a3d9f0e5a75864c1d40f3e27df4198c6e9cc2af342a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUgg.exe
Filesize
190KB

MD5
391bd400e85645a7969c14d306709b02

SHA1
bdb7adf77d3739f34dd74a6adec57d14fde84df6

SHA256
1421f4a8431e9feff89e92e9915d38781441e1b9d32421a48fea6209f6eca295

SHA512
642bdbdb140be97fd7cb310d69df6538eb190d8ecae48cb9ee3c21839ab1a3c9b666f44e5ac29c424b871ee66e025d99496b652499a9afb9329198f53d09e821

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwUQ.exe
Filesize
313KB

MD5
f16f1a087409cbb9aee82d69afc5b371

SHA1
60651b54c6aacbda73435a2650ce984c0e970eee

SHA256
315bb58ade8884b770ddcd071e9c375be6d6f8c7635ee8afaa3500794f988e85

SHA512
ef383eaa047c3c2cbe65e667cdd747df6fc3b8961bd47f42f07035ac01b0a87a52157bd3e09ee58ed330d649fbb43262695786bdf613821528a533c6ef393aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEcY.exe
Filesize
212KB

MD5
520773ba19e005fec2b736b47f80fc73

SHA1
9a83fa20c1125f2d966a8b473641ee0786890806

SHA256
5dd8f8e4052c44428de4e6297c20712ecd1f2cb675212deb4fb7920e740225c8

SHA512
562cc4ac71e064cd30e0b4d8693d8cee57e6a66bcd92bd12419112ffa3ccbf4dba7e3aa3558ca65833e0d4d2ed95bc8b656ad7538efd33520af74cf7ecb6d1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIIC.exe
Filesize
197KB

MD5
0d9042801b2744add6124159fd270256

SHA1
424b60d47c4ae689a5ef34816d8af7facf972dd1

SHA256
88740b229a2f307a775e6233d6ad734c1fe013d7a9360aa2610ac0c5bd89a59a

SHA512
084fdbbd65244ddffcff44e4f333a5d7d27c2683276387ec92209eeb0cc95ef5ae1e393f783dbccf2fd368782e50fce15542c4446d900afa8ac9fa99a2e26333

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgsy.exe
Filesize
188KB

MD5
972f31750fa74d807a7d92519f2bb174

SHA1
37f31584d38b09dfed939a2763918ca2f53b3ce3

SHA256
99d60acf8bbe4be2f51d67d552334f4924e12fe7c30b35e39d177209b9b3cf4c

SHA512
d678f38066370816b14bdf9561d23c9e7662d54393d38d5782a24a1a2acb6fe39fe2eb2753258faf09f47edeacd3888c4e42d9bc6634732bd4dcfe4ead3d65e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkoO.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwcC.exe
Filesize
236KB

MD5
38fcde243c2dd9d4c4e3397e97919934

SHA1
d3f688605b7a77b255005c0119747527f9ff6943

SHA256
ac3cfdee15900de24a899c90605c9176d3aacd26684afc4c3715c6bdbee68613

SHA512
ab7896645c40892c6f0806afcc6f206482cde32890be932d10a0afbc8153168dab83a9e90094a2f8bea85194045dc4744c46cc97117153209dcc12a06dd33b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIIY.exe
Filesize
184KB

MD5
386fbfa202147f4cae053caecca928cf

SHA1
6fa5f37435bea7e62ed14e7547c29f0a1327caef

SHA256
c434eee4441a1650f95d6986ea97b23696441e7202791b6d6b61892720a892c6

SHA512
6f5ff8f299f7ffff430f497dfb1d6952abafc7c3fcba8f810792da2701ab0a38e2b5b5a3a67c8260df2b07add13b0f8f91b4d9831c851c06cd54bf1350649287

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkYe.exe
Filesize
183KB

MD5
208b379e0bec748a11b4dd16c3ba5e38

SHA1
e5cab8d87dc8f08dcf1648aa7c21f1f21bda283d

SHA256
a17d46af8dccf1745437956b6dd8a8bab07ed0daab189efd5a26c6439add5a25

SHA512
75689c952ed1b6fc10354ffe7177707e49fd5f3a9ef4e6fa3607133d9aeff1ecfcae977cd8756f8fb08695fbac3f591c5405b860d2a6b83bf39268f63dc448e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIMI.exe
Filesize
1.8MB

MD5
0f238af4c1da74eb1189ca34bc58c124

SHA1
ca161e1efdc3bf69b4c3b1577e296dd6562020ed

SHA256
b24609b20e728c91166aedfe9ad43afbec588b80ae82edbab4041c438671dd6c

SHA512
6e6f40c080bc94d9aa1854a30735ea8883b986dfc137448a0aecabd86efe9dc174eacb8c9bace69a8db6529879ab97e6afe2ef23dfb462337f0b8312149c001b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMoE.exe
Filesize
1.1MB

