d067c9715106133877f2259a391af73fbd65340d78c6d62af6aa4272fed0478e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
Size

207KB
MD5

e3c42193dded9876352767a756e25772
SHA1

cfb23b31cc2955f593c4ed45a796ea0fb29977cf
SHA256

d067c9715106133877f2259a391af73fbd65340d78c6d62af6aa4272fed0478e
SHA512

5698e7ef79ab7accf21eaf940f9fb846df7b2ae6e86fb26595b9319addccc150a9343e0328fab37b9ef0f3e9ddf51fb7e7ed60431a9736f9368b314e4ab03a10
SSDEEP

3072:9plXxnpZtSqnxbRAHazBjDxAm+NuM2qqk5lt9B+mL/Q5CoW1lDeeXw:zlXxnftrLA6zBjDxGNmwltXJ/Q5obZA

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Renames multiple (74) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UccoUEYQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	UccoUEYQ.exe

Executes dropped EXE 2 IoCs

Processes:

bawwcQkU.exeUccoUEYQ.exe

pid process

4472 bawwcQkU.exe
1192 UccoUEYQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4472	bawwcQkU.exe
1192	UccoUEYQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-24_e3c42193dded9876352767a756e25772_virlock.exeUccoUEYQ.exebawwcQkU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bawwcQkU.exe = "C:\\Users\\Admin\\SaggkMgk\\bawwcQkU.exe"	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UccoUEYQ.exe = "C:\\ProgramData\\pQkwUAQc\\UccoUEYQ.exe"	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UccoUEYQ.exe = "C:\\ProgramData\\pQkwUAQc\\UccoUEYQ.exe"	UccoUEYQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bawwcQkU.exe = "C:\\Users\\Admin\\SaggkMgk\\bawwcQkU.exe"	bawwcQkU.exe

Drops file in System32 directory 2 IoCs

Processes:

UccoUEYQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	UccoUEYQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	UccoUEYQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4868	reg.exe
1320	reg.exe
4968	reg.exe
408	reg.exe
220	reg.exe
392	reg.exe
1308	reg.exe
2784	reg.exe
1552	reg.exe
5044
3492
3092	reg.exe
992	reg.exe
1320	reg.exe
1180	reg.exe
2268	reg.exe
636	reg.exe
4596	reg.exe
208	reg.exe
3324	reg.exe
1604	reg.exe
5052	reg.exe
4608	reg.exe
2024	reg.exe
5116	reg.exe
2320	reg.exe
4960	reg.exe
2948	reg.exe
4908	reg.exe
2108	reg.exe
3648	reg.exe
5008	reg.exe
2220	reg.exe
2100	reg.exe
2268
2260	reg.exe
3532	reg.exe
2700	reg.exe
5064	reg.exe
392	reg.exe
4820	reg.exe
3420	reg.exe
3644
3360	reg.exe
1320	reg.exe
3544	reg.exe
4912	reg.exe
408	reg.exe
2116	reg.exe
4896	reg.exe
3576	reg.exe
4880	reg.exe
2584	reg.exe
1680	reg.exe
3880	reg.exe
372	reg.exe
3324	reg.exe
440
1920	reg.exe
3332	reg.exe
980	reg.exe
1032	reg.exe
3484	reg.exe
4328	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe

pid	process
4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
3524	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
3524	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
3524	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
3524	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4896	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4896	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4896	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4896	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4604	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4604	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4604	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4604	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2920	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2920	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2920	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2920	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4660	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4660	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4660	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4660	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4880	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4880	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4880	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4880	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2616	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2616	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2616	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
2616	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
1436	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
1436	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
1436	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
1436	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4100	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4100	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4100	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4100	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
220	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
220	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
220	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
220	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
3788	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
3788	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
3788	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
3788	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
1084	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
1084	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
1084	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
1084	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4060	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4060	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4060	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
4060	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UccoUEYQ.exe

pid process

1192 UccoUEYQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

UccoUEYQ.exe

pid	process
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe
1192	UccoUEYQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_e3c42193dded9876352767a756e25772_virlock.execmd.execmd.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.execmd.execmd.exe2024-05-24_e3c42193dded9876352767a756e25772_virlock.execmd.exe

description	pid	process	target process
PID 4288 wrote to memory of 4472	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	bawwcQkU.exe
PID 4288 wrote to memory of 4472	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	bawwcQkU.exe
PID 4288 wrote to memory of 4472	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	bawwcQkU.exe
PID 4288 wrote to memory of 1192	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	UccoUEYQ.exe
PID 4288 wrote to memory of 1192	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	UccoUEYQ.exe
PID 4288 wrote to memory of 1192	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	UccoUEYQ.exe
PID 4288 wrote to memory of 5044	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 4288 wrote to memory of 5044	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 4288 wrote to memory of 5044	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 5044 wrote to memory of 4540	5044	cmd.exe	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
PID 5044 wrote to memory of 4540	5044	cmd.exe	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
PID 5044 wrote to memory of 4540	5044	cmd.exe	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
PID 4288 wrote to memory of 440	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4288 wrote to memory of 440	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4288 wrote to memory of 440	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4288 wrote to memory of 4820	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4288 wrote to memory of 4820	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4288 wrote to memory of 4820	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4288 wrote to memory of 5004	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4288 wrote to memory of 5004	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4288 wrote to memory of 5004	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4288 wrote to memory of 4612	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 4288 wrote to memory of 4612	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 4288 wrote to memory of 4612	4288	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 4612 wrote to memory of 1448	4612	cmd.exe	cscript.exe
PID 4612 wrote to memory of 1448	4612	cmd.exe	cscript.exe
PID 4612 wrote to memory of 1448	4612	cmd.exe	cscript.exe
PID 4540 wrote to memory of 3144	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 4540 wrote to memory of 3144	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 4540 wrote to memory of 3144	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 3144 wrote to memory of 2860	3144	cmd.exe	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
PID 3144 wrote to memory of 2860	3144	cmd.exe	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
PID 3144 wrote to memory of 2860	3144	cmd.exe	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
PID 4540 wrote to memory of 3660	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4540 wrote to memory of 3660	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4540 wrote to memory of 3660	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4540 wrote to memory of 4688	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4540 wrote to memory of 4688	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4540 wrote to memory of 4688	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4540 wrote to memory of 1948	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4540 wrote to memory of 1948	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4540 wrote to memory of 1948	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 4540 wrote to memory of 3064	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 4540 wrote to memory of 3064	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 4540 wrote to memory of 3064	4540	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 3064 wrote to memory of 2876	3064	cmd.exe	cscript.exe
PID 3064 wrote to memory of 2876	3064	cmd.exe	cscript.exe
PID 3064 wrote to memory of 2876	3064	cmd.exe	cscript.exe
PID 2860 wrote to memory of 4856	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 2860 wrote to memory of 4856	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 2860 wrote to memory of 4856	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe
PID 4856 wrote to memory of 3524	4856	cmd.exe	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
PID 4856 wrote to memory of 3524	4856	cmd.exe	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
PID 4856 wrote to memory of 3524	4856	cmd.exe	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
PID 2860 wrote to memory of 220	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 2860 wrote to memory of 220	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 2860 wrote to memory of 220	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 2860 wrote to memory of 768	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 2860 wrote to memory of 768	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 2860 wrote to memory of 768	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 2860 wrote to memory of 1612	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 2860 wrote to memory of 1612	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 2860 wrote to memory of 1612	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	reg.exe
PID 2860 wrote to memory of 4692	2860	2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\SaggkMgk\bawwcQkU.exe
"C:\Users\Admin\SaggkMgk\bawwcQkU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4472

