a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
Size

207KB
MD5

17b82e64e80caab520aac1965ba4f8cb
SHA1

2e4a23c270b3e8d9324a7192f07f405ef03bea59
SHA256

a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
SHA512

e882a59ea0feaa556a303e7857f04f1415216509658ed5888c2e61b4de5f136e4cfe4f09e8e54ecee42abadec53431520aa3646401df400e87f2cace67eab3a7
SSDEEP

3072:+xeV4f7Gdz24bTZ6OoaqGGY6wzOKbghx0O8CLLpK6LC0Pybl:KeVwQiq9epwR0b5K67P4l

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (86) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwUkkgww.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	dwUkkgww.exe

Executes dropped EXE 2 IoCs

Processes:

dwUkkgww.exePYYwggQQ.exe

pid process

4896 dwUkkgww.exe
3312 PYYwggQQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PYYwggQQ.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exedwUkkgww.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PYYwggQQ.exe = "C:\\ProgramData\\OYMUcssE\\PYYwggQQ.exe"	PYYwggQQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LUMkMUYg.exe = "C:\\Users\\Admin\\WoYUoowM\\LUMkMUYg.exe"	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scAwcIQQ.exe = "C:\\ProgramData\\AgoQkwgg\\scAwcIQQ.exe"	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwUkkgww.exe = "C:\\Users\\Admin\\HGYoAkYk\\dwUkkgww.exe"	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PYYwggQQ.exe = "C:\\ProgramData\\OYMUcssE\\PYYwggQQ.exe"	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwUkkgww.exe = "C:\\Users\\Admin\\HGYoAkYk\\dwUkkgww.exe"	dwUkkgww.exe

Drops file in System32 directory 2 IoCs

Processes:

dwUkkgww.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	dwUkkgww.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	dwUkkgww.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3476 436 WerFault.exe scAwcIQQ.exe
4904 3640 WerFault.exe LUMkMUYg.exe

pid	pid_target	process	target process
3476	436	WerFault.exe	scAwcIQQ.exe
4904	3640	WerFault.exe	LUMkMUYg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
908	reg.exe
2504	reg.exe
4172	reg.exe
3864	reg.exe
3480	reg.exe
3616	reg.exe
316	reg.exe
3092	reg.exe
5060	reg.exe
4224	reg.exe
1972
3944	reg.exe
544	reg.exe
552	reg.exe
4344	reg.exe
1924	reg.exe
3824	reg.exe
1212	reg.exe
1064	reg.exe
5012	reg.exe
3920	reg.exe
1268	reg.exe
1268
4276	reg.exe
1988	reg.exe
4232	reg.exe
4536	reg.exe
1296	reg.exe
552	reg.exe
3488	reg.exe
3784	reg.exe
908	reg.exe
3936	reg.exe
4884	reg.exe
3768	reg.exe
2672	reg.exe
1304	reg.exe
1432
2720	reg.exe
4240	reg.exe
4908	reg.exe
528	reg.exe
1328	reg.exe
4764	reg.exe
4552	reg.exe
4280	reg.exe
3756	reg.exe
4572	reg.exe
2220	reg.exe
4500	reg.exe
2104	reg.exe
2680	reg.exe
1256	reg.exe
3496	reg.exe
4700	reg.exe
3552	reg.exe
3464	reg.exe
3604	reg.exe
1604	reg.exe
4952	reg.exe
1408	reg.exe
552	reg.exe
1020	reg.exe
1576	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe

pid	process
2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2648	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2648	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2648	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2648	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
652	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
652	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
652	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
652	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
708	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
708	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
708	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
708	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
396	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
396	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
396	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
396	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4920	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4920	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4920	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4920	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
756	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
756	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
756	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
756	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4524	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4524	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4524	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4524	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4664	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4664	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4664	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4664	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4588	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4588	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4588	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4588	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3976	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3976	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3976	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
3976	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4412	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4412	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4412	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
4412	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2960	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2960	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2960	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
2960	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1340	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1340	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1340	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
1340	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwUkkgww.exe

pid process

4896 dwUkkgww.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dwUkkgww.exe

pid	process
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe
4896	dwUkkgww.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.execmd.execmd.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.execmd.execmd.exe2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.execmd.exe

description	pid	process	target process
PID 2080 wrote to memory of 4896	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	dwUkkgww.exe
PID 2080 wrote to memory of 4896	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	dwUkkgww.exe
PID 2080 wrote to memory of 4896	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	dwUkkgww.exe
PID 2080 wrote to memory of 3312	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	PYYwggQQ.exe
PID 2080 wrote to memory of 3312	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	PYYwggQQ.exe
PID 2080 wrote to memory of 3312	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	PYYwggQQ.exe
PID 2080 wrote to memory of 1408	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2080 wrote to memory of 1408	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2080 wrote to memory of 1408	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 1408 wrote to memory of 1012	1408	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 1408 wrote to memory of 1012	1408	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 1408 wrote to memory of 1012	1408	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 2080 wrote to memory of 3952	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2080 wrote to memory of 3952	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2080 wrote to memory of 3952	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2080 wrote to memory of 220	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2080 wrote to memory of 220	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2080 wrote to memory of 220	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2080 wrote to memory of 208	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2080 wrote to memory of 208	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2080 wrote to memory of 208	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 2080 wrote to memory of 4036	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2080 wrote to memory of 4036	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2080 wrote to memory of 4036	2080	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 4036 wrote to memory of 396	4036	cmd.exe	cscript.exe
PID 4036 wrote to memory of 396	4036	cmd.exe	cscript.exe
PID 4036 wrote to memory of 396	4036	cmd.exe	cscript.exe
PID 1012 wrote to memory of 680	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 1012 wrote to memory of 680	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 1012 wrote to memory of 680	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 680 wrote to memory of 3904	680	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 680 wrote to memory of 3904	680	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 680 wrote to memory of 3904	680	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 1012 wrote to memory of 1328	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 1012 wrote to memory of 1328	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 1012 wrote to memory of 1328	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 1012 wrote to memory of 5040	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 1012 wrote to memory of 5040	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 1012 wrote to memory of 5040	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 1012 wrote to memory of 1884	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 1012 wrote to memory of 1884	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 1012 wrote to memory of 1884	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 1012 wrote to memory of 2312	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 1012 wrote to memory of 2312	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 1012 wrote to memory of 2312	1012	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 2312 wrote to memory of 1360	2312	cmd.exe	cscript.exe
PID 2312 wrote to memory of 1360	2312	cmd.exe	cscript.exe
PID 2312 wrote to memory of 1360	2312	cmd.exe	cscript.exe
PID 3904 wrote to memory of 4280	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 3904 wrote to memory of 4280	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 3904 wrote to memory of 4280	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe
PID 4280 wrote to memory of 2648	4280	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 4280 wrote to memory of 2648	4280	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 4280 wrote to memory of 2648	4280	cmd.exe	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
PID 3904 wrote to memory of 1264	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 3904 wrote to memory of 1264	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 3904 wrote to memory of 1264	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 3904 wrote to memory of 4344	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 3904 wrote to memory of 4344	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 3904 wrote to memory of 4344	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 3904 wrote to memory of 1020	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 3904 wrote to memory of 1020	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 3904 wrote to memory of 1020	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	reg.exe
PID 3904 wrote to memory of 4144	3904	2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\HGYoAkYk\dwUkkgww.exe
"C:\Users\Admin\HGYoAkYk\dwUkkgww.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4896