MD5
eb49cf5e7153ad5fea11d3e0cf1da720

SHA1
9aaab9a63a8a5c6215e32f51cdab735fc58c7af8

SHA256
e60d4bd48ad0d52fbb1571ccdd1977a70364dcb855920306f9146cd0d7eb1437

SHA512
fc439f7eb104e6475ad2737ae4d983574df4df4e9e719fe729610d91dca1963099323c48f9a374ceee4313493aaf887dcaa3c4d1334a442782c6306cf3a8db66

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgQo.exe
Filesize
333KB

MD5
b3807b6ea8dcc5306ecb40f691ee6f05

SHA1
486e47be7ddfdc456a147eb4bc6b8f5a0b712a5a

SHA256
5c7362f594dc649fd30f4d5fef28465f1e5475696bbd4ba51d5623b9aab6299b

SHA512
c9c3e73fdcbc782f9a7c3b6862c6b4d5b85603f768f1a6c4cbb93f72b2d6d848f0412138766a0cbd19a571d572607fa873f60fe66ba33f57e2d8650e0f43d59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkMi.exe
Filesize
826KB

MD5
432e50aa29db571b752b20ee460054b6

SHA1
10ec6f5ac9c81e01208f96761e443040fff8b2a7

SHA256
8a0bb73d8a33086bd1e89e085ef884204713a6d3deefb88d1c281495fcd7a7bb

SHA512
6a78670b0cb10fc311af40652e172b99f570dddb9e08fc2ad492fcd436f956be293a98526cb513ca3fd1f1302211a83009d016b9f2c791e696f68973b8a4ff9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkcW.exe
Filesize
195KB

MD5
2941e51e6f6bf1b2335d198bf88bdeed

SHA1
1baa321cd50cb1e208ed6047a7632f48a1fce004

SHA256
3a68e38c71c1286c1d28d7e0acc167063d4cc1acd8abde5c18faaaabbc329206

SHA512
9fad61ebd86fea6ceec9256a3a7b8a5bc9e07677f8a56f5661acd1d45e6b2e42441461589ea3f6f9837cc37b9a3178fbbf465eab8693991366d0b7bfa784a3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsIW.exe
Filesize
199KB

MD5
78779372a46a2fc6580de46bd47ba454

SHA1
10d9a87aa26474fc8ef70cf4ee2d4ec9d0b86eec

SHA256
603c4c9aceb0ea17b0ad9d542ea8d67dbefb00c19c70c64ea201f0657bde8d63

SHA512
0bfe50d9ae1b97345923aa06de947fa49bea10af8d97f686770b252be5d23238eacf296f2279e038f6de953ea3dde651618d71e885e64f2ddd84cf14dc12708a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WskA.exe
Filesize
657KB

MD5
6cc751f25ddde44f5c4e5f70f6f48799

SHA1
f8af1cc7c87016d57f74d7500050add2c7cc90b5

SHA256
5a1436ba966d5f0c5bc484eec630caa2bd6bf2492735b0fd6c1ef2bbe4f70d3c

SHA512
ccabc3142b87a3585070f346a14774adb7020091a6b9192e41b3e5decbd966f447012cf3d067be169ddf0f7664004d6256b4f369e3373019a0f1e63d31958291

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQwm.exe
Filesize
187KB

MD5
be9ca08e1b0f3958c45b8e8181c404a0

SHA1
f82cc92f3a748bd796f809527241dd47aaed4ab9

SHA256
b472a516bd29e6d4525846c97fd421a9b0c9b50ed4cd3368138838d7e49ff040

SHA512
15ebf0b0dfb65fbd133d35b204eb05fec9afaffc718967a43010a4848679c566b5a8c10e7af43249c1d7c6dd5268c018f62b4e3cd7dc3e997eb0cd17c09ca723

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYse.exe
Filesize
198KB

MD5
dd69855437623ff0a790b00ae51a5d6c

SHA1
079fdfc073645ab73a11caee0e415dbfb2a7353c

SHA256
9ac2c26e58589a82a4c1bf0b1e8595634b48132630871c855c2fa4991c193612

SHA512
0885cf84399e6686d8c7c58afb264fda50914a05668d9cd1d466d7602a79ebd1e5b841d3a6a8e013bd39194fb22e4f803232d01161b91b7534a814783a404fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgIC.exe
Filesize
194KB

MD5
4ba19e181a6beb9cddda4c5dd979f5f5

SHA1
ed51b1894e978e22b78bd2c29cfb3965adcacfd8

SHA256
5a6f47f9a9be4197d09a2d77507691e7e2d11c60b831f98cae23ec8b6d671c78

SHA512
eb34616d60decc75373bc33329b2cea27f3672472ead4b5389cfbb4b5717c1ec35d026214ba12b928094e91577a84beb1acb2497a60a5048939786d8329814dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YssK.exe
Filesize
1.6MB

MD5
fd23a0e28ab9cfa481b3c5507c58f97c

SHA1
78b75fed31769cfc8828fa20bf44c6c29b12ad68

SHA256
fa99a3bc8d644705427a4565c8291759a76f225d672b76c9f9f2b8c6cae2faf8

SHA512
588a2d2cf497637f0e56e7aad6f63477066b6b6981dd32ce7c0a39fae5aaa7723c40c89e82635f8bc3490da2aa1e329eb5383d9c2124852f66ccddc02572bdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAsC.exe
Filesize
185KB