C:\ProgramData\pQkwUAQc\UccoUEYQ.exe
"C:\ProgramData\pQkwUAQc\UccoUEYQ.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
8⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
10⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
12⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
14⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
16⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
18⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
20⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
22⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
24⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
26⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
28⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
30⤵
PID:1380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
32⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
33⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
34⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
35⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
36⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
37⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
38⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
39⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
40⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
41⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
42⤵
PID:1540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
43⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
44⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
45⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
46⤵
PID:408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
47⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
48⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
49⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
50⤵
PID:2676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
51⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
52⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
53⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
54⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
55⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
56⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
57⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
58⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
59⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
60⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
61⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
62⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
63⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
64⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
65⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
66⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
67⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
68⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
69⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
70⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
71⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
72⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
73⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
74⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
75⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
76⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
77⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
78⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
79⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
80⤵
PID:1796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
81⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
82⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
83⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
84⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
85⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
86⤵
PID:3936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
87⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
88⤵
PID:2352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
89⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
90⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
91⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
92⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
93⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
94⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
95⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
96⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
97⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
98⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
99⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
100⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
101⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
102⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
103⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
104⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
105⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
106⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
107⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
108⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
109⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
110⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
111⤵
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
112⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
113⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
114⤵
PID:4028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
115⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
116⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
117⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
118⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
119⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
120⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
121⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
122⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
123⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
124⤵
PID:928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
125⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
126⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
127⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
128⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
129⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
130⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
131⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
132⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
133⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
134⤵
PID:2584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
135⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
136⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
137⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
138⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
139⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
140⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
141⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
142⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
143⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
144⤵
PID:892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
145⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
146⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
147⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
148⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
149⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
150⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
151⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
152⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
153⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
154⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
155⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
156⤵
PID:3532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
157⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
158⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
159⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
160⤵
PID:3632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
161⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
162⤵
PID:452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
163⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
164⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
165⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
166⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
167⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
168⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
169⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
170⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
171⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
172⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
173⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
174⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
175⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
176⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
177⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
178⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
179⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
180⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
181⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
182⤵
PID:3320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
183⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
184⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
185⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
186⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
187⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
188⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
189⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
190⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
191⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
192⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
193⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
194⤵
PID:892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
195⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
196⤵
PID:3504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
197⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
198⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
199⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
200⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
201⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
202⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
203⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
204⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
205⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
206⤵
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
207⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
208⤵
PID:3208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
209⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
210⤵
PID:3420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
211⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
212⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
213⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
214⤵
PID:4724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
215⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
216⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
217⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
218⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
219⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
220⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
221⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
222⤵
PID:4288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
223⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
224⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
225⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
226⤵
PID:4892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
227⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
228⤵
PID:4340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
229⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
230⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
231⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
232⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
233⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
234⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
235⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
236⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
237⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
238⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
239⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
240⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
241⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
242⤵
PID:4288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
243⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
244⤵
PID:4416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
245⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
246⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
247⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
248⤵
PID:4144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
249⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
250⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
251⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
252⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
253⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
254⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
255⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
256⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
257⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
258⤵
PID:3696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
259⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock"
260⤵
PID:3880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
- Modifies visibility of file extensions in Explorer
PID:4740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:3516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
- UAC bypass
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAEcYoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
260⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- Modifies registry key
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiUYMEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
258⤵
PID:4420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQIQccIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
256⤵
PID:992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies registry key
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWYkkMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
254⤵
PID:1140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
- Modifies registry key
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWUgAQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
252⤵
PID:1400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:3236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeQIYAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
250⤵
PID:4756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:3268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies registry key
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymEMkgsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
248⤵
PID:1508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcYwUQYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
246⤵
PID:1352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMYsgYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
244⤵
PID:3064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:3516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYUYQgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
242⤵
PID:4408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:2992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwowcIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
240⤵
PID:3848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyEwoMYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
238⤵
PID:392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKMwoMIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
236⤵
PID:3544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSMswwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
234⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksAkkMQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
232⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:3236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYwcskwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
230⤵
PID:4924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:2680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:2920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyIcEQEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
228⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buUUkMQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
226⤵
PID:992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMgwcokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
224⤵
PID:1436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAYgoUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
222⤵
PID:2788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCoEIkMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
220⤵
PID:3092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies registry key
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEgAUoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
218⤵
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:3484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- Modifies registry key
PID:4968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pykAAcwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
216⤵
PID:4616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:3180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWsYYkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
214⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies registry key
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
- Modifies registry key
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zegscQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
212⤵
PID:1424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIAIAMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
210⤵
PID:1208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGUkYQMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
208⤵
PID:4760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaIUYwwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
206⤵
PID:2964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:4740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:1880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:1360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:3164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEMIAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
204⤵
PID:348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:1920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgQQcYck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
202⤵
PID:4416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:4456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FukoskYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
200⤵
PID:3648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- Modifies registry key
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKUIcMso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
198⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkgYQYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
196⤵
PID:2680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCwssEYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
194⤵
PID:5052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meAYYgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
192⤵
PID:4704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqEMQoMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
190⤵
PID:2788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQAokYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
188⤵
PID:4456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
- Modifies registry key
PID:636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEUAIkMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
186⤵
PID:2948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
- Modifies registry key
PID:2260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcgUQYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
184⤵
PID:3264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
- Modifies registry key
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUAUwwYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
182⤵
PID:4932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
- Modifies registry key
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeEsoscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
180⤵
PID:848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAgEgwcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
178⤵
PID:3376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:3164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies registry key
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImIIQIko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
176⤵
PID:1980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
- Modifies registry key
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
- Modifies registry key
PID:3648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOgwsgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
174⤵
PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
- Modifies registry key
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmQkQkoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
172⤵
PID:628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
- Modifies registry key
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyAUsgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
170⤵
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIYYgYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
168⤵
PID:1688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies registry key
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOogkQwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
166⤵
PID:1552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqoIIQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
164⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEAMMkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
162⤵
PID:3792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies registry key
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
- Modifies registry key
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iucAIAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
160⤵
PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:4060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyQMUMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
158⤵
PID:3604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies registry key
PID:2584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:2268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEEgwUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
156⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LycwgoYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
154⤵
PID:3600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkkIIMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
152⤵
PID:5024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:3224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAAQEIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
150⤵
PID:2680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:4908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAYcAwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
148⤵
PID:3164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zggkIQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
146⤵
PID:4708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joMMocAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
144⤵
PID:3532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:2100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twAIgIwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
142⤵
PID:1412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKockIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
140⤵
PID:4672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies registry key
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqgkEYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
138⤵
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:3916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkkYAYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
136⤵
PID:4708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaEYYAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
134⤵
PID:4604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMoAwAoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
132⤵
PID:720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKIgEIkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
130⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:3600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUkYAgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
128⤵
PID:2784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WukEccwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
126⤵
PID:3512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:2280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwUAsIAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
124⤵
PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
- Modifies registry key
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- Modifies registry key
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieEsMcYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
122⤵
PID:2760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:4756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSsQcwYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
120⤵
PID:2928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- Modifies registry key
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgcYEQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
118⤵
PID:4604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:4240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies registry key
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DusMAoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
116⤵
PID:852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:5052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:1320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcQIAkEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
114⤵
PID:5012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KygcUAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
112⤵
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies registry key
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYcYEMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
110⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmIUkAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
108⤵
PID:3288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwkMwIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
106⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:3384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngYwkMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
104⤵
PID:4364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:3544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- Modifies registry key
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYswQggI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
102⤵
PID:5052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:3532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQUwgoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
100⤵
PID:636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgkwQwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
98⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeUYYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
96⤵
PID:3776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIQcQkcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
94⤵
PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aagMcEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
92⤵
PID:216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIgUgAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
90⤵
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAwgYocg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
88⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:4328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWcIkYoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
86⤵
PID:3280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYQgQQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
84⤵
PID:1112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqIEYsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
82⤵
PID:720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIYAQgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
80⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGAwEgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
78⤵
PID:3112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoQAYsQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
76⤵
PID:4732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMIwMwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
74⤵
PID:4576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:1540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYIAkYMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
72⤵
PID:2140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:1604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUkwcMkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
70⤵
PID:3224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGQkoMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
68⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies registry key
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MawoIYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
66⤵
PID:2240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:3544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqgIcMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
64⤵
PID:2760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:2700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geEcQYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
62⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWEcocws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
60⤵
PID:4692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQEMgAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
58⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkMQAskU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
56⤵
PID:4928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies registry key
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:2232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jswUMEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
54⤵
PID:5056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:2272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmkIcIoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
52⤵
PID:2944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUIMggYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
50⤵
PID:4132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEocIYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
48⤵
PID:1560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:1680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQgEcUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
46⤵
PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOYYckkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
44⤵
PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:3252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TowsIoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
42⤵
PID:4668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoAgQAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
40⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:3512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruAMkIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
38⤵
PID:3384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWcMIwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
36⤵
PID:3392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAoYoAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
34⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoUMckYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
32⤵
PID:4340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAYoowwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
30⤵
PID:4636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- Modifies registry key
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCsAUIcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
28⤵
PID:4112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joUEYMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
26⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEUQgoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
24⤵
PID:4660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies registry key
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWcAIYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
22⤵
PID:2220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSAcwskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
20⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqccEcoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
18⤵
PID:3200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEIsQUYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
16⤵
PID:688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUMYIkMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
14⤵
PID:5024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duwsEEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
12⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
- Modifies registry key
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEgMkEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
10⤵
PID:3812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIIMoQQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
8⤵
PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQMAEcIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
6⤵
PID:4692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smcswwgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcoQswsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3952

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2464

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1284

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2064

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv nuqaszRJs0KGNNDU7RY2vA.0.2
1⤵
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
321KB

MD5
24f3bf007c4f9dae81b5c817112a510e

SHA1
fca25adb4856fd9ea2584dfd8c33363447d57b5a

SHA256
4c701c2be2e39630e1f4600eda1e828e73dd2427275757eba80723678a4c8366

SHA512
32b40c91957cda2bafb7f099314896cc5a377157872fbed3d835c708dff57575c059b26872a300d76af9d85d61926c1519d3d2b944e1f3eee247b95e91a7bae9

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
221KB

MD5
a31c5f7a80a41a2ad7842331043cc624

SHA1
972189a3325a7919c49b3651fb075df45b1f5e25

SHA256
d43335c2b82eab2b7872436c1d566bd8da241acc6692add04eccfbcccd772566

SHA512
2989f3cebe95ca5a600bc03d83a5cc57b19145f10277ce77d942468da901e6a0cf4b407045613f2a1b4dc284d3f0d9c228c6be685c5e9e0b8a402aea6246ee32