C:\ProgramData\OYMUcssE\PYYwggQQ.exe
"C:\ProgramData\OYMUcssE\PYYwggQQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
8⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
10⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
12⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
14⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
16⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
18⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
20⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
22⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
24⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
26⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
28⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
30⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
32⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
33⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
34⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
35⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
36⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
37⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
38⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
39⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
40⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
41⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
42⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
43⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
44⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
45⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
46⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
47⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
48⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
49⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
50⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
51⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
52⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
53⤵
PID:424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
54⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
55⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
56⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
57⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
58⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
59⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
60⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
61⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
62⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
63⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
64⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
65⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
66⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
67⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
68⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
69⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
70⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
71⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
72⤵
PID:32

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
73⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
74⤵
PID:4652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
75⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
76⤵
PID:3396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
77⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
78⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
79⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
80⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
81⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
82⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
83⤵
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
84⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
85⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
86⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
87⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
88⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
89⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
90⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
91⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
92⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
93⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
94⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
95⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
96⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
97⤵
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
98⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
99⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
100⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
101⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
102⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
103⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
104⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
105⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
106⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
107⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
108⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
109⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
110⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
111⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
112⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
113⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
114⤵
PID:4860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
115⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
116⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
117⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
118⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
119⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
120⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
121⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
122⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
123⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
124⤵
PID:4092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
125⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
126⤵
PID:2560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
127⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
128⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
129⤵
- Adds Run key to start application
PID:4408

C:\Users\Admin\WoYUoowM\LUMkMUYg.exe
"C:\Users\Admin\WoYUoowM\LUMkMUYg.exe"
130⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 224
131⤵
- Program crash
PID:4904

C:\ProgramData\AgoQkwgg\scAwcIQQ.exe
"C:\ProgramData\AgoQkwgg\scAwcIQQ.exe"
130⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 224
131⤵
- Program crash
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
130⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
131⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
132⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
133⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
134⤵
PID:3344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
135⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
136⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
137⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
138⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
139⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
140⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
141⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
142⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
143⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
144⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
145⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
146⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
147⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
148⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
149⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
150⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
151⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
152⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
153⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
154⤵
PID:4036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
155⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
156⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
157⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
158⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
159⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
160⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
161⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
162⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
163⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
164⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
165⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
166⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
167⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
168⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
169⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
170⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
171⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
172⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
173⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
174⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
175⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
176⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
177⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
178⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
179⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
180⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
181⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
182⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
183⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
184⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
185⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
186⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
187⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
188⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
189⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
190⤵
PID:1372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
191⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
192⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
193⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
194⤵
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
195⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
196⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
197⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
198⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
199⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
200⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
201⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
202⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
203⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
204⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
205⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
206⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
207⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
208⤵
PID:1148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
209⤵
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
210⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
211⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
212⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
213⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
214⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
215⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
216⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
217⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
218⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
219⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
220⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
221⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
222⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
223⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
224⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
225⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
226⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
227⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
228⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
229⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
230⤵
PID:3032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
231⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
232⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
233⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
234⤵
PID:3552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
235⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
236⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
237⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
238⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
239⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
240⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
241⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
242⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
243⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
244⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
245⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
246⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
247⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
248⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
249⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
250⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
251⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
252⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
253⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
254⤵
PID:2908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
255⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
256⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
257⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
258⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
259⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
260⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
261⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
262⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
263⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
264⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
265⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock"
266⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
267⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
- Modifies registry key
PID:3784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
- Modifies registry key
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:2104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
265⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pysQIIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
264⤵
PID:3972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies visibility of file extensions in Explorer
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIEQMowo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
262⤵
PID:4228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
- Modifies registry key
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
- Modifies registry key
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsEgUcYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
260⤵
PID:4552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:5024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- Modifies registry key
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEgwUYkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
258⤵
PID:3604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies registry key
PID:3092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
- Modifies registry key
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIUkIwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
256⤵
PID:1092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:4968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies visibility of file extensions in Explorer
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
- UAC bypass
PID:3464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuMYgMso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
254⤵
PID:2836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:4572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOQossQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
252⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies registry key
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
- Modifies registry key
PID:1020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUEIwIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
250⤵
PID:956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies registry key
PID:1212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:4248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCYkMYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
248⤵
PID:4968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuIYUccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
246⤵
PID:4280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QasEYYIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
244⤵
PID:4760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:4844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocMsIYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
242⤵
PID:4536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIUEYMIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
240⤵
PID:3744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:2364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIYQYoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
238⤵
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:5116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUwgwIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
236⤵
PID:4536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCIoQYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
234⤵
PID:680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:3588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:4588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
- Modifies registry key
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCcIkYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
232⤵
PID:3968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies registry key
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:3588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqUswkYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
230⤵
PID:2336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:2848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCQAQMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
228⤵
PID:3408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:1988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWEsMYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
226⤵
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkccMYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
224⤵
PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:3764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:4092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOUsYAEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
222⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muMMMoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
220⤵
PID:1128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqgUwYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
218⤵
PID:3732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
- Modifies registry key
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOQUcwII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
216⤵
PID:4892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scccAUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
214⤵
PID:3476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMwoAYsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
212⤵
PID:4020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies registry key
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:2960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:2068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwcYggYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
210⤵
PID:4232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:1924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tugAUAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
208⤵
PID:4140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMIcIMcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
206⤵
PID:4316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
- Modifies registry key
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgcgsQMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
204⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:32