MD5
62366c65d3c23396bdd87b8d8be44038

SHA1
a9e5b3a5e84057c9907e050c7711434ea2727d74

SHA256
7418fb6e5918eb9b52d0cf9addcf29cf9795a1e6d3f3bfd6cfc201a9c9f25107

SHA512
c4e35947c167e06ab360a0a439a79340dba793759b24a4fdd651bad1beceb5a656e2d23f88c1ec18fd721914b23e618ed22b58bba177fcb871723949ec8950f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEAy.exe
Filesize
854KB

MD5
12f2c07ed4f452706aba714cb9ac500b

SHA1
be8d1b47e251181d3c06ebff457a3894c7fb81c6

SHA256
83f44a302077938955aad52e0524608d8ce5b226eea9bdac85e8b049c50d87ed

SHA512
22f0fb4bb3fd91b0691231a982380c60f9d7b3255a9153cc7547d93d8f4ce327c122c74b3bb657a26a3b6e42ab9626a1fa1847b3f24aea3af6754bc0d3a56fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIMA.exe
Filesize
559KB

MD5
b5e4cd6cb7d49b72ef548f8087a7484a

SHA1
2d12945f2954916ecfcb735f0ec437031a1e3f55

SHA256
a6f716143a797a11556709bb7c85012e2dbdaf8319eb817ef6ad2caf6df56b2d

SHA512
f0748ef577693b114dc6cbaf5594777c23c0d6a2034049a83969345aaba647fa8fd92756a8d364ae1b958ef05f5f2b625f7557e4c479d4442d90721747f9ae80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ackW.exe
Filesize
184KB

MD5
fbd12e7f2085b191cb4377d0ddc81924

SHA1
5ba6f8b65a19ceb8a245b5034e0cabf5deae07a8

SHA256
d8fb976681c298ec0a7f6369f1ff53d6a3463f6e92d5a49f9e401e310d1c0358

SHA512
21b435d431935fc5d26064a37e306d8846f25fd055affb04fac48b69ea4e7b1e00c8017af0827ff68637554af681325f0dca547692dbf572e7cf925fc442fdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\agUk.exe
Filesize
185KB

MD5
88fcd7e580808f75533a389b175ddeb6

SHA1
3e15eed1fdac540150a9ccfd80436eea2260169f

SHA256
3fc653d37f55acda3ab31529a6b8d20b5fb8b6c699f77ea4cc113272d7c11b16

SHA512
27ac6298bbe0cc2571673f9193a3a397d9ee0bbd596b082671c247418def660eb9c487f51b1dcb5709e4cb99db132a1e40de7763bf4e3dead9d76987e00af014

Download Submit
C:\Users\Admin\AppData\Local\Temp\askK.exe
Filesize
651KB

MD5
d7b0e47d577c463666b74108f8047309

SHA1
a8279083f41c27e6988521398118b32caba8494c

SHA256
5a222125849d1172a49e1c4151e45a2d4321c571aff00f5f9826052e668fbafd

SHA512
b73236d7d65e800275f84f89453d3e5310470e31e51bcf127717d0c921ba391e506bdfa6369ace4b589e4a0721f35c03d7d1e67f4b1960ab1a8fd686d858b8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwUS.exe
Filesize
217KB

MD5
adfc7d23d3b1e8959de60564d37f3590

SHA1
f8dc585810385664d8a05523c226ed6a4e1333c5

SHA256
7fa66af0055357034027dc04b37ec88306dd0cb3a5845a1ad7c2e3cb1b6ced84

SHA512
c104efc2fbd6810461f70097eda7c827c76ce35ce05828521fab516885b2202c5dc19b5e1372f52a5c983265b8cc0b84c37649ccd27fe5e8a788a64555ed47df

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAcQ.exe
Filesize
632KB

MD5
4f4de6e69c53b74247a4626e43137f7a

SHA1
97ab593b0e02d7a7f51d733582ea35ddc1f3253f

SHA256
86ce9c13047c2c04ebb7682bf8b265674fee20beaf598ac73237055d4955ca78

SHA512
a011110febb488ebe9f6ed75bac6c7ce0a68443c53338252d497fbf8d5190ee6e1771109d22d099f5b5f0bb2f45ea8d365e10ae52724891f72290bb30c045113

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoIC.exe
Filesize
185KB

MD5
adf618e8efeb2280382c41c9af8d5f0f

SHA1
69167bb791906086c10eccb96690143f18fe95d0

SHA256
385043bb5d3196aff1df3e1e1818a12aa1c8c54aa795d931338dec6e7602c772

SHA512
ab182bd42ff12c62fc192b7fa9bfa7ccc4a89833c17e2b4fd3df540d4d549943e72aa6dd4f3d224d1156dc48806ced0bae2f3b04406193dc9d8c9cb62b899780