Download Submit
C:\ProgramData\pQkwUAQc\UccoUEYQ.exe
Filesize
182KB

MD5
83a838850d6626a2930af1f44fff726e

SHA1
d3579e9bb732079f9e18a9bc2bcc704a8cde6348

SHA256
453330dd17cd569d9dca2cf618c5ce2fd33fc21f68be83784dbc16d08a5c5574

SHA512
278691760c51e94d30af83a598866ef112c4031ba0471b1c77af118d3234a6c32559967a75e109b71b71d083a8ba8fbef23f870cb52b484ec1ee5bdccb1d7853

Download Submit
C:\ProgramData\pQkwUAQc\UccoUEYQ.inf
Filesize
4B

MD5
a64e007eaaa8c2651e6681d654915d43

SHA1
e9adae35a4fc5db0ac12e6b7b37d407eb9ed00f6

SHA256
dd0160fc38cf79e37f19f32c4a17972f687aeb714a99b3e364b3d1216dd66bd8

SHA512
dd1438548616ec0f7064b84997e543fd763518a7c67df7db320ad9aaa5141f28283302aeb0db2beda1639f19ea5133214b4487d1cf8e8e5930e7b2f1f83c8f57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe
Filesize
193KB

MD5
c93292016b9109dbc9b5453142ce2271

SHA1
076fe42ab430781148ef6d564c3bf4342db30caa

SHA256
f846623c096455fdb74becd300ff4264c70958e4f3457d30c113bb65fa1fdc30

SHA512
30940316fc599042f55f96dbc62e77ee93bc85806d04159b2f49eb891d21201bfeff37588c06af2a681a3cc3f3de3f7a26ec68ef6d334c4811e5861343332557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe
Filesize
194KB

MD5
1276d5ad5fb79d1158f63ca3c1a0c6ff

SHA1
c53caf9d06d0f86d28eaaf3d4d89cae9abea9034

SHA256
2f203161b860cfa961b9b3de3b33dd606687a081c20ab7fd622aa92ead04d7f9

SHA512
97cfae432f8023a3cfeaf28b4d25120932489ac3e669732aca0dda9ef6139f995bcd2998b8aa25135035061d50b9504c7a31baea377a23c0e1d2044f3ae9d397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
Filesize
190KB

MD5
9504afe85e6be87ec4d6a1b9e72675d5

SHA1
a4edaeca0c9c25b1e55981c00dd3b5b3fe13068f

SHA256
540ff9ae0a8520b05024c73442c547d9058cfcbf83b485db266a0af846b31cbb

SHA512
7a93c43d0ec0580cb5e80e12357883dd9e1843ed9eae8af5f77b2ace885753589f82a6a3c4f335bf56afb10ae755f643e562208a93c14e128072d8aa87cafca0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
Filesize
204KB

MD5
7cf97305ba235c57e6a98837665c0049

SHA1
14a284fa0d8b8f2bfb4dea3d209a026a9d913a4e

SHA256
91854b7f262166f0ab48988e9a25bfd38c0f292270259ea3339916e9464f46b9

SHA512
e53c95c079d3e8c90b358033fdd9e34b47d57ee8ee5b04b579a98b5f608dfd528310d07b88cd9b84523008a8d311c3c1d9d0fe21bb53e4fb0e5c0f51840ba5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_e3c42193dded9876352767a756e25772_virlock
Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIM.exe
Filesize
220KB

MD5
87c90b47e21e9188755db8eb5aa21aa3

SHA1
dd1e236e6a135bf3acfa151022212fcf0f29f2c8

SHA256
5ccace5052fcc0d406f86d8d1713a45b48393d0374e70c4b97464cd606822056

SHA512
70338dadad6d3356967e80046232ffeec960e7d5d29bcd8e04f1370a7f9f0e5ffb72657d9f38122d991f7e7dbf67ca8d42f4f729fdbe3c9197362a7efb844554

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEQo.exe
Filesize
186KB

MD5
7a3d036e98c80add373e4e8ac554f2ba

SHA1
9a7d28701e54600021b8f641d6c59ad3532b2a91

SHA256
87f5c62a9376763117fa95056149ba0529fffa943ad3bc05e91e40568c6a2f56

SHA512
71a2b87350c580811ff3c70ad403008068df3b7bfb3a5f5b914d16b0f1d07d0d67f4a8f7f80d6645ae6804caaf18c26df24daa19662dd17baacc0848937e2c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkkA.exe
Filesize
198KB

MD5
ef8680f282fae4be97a7fbdd9c875930

SHA1
254ed0b3c8ddc4dd487754abb4c9e87d52320496

SHA256
0c8f615eb6570e95ee288bb5bf2f0397ac3dd0a9ad7233c39392174b048abec2

SHA512
2dd6c2b2e73c4d17e38303f8fab78462afceae384d834a0dd81342440ff1d681623d7620193c5f495b72085f5dfbf1ad2f05a0ec82821d1f3ca02db87e8be81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoIG.exe
Filesize
196KB

MD5
8d091c2a5bbb26d1a4741bb40d4311a5

SHA1
c0be876dc1bca06a3321f975d879464e832f577e

SHA256
fc8aaeacf73debcba34efdfea5d1aa0c468b50fa4ba038579575202e2d19635c

SHA512
de7e2e164a14b5a5028c98825147cabaf2e723a8caaf113931572aa9e5d9a798913c0dd2e633e717c601e77448fc02bc1c7d7035c4bad301163a9f39697401d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsUw.exe
Filesize
642KB

MD5
b760bf1d34e28794453b5169c64a0ffa

SHA1
11e2c2ffd6769a2db6a7aafc2a52491356d3cd16

SHA256
3a5aa277658dfa3b699f2f9bab94c976f31c15587a36bc2b6283a90bcffaf16d

SHA512
f7083d4f448b03c87203fc5731bd92b967ca8b6468d7cadf0d5959e3f015290f8bf54091ec23da57dd3caae5cd8daeba093e99ad44626170eaafd7a103adf6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwQE.exe
Filesize
198KB

MD5
03a7025df9e2a55340e9b94f3a253af7

SHA1
359b9938d062a94009b49408bd9c7d688cdc736b

SHA256
7957d5419b0eaf2bb18e9afed70dea75c41ee768628be496a37673bc224fd584

SHA512
2feb7703d8a496cd23538360d9e87a25a8b1a89650add46d1f634481f6fa029a2c7a4205780792c6c19f4756024be244ed09cf1ceca339161dcb828c1347e0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEkU.exe
Filesize
187KB

MD5
3af423531f6faecf603a998c94104c1e

SHA1
d77908264d6ed3a2947f13b3541ccce63947eb92

SHA256
b71eb7ff34d549fb3af5117d9c680dbc9acac7542ce3ab5a15c964bce3883274

SHA512
4d7462cc673b05a19db7c029b8673b705d0bd4cdb20cf15e60d9e40706496c99d770a05ec0cc81333f62b94e16965795eb5fc2952fe9f48f3524f7fddca9fe7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEsy.exe
Filesize
905KB

MD5
1c2e4729c5a5f845bfde2d466a783ee9

SHA1
fe0d450f9214c30266417494196259f5b9aec9fc

SHA256
4a2b9908643ae863c49e87833ab48e472599616eacb98e9f107fed360d687cd9

SHA512
1dc5a8f8db03715e12454880a2dc4f2438d1f33ce30d99ef74fe240417517a86334a1b309c4651b6d6bc7d0ffb4124190e74060893e143b3e71ee9825ae42a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQUE.exe
Filesize
210KB

MD5
6b909c532c8e9ece268939d0966f9d2c

SHA1
9e63f7693186195b6c376535dffb350945fdf071

SHA256
700a868873f7b29a34a481051ff2f6c7a9d5f36503d22350fa5fc8faee737028

SHA512
ad96f8ecca8c5309dc6fb0b6f4fc49313f0bbc5bfabbf1ccc92007ebd1bf05bce2ce91c4ac0154bdb85ffbdc0eef06eef845462904f1fc7565c69e61ce54e2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgQu.exe
Filesize
205KB

MD5
38a7aba52575537430dacfcd1334c09f

SHA1
f746d0e0da7e4fe0dbec529ee4d407280bc1debe

SHA256
3df5c43d677b8f94c244d5de1a7af990cc0f05c6081eb5da8f34405e4b752255

SHA512
6f0d8034d1b8909419d1bfe6a7c86c8766656e97fba47b0227a2393f0581699a6f762b79792e7be316528465f11abcb963e4c7313881fd24472a25c5b875fed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsQU.exe
Filesize
801KB

MD5
aa7bc56dcb64eb1ec124a3d7d0b4d8f6

SHA1
8ed2f8f7f2097f9a3dbf3542ef1944171cd8af24

SHA256
99cedbbc62fec3f62d3af4c1c5e9c6a502f23c94c46e913caa26d75076535c39

SHA512
92d86efa71279d24f13c50cd9979f811817ec4ba674ff322bc213010a776569fad6958a7590136de3a979e5b92357dd532bd6ced6f230348848fe177d352bff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMwI.exe
Filesize
5.9MB