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okIQQIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
202⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loIkwUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
200⤵
PID:652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
- Modifies registry key
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWUEMsUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
198⤵
PID:1956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCYEQkEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
196⤵
PID:3588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:2788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKQkQIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
194⤵
PID:5096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:4192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEAEcQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
192⤵
PID:4528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:3388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
- Modifies registry key
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mosQUMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
190⤵
PID:768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIgAoYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
188⤵
PID:4648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:3032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keYoooUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
186⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:4192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
- Modifies registry key
PID:3616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgIYoAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
184⤵
PID:944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyksQEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
182⤵
PID:1012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:4408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWIkAskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
180⤵
PID:3964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGAIkMYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
178⤵
PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- Modifies registry key
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWMAoEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
176⤵
PID:436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- Modifies registry key
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcIwIoEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
174⤵
PID:4844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYMsQAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
172⤵
PID:4968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCkQAAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
170⤵
PID:4280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
- Modifies registry key
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAswwYIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
168⤵
PID:1668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcwocwQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
166⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:4524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEcAEksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
164⤵
PID:3588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaMMwsMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
162⤵
PID:4184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:3616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qksogoMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
160⤵
PID:4448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:2692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIwkccUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
158⤵
PID:4760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAkMswgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
156⤵
PID:4316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgcAgMEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
154⤵
PID:4184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwAUYgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
152⤵
PID:3480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:4408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
- Modifies registry key
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWQYYoAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
150⤵
PID:3864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
- Modifies registry key
PID:908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieUAskss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
148⤵
PID:2692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQkQMIMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
146⤵
PID:1264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYcwEQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
144⤵
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies registry key
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIwkscsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
142⤵
PID:1072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMoEogkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
140⤵
PID:1304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:4140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwQUMUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
138⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wygQoAEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
136⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies registry key
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWggoMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
134⤵
PID:5052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:8

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:1552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgUMYEYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
132⤵
PID:3284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGcgwkAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
130⤵
PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:3092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BacYwYkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
128⤵
PID:2364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSAEAMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
126⤵
PID:3256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:1432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgwkwUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
124⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMcAkIEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
122⤵
PID:4656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWYosMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
120⤵
PID:4232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaEQUcIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
118⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMYcYEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
116⤵
PID:3660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:4256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAgYcgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
114⤵
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:1404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgkcwkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
112⤵
PID:5116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:4140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEoMwwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
110⤵
PID:3636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:3432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YccUwYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
108⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:2068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCEooIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
106⤵
PID:2808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- Modifies registry key
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GscYAkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
104⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EykcAgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
102⤵
PID:956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyooMYsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
100⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaksIUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
98⤵
PID:4656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nggMcwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
96⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYMEoMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
94⤵
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:5068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYsgQgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
92⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYUQgAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
90⤵
PID:3256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ccgwkksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
88⤵
PID:540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
- Modifies registry key
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huUgwgow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
86⤵
PID:2640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiwMQAQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
84⤵
PID:4412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies registry key
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyEcMQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
82⤵
PID:3256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:3616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gogEMsIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
80⤵
PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- Modifies registry key
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUYoYAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
78⤵
PID:2504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
- Modifies registry key
PID:1268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSkEAAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
76⤵
PID:4908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:4240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqQogAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
74⤵
PID:3932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCsokkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
72⤵
PID:3276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUwwoAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
70⤵
PID:3640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:4316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGkMoYog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
68⤵
PID:1032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:3772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yScEEMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
66⤵
PID:748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkQoIMsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
64⤵
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoYgUwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
62⤵
PID:4536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- Modifies registry key
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAoUgMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
60⤵
PID:1476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- Modifies registry key
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkkkAAAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
58⤵
PID:2660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies registry key
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwYEQEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
56⤵
PID:1360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYcsscEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
54⤵
PID:3436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcYwEYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
52⤵
PID:4644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWQQEwIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
50⤵
PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACYEcYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
48⤵
PID:32

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEcgIgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
46⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSIocsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
44⤵
PID:3332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:3476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgYsUcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
42⤵
PID:1904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcckMkAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
40⤵
PID:4868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAEMgEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
38⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuAYoYQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
36⤵
PID:4036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKwAggUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
34⤵
PID:3660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUcUIAoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
32⤵
PID:4344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meIwcAII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
30⤵
PID:2604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWAscgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
28⤵
PID:1392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:3852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGUcQAwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
26⤵
PID:4620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOkwAQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
24⤵
PID:540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies registry key
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMYYUswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
22⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KccsIkAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
20⤵
PID:5068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwgYUsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
18⤵
PID:1392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waAsQccM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
16⤵
PID:2908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyMkgAAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
14⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWAUsIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
12⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkYAkIAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
10⤵
PID:3604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIQcMMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
8⤵
PID:4228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMAwkQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
6⤵
PID:4144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yakgAYcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KicIokQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 436 -ip 436
2⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3640 -ip 3640
2⤵
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
320KB

MD5
f1bda16e46c6dbff46d08f11fef9d07b

SHA1
a722f672dd0d5d6ffdcc5ce20ce6014f5a73126f

SHA256
91cdecf5aacbf225a408ec58042a1456ef97bee526f1f8a0866c53ac0a76ca87

SHA512
897287473c45d8593849fa961d50f2608b3591f630797aaffd300621f8b49accafb020d256c298066bbf9c36bab90212c53ee0c3c319305e72ffc74df342f617

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe
Filesize
209KB

MD5
936beaac1dbe01829d2187da821be21b

SHA1
f74d02d64fa5e2ca64f7c98b4a57ef9967720da2

SHA256
db322d87879c45dd86da52e76400eb455c1600adc9faf065db0d539dce719b40

SHA512
abfd1ad1017d5148435ac34f1ea4e6e61604b967afacdc5b019cd662baa8f21dd1dda20a6873db694c166b62e4d9ac832dc595e5017b5bd3ea629e2d19a2d7ba

Download Submit
C:\ProgramData\OYMUcssE\PYYwggQQ.exe
Filesize
190KB

MD5
76eadd69dab1b12281b20973197471eb

SHA1
ca0eafac7ffd45ae55ef03a1668c59753a62e091

SHA256
c7ce43450ea4eaaae41c5825975d01165d29157742bfaede1c63db8c8659ae6c

SHA512
79c120e4e69572e006418fe70c9d331a113ec0b19e568ac5eced56957d64481b9ebf90b25c3514d327100f76ec209e9c9c0c00fa3c4c03e35594a4e35df97197