Download Submit
C:\Users\Admin\AppData\Local\Temp\eogy.exe
Filesize
821KB

MD5
fb2bdabc2091cb28e4f3ec7442865574

SHA1
3b07bf3ae358823a7113bf51b8960bb5226407b1

SHA256
a1d016d45b1b6a28ff49cfc15db89e16e8c3d3e303b92361d5ac134eeaf3a711

SHA512
14a7a3a5f48463805a09c8c7f3c334de70b31f4f18865faba05e0dd78a993885682b93967d7f195f578461f6dfdd2af9238b57f0891337c31751c7e6427d821a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAQckUsI.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcwQ.exe
Filesize
201KB

MD5
f9f40d86e7b534c8c6479b4048da3721

SHA1
7a06cc371a897c219e09599a5a777d3b031bd4b9

SHA256
eaaed5cea7b3531318c33853fe55723054204e46d059d7a5e9716adcb14d39f3

SHA512
30d5a84b801941069a1fdfd94093678ff8333330349224a0bc7a1a627611ab7cc305447c6cafa1803d6c3f2c936833059fbdd2570f55e73f7d5990ced3f94ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkwC.exe
Filesize
206KB

MD5
9ecfa722dfbf57d3aca858705857723e

SHA1
0863172f1cb43f7f396004ca3a3d2408301676c5

SHA256
350b1e5191f05de3af8b6f4f11ee6d5ed19cf9ce63fa2e4d703b754b01b6a664

SHA512
5a6fb2918768135876716d877c9bbfc98e2fc0196c75f2feab88b8d4b8f10eab5a2e9a7616d96f37f3db3e03785838c3097928c1b1c594c12793c6ac7343bf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsAa.exe
Filesize
184KB

MD5
1526421d9d599067f54e89980128e2c5

SHA1
88f2f7c76f2b2776fa932a11850d54560dcd00f8

SHA256
00cf01b5ba05a2c0c31022cbd6eb9881568d6da91baf4966ad219cd7ee82b81e

SHA512
be609e029171ef8497676f48f9f5440f5b67e06d213f21d52f5f03d37ade929ce402124c144847cb49221a70e0c242089eb27f6c83e0b5e186f9ba01c06be33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsQw.exe
Filesize
929KB

MD5
f00d88372404e81c3983c8446043cee8

SHA1
7c61d579b1b77b0882f6f50ccd28ab06130044ef

SHA256
85fadecc28d187a71deef184b086bf0f7b63e6fc0ae42d52573b8f06038fc1da

SHA512
b90284dc7f7d6c9dfb4e36b44be23be9d3b041803c6fa1f3f64231503f61a8703e7422bfd1a512d52ff44d6b4da76f6997e672d38e78e17275e2e293a6478e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUkw.exe
Filesize
5.9MB

MD5
127534d1267249af9916f8e9b69f56a9

SHA1
75a1ce9dc0cf6a9f6be56c217967b292ecd9ff6d

SHA256
ab51895c6ed2f1d3ee698c0937069bb7862b0c0f16855a1b936f6cd3224ddd96

SHA512
738aab2abd37d559dba3bd52fc21e6961661c13e09047bf8f006f4810029edff7d01c920b6253c50f053c15ff08c24af0b300eed3040a537592de47db735b943

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIki.exe
Filesize
1.4MB

MD5
645a80f2bb598021e2df083450feb829

SHA1
882f52f3eabf2093708c7a8928f56cc37484d4bb

SHA256
a733e7137bae0d6cbde43d3210190a33429e0145e7bd326263d8f54968e65cca

SHA512
8a17cd3e569ea111128c8b1539556d0d52f2dc6d6aa70425b965bf048327331e06cd47987126cd53ba9c15b0a39a38e8213629aa23155814bda5cd6828d074e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcoo.exe
Filesize
645KB

MD5
1c801aaf5f415a34c81cf11dc6845eb7

SHA1
9b019bc84c5adb1c677115bcc244e3051b87be2e

SHA256
8c27116bcc65b70c21515d0b236b17872d92f256b026fe5813e87a00264866fa

SHA512
5eb9c8dda7f295bfb93de456a443ee3810f66ea7e696b833da6f9cfe279d07f8dcc5c1b84968a247d54d3804db9fa95be0711ca45968c9176cdee43810cab017

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgwG.exe
Filesize
202KB

MD5
df26cb3e6a0a9c8a0ac02486f9dfe294

SHA1
0049b365af60f0a05b2876f54db17f33c829c025

SHA256
a2bddddc5e60bc259bf9591c7ffc5e9cdc739d13d1d59f78dbb33e9ff217b429

SHA512
94097637ee317097eec78c2b240d6b27a28fb5742a2f4bb05b7e2ff8b102f4be48f081fcfda25c9561be8b5a6a105ff997fc6d2757b28b2478ba29fe648698ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAkS.exe
Filesize
235KB

MD5
11dd0112c3c5ab2f352c2b68f5e07647

SHA1
41f59ab13d7e7540c93042ef585e3ddbae23321d

SHA256
2b09714fd07d2fddb0698fc5d2b30f1550a240d692c14d1796837093d39b977b

SHA512
a8a8264f4ea12009545259926538ebfa93575f8231080d0050a0dba5ebc0918729abdd2617a98860f8e628913916f6e5545d0466256de8e887b31a617b40057c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUkU.exe
Filesize
199KB