MD5
9f0b27cc3d21bebfb169ffa80078f4d8

SHA1
08a36980cf501306c26e4e6f469a6ee302a59f15

SHA256
bfb466e61fbca5a32c70fc5fcc336a31d198371ba4f42357624478becf459fd3

SHA512
66ddee004f326f8d03f1c61186cbe7051757bcbb4e3d6c9e63c558cdacae893afd7a9edca4ee6e415d328f9e1a2b6a34aeaf3002263bfea332aaa3d2bd28857a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYQc.exe
Filesize
195KB

MD5
187b950d4075ecef98443c8b87cc5603

SHA1
ff1fa0efd2dd7bd075a52f63ac0151fd7c1f5d70

SHA256
d8ff44093283ac16e682d548bee45715fc1d8597b257fd5288ae8292c029fe3f

SHA512
fc54d9165f71554f6e78dfde71b14b9c7556824ec6f415dd30d37071c89c45f51464957276d2e78ba53fb970baf8c011a7d3640005a9ab676c4b641c5a92f1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkEQ.exe
Filesize
193KB

MD5
f03bea9993beadac7fb16e03c660ab9a

SHA1
d92e066e48bce2aa838044f5d4f41f39b6503eea

SHA256
396ee6be89cf8e30cfeedde74f3336859cad370626664996a3f641e95ab365a2

SHA512
8cd30e6af355af61d335e8fe71ad4055785ca4feb5ed01074590aa65d83ab02402756d10fc46f32394adbcd312c587eb63e13ccbdd82ab53e0ed83561a97bbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkQG.exe
Filesize
191KB

MD5
be2b416b49a3b5796fdd97b7ae90d236

SHA1
c669665e27fc7237d974c5989b1aff352ca0b570

SHA256
a885f499429b27657870e0e505aa7bfaa656ab7bdd5cd2675c590d691185fdec

SHA512
570ca871b61914030dd5fcefd504ce04ee099f6f4e7c6d598252bd47089cdb38fc9fc609a516ebe5ed56d949fc9f5c5a423d25e5b48fed1d6de097a66070e558

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsEW.exe
Filesize
573KB

MD5
93e180bdb2537983a4778598906aa86b

SHA1
3da12996a7ee8d42e198b4712e051c0c0f39c064

SHA256
5039650fa6839749333389fdf4d99d297f8777cacb7880ec6f38b8fc7e0ee93a

SHA512
d31bc2c99005e7339a6011ef449519f16f514189d0cbc5a1f20497e799499d9d4d9a0479bca89131ac842664fad02fec67dccd37a1c5d24caf5d31beb5b134dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQsk.exe
Filesize
209KB

MD5
eb378a7cafcf332070fb69c2903ff9c1

SHA1
fc5afc19e1aed8b9500a823632ec751cf1f40a40

SHA256
3084af9cc0fca33b027ec49fd0c2cd852a9791fc263c0a8df600e1331fb5cb83

SHA512
b49f67823645d10e6f3d3a1a2e38f03d50ccf3ab88f96a7855c661963b695134c02d7c57f006c615af8acc830a344e457e43c7db00649fdf378cabe506805bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYgM.exe
Filesize
191KB

MD5
094e67ff79274964587eee94e46bb6df

SHA1
190c767c4f53f16748f587eb8b21eba6c58414f7

SHA256
bcb2539ba13b00f7dd4261f1d70bd1c88d493121fe352e92e91a741f872d2fb4

SHA512
db421fe4f7fd4008fa98aada4df50d8c458224f01acbca92237b8d212c3310b8c9550a716a710d6d6741cd0a140cac0aba5bf00c0076a735cf9f98ea55e10484

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwwu.exe
Filesize
199KB

MD5
d7be0053f5a4601bbb76713c888529a4

SHA1
2c6cf9dabc8f18e5fb84550252e24a409a6076f4

SHA256
83cf81a6c3a5d9a45324e9baa22766e2c8e03e9c968961fda75028416e17b5bc

SHA512
d0df5910e80b51b0c3e0ca030fa237b22118e2f3d3fb431c10a5e7a9f2a36bda5609114537af561d3c249a6c064cd05da6a05f4b7fabb5eb10c06462c045d75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYIW.exe
Filesize
557KB

MD5
b93fecfda59b2e743345fbe282efd2ff

SHA1
cb14d78b3b447ceda26c9a3b5a6ed80395251aa6

SHA256
e4c0bc63b15cf4e67a3a6659d0f0464b0681375497c2fb5fbde44d85c6ea91b0

SHA512
78cd65104d3253283772cde0930326803f7c63259982def37520a793b37652dab3a7f85638cf5652dbdbc6ce14f4109fe85d106463f38d0ab408131c6ae28ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkEm.exe
Filesize
806KB

MD5
04243ab020b9550be5c9fe66b9a83c1e

SHA1
83c76caebe9f7e0966fe2dbbc57bc729644fdd73

SHA256
8302768a071108ef360365d4434b4b7f0830c7eeaf70516d73c0fbdb347e5976

SHA512
54dbcd6bc1f85dd38b7b214368746bd8b42d647e300a207e22910f1de6a9769e0b878e34a8eb5997945a103dc57e93bda92e9aafa3b77e2dc183b25f0062ee9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAsi.exe
Filesize
824KB

MD5
4e80b21298191474a37401e3e7d12bac

SHA1
1976d63e3351ea1ce958d4d78508f7142e313dbd

SHA256
0aca86c48672269bd9fd435d3030e917cd738ad70f9b0a4f070d1da6edecf601

SHA512
356c1745300e5df30f7fc1901118298bbd3d0b883eb5b1e02b8b783a580c561e1b62347b1e85f648989a776d0270ed1d24253b6031b60b2507c0a004bc06ed9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcEC.exe
Filesize
240KB

MD5
5245d7e41d8f5b5ba65f9eccb6059e26

SHA1
d16bb0ce5c689821151de23abc27f1550d41de3f

SHA256
c28ce362475d8c4274d2ca7765ba57578c446c0b1cda053ea7d99eae032c3aac

SHA512
ebabcb9a72c9f3b56a022d6b63dc7f6d9c3d9e09b8da289a85720fdd5922d7be12e16dab747902b14c6490719eb19df88110c8d651491c76da069bb5fac67dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogoe.exe
Filesize
187KB

MD5
74ae06167058bfdda5514b40f9574a81

SHA1
2323ea2dbb7bbd9d636be6b7febba9709f0f7f4a

SHA256
7ba10cca6dfbc1285d12840969c2911cf2480c71715fe213acbc0970ef8195bf

SHA512
2a1f86765dcb890fe807a751d3793d972aa3e2ec4f42a0425acbc1f160895c4adb21be61c13f070d222b6f2835c88adb2ac1c3306e6e6494f00bc39f97385d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkEG.exe
Filesize
238KB

MD5
92f37edb8cdcc1d39935a735f551f4fc

SHA1
0bc8c653e5db3dc242728b2c9e271b3b53891e98

SHA256
b3a15d086794a8326525f70e20c2d3fa6c3e84af4216aeda49d9769b5e489de9

SHA512
73c740715ca3b634763c3f3f4609b39821d004cb1507e0dee88d59dc92207fdad50029289adf57227c7c9f7ea3fd2c9ee9e86dbbc82eeaa9488947af2b97dd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoYA.exe
Filesize
201KB

MD5
4a3a04ab634e0176a8d6ea10a1d716ce

SHA1
c7118f636fcb3a0a889e49326fa248662e9ac99d

SHA256
fbb5b883c776069677af4f9dc3b159a7c5476fbce7165fb57b7afbb16f2c18c8

SHA512
6d3eb158ab85a1e2d52fd3adaa767418cc10c48714905d1d0bcb3c14e28d0b2f7773b7f844969bcfee7ecb6e203010becfc60942142abd1593033c9c6aaadd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQYS.exe
Filesize
194KB

MD5
3b09e91a94cc957cfff85954bb48ecfe

SHA1
15723874e661842521fa0e6df21fa2cbcfe63f92

SHA256
5e602ffddc5ef8c42e20262d83975336249e0d79d3eea425aace12b2edcaa781

SHA512
6e8d0b12a52613da76fe9c04b269ef399e40f1e30fbac27b7eda6ec1fedace01627f0e52ed1a8b1404340d62504b2634c3b3f1e42740074d6f8fe95722eebf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUMc.exe
Filesize
194KB

MD5
5a06011cff88951a65c171f10c4db94b

SHA1
702ebd22d9ecb106d5d24a7ad1d5a90a692e7380

SHA256
52a1ce8321d7e792922849870ae2523eab44b4f611401f427c86dce0fa96db07

SHA512
87a0da3d76d0be1ff916b228d93956bb6ace615eea125d1ce3e764f6eafa308a7540692445202f5beba28b7bbf5593ac20ee6764233d6cd36b13c7523a538abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUUO.exe
Filesize
202KB

MD5
366853a87e0ab69b1d2b48ab8059edc3

SHA1
8838e4c96c1ac5c005fa1a7a10cc501c9b07710f

SHA256
f594f9cba4413c300aefd9fdd4141cd0d91e5a119164e4d5a4e7fbfac7a1e3f9

SHA512
1950636a57bfeeccff40d7b13cd9755fcb8f8aea354364a41e310571331a78b9746aa7b1e8144f545e5c78a95713b1cbff3d5e5b95a312f268bfb77cd0375219