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
803KB

MD5
6542e46ddadaa5e2c569a6e7827eeaf3

SHA1
7193c3d085bd1ad10226f22b48e730b3f496c7de

SHA256
9e6c5be78364ce31472c4a37578f6575b2f7ce910e8e0d70668a203b859538a3

SHA512
266ad7e341ff48463aa256844df14463db4ee0defc1a90c452bc0a0b4571e1e777e3476a1dc373bdb54ae80f63a4b2424564f187f7b0ff51407cccf7e7161e8d

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
Filesize
657KB

MD5
251119c59b44461b4ed5b7b3b74adf13

SHA1
ed40c5f971b8926fd109771456d664c990e8c66e

SHA256
3576bdb9df997b368c90b3998ca09e0d2c7e85b6bceccec0ef2d4ca820112f2f

SHA512
34c5f30c463eec98c992112274e3f662a7150e6fe1d3cb1f322a045b181752decc878e8581465ce887068af372ac479fd4a31fb564f3ef15aa132f7cc2163400

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe
Filesize
206KB

MD5
c22e4410b1f635b667c9a07bdbe5cdff

SHA1
c1a56b28c24006c75657698ff0816b0abafb28e7

SHA256
b3bfc9251db9f765cb31ea1ab5040f5e2251892b139ccbff15a2e3e448ff7fe3

SHA512
27a694c107154e354facde511f162db7a28e40dc0cb1039e15d5e5d5dfe5d4a67171bd56993d6ff5aa0c87bb925132a084a641e23934f8f8b380310cd9fbf8a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe
Filesize
196KB

MD5
02687658a5495f7d1a7178043699d192

SHA1
910a90bdb82ba82f5163cc211ba01e82f2e9b084

SHA256
ccefdd3a46eb814db00779e94fa9fc21639290d41adc65df560b196512513f80

SHA512
728287bd5cc93df9bc913cbdf67327a5b7a61442ffcabb5ee36802965ccf118e4be041e85d1e3c1c3789f244d86a7d0b69452e339e61fc6320122636bdf41212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
Filesize
188KB

MD5
eee89f10041c54cf17824f1d61c616c1

SHA1
d33bdcca856e29ff10521dbec205fde1050111b0

SHA256
d4e7dd66bd3cad5e1ea1e200d07ab481e4d73321f802a0e87ab7141be1584b91

SHA512
4b30377c1b5a2f3d581380c4fc10ba3aac2ed2d10e8bffae59fe27826663cd7912b11be5cc3e3faf015fb032c59b8f9ebd24433be823704edc235a857ea3257a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe
Filesize
194KB

MD5
f48ce157e44a5f32ed4627e1ab86c4cd

SHA1
487875e8b85833ba302a1f330a9762223fc4be85

SHA256
0b9673f2b087f9cca65204dc3aa4c43e73ba84688eb811249333f4966b08adaf

SHA512
f786ec24a28522ca4ddb8e4e9df43f90992b14c4d3f62124d585b7c1750905322273a4dce29af9d7223209bc4babba84bce41a8840fc3a5d761dccd202ba49c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
Filesize
194KB

MD5
324e21b73e8cb58462fd01d98afdd307

SHA1
f457b2108831b684de7b24004ad5ef81e9be1b6f

SHA256
867529b96aca5b9570a190d9ffab0fb80fd6ee8723b65cce2483da7219aec4c1

SHA512
38844460ed4df15921894d81e0a273ab876ea7fa1f2296d2608f6b26b3eb8081addd989c45697ea01574a8111ac3c78691b8ab64ac8c525f9623450cb9fb32fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_17b82e64e80caab520aac1965ba4f8cb_virlock
Filesize
6KB

MD5
c5a954c9c675475ac522b45ffd52d03a

SHA1
1fc5bf8d724c665da276aa3284942b1b9d822935

SHA256
a1030522425b3258e21b3fd2a1dbafef2ed07154142dead7e9b7f4ae667c8726

SHA512
8828630868f5b8b694c4cbcca3f995ae55f2edf7a93e970aa11fccddd484fc4b869389dff9875c1c890e7e6c32050d669e42f009eee8fa519f94e865e4164da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAoM.exe
Filesize
567KB

MD5
ca2a433c54748c3a09e93eacdbd692e6

SHA1
2f4876546666b81469b68e9fd2646dedd95bc386

SHA256
1f206df3a5b726a506a8a88b95c9687f277a48eb313310747a9d9d77f06c5176

SHA512
7307d03bec9ec5848e31eec8928d43c292469a30589d2cc4ec7dfb6199357ae0adefdea3d40bee7bf0a5c1adb55c714aa65bd5a161091336c61cc131504c3eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIUM.exe
Filesize
199KB

MD5
bda9a1dfe84f793ac844657e8d8b8c4e

SHA1
c6593d8b9df3f24fcc1726ee5caef10e567b8b14

SHA256
c9c1c2ad7b42f4aaf3caea7f2ca6b268150940a864efbed8f9a70c71b24c2793

SHA512
fa1b131d29cb78a708c8c9a1ff0e486bbbdbfcae16f93dcf81a837d65d07eced827e68d51ac6977001d33a0a303459e677330fc7d1e56ae2120630950834bbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMEy.exe
Filesize
196KB

MD5
2e0ebb317da8ed47123f3d46a51e633c

SHA1
a9cc59fcefd9ad9c06c125bf331820afb7a795e5

SHA256
20b60fb1fb2e92ff62b053c67cccd87a03e53d117bf8ba8cbff98eb1f4989634

SHA512
fc5bb71dc70692695d6c2d0b510f992b62d87a0a14bea70746e8526613a3e5b0eee4039f83b55e0c952184744e64bd58e0a3c4135abd553db7cde3303bff4014

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQUs.exe
Filesize
5.9MB

MD5
ae87d22c1a85ddb45dfda0e3931a761f

SHA1
ce55f4f99b103fefb67b1b74d28b25d5c0b0ad3c

SHA256
3f598271a8074cec361984cc10d8333b0124ced2bffc32563f4de8cb1e391d0c

SHA512
35d63eed345ffa98d081285b6dea7ebe534965b3dec0e7cffcace9d723c99909c5e7c11c3fddbd3bd69428921329b7cdb4e8bd7964674a9c7beef2eda9ebf360