MD5
11cd46f62b30a925bce4ed1f8ef2b9e1

SHA1
1603126bbbf173900c11522deac9d5386ab5c3d2

SHA256
7c2f1c82fa857f3163e167493f17d29fafba32e0ed8f0e89eb580eefebbe3bc8

SHA512
e01bec769b11a533dbaeb3ae38274dc731c3a8959c22a05b1a59e9c54b1a3f59acadb1e27011f51fb3f5222e8f1768f7370e0597f75fc440d36e515b7ddf1831

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYAk.exe
Filesize
239KB

MD5
48557c41419a1803de654ddbfc282307

SHA1
dbe789e39b6fcb2d952a72cf4b27ce3931c8faba

SHA256
2ddb9857f3a9ca7e6e1066c994192aa8d606bb39b91cd3d1df774e62773dc0db

SHA512
24158ac2d08b18df65589a4c4f3be732d60642d173924ad10cf00645a8ab13bdc57887d5f40bf5ffac2c4c5326889353ebc0ce2594a5839d62c74806511ba64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwMk.exe
Filesize
227KB

MD5
0a61437f827b44db31ce159a105277c6

SHA1
ea3ee2c366f0c15191a2768c50addd02bb5c3c7b

SHA256
e9a722b47e020588b170bdb9865ee4f3587d580aec2b4153c400d77b9759bdfb

SHA512
7551a1e5b16507a8b46da66c80e30eee70d67b7fdf0d1df0b65f34be65680c66043aa2e250b2829827f45ba9a7d4dcc0fb78364e0f9efb1c4cf0215e1343a3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwQS.exe
Filesize
188KB

MD5
834d1518927397f5dcc3d641f36d4fd9

SHA1
547a68767c6d67e2ab007520b02841f5755c342c

SHA256
adfbc3b8ac2901a43f9de2d3eb40d8c54af748045130ead72907c23758b6c095

SHA512
5032bb6d80ef7156915935b2e69af5495a70e7aee37da798ff21eb6f22106ebe43b06c9496f16b43abd194a0a8f4755829ae5999550eb0cae5491d667783d6f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIcW.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQYg.exe
Filesize
188KB

MD5
a1fed0a265a89d959dbd4122cad68102

SHA1
74db273dce9c3c33fdcba37608ac50f0ff2fe503

SHA256
0668f3d08b3988940a032520b0e6b9c6a66f5dcf8354809208b5be76e2922b98

SHA512
7f0a9ab49e098abc2a83fc00844152fd0f4434d658e35fc658b05f32241c0bfbf502d825e436c070ecaca3c79f881909ed66ea126fb22cd14d6b8fb0dbbb79ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogEe.exe
Filesize
198KB

MD5
3b0af4f89e314797123f68210f65c462

SHA1
7d5d9e189befc924f7953c112420afeb1222af12

SHA256
3d28aca1f3ea600f3c3a6707ac2099a25f243afff43dc701648e91db70ee9f8c

SHA512
1cb4f7518a1aeeec91615fb2f99840ce1ab039d7462e80fb32dbab1beab21f34288a69c211d3c49b59f832d8a0e8431779734068c4d8c0037e5f0a7fa9707657

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEsy.exe
Filesize
204KB

MD5
a2c7f0fd1673e285623c7bab7204b25d

SHA1
419a1f1a18715b893401e545f84513d3260617ee

SHA256
8523da5256a36f29b23ec35b663dbf6c216c9cd716f8657d3904d03df8803024

SHA512
999910fccb5c0fbd2650b9c255682f6dbadfdcdd713646fc6c8f12f7a7a716afc973b5bf9472570d17091286b078556a75143db4b1f5e3eb740a65164d12bf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYEu.exe
Filesize
190KB

MD5
9c4ac38dd3fce777a3a14aa765425856

SHA1
2a2cd444aadec4d8e14910298ee62e268538c687

SHA256
10d26d4731a9c9caa68249d736298b846803fc9f0d7b906d48d82396aee8e6fe

SHA512
87de994ac9ef7edfc06175dcb08472a0b16492d75411e37326779ed2c75e9a64ee878e80619a9d89dfd47c114671bae137dbdebee9d4d2a627d6100b3197578f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAoa.exe
Filesize
206KB

MD5
1d734197c3cb884044cab9b5ac3f7b17

SHA1
fb4fb7b5ebd378d28066417194f70df6eb5066b3

SHA256
54bac8665ea58ce4b16aa8f1d4ecf4e11caa07d228ef6c24265d9bdd85d0d37b

SHA512
5ac5341a02d44c2d1a264fdfc43403a9ecf9fd755ca453d3d40e8a1ea86b0c6b8b4f6e1300d8463967fdf057a50d3dd92eec30ad6debee4d545c46304fe914bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAsY.exe
Filesize
192KB