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYUu.exe
Filesize
5.9MB

MD5
7775b286f7e3e7c5954c3e6c5357fbcc

SHA1
d7ae9b5b5bd364250654bb6b220eb32ebfc39ab2

SHA256
b28618d0c491ccc9cd6c0ec474758384d55a3c431d7b0bbc2443c95d59e82235

SHA512
1886a937418fe10aa47bb9297e29e5d79aa8402531fac3fff076ba360dac496c8dc67967f3c498e98ed716be6896a8cba31ed134baff66275f01906eaa0856d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoMq.exe
Filesize
184KB

MD5
3c9da15d0195a9ceaef2edeaf14a0dbd

SHA1
d288e1e45a681c07e80bdc5ed6daf1ed2f15b608

SHA256
b4ffce3effd516667dac8277c73c87dcf743a980def658687161c8269be107be

SHA512
5c7ed6abd88144b0fd1bd47ad7ae8146be594c70f00cd9d9d583f7563f29cf15de31d6d2cddd1df8da9f89aa45e1c8479a8b6f8d36f0672c471c7132608a0384

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUES.exe
Filesize
190KB

MD5
5dfa459fe04e4e0d7b5d65a944c321a9

SHA1
879e467f729fe9490519e27872646719965c2f29

SHA256
760d051e2c4f807fee969385f4c5a1273919e4c34db814ace4053c79662c4acc

SHA512
62cfdb57181f512a7890765565423a44bd02f1b7dd402c7db669c3cd4e19a3d7d3738b6a6e86edcf2c117e4bb2fc21b3dd76258e04110a1eb471ca179d61cb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgoC.exe
Filesize
198KB

MD5
bcb6a0a38c6446ddcf114254ea996079

SHA1
97562eee655cc98eed26d2bfc58cb94f9e249557

SHA256
519680aa4a17a960f8b41f6ae94062eeb125456aa406eee421d24c83281fd90a

SHA512
a14e1e11de7f714807e3276f7fafd3c6fa6c83a3900b77611f0fbea1f190240608c385b7f764861931a0e9e2f5f67bc069bd3bad84c68e3a2f5c70a61bbccdc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgwm.exe
Filesize
183KB

MD5
4dc85de7b3d93e0265c977b98c02ce57

SHA1
b8f7c2e8d05de2bf15d4b0f7fe9e6e88556e7fa3

SHA256
83871ebeb5656aa67b96dbdc1501a5dd1c1e0cbb348480d36cef436220f68161

SHA512
de9410824b736592b3e9454be00503f7166d327ec8354eec74de6cd2e82d55f8c499d3d0ab120e1b2745ef53cd05c714400ca5e8bddff6c467a4f321ded3b329

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swcu.exe
Filesize
199KB

MD5
4ccd31205032792fd3281d31198406c7

SHA1
2985b3aca65071d5bbe97997083a59c7cc37e3e2

SHA256
8829c737645f47fc24183139210d1cbfd3b6b9d514df7a4f0d70a93c4072bf89

SHA512
30f52b3029186a3cd7b7bdc2e4466468ec53398c495e5709dc3603c11255d70ebdb2ffff4e25aba6a919354a4cdf43157766821802a902702e6119ae946a6080

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwgM.exe
Filesize
641KB

MD5
4a7da618d7cf991438717985f8e222fd

SHA1
3126ee5a1ab98dfdb2266f605ef5ea671a51cf6b

SHA256
6660e65ecb6e954adc3c013a6ecd05808c7523eaac4dda8c8c398852b577e502

SHA512
9a856bf38a0b0f35d828c686a841081a02bbf31c1c0a361019aa56d6636aa51620eb83a01af7bb2e823e607939f66e64aa9d906c1cdf9dd3f3282b302b60a894

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYUu.exe
Filesize
639KB

MD5
e45a15895ea113fbeceb0c656b3583e8

SHA1
123aed119029a63c2da23bf77a5db891ac605920

SHA256
7b16cfe634e53a759d0aa553a35d52803c7444df2780bf5718ff742c6da6bb50

SHA512
188911e614fa3a62a1783f7b16b3cd22e252e56b4df30e23bc7512630727b928f00273ebbea355b55ea48f9ec5fd8d271664d8cc80fbed09a1eb0961644e4ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYwi.exe
Filesize
971KB

MD5
3bccf3d08bac712522339ca8cd0a4597

SHA1
16dff77c41826f302baeff82c5d43e060ef1f4f9

SHA256
34470e8e93b4dc0e1f1a3d7dbba546f7a61285f24198ccbc91131fa28c78bef5

SHA512
624dc95705e5a1188a1340dccfd8bef48d096250d0c0c0c868939e3af7c3fc483f7c74d23940ed485cab0c2f07da3255afd33f40cc2fb749ea1caa1199cad303

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgEc.exe
Filesize
205KB

MD5
7b44741ce7aea5ceecec745bb6acba32

SHA1
f42260a6fed291b597dea6fb591f012be48b5faa

SHA256
0a492ddbeabd5a8464fda547d5ee111dc521effe2eb4465b99e5b98351535083

SHA512
74db14c7de7a6947ad524fc7fbc61fbe49f2cda8b57892ffeb1c79168101f800e83f68d8788419d33b0e1f607f38d2a1c264eae977b373c9549b1025befa5740

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgkC.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\UosG.exe
Filesize
208KB

MD5
42f0c40ed418f704a7fd2dcb18764e4e

SHA1
5adc1d517b0b1c4ccf953e76008007ec3f6d7888

SHA256
b897159c52a9d7763209e704b655eef8cb6d20a03d211c5ff21a8c72cd8115ba

SHA512
fc5adbe622d50c8fd9798ab3f6fc69ed6ef42ca1023062a0ac5fe32eaeedaa307e43af2f62f6a0958f1a62db771b752b6c757a3789ef42d0f0897c4fcb6fef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uowq.exe
Filesize
188KB

MD5
b295fee453e6295bf1c28c189a772536

SHA1
90958d819158ed47fd1c0943ccc327fda6df2e63

SHA256
40ea0b51c6cc50f3d1068c212ea1583a4753f841fc7503709bb6ed65ac556549

SHA512
635cec7167b5a904e5df30edd1d0454fd89c90f761c1a87bde79065ff2f9e47df2c92b9357769075344c25ca7fe29ba0c14737b566027669a964d3553d73f6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usgo.exe
Filesize
189KB

MD5
49cef777b72cfd5822bb6e4fd2fec7b0

SHA1
5d3296bd60f881a511925b370c96ad5f0d603800

SHA256
41e89fdef7212da9065b453d1d73b70e9f74dd16bdd88cd3ce6433b9d22d155f

SHA512
2c18bcd3434de6d317b461c78e79415969fbbd0a6b28cfd3e3405adea791c964a0deeb1d36cd68e5f147e02b96870e755bf0010424141b32a1005204f1b26ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMEw.exe
Filesize
187KB

MD5
be433df10e2b23fc19b0b299cdf15560

SHA1
c22812d3729e63a57e5d7bd8a0c7bf0bb0f65058

SHA256
af9cfc0830cac351b1d25e1879a3819ae063000938d21ca81cf8dbbd8bf7366a

SHA512
b8b68ce234df4d5951673bcc748eaa8c7d19b8098397d11ed7451d4bcc3a6eb81e69ded59a29b3f7a7bcfe2530ba5e5d7ef781d8d755152cbc74b44623139b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsUC.exe
Filesize
701KB

MD5
8a3ab3c81b2d6193d7afea6b7d13a897

SHA1
20c8af888f770f41b9182ecfb7b174ce4936d1a7

SHA256
74f7c7a0c5bf7c2656e03c2f4df4b831566769dce1f34d96e9815f96263e3698

SHA512
8d65afb0f9e846546a5375d0806f1e0a97a1e8ec12962cff2efd7e8dd430e6cb872c7ff8a26fe2de9d27e65b947a03374d98f9acc7e48fab8a427ed836c3542c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIIs.exe
Filesize
187KB

MD5
b91264102ceee227af4a3c1500b70f2d

SHA1
3cc6425dd5a284adada17bc044e6c2abb2dd15f4

SHA256
c05a545d5a67de1bee9c8be1fedbdc88ba660b9323d7852c6993bd843f776db9

SHA512
e3b791f1660831b854e8b5aa0dac752a770d31abe8cb184b2ea1f90d44d7befd8b28b1b9a02333a75de2ff5260c7df29122dc9d1cc478df2c6865dcaf948c505

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQEm.exe
Filesize
238KB

MD5
da968b10826caef77d9e18e780a035db

SHA1
1adbde5afebb2f878cf5bf93f4f920f6c52f2b25

SHA256
b928d70ac6d1023002477ce4b5a706bf3cc21704306cf649f79c6b8c11e1dd40

SHA512
b5deb78813894eea535234d3fca5d2a368fbd9aed45046eea06c30f560d531fff1d1db9441e15816f80eacd05eb4674c775011a90ccc4108bdbb04eef32d20ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQkq.exe
Filesize
431KB

MD5
8b7f70a253221294962279593ce9de03

SHA1
a7c6abe9186465bd987b1a4696f541e1d5a68165

SHA256
63c18a2d16a9cc66bf394677c13bed90d9e451c764894b5fc458b6d16c632ba9

SHA512
b70a70c39581f116e5606628e741e548d573d9aa8ae2abd915c72e45e756682a55a5296b4e6e49b59aaa1fca96e245940dfef17a996bfd3a51c40bbb3d82ee29