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgQy.exe
Filesize
220KB

MD5
04af82277791d01d085bcb534f617691

SHA1
e6fbffeac7f7fdd177739bb48525291300639a51

SHA256
94fdcf8312961632ba250384d37159c4eaa36defd9a9339637c144f89891efb9

SHA512
054907b3357de9409651b117d85015ebae4ddf0c6a403935b3a109ecf4988521e75f85845463b81e6b21849503b617340a7d749336da3c722e88a57e167b4948

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agkk.exe
Filesize
198KB

MD5
7957e4e168ffa148d1ab5578c617fde9

SHA1
beeb5d5828b2e4971353ff9bfcd74dbcb5ecaa7c

SHA256
e22633c3308666055b7dfa8e4f43a984124fc94d33ce9f7c5aafe3b59a9cf072

SHA512
da73f8d0a3f456853fa29a9288c6b5fe5526e70c4c1411274f4e9bf379433a161ad519edddd35357c03ae21c6133aa974866da1130458310ad7c19fe982264e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkgY.exe
Filesize
210KB

MD5
7918e0f619b4c2cdf116d9008c740bd5

SHA1
b6467abf8eb51be0f450300cf9de4bb57ecd8d61

SHA256
48ce2f24b10cd2c501c0ea899414a35a5be2704656313ffa7f5530c55177e66f

SHA512
e5b37ebb34ad72a696fcee49b8e3d97e41c9d89ad0abc0de53b49438628fbaca961d889d58def16828d95f5f749d1dd73bd9e6e1c07c0124d6982795b23baa4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsUI.exe
Filesize
221KB

MD5
9d915a20db13c2d36061e057c37a85f7

SHA1
f8378fb6f346057017957979fefe6569b98107f8

SHA256
5ae4ec1fc2685810c41fa75ee48c6e420e853e2c16d611772c62210434024917

SHA512
6ff83ba9f07e9cf846620294e165924a3a82c79794f1a71c1a1547cacef75597d3a1aff106f933be7530d0dd604165d5e07df476bc2452c1978d7bdba36eb5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAsu.exe
Filesize
1.8MB

MD5
25b480d7d062c39230762b5da08e4c7a

SHA1
f372ef11bda0e7001adbb12f1cbf584e2636c00a

SHA256
cb3d66789362556ca70f6402a88efcf480663c5732e3a98d201d4b44a693fad6

SHA512
8a8fad7f68ed614dac52a6f37655671990450037f1b5acbc2399e5ed3c5938f4cd8fd1b36365f0d9279e7b9d863e23a7abf1c42d58e5d9c1a4bceb4a1b952b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQIK.exe
Filesize
629KB

MD5
49c0de32e529c4dda5a95c0110bdd3f1

SHA1
dbfca39060e3e737cd6a4920b900e5fb046952e4

SHA256
b22ec577f2fb9059ce34c0a349203d20b06cc05c25ed43975ad856842e20ab8a

SHA512
7b6fd7834d83d1c25b4c156dc63dc4fe421167778d614199b3dff91719e6c9ba9519a3f8c7161f9b7f01402c141f60f98ecfb4103ebcc1471dc97d7df164474e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgUK.exe
Filesize
779KB

MD5
4a0ba91d99041f9e28bc55ab27cafa36

SHA1
86ef5c0db269e156210279ea05aaaf0fd4095dca

SHA256
81285f39e30fe822a29a477999eb171a1e673f4df8dfd348c86fd6dd7108c83e

SHA512
8b4733e9ff875e67190764e33f6d1c2e789fde82d4b9239ed3b8478eefba8ce7c4606c457ec73dfa8972e0b8fd9ad9430d088f517ed1ae773c0ccb2aa9afafaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckcq.exe
Filesize
652KB

MD5
ab511f2ffae5f4752957a9695f84a50d

SHA1
558551405fddee71cd81349d41c6566fa227254e

SHA256
fdaa218d2ede7787e59123891063a1034316a819176cbf3e8fdfaddd7339dc21

SHA512
394e8f4e2769bdb8e80b578183f6ea4753d2b71446c1a50b354bbfd7aafb3dd55a552f91d2fbadfeb6fb1722129bfe70286d51c54b34a361a606724a113e626c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwIU.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAUu.exe
Filesize
190KB

MD5
a813266f09689da34e060ea21a88103d

SHA1
51c8ccc111eca87dfb82d08bf67dc0f93ffa3833

SHA256
dbc3dc8a6ac66ec14195471bf7ad8effea22377983fda72ca7afb954dfdc430d

SHA512
3337e615dda84072ca8e161a8d0379393cb615308ed77608aa478c851abb18ce4eb4934c94843073e769485912ca9d765b0ccb8a691d88564f2f8b384578a538

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMwY.exe
Filesize
240KB

MD5
beb29da7129bd8b27cd965a865646adb

SHA1
729bd2e39d04ce73ca7daec917d620a7c13e09f3

SHA256
7418bd9f72ef07a98741916f2435dc206d7f10bc9ddc8f5a4b26bb76490b17aa

SHA512
7bef9253543866cc5fdfeeaaa1a2a3d8a10ef9aec5630dc5f91527d4240f99fa792586d723ce4156b51836f0bb0e9d007cc89d7dd4651fbd2b3f0d00472ffdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQQS.exe
Filesize
235KB

MD5
3c848548622a341856777b7be5fbbf38

SHA1
f2ee7668e3e7acd4f3f9298eb2a897d0fdeefdc0

SHA256
d3ce6539e1061b6e17a8dcebe091d02a84b9f5357097b2474dba24a5d6cd9ff7

SHA512
a25330336e715200f5ac2d201b4cb02b0c4192ed1cd209f8de8e784b14d7642d4fee5a76f35f34e9fcca89c90361ab1c3821283dfdea6299389cc7c6a9ea4171

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcMy.exe
Filesize
201KB

MD5
7d82753a33b604596f8066f783d95aaa

SHA1
8b43c357711d87eed9cd8dc29a7502f1a136b1bf

SHA256
1cb0a32339f043eee64900c70550439b10bf714b4875c36ba6ddb5ec59434a23

SHA512
bdf6e9ee3284830454811d8e5e520a7566dcdf431487c0d2281ce86553bd76db90d83a7c5570470ad2e72696e2c3859dd337bb3d5c4bda893743c67ae67b8d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekco.exe
Filesize
496KB