MD5
a2d1c721742792f2afed01b02c056420

SHA1
34c6febf1addb6fe510750ba679e636cfb1fc4e7

SHA256
cb254ba979c37ee9ad2473b216042165e51c30da7f77a1743116db9d20189974

SHA512
424b110de6e2efa129e587aa0266703aae02206cc21d7504e7f3da3038fa8ca4f1146d6922f22c58af9e7ba20778b38078ce621f7a42dc9de4a62faea488aa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEcW.exe
Filesize
217KB

MD5
f1fc342f8b3731a18d7b09d9eb3d1ad0

SHA1
ce6b42b392497b9b4bb5692fcb2bf4b7c6acfbf9

SHA256
196ea00009d9fb8b8a854476b12b2941c98003ffeb18f7a15eac2fbaefef6811

SHA512
989ef31f4a167b278793c9bcf8bed30828261e74508f3e731cd7b9d45ac2b9dd0f7ef47f87b6fa2893e25d462bfe755ed9e806fcbd38db2bc200ac76707dc372

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMQy.exe
Filesize
181KB

MD5
435f2bea509dab52e0caf18f038d36ec

SHA1
1276f2209032b157c24f5dfecb119dd855a623be

SHA256
903a01512da052a9454e594c264f1ac8f96687f34dd0e7c9985d6f3fc2328ffb

SHA512
001b81b3712c8df058fd67c85e5b2bca24cd00dfe1caef558285d4ed4c84b03d3773b5c8d375c2715885f945c82b921837085160700a4d24d78b2f8683a54aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgII.exe
Filesize
189KB

MD5
ad8d21d76941750e2244a6a5d925b7c9

SHA1
15bb5c996a70e4427df853be28417f952232a37f

SHA256
fbf056958d778c60839d390a318458a6df72ef692b5c92289588a2e4f213856c

SHA512
608ba2bb75e75be2c38e0db08c124d1937ea5caecc856e24fa8647a4fc53131e4ba43078f19e3a5700e5a724d0902536426a6271a0d1310a3cce458fb84f6fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYUI.exe
Filesize
201KB

MD5
443922775689ce32546dde6e7c7bc760

SHA1
a81149511f74ff7e7c17a41b1095bc3aa6d8dca4

SHA256
d207864e7a2956bcdaaccc457808b8531d9248626732c918c4de85075cd89b5c

SHA512
2d494b5ca572195d7a9685ab0d12a578909dd3beeff9ca5d734b6403ed560402ccf77fbfa3a7e8c61d362272f757c79f839bb355ad0d003ef884e2636c8801ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\uggS.exe
Filesize
225KB

MD5
790610430e79099c4b43c55c276bb789

SHA1
3630322ccd1a763a65d27f7fead701efb13ce285

SHA256
8d823b0a9d1d6093f4f293a2de022eff3c9d06690a7c6a2df8383a3dbfd10f4d

SHA512
41cccb04235a9e06697ccb2935531ff6a6c373f3482c489bf54fddd09c4f98412098038eab19ccbfd0db9b523bc9db0ae502ab420d48963f38776e1f9f056221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukIY.exe
Filesize
184KB

MD5
fb9f7aca893eea33499b0d37c2816134

SHA1
4a20341534a5e37941b78efa43e622cb2eed8636

SHA256
8cc9e9d315907686df4b290e7086aafa1b4bdce6f76cd103cbb85ce8d4a0cb19

SHA512
a6d739c6ee1de259fbc366770ddba27bd14626a7e3fcbc9c8848aaede2f32aa9a0cba0967a7213d68e2d86e137b37854704a101a829faac6ddd626824a611c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukUu.exe
Filesize
772KB

MD5
717cf19aa751cdddaf8ef6e03791e206

SHA1
3ce87773c02ebcaa8db485e42179ad7c9ddedb71

SHA256
5995e36d7106301ef098120ee44d243b04d4f9ecb711f71dc47f3721cc6de630

SHA512
7c8e53c7e2f6bdaeb4a7d8cbbaa3dc2a2a7cf80b5704e6a17cc6580b691252dfc77792d4ee20721f89a2fd07d5f349313d8107169be4a284f6b10e401b0b50d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosi.exe
Filesize
192KB

MD5
5295c90217f0f7622a6e4340214bd643

SHA1
0dde2e05ba4ee22e0a0fd0b2817c1ef19cbbb531

SHA256
aa8d72ec1cb379154e061e0cab101f43317b38085db16402ee9a89ebbc924a55

SHA512
08000d67a78bf4f4c484a652a40a3785f7d4431916eb928d0a7f9ff8e9073ab64395a6bcee77ee1bfbf06637707e5c5e64ac464fb4eee58a2b373c62206dde7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\usAm.exe
Filesize
327KB

MD5
cfd0ac65d18e81f1ea4d44aa8b709e36

SHA1
f1f7803ed3ddebf518a3cb1aeefc469f8f0bf7bf

SHA256
4159bf3a9998316802aa958741538a5c6b588fb2cdb13cd20836cb7dbeb2c1ce

SHA512
94cb55e9f275c1c525c830911353f85b2b11033565e584c807d6667ead6c0e78f838545f6d06a420ef2500a491fb7570f3af07cfe291e02127b46fb6d0c8417c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEEq.exe
Filesize
189KB