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAwg.exe
Filesize
214KB

MD5
c0427fcef4f0495b043d637612fa0a47

SHA1
c73cf1e114f102e6a1347770fb0921809d03fc0f

SHA256
9eacd5ae70642915cd81065ae05624a0dcbd5c7873e0b2778e9222e3c30d309f

SHA512
1e413d9725b7e097a2059fd39a094fa606891d28be3ae31647ba2ce2c7d4b8718026e894a9470457b3906b2c0d089f2a7cc4e13554ab817a5c0618ffbc242e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIwg.exe
Filesize
766KB

MD5
47370bd32a46d6ada23641b1db3cd8dc

SHA1
e14357483f4b0b80043a954edc85f2229bd4cd1f

SHA256
32d5b6775b7ec6bb0eaef7eda7e6acd5316a9136e80ce98b1dd9e100f188b4e5

SHA512
5cc7e484269dd2f78aef685d1ed2bfd9e094032a5d2ef91bc877eb9b4292818e283624943ae5812469a88dcb8ec5585d159025ddf35db485884045efec4438a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\acku.exe
Filesize
1.8MB

MD5
1b4752231bbd7a885d737bf3c4d8fd33

SHA1
3aede099294f57ae156d5345084778a046e08c14

SHA256
da01adda931ef5882e4b9ef0826d92ce4d112f883ad166ac9967b4271555e517

SHA512
ebf9e9f9375c230c80ed8165a1647bebd7a8a2cb152e5b210a018f901ba057f50c10c3885549b3e8384014709b638e2e55d8a6de7ac282bca88fd0640fc22e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\agQC.exe
Filesize
5.9MB

MD5
4ee3672281fe44fef914ad42d8c0120c

SHA1
e4261b72d2a3e2c5a061a0b1e80d79978c8cc5df

SHA256
1832d5ec2c6fce93712acdf11490b056d67dfa9199ce265dd798b3152c7a1d87

SHA512
98c021d946712cc4979a3f83feb063dabbc94a9e5c82e01a17fe61c6f9497823be9eb82474566a442234b869ecdfff5232f59b2efdc4c02fea291aac1b6beac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\agYw.exe
Filesize
649KB

MD5
97a62b86663a164be442eaced93a1da6

SHA1
87c5253ab7531b8f3c6ef4784affa59c5b2f1c58

SHA256
a0939196955e1e778a399754336977307211526a8478d9620abf349fcf6c9b57

SHA512
f8b522212310c65a5fef4d16e96489eac8629cf5ddf795862e6925641cd5f3e4e6f1d53b4b62ff65712dbde4899d56ced139f0ece28a8af74a5f57a0a5e23e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoEG.exe
Filesize
594KB

MD5
f2c0c9d79c14fdb5e2d71f32e639a58f

SHA1
7fdc6895f05fb2b93becd250456ba4f8922ced7a

SHA256
67b20846c7f17f0b769a629f13a7fc5139e6b4876525ae9c13d329bbaee1c9f8

SHA512
46d79b944420a98dd4d28a2df9634e9bdb4acb39f45d95948b05e8d15c19e1d123e48e96ef380b2fdb87dbc7c686673a141152e6a2e210f0a143fb8a8f8d17b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAcm.exe
Filesize
203KB

MD5
8f2eaf28f89853582242e147b85b52d7

SHA1
e4c3cdf9f5fb4c320acb76eb160da5eecd825373

SHA256
73f4387c0fc8610c9030d742eee63445084a2f5065fa0ed2afdc52b1de1c97fc

SHA512
53178df1b3bad308ad76d02bea9088c8d53c4e14b3d90602cf0faf4377c584d550ab42e58748d38652338b3cc7d4ecfbcb9b1f0ffe9e146d0e1b79be3e8e45eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgM.exe
Filesize
221KB

MD5
98b4b0a48e9f65028e2e0dda83515ca2

SHA1
a20a474260ff68768d57b7f6752a76d859ca4882

SHA256
437890be63433bdf15f1c246beb1ccaa64bbe299b86c7f6339a1ffaba507f017

SHA512
1c2d70e7526f936682bba700dd1f9e04fa2d6c5de0f43262b18e9752015ffd7b520708549d17e5f49204904f45a36a36e569ae1048c76b2d612893ea1a18918e

Download Submit
C:\Users\Admin\AppData\Local\Temp\egks.exe
Filesize
186KB

MD5
1992fbef7688e1802a655f5f1380f614

SHA1
49cf38071093c18b9896f8c340f62ec24dcc5313

SHA256
3a4db3eeef52a1f96b4144dc05d4808423f7ec1387233b7820d38edbab73b41a

SHA512
8a649fcccd140c97a0efcc3b74445fd89519133913804c83595c494b52eeaaa1b6a830c78ceaffaaf9d1227d4133dc527f439424ba5f7be388c448d33ba2f6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\esEW.exe
Filesize
185KB

MD5
d1ca6a76012f0bd8d33a045c044b083c

SHA1
89a33c81b06fcb0dfc2b9ab20a71df9bf5f76c5b

SHA256
7c7e9cde921e29cc23847e9defd83093fff004a24cbbd5f811d16bca20a841bb

SHA512
c0bd798a7b6699b452c4f0fffc69b9346f630a097a7b3288d3b96ee3ea46de9adcc4cc305940bc83cfd6bb565108c340df3b7bcad3ed1f4ebd271ab50e00d206

Download Submit
C:\Users\Admin\AppData\Local\Temp\esUM.exe
Filesize
203KB

MD5
23d160d46cd544a859885e8ee1f5b89f

SHA1
5336741c74f86cc4c61d9ae7ba8b3ee03cbbc72a

SHA256
16483931f1c65abb24815826ef104ed0f417987f736edcacc2816e1377a83374

SHA512
14266f35e69582399de3796987056359ef7fb934bb9c4c76f2e1004b8e0fe1fecb55fce2669141679c445869eb447cbc0a1177eba12760ae264e08ed7851becf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewAs.exe
Filesize
868KB

MD5
75d17c393652e138da046efc5576d18c

SHA1
48f6a076a1cf63e3d33e341cf9b96f0939df4fb8

SHA256
30acf65d48e05f019407828943d36dd65bad655579729942bc7b3d1b8c9eb906

SHA512
0f24bcf7d19a7e7c66b1ac6f996e316ac15305a6425d247a964245fb861400a1f1ba2b0f1338389bae03164b68569e9bd9d2f08490a7cbf815bdb1c7b25fbf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYgu.exe
Filesize
204KB

MD5
d76a5f3ba32dbecba58c2cb49612fab0

SHA1
286e0b87ee5ba8115a90e9db261da1bd30664b75

SHA256
c13da455ddc8571931f4ad6dddfe8d32d30735e1573e3e711e4fee57bbbe0a7e

SHA512
5fa6b1f9f91972c2f90086c0f893d3a0bc7b1a1cebc2f27977fad07d33ba99c4c180747117986106dba38963c92b03accd2e496c932744d792f24b1fc5745dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYoQ.exe
Filesize
194KB

MD5
5f132e0ac13b6f54cabf1453c6208d4d

SHA1
0f5acf7de56de33c65c2f65f2a9e2cdb9e373b5c

SHA256
cb16ace55b8bd51a1616cf6a45db30c85e4266acb51657ce716ef2faf628bfc9

SHA512
5fff95b678fc07a8bf529c44a35ac419bed17d46d3aff448d95a23a86d01086516b1c19d555f46fdcb44af2be7185cb2d2feedcd64d2db4b2c2e7864feac8dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcYI.exe
Filesize
212KB

MD5
b02f65d66d509dad59287fd2caf3b7ea

SHA1
92e2577f7af45af74cb9ab40cea559d402d77482

SHA256
88c4c8495896a37747c3ae3b32b2d3e58766b4624dd62c4f8095e641a2b2c3e5

SHA512
cfe47d7fb2cea6e4dbc76dbe7f44cd1753a49f2a407d751467b696f2893bca5f5747bb7ae2c45cd393d40289ae0f92decc27632a01a9caf4f22e57af9187c263

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAkW.exe
Filesize
209KB

MD5
9284b9f8f2a8cdbe36294703856ea680

SHA1
15dc21218b96a8f563054469b111dfb3a7eff9b1

SHA256
93a468b3609c71ba702f1b8289cbe82faab8bd28bedf42fbd0285b2df15124f6

SHA512
530b862d563b03e11231d47cdf4dbbde9ffac9939ff70098b8582f3f2c8a3dba355527ef87bb3dfc01a8b2bffd70f9b4ca08c58805c3c4c86b16396c569b1348

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAsc.exe
Filesize
824KB

MD5
f7375e5e52cf500905805cd78ac33e23

SHA1
bd07e91d79cac6bb231ea0b7a2e7993a6bc586df

SHA256
3fc5930a4cb24a3b4aeeb854cd21faf052ded0274eea19d7f65e7e2e25e94dcb

SHA512
8086a1838c875017870dba9c619d20bb9be7491b09c3036f2a3e1f9a58735a62109217f987f68240cf60643757a2f47a29deae3b840bfdca0ad47cc615f2edf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIMk.exe
Filesize
769KB