MD5
4266250f4daf6d86a5222ff25b35b4ea

SHA1
d2f8ae584aea936b561f070deafab42cd75008aa

SHA256
d99f4e8ef28553032facb06679dc942c5429f1b651c8f9fc65d8efea5b58fab1

SHA512
bfb0b3e8fe7565bd75d2ffde9053b0c2812deb6deffb6030b03125a574aa2a55ac7e6fe97a8e065fc36eaef18221d059f6ad82e594db36f118b56c2a2fc910a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoMk.exe
Filesize
212KB

MD5
687c64c47478e7c685cbbb8b2b6ba70d

SHA1
abef374ff8edac24f4542be5f898883aa854b06d

SHA256
0a1702afd012b0a9aff6648f134024f931d7df44b12e7827ccba212c4ec5086e

SHA512
18a16376f88118611a12d5fab5d57c17356bbddd544c96c1918699ae2a6b095985ba606fb66c52d9c1fd4aac2d3e983ced32b6f23fede889840c6fa82264aed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsgK.exe
Filesize
204KB

MD5
a1e5b290f252bb287460f7b745307f76

SHA1
8476261ba06297f3bf67bdd8c0465f9b6fd60b23

SHA256
99d60ba8e1da942f2daa35c6cc9521700546d643c47f4456c9a92f1fd12a02c2

SHA512
8a489292e47af1effb058cbb90e9291954a10dde5885509a4fff35c58b54e062fc643b083ceb2c412212ab3b00dab26ea2998ce3a66f7e82c3a48e43f81a93fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIEW.exe
Filesize
5.9MB

MD5
f675b774b6d2828d002086c80b2facb8

SHA1
c757fd86add7c118b5fe7b786fdc5e11a0b5ed3b

SHA256
cee15503c95a48d31faeac43647953dd70a52851f129317c5aff9a3c515a3ec2

SHA512
4f45d0527a447f86bd7bf45a61fd1085d42cfe6722b85d403bdf31367db2e95a6c9cd14dffa463137d06efd29b5618791320656b033b4e826446dabff3f8b19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMYe.exe
Filesize
196KB

MD5
55a0570aca2b13c52b1a13861ce2e980

SHA1
587101e455bae8809471ebd233fb4927d7c42433

SHA256
653145cbeac3bb980c11a9183a58900f4eed30e9ec6b40b260c0045d97cf6d39

SHA512
b092aefe7b62a83c1931a18af65fb00cae47e727cb7059be2e6a4b781d9cd43abd8c1724aa430a16d9ceaa597e59c8695cd7b650175a6c89d05470e4a69b3d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgkY.exe
Filesize
184KB

MD5
2fd7944ee7743e62481e3085fb11eb0b

SHA1
7be0ca00b4b3f60e365e773a5a8f88bf922b0858

SHA256
36066dbe93a9ba4c7bd39fa40ae3313a1136618158ebb1b41d1713dd0ed5bd78

SHA512
8d203f142ba6f8080aee482b06134a106eade2cceddde645e3e6bed7be46cfa7aaa571cb1b70d5b420aae749831e8468c95702ec704985a577ba906bc249af16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkQi.exe
Filesize
205KB

MD5
b09eaf6eaca61ed9f901d64e8e6f8223

SHA1
69931e27b814d64f87b746b58b22f980d65a4f39

SHA256
9a06b435c89b885c555dbab6356dfde8424f8e7d69c6bc7c21360f807bdeac5f

SHA512
d43c99e42666fbd51f9d371f2a01080a82eaa9b8b4b79e7d16a4d7e115a60a7957cb1bcd525ba1d4f54ed18a4cc20b7cb55733cf35ecd897fe22a925ff5355f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEIo.exe
Filesize
1.4MB

MD5
76c8ba58a9590f533e29b0f9bbfd186e

SHA1
7f17b91f78dbff6a564ec3810ca36d368e35fcbb

SHA256
f5a2d89a75381cfa427c0009c8d4c49486f98e94c220c5133ee265d7eb57661f

SHA512
2184cc584a0c00a75bb0d3d2188876b3a400d0db16342174dc6fce49caf0364db6b61b32b59652b89bca70369ce451772a5e41d0c7d7617dcb6f9ae162bb3ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMAu.exe
Filesize
199KB

MD5
f3b386f952b32ff90871ab2f858be0ba

SHA1
3c646d0c65367930fb94e81d7f57a1d8206cb4d6

SHA256
dd312e1e16369b28c605f15bd24921789098c2bd9bda330af511fb4cc09cbed8

SHA512
0e0c6faee602f5486d97037057ce50a419370368e8a22af7f4dbf87f4170ea92bb248ddba2858a90ed5c979cb7b3aa9f02b305ffaf943778475f81293ae6180c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQYQ.exe
Filesize
191KB

MD5
1e6d99ff6f39f1daec3a0e0fa5f289b1

SHA1
7dbd1fbc6cbb60ff967cdf51bc016eb8c14e96be

SHA256
00c3bdecb479b8387a13af7bcb8121d1dda8ef02ca89fbb46707196551b1834e

SHA512
6220b6bc4ea0a466956516c6a7633648208f12390642a4e5173a7f7a11a8fc63e9e5a4ca1f809814375c76291b54463904cd4653b31e113a85ec81f9d7f7a193

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQs.exe
Filesize
205KB

MD5
fbe14ccc800f9e83f65886e4766c67fd

SHA1
e75b09aa1f9d3bff35c21e938abefb45a7812268

SHA256
fb11684c6c387cfd3ac8de632ea3359041526a33a0a7ff56933dcd1336160e64

SHA512
978298c14965679bf9eaebf96bb1e64de3ef202b11cacf18388fe2d11524c01ad30a69ecd1cda0b1237c35d897cdf82f7ffc7b7e5fe7ada579b13a20b5d4db47

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcIM.exe
Filesize
197KB

MD5
0029874fef0ddc23077c7b481a87434f

SHA1
b0eb70a0214cef6c2041ed72749fd6de8d7b242a

SHA256
ce5964dbc90bd6828f9c65dd59adff1a5a4fec1baa58e1f480fb1dbd349c67d1

SHA512
7ff8f5c0a4ba3b5da3fae731a67dda0fa369425c7bc1fcc2754dbc03b0a5024fada2c47096be86179eeb3dc90b135ac17369e454a321d2f1dd8a03b90f03cbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\KicIokQo.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoUw.exe
Filesize
187KB