MD5
3ea9a255f8b5c5b0556dc163f0e43b2b

SHA1
42d788d8b27c34e7240d4c51954ed7d35d099c0d

SHA256
d7c9e3eb1a42730ac554451307bb337574b188af0c5f9aa7476493351c92be06

SHA512
8168770b5c39b1aaf0e806aaad51ea1479c189ba9a12b766d2079cd3a333ccf3a075e36dcc21255539c8aabd02ed44de5bcee81747ff8b442cfaad1f7bbea0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEQY.exe
Filesize
814KB

MD5
d5817c65b8c81ff44ffe744479e05b6b

SHA1
69972399fd4d8af36a3bc3b567d91714bf72866d

SHA256
a3866a56e563c7f26bdb2a68219656388502c05a845c7e55a04760cdc697c7ee

SHA512
6e605148d07c3b57ff259fd74054f2c22f7431191a13b15f272dc8801e196a896b2434969ef01694a3685475ea529188f36030ff27c9f1172a02524e7fe7126b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYAk.exe
Filesize
656KB

MD5
050b8a227faed5d2257d93bc6324bd5f

SHA1
381df2776354d9a94a209c6b107721cacc9f020f

SHA256
eca398f5d56323f29f8e2db60540ecc1f1b766ae745cb31d6c5fc8976519f5c6

SHA512
40e4555ca98cf8d970911a8afe6763048a5693b4d8f563d6b8672a5f3c9c8d0e98bad5a98aee2133839123074657bd66d3d52053b732fcae7f74de54f4cacfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYYg.exe
Filesize
193KB

MD5
40b5795263c5acd3c088db63c0992be4

SHA1
44ca28ca6304d83ad5293de91f37c2c3d930a273

SHA256
51012abe9c4f73c430b9c787a4c1790a96f4c3850c49e6adb60917592f31099d

SHA512
68d536f7404ae1d3ea2174c8e8adbe5f775c72de2563d3ab43c64348043f3e6ef5347d83fcfac72b0f71c8316a078a776a0d76a074e3e05d1e41296f3def1dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgIe.exe
Filesize
199KB

MD5
5ae9fc0d9903abea62d426d6816bac29

SHA1
01b34ccfb72bb5972b515c4e0e735a5b61a56424

SHA256
e48e51d7d5feea23e98c6eec315d79cbe34fec6be36251bbfa17276d9d41c1b6

SHA512
d5e73cd3499f16ff2c7b289bf8c710ae63354a8a97bd3b6d6c02d02bb71e3eebd1e712b109d2a2e12a5d05ccbf3ea45a590ca9f480b395c117dec008aaef8a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwQI.exe
Filesize
202KB

MD5
86b98e88916ecf9414db87fc66bec710

SHA1
8eb4d3186c5985cfd58193746a1d68831d551fa9

SHA256
92d0e9f36290c6613fd05e9e3f88f1b0837d39c49a6323d5686822ee7e498ecb

SHA512
fda378d38c99136d9bcaf037b17b037842b9b5c6fb576be97aaa9753ef4f08a52fb62739070ef5a83e22a82b1f2d8dd86153131f6df4bacddc090b6d19cbb79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMkM.exe
Filesize
789KB

MD5
2a5425fa774c2f066732a72a1b3383e0

SHA1
9d227640c85cfad91465898e913dedc324641052

SHA256
4af45be09546b64138ef6f282a6132303ab6359c8c24cde3b4a1936d3c347258

SHA512
3612d47bc9da99779197c3c9e3653ab9b1ba90540ee7260373b88b6cbffa54a7b979f64e8d65f17fdcd5ff043a40901fb78e378346f1b9777eea18f46f55302e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQQY.exe
Filesize
428KB

MD5
91cac28b544d8c60fa7b2eaa455982f4

SHA1
86eacde3e6804562f84df8744e9263eca24b3873

SHA256
82d667b2288301584b36a96dc907447cacb01e1536f8cac3b272efb14af71365

SHA512
3214bcf0bf7949bdbee598f17523508c5f80e406339a2777ca2ec4af0a9735baee8a6e8a30858f8a4ea9d074ca10cf1bcd4d4db9896aa57f9f0d2cb4975f3f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYQm.exe
Filesize
795KB

MD5
2d91ad04985b7fc251053327b8a9c8cc

SHA1
2f335d2077f7de8bbf6f9bbe4c0c50ffac794ad1

SHA256
d8bfeef8a6adf82cd0ab8fe30ae327e7e7a3c8500716b91f58f7ffb795a46a8a

SHA512
667131447d1be2cd7619d6c70bee3863c45eaae67adc3f63e6f7cbbf5940c72b14061d52397dfc3cb85d3a6169ea62300925a2efd41fb1e1df78ced10b801790

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycIM.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycQK.exe
Filesize
223KB