MD5
8740b9bb1a17785f10c8d3d9a421f62f

SHA1
27e102518bb3f73e1ff3e50c5b42dc79f0554b52

SHA256
8461730a62c2ddd54cdd91f70a7f2025eb77f1a5de3ab23ddd62d3ddbd9e47ff

SHA512
1e4b107dd3404c5d78c902eed053139fd0466a2bd368ef9ed118e369545c2172ab40d4e8c85c4918bcd8f723ebf47413849cc26633956c13af3ebf3ed598b0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUMQ.exe
Filesize
196KB

MD5
881cf445fb08d22f3da1105115c5f146

SHA1
294d60dad4a436753fd1f96da65a8a48a5888341

SHA256
3e6de14067b851b3460f00265bd45fa0ad3a90b4b15e461a49ac23fa1b87fd08

SHA512
958ad139a27f7d306df5a65c666332650dc311b19610b3effd7adff87e52fcecd2d8291415098d49369aae3ea648a6d0bf8f20ea1e1161712d811495bed5d7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUYO.exe
Filesize
198KB

MD5
7e032ab84c9514ef7ed0ae26a31dd51a

SHA1
d6e7d58940835e05351d95d27c05c4f7ef2582f4

SHA256
3998251613c0433054636e583f032d4bdb7024beb3f6e056b2cdbc200499cc85

SHA512
3caaa0c2dbceefaf8a007ca39c7168b600fdb63ed95230ee975d63998cca14d933bc383b4237593a87cddb6835945c7ae576e077e8a98e36e1baa726ea219c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYwA.exe
Filesize
195KB

MD5
38045a19cf29bd504aa047500e25f01c

SHA1
f95fab47c246983f8c2e3305dccea9bde951e479

SHA256
295b85c1013b8d185f2a211a84c2fe7b9f0ee3240a50628f4f32a40abf06238f

SHA512
ba28e111877b432d88b58f733dd8820795af1c13bdf34c0668376d9319b0f73c71c69293dc04a78d9b996dd3326074e1a281f72533c16657cb8d816605117f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikgk.exe
Filesize
187KB

MD5
6301d0d95d98cf629d4e5b053939fbab

SHA1
f5c5f07084071fc1dc9eb36ec4d3e524c9f79a2c

SHA256
8cbfa28db1f70b0f87dc34deb508b5641bb8fb2305ce0dafb38b79c1d57b0ea2

SHA512
4715a90d89034f888620bdffc25cf9380f5ea72910421dd21d751bde094cf6aa57d076543012182888a1283d7eecf2afc78d09c6f32dae7e7379bfa9210f0f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkAU.exe
Filesize
406KB

MD5
ebbb5202e3534d374b80f24f27716a19

SHA1
16d0f98aa8c35de6531082ed9c68478e8a942358

SHA256
0c6b78b563f23208735a719ac79bb960f967c71f7bb3e608b0a77ef4a8b44f0d

SHA512
ef7b3f11ec4b95c89c4f819249f310db313f95642454b7907d71c2c76f9f75af4f3161d26d79e91d8d31d5107eca5909b4620f7a553a5a9fe3a59da3b1d997e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkYu.exe
Filesize
897KB

MD5
970740649d632190b04b8259eee3f844

SHA1
c9f39735b72f9b8b82a07ed38f71dc379f08f215

SHA256
ee2a83a75153b849ce40864eed2a0958a94503c15a3f1ce71b253f9139baf5af

SHA512
524aa9f8dde26785a1f6e9c12463a5e5855eb116b4ca4f2fd4b7718ccfb7a0ba8755469abdf72d7359aa52a5f214891ecc7a6fe383ddbc1e7b5a60f109e410c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kocY.exe
Filesize
195KB

MD5
a86c2837f6fd0fd8d8369c11b1ce7396

SHA1
43b367856a600d09f18c3c4a3eb5ecaeb1b9b49a

SHA256
3b79dc4154398891846601f064eec7b30b59e36da34d38598d87a1d247c176a0

SHA512
0b5ac56ac7d04b7570c895da6847358431a33a5773224d019d459645ac45b69fd21f34a85079657f62f45006da1ab398f32de5a96609fb31be42dedde0099bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAQA.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEsm.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUci.exe
Filesize
189KB

MD5
5b8c7a72a9337feb4ac4f8bb0938d9f4

SHA1
5b816894e90d90d758be8a610443520f1fc8a59c

SHA256
40e177698feec9784e856e1c9473719e8a71bb7998bccf9adb9712c6fb8fd053

SHA512
c26646b39b6b3f95204cf60cfc5e19feabccc18a190dfde3f510e5796eb32b4c29e7989fbe3959e3944a338f6334316e80d0c059044e0feaec03b8dcc4b0523f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUgi.exe
Filesize
191KB

MD5
942a3a17a3897b5f27a09396d578d159

SHA1
d82813dc535b44deea4f75053db07e7b66cd1a8f

SHA256
ac51501d17ed1352f1776bd8475415030072d4e5751f540d21aad630142a83b4

SHA512
b7db2fbae68297a95ba5db0ba8ae9c1e74f8376901f3836b9a2bbd90a083d26044e5989e2958de86d3e72ddf8a74e7ae02eb8c02750fa923cf2374efdb6f8424

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogYW.exe
Filesize
801KB

MD5
733ed2f2f7587eff054889c60aa2afae

SHA1
05303e88e2e84e7e1becfe52fb53c80cd9c55677

SHA256
370c120b975799495ce6ef2ea44409f2dcd8858797f0ce04d9264b265421a43e

SHA512
c55f8869b46151c2188a63852560ff83a08dc10cce63fcaa8c283e61383f40feb2901fe216735f5423c39cb45ced779f37fe716fafed3e94ea8364ebcbb41909

Download Submit
C:\Users\Admin\AppData\Local\Temp\oocO.exe
Filesize
199KB

MD5
b263e67c1fbc529f27f61c12f18e3530

SHA1
0c7c6deb7a93720b33b8bf7afad2516cf3d449a4

SHA256
f7446d5df80bf282b31b5e096fe0704260c26b24eb6501dcc3374fbea1c085e1

SHA512
7b98461ce9266091820ea40136df58dd709342c504e45d4d858e289e21ee78a9abdb42e0d00081b40eb453dbf0276c58ba0796eb1d2aaf0a11cfac4202e08eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\owYM.exe
Filesize
186KB

MD5
6a11a9cf60935b85a801ce8e9e33fcad

SHA1
92080d9e642d3bffd786067e522766f1de3f841d

SHA256
1373a1b7922879980ad74a486612c2f8414f4974d64adb1b5950971e75c4cd79

SHA512
c623827f039dbe67fd5c0e82078a292492da388ab2b6f026b7af4c443cce3dff11b7fb049c7f2151bd18f0bed635e93edcd19ebf7e54303273f0f56bc72b6496

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEYU.exe
Filesize
1.2MB

MD5
f7b25e17e25d4168f3b89ef3a12c100c

SHA1
9db0f3784e4854f8f3ce8550a230498937ebbf4e

SHA256
e43184e300a2e4cd6bc685d78c45a4e94b5621011e386458416891e37f806533

SHA512
9156a4fa30a14e42486a3261cc2c8101d3616f29f360b7d07cbd0d067028a9cfa514c59e37ece76c6730cf5da9e8ed7303497e314c1a7b50d472db2f4802257c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEgi.exe
Filesize
185KB

MD5
744678a5c4082e597bf71b53e668ff0b

SHA1
7c5d956a8154e0bab9697edab577002a64007f31

SHA256
e5b96442db49d8fcbaa77859c3fa43a783ef06f5345a5929883ebafbfb29a117

SHA512
a17e0355ae99dc3eab1dad810fdeb9b67ace3671487db672f408fdf98cea2c588d9a93d401dc0861ec93c417e8f2278f1391338902c67a71a7949ead2a345e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEoa.exe
Filesize
238KB

MD5
6989f242bb86506a14c2f1ee52790afa

SHA1
ac375923b779738e0e8375173c2d66b9a000c567

SHA256
7beafccee6f6e36aaea4a369d155074d3d220610eb1bce5445f8f4853a887dad

SHA512
2ca432ada0c3fd9a54ad7e66682d515911e0c6ea9de0624a7ed5560dbaffb97c48c7b0915090c31d55c3b83595473c2aadb68f91899938d896c771306401fd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUEQ.exe
Filesize
197KB

MD5
b289ce6ad6861c910419e65e122e6b74

SHA1
f041f269e9c2bd9093272cdf6c8ef3fe0cdbd74f

SHA256
24702648e514a04df7bf023613141e7dafa30913a6820911674c17bbeca1f016

SHA512
61fc1f56beeb13d5857076da3dddbfdd5f1d9d3e0864da225deacba6d84f94c57f96ae4ae428b196f3e7784f2b820c13e8601354dd293c1f3ccd3edac10858bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcoQswsA.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkEe.exe
Filesize
333KB