MD5
b329f8a8324f9fd26250346169b8594b

SHA1
00aa8344f7bc127057da9645e4bde9209830f5bb

SHA256
d81b6d9f5ab3e80fd6a1a0f4e5ee376c0ea68cf85488d0715cdea7050366e46c

SHA512
4d72dbfc81a25e772da2190ffd90d26dae5fdb47d03cf158902df1b372de5ba01813d5fb4cc44ac5e140959deb0ca168243dd1717dfc9aba8cde3fc1d023deb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwMq.exe
Filesize
192KB

MD5
05e01f681035ee22c79b035e0e5a98c8

SHA1
f56015841b5873003047622dca6c8e5565982b3d

SHA256
bd8fbfb8cc4369f140bb7060e93f9e79b9b5e260a5a6c92f6464d7c8761772e2

SHA512
dbeba2ab8844a93ed8720052cb20bb395dd3ffc8ab303bde47f40c11619edec5c1b3bf46192c419ca08e32fb14b8a75df354b2e008fdaab155caab04abfb4d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQS.exe
Filesize
247KB

MD5
3c2fbf3b20dee9ffb405eb3cecdabfb7

SHA1
cd4687d01a63955042fb1b818bda11848133ddd6

SHA256
b650a7b377fef53e18df77b2564cb2ff16349355081870b81f2895ac463385b4

SHA512
7c28c672375d6437a3e8b3ff245b70b5aa3c11c7e90bce5ce609f465b9b4aea2e0e59b7d224ddea77e928aec463087e2d5b5bdd30931b9d2492df9a90aebd47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIAA.exe
Filesize
199KB

MD5
94987323f0f134ea7085c6e160dbb1c9

SHA1
15a81358bcced0b5115e147786a4723c2fe01322

SHA256
374e7f175c3de4b3042bcf1427ded0914a9cf3d7a729477fc80113b9d84ae48b

SHA512
521eb78bc29a6e9fc38729cd18b51e49e977f53f6ec0d6815ec91c2d461011277d477e5268b19c45b76505da0ca9bced07be050531c8aed7dc494ca655509b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMsM.exe
Filesize
207KB

MD5
a66cc45cafbbe8a77f0cac11ad4a1b92

SHA1
1a160d612aec215b8de68f57942b63b76434a7e7

SHA256
40177ffef2e70e9bdcfcc71a42dbd5382496eb725059551fee2a41d8921d2dd8

SHA512
a5c7d873a729a184a82de8a734d90852bcc4316432168255ea63fd408bfce142a0e807c93e1e4f108a851b5e122d945274b2b3e462d0e53cc8b9570f354d0d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoYg.exe
Filesize
852KB

MD5
2a3bdc57af5c2335736954f3257f16ce

SHA1
ea934e3457b4f88b088fda1e549c18bea3cdfd5d

SHA256
cbfd0cfb7084a49eec7f297252cf9f750a9e7dcba92f14ca3c163b76e09d5722

SHA512
417d45e2b2e1c919844f41df65833c3098c77a25c7706364b8b07676b9010ce602f5354b91450ef20a3163d95d771a1bda21e6acef75967dfd7b0e85e2f9bfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsYY.exe
Filesize
190KB

MD5
a9f1607a718a6da373698f4622539dd8

SHA1
e27ce55f9519498fcd05cf6a4da19fc864ae1c92

SHA256
2fd936c495c4391aa32b57385d2b2547770fefc9435f7d0c88fb497eb306a6ea

SHA512
19cc4ffe63a8f9147a1b1484467c1ba26763b81684030cd841eb5ceecfb791729e6b2424dc63a24f1d3f25c36696b192b74baa99d2ccb129e438406639c7bbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogki.exe
Filesize
204KB

MD5
3e07c2d7c7949f9048fb12e1fcb9887c

SHA1
6d225cc891a48ed3dd8ae8571ea8fd9961694f66

SHA256
68387bdbe188cc8d10c2babb05079e24210d91992a92abd5dcc38e77996cd6d2

SHA512
e99bf49e5667121475585dbe9d4ef52746476009103549466b5f4fbd7d82c12750f1f093f1879c5b02369b03e6d8c8740c24e777cbaf3c5c587dfad649cb54c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkMC.exe
Filesize
205KB

MD5
57d18f3b7b214da992c2659cf1b6a9cb

SHA1
8eb33afe38efba977899b987110a01c89a0cd162

SHA256
349d8f312f154632bfe4dd736d8f2d1e4ef15e6e54fcc25d315e59ed7244c572

SHA512
69d43fff7d7895da4333d61fcf43d300c6e9e0c75610013180e6ed26f82a3a3a94ba48976777664bb09b2ac83fe8daa501fc99ea74e3e2ed910f69f9629b250e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OscC.exe
Filesize
437KB

MD5
6e89572a74199c45892e66096f226063

SHA1
3f936e05384ebfaae017a3f872f9ef6cc57fb331

SHA256
9646a972112b8bb1d394b6a7e92b5808da6bafd47ec81dd684dbef549860c3d2

SHA512
89d486e65cf5eefe2a7ce554df4b109d5e6b67ff24446ad6533e1c1d31f8d1f9c88edff184c86b2d24154d5975f9d2668f84505348435883d1957ae9c86cdcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owka.exe
Filesize
775KB

MD5
295c5eda6d43ccceb295e22e9e4999c6

SHA1
9a46672d51ac21d410e85e5a1a8e6251180eaa0e

SHA256
67a2535ecef9cdb81498d0bae7007a8e52258aa0ac00da1265ce94875f0dd9e5

SHA512
1cceed277f2c85183fbe849bc5c774d51bcc3d66a5ac9f10e132f99b9e3e801e425a9d01cc90d1709418d182d8c0b724abc185578fa85fae0f91dded2d8bdba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMwc.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUUU.exe
Filesize
324KB

MD5
1a47a53a6668a24bbce28479347d1707

SHA1
ae3701f013182ac9f7ddff75a1de77799745958c

SHA256
30bf3dd15a7853021945e1d2c4e20332efbc8e1fe8f9cfc6fa186e31d9c69236

SHA512
93081cb2de175627e7d4bef382904e94bd19deba41f34726dcab3506a18e5d0dc2cec9dfb6f9614ec3f0fa76b6d3e2801866e7ce817fbb738f6a1ac9a755bf94