MD5
fbcb79abe98a4bb6abb2b64bf030bb36

SHA1
55d3ea2b951a1adca4aedc7e248f3a74aff66cee

SHA256
e84c8117651b809d91b72c0f3ad5354becccccd661bba0ddfdb24796cd89ec4e

SHA512
c526e5495d2e8fe5c37e85f531cfc6114273780510ab82b336a92760dfa1675019bed8dd70aee0f385fa1e1a822306344a4a4094a39be9e529a65d7d594f1d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygkK.exe
Filesize
5.9MB

MD5
dfc5ee7f3ceb37082bcdee83b8ae639b

SHA1
21f16a5a20d061f80708b3bc51b082a4fb8f3958

SHA256
7927a9df4a2f6e4749cac12e8925189b035d7fac603e7328ff130d90bd1af2ed

SHA512
1c3cb6d681289aee3c2bf2acdb71c4c472438e961af973d088a9701eed657ccfcbc0863eabf4413c5ac056df555d943ed3b726bad2a5d21a2a1199560d402827

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykMQ.exe
Filesize
195KB

MD5
040e39984497f5ce7020390091485534

SHA1
51574d9d1be1fad8ba39eea7be2457a477ff2f13

SHA256
98095643a9d12bbf0e9f2ff9f3adb223bfc53a28ac041754956434f745a58262

SHA512
6a74431c50c82abac399577eba34b29c62aa632c65c0b40a9fdbe300e55b0042602e9ebe88135d4414c446a3b07135483806014bae2183086b05043578aac516

Download Submit
C:\Users\Admin\AppData\Roaming\GroupRead.wma.exe
Filesize
780KB

MD5
9a6068eaa3ff9b8699a1481e6f211b4d

SHA1
0001d3cacf1bf37f43190af66e06c8516a27e3c3

SHA256
884a5f4c686c01bc8f9da36985bc1fa2b086473f7d800b6a644697dfd0f366ca

SHA512
6931a97ecd22bd065ce35cdb8c81ed066e5e180cfd77318fc80f16b0ea73c2a782d55cdd89a35605140a44b5a56fcc8f58f03a40612133bb742e980353c5be9f

Download Submit
C:\Users\Admin\Music\GetDisconnect.xls.exe
Filesize
365KB

MD5
49dfaae3efe14d92deb18bd46b940141

SHA1
3d51fbb07f65d63de9cc5b4714f459a4acfd51f9

SHA256
ee2998961bb6450529ca9d58c565da543c0e1e3a175a346bef0311dd02c5fdba

SHA512
f574ea788704a14efbd5012fee941d87183b7f3237e95b26c8d2fe42cb3c035e4c95dd814e2370fac8911466bb0ad7756a1bbba13df9cb74dfc097ee3dc5db0a

Download Submit
C:\Users\Admin\Music\RemoveClose.png.exe
Filesize
351KB

MD5
48baec512ffb6507929f1b47407ec2e6

SHA1
8b4705817c78e4a02bd462950d59436a2584f383

SHA256
402dd09612bb43c0e71d9dc795005b28a7ff60ee45529a434229db44f7d43d2e

SHA512
d766662c4e4bf81f6b3b2a4e66f7d37f2f8c412d71f80cc96a2a59c0eecde924891f5f1eb00c52971294d4857219a7ba6981d01fbc7cce104e00cc01af4b61c1

Download Submit
C:\Users\Admin\wuYksgIE\yWMsoAEc.exe
Filesize
191KB

MD5
afb6e891cfe561c39b3054f876e92637

SHA1
e66c2890fb62aee86d18a29f3de7fe45c5a187ce

SHA256
42f9b8d0fe026bcee17684d8cea5c8dc243d09761fd4761bb05e7d134657a455

SHA512
110c989fc3c198cf7fe0bf29bd76098ba7a3fc31c096d14c3f0db82c23692ea829aa9dea3f671d7ec8213cb1ff2ee578647beb806cc0f74588760fd43be36e65

Download Submit
memory/64-290-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/64-305-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/452-349-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/544-449-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/544-441-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/776-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/776-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1012-420-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1408-543-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1528-204-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1528-188-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1632-479-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1632-470-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1632-506-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1632-515-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1692-142-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-241-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-253-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1856-294-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1856-281-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2116-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2336-200-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2336-218-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-276-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-264-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2676-330-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2676-366-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2820-83-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2820-67-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2824-421-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2824-430-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2844-116-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2844-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2984-151-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2984-301-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2984-313-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2984-169-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3000-539-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3000-552-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3044-102-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3044-120-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3044-57-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3044-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3112-106-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3192-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3192-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3208-240-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3232-507-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3232-496-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3308-376-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3308-365-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3308-340-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3308-326-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3480-192-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3676-249-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3676-267-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3676-460-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3676-469-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3680-155-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3680-145-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3704-345-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3704-357-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3756-578-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3904-403-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4024-569-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4072-384-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4120-579-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4144-180-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4144-214-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4144-229-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4144-165-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4260-520-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4260-532-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4260-285-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4260-273-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4312-450-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4312-458-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4424-321-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4536-524-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4536-560-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4536-551-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4592-478-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4592-487-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4728-495-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4772-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4796-385-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4796-393-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4872-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4904-404-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4904-412-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4956-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4956-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-429-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-440-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4988-94-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4988-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download