MD5
5aac077db7746fa6836709f00bc45381

SHA1
88ea1bde0e70bf1ef1abffcbd067506df9a1e08e

SHA256
de7e42058a4e17057141188485e5130b9ff82dc02a52c33be2adca10938495c7

SHA512
7967842afaec2cbc743e37eddd5858deb55ebed889cc6887163ca562d3f09874995d4f972f9b4e3156d0019613f96db2efa101e8bd2ef0edaa4d3873e932a0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwwM.exe
Filesize
188KB

MD5
dfeeed829c65373fc85e58bb05dbbdc3

SHA1
071c41d93b795cf0f1be2b2ad64beeb58fe701f0

SHA256
d856556ea3bb1bbb85ffb377cbb8954c5e94c175e96902e8fb393adbcd10a009

SHA512
95c56524c74579ffda37474f363b2b061ed76504d82c4de372a8b43691344affc6cdfb7e9171d4f13a69e926387a7aeb1640c5c29c63c8f4a1d01133aab3c4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scQS.exe
Filesize
206KB

MD5
31cfa97a2832d4118a1463a354ebd42c

SHA1
2b532be0b31c3fe8044103ac655f3147c9e2bde5

SHA256
b85a3bbee6cdad0737092ba07cf061bf7e4c004ddb9a135dc43f70278a62daf4

SHA512
bf41b80847af7ae79c2c573d4036e5d5010a8ee8ffbd9e1cc698385e5fe833754bd2e94866313738c5c55f062637dccc82a485218c2fd049aa7ebdb77674cdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYkU.exe
Filesize
196KB

MD5
caa9d18bf5363ba34ede37d3d9b4df1d

SHA1
a598000048259beab45df0a5da62c125dfe27115

SHA256
2f69b91ea79a107cd9b2a517561c115b91a2d0c55cef0d5480179163dbdbc489

SHA512
da5bc8ce75fa372c5b67582572bd3039c5a84715d83fbe29ce6819837aa3ffcb9a68e899748df4422e47eb1f4be70490127c2ece3960549ea6d905ae920c858a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoAE.exe
Filesize
199KB

MD5
a0bb8989a4fda4cbb6d16be5b40b5d33

SHA1
ae75745e6f53a928733ca93dd4822fdc57e7ea60

SHA256
8f3f4996f4ba0b0c8c9dbcacc3b170afaa0057663d8fae23c68a3fbe359d7489

SHA512
3450f810441c86c853a854242e1c4d8159b8c13715fb0d1ada834dcb541649fc66347bfb13e4aa45cd3d7cbb09863e932635e7495799e52a106c1e8d70da71ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEG.exe
Filesize
260KB

MD5
3db61bed0ffd31a17bde25db531d06ab

SHA1
b85795adeae252743406211826289f3adf2877ca

SHA256
506717a0e9cf2dde93d5e5b6f2ee25d3fac1808a82f3712729e11121e14c65e2

SHA512
4c2881be1de1c21e5e52cbf2ae64e4dbaff4bc6491a8217f28b5cea8f035a558024faec0a6d35a547c00117d740b33a2ebcf29781ec15f2bb7a715ae6a4a652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uswg.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIgW.exe
Filesize
328KB

MD5
b00de47c7956511a7a2c9850eeb162a6

SHA1
f4e1c214430e769b6117e8f1c71eb8c48c7c8682

SHA256
8b492ab602dd84d432dbbba1e18c32e50edb395cd7d8392a714af589b2110567

SHA512
93d2029984358e474a172e06340e6448e7eefa598b7662031709d521946db9cfa254d3352db2f8647874811010ce0f7752eee01363aa9660fd4d78ead64344b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcYK.exe
Filesize
205KB

MD5
b749fab66ba0937592b51b593523c404

SHA1
9ed3e4288c3812c1f215d58ba258be0403d5d610

SHA256
af3b7f2bda70728559383ec0df0caed4fd5c549b0908e3cba287abf9fa5df06c

SHA512
7870761630a13426ecb0534e5e680434021ad5949b0582d30499d8289222791d65f27d2abb081ff631ac43a76b182aa1d76804b9bfde55b6e411b35d7c361636

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcgI.exe
Filesize
194KB

MD5
312ede419c8d68d6f3a9768dfb19daac

SHA1
a32c96843e3db303600f37b2b2254df3b4075e9c

SHA256
ebceace26fb2ca670699fda33281b165beb290ec30c22ac6bf6ccb93b6229699

SHA512
689bb9a3dfd21c2b455b111f227459a3f7be6cbfd8b2fd6efb65b0f4d2aac34ec767a06999d25dc8163da5f9e1b6314dec04af6125865b47ff9a72252e16b876

Download Submit
C:\Users\Admin\AppData\Local\Temp\woYK.exe
Filesize
198KB

MD5
78657cd3813b4f305420624a74d457a0

SHA1
7d66400de09fdc0c2eae859f4b507c784de0fb50

SHA256
0f8d322cd1643476a1f292af91e68460f9eb8a41bb0a9bacc5e674ae3c5875f0

SHA512
54d51d211bb10621aff3f1221fef4f0ee02a6441530caaf03a30267531f12fb55416f728253d74c5abb75c41f221f6a147e9688ef6778afc4592fec3c4e05e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIsq.exe
Filesize
634KB

MD5
d70a5b2566487016554d3147d4b85420

SHA1
8d8a755db69ae2d72c9a4fc955956130c0bc45fd

SHA256
aa000e9062f911c1b1a6fc0e45f49d5abaf303b6767a2a48c55270f1df56f839

SHA512
2d84a8864167ea4b0302a91c4f9d64b221f78ad94782bb9279a3d787fe7fb5e97c88fa8cf5ce5920ccbd3da7f95d8686970babd7b419f1246bc8a6069bf9ef5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUgu.exe
Filesize
201KB

MD5
36192c822bf88810be952ccf89399eea

SHA1
e0e7b90ab4026cc4a90393bff94cc31d53fb0a13

SHA256
942b74c24442fdec716ad4727eb9312c2202e68320858109391892710f9e870f

SHA512
b7168dde3d12fcd0afa17de91276ef1bc69a92048fb397660ecb9d50ef8686102d3a86a25cf86117d9924e029095415ceffb9b726565f0bcadf3adfadc46437f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yswA.exe
Filesize
326KB

MD5
f03b0aababbf907a7f15b7671d069282

SHA1
2f7b41dfcfb827fb54c2e1254cea140253204e12

SHA256
8cd7a8c1236cd2008c3c55761b3b39b262810bda0cea09b6c78838cba72df961

SHA512
dfc767e9830f4cf28b00cebe146142c013c5307c50192dd21cfc3613486a13ce199d94385096ff4a1883ba410a0e60b304fcbd586666142e259b58cd4fb8f035

Download Submit
C:\Users\Admin\Downloads\UpdateStart.wma.exe
Filesize
817KB

MD5
48529d657be2518068b43f69f9cd1958

SHA1
f0e434939ded262891e77db6130a054aab7d74b4

SHA256
200af48ed7f03a364b19ee3313e4dde960b3e0ce081ca0c04bde8857d8524a09

SHA512
fdd6c00a172af4e1f40d85973c60bd773da398f3092712607ddd2df9eced9a7aac0d20fd1e49ca8fccbd115b6a253eca52694fd89c7218ffe89321e9761128a1

Download Submit
C:\Users\Admin\SaggkMgk\bawwcQkU.exe
Filesize
194KB

MD5
3c404c5d5179ed7ae3562776f30a5842

SHA1
ecdd340a3b16c0ca04e691eeee06b304a4c70f4b

SHA256
a19840748c87267ddcfbfbbd2a39874f34da60172e07a25b15d2e59af992db93

SHA512
bc477d98e14e834415cebee134e265e2786103d4de420b207103627d53d6732a6f9b36f741b68af4b3556564da49474f26d9180b201fb439ec31c5f3eed93433

Download Submit
C:\Users\Admin\SaggkMgk\bawwcQkU.inf
Filesize
4B

MD5
012ad0a1b79b3e563de71c9eaaa43744

SHA1
1809a14ee795f5479b3ae5052a7bb701028d671c

SHA256
45000d55356c8c3133f7ef758801f1c3b6ed3709c588ab79d8c1196678c88ea0

SHA512
0528b70f35e76006404c73a7962eec829d32daaf86ab82a775d3afa3c7bb10a37fb92baa5d5a00107581d462f7def2b261660f226e92ec377c1ea9c474b781a7

Download Submit
memory/220-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/220-154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/320-462-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/320-475-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/556-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/556-512-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/752-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/752-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1084-195-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1084-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1152-330-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1152-343-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1192-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1308-417-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1308-405-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1400-243-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1436-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1436-130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-219-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2388-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2388-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2508-443-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2508-455-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2604-321-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2604-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-118-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2700-456-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2700-465-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2760-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2760-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-426-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2860-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2860-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2920-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2920-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3140-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3140-381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3224-447-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3224-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3224-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3224-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3316-528-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3384-536-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3504-492-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3524-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3524-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3700-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3700-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3788-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4080-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4080-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4100-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4100-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4328-547-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4328-537-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-548-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-556-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4456-500-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4460-408-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4460-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4472-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4540-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4540-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4604-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4604-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4660-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4660-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4684-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4684-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4860-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4880-122-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4880-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4892-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4892-511-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4896-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4896-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4952-361-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4952-348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4960-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5044-324-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5044-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5112-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download