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkMM.exe
Filesize
181KB

MD5
201137b6010b2d673d0ab121e73f2273

SHA1
56f0acb9216c1aee62a3a13fcdd9454ee5999dd0

SHA256
de736d403f65e3550407a82843e1391d3fc8f3a5170a9c1d1cc4d2fbccb32d1d

SHA512
ccf7e6c5347de53a78b2d41697497638611f784f8823d4aa675f6be5156b955226270530e7bfe07adebb7e679af762d968b7629f8ae320b1777adf71e5552f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwcG.exe
Filesize
447KB

MD5
ed5c093877577cc0f122c0d3ea09d254

SHA1
d9c3cf063908fd7af402c363d52844c1e7140fa0

SHA256
cfdf7c588591f34f62f26801df33f4ca4a5ebb539812141c3e63019d0e02c592

SHA512
b782a7e1751b4a908d1fe85e0a9db7d5e1f97d196ef5596b1e47d3aee23f0e64ae48c28e2fb74bdc46256ec03a68732a0684819e7a5dc28adc9cf496fd1e4c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIQY.exe
Filesize
409KB

MD5
752bca2ef26618993b22d1dda261bce7

SHA1
16bdd63717b088fc33d391677fd4b18c0be1a830

SHA256
f1118da71023cee04ab559809d40308f3fae4c23925f053e68c396a2c82a602b

SHA512
5a71608df425aeb60e68171d53a64fe2cf0fccc0ccb2135a28afabc3cae02f0e11c66c41a71e644dd6909dd1da26943eadfc5c04cda83d7a0c76043ddaf2f261

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScEM.exe
Filesize
5.9MB

MD5
6d006b6de5969149ad4f3010cee06b90

SHA1
6d53634d24371d41c82dcbd303e4a5c1f4563392

SHA256
4cc3c6c6d60d471e8a72f6025bc7d4a627e2772e05dbb1940a21f679e7d19ee4

SHA512
52ed94fcb9d63aba700fbbd63a25ff299bdfeff6f86974d8bd12dacbf30cb7e3f07ee95ee479258b084dad599745b0cde2593e200c1d7002970299f92874468c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsEm.exe
Filesize
834KB

MD5
a69ee8e0241f1503f89af9dd62adc456

SHA1
7c3c221b207bfe2f02a09c1cfcf2af873db612eb

SHA256
ccd6e317b1869c2d9687e1846ec5015ab8158ed1f5f92ba33aec8556f972f76e

SHA512
9f330eb74cd33b8a89171b554550f70ef6a99e3d337e5daf8a2531155bd9d8ae3866a34a8a5037fe753876c72b859ffc96ed0e6222b8acbe5477d2afc16ace1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYsc.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwEo.exe
Filesize
199KB

MD5
fdc1cf5ac3d0e6709d8de9bc8663f9cf

SHA1
710ba0c144edda411c0b327eba0797bc15a69ca3

SHA256
8291d534c75794e4bac18395eaf7c520aaea73f1453443b258a7b2b730777ecc

SHA512
86c66d826ea987582fbe6cbb5dfb4b04a9d140237ee9532870a8be0acdcdd4ad7abfee646c2786572d45dc3f2ca5011f1407c67b1acfc2859a709a34766baa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYcQ.exe
Filesize
247KB

MD5
dcb4f635f2f8a09e738596ec04e702f5

SHA1
fa7db4d6c2d697e8154fe75a3f999455713a4bbb

SHA256
4d1070671cff84b1f28114f043d0f460313d30f0975efb60d2207858823e7396

SHA512
c779b1e784b84245012044514478e51d7c481470e87b67b35d39f04f79ff84687690757dbd176905163605966c451d0836fcfe8e1f71cbad78b9fea37b7de0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsMK.exe
Filesize
188KB

MD5
607efdc4739335d1bde00b1414ee451d

SHA1
def9631efab1ff4efcb5f1553afd316f58f78b8c

SHA256
394709ed5028670a1ae69ab9e341c7a2f413e480240580a554aaa02b9a7df024

SHA512
5971b5d847800619a8542a17f297a2fd2abf68b63420433c6038b420fd121f75455172156b4ad6902965b6d4f887fd603ec949405e7a84ec7db83d0a3352c636

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEUu.exe
Filesize
212KB

MD5
1cd5754775396085ebdff6ac01288677

SHA1
6569d501b192b45f5a1902462fa2e17da0838f01

SHA256
6f6231f118d62d41d358b2f2d1468d138369ac6799217d0dafd39ed5fb37d47c

SHA512
c41c7fd276330c015c3a1ba0e2fa3941859435e45bbcab547b24f87470e1e92895d9c154d8f393104e9d48d36dbcf308ea5d08efe6d2de711b707cbce1c5883c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMEs.exe
Filesize
736KB

MD5
0b5b6c8f50fa6266239e88dfeba8f2fb

SHA1
b80dcf5cda6669df56fb22ecd2cb63881e6f29f8

SHA256
a346960d039a586de00a68be8cb0e81e2fa4d795b672cb61e66e8cbd5f501cfb

SHA512
8f847174df6b12a9c5e5a5ed57af190a55a0f5541a65f9933d232048a96e49a7e2ad53dac2da4817f247038ee9a90f5b3a516e61a29588660fa0db4c25023b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwwE.exe
Filesize
199KB

MD5
9bf67e00614d603d558f35c4cf994566

SHA1
9be0cf99092e1597abd51a17eca009e1acf2e591

SHA256
7dee476a841af963988aa86748e92859ce69de93c680fd810fa2e2015603f276

SHA512
ee4f4ac13c8fc8b92c97164d164df0942a13ae4cd1511f3c06ea7db83d2ceeb4aced2bbf64545787ac2121d0198a674f1fb03b9915d1dab979baf38b3b611866

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMQg.exe
Filesize
191KB

MD5
65e10aa5fdcf28f42665bad111aea100

SHA1
00219472d89edb315f417fb1e8c7ba6bbdc893cd

SHA256
ecdc6241ad037bcfdf2262872c1e42aa83ce58ba10cc4273eda32f29abc979d0

SHA512
bc9ebdc72e64f85ccd544583b2b6c94456f1a28151c68b3a75bc1306837fd0349903da02cc0f02e78af950b8dc066587286ac9561665e10b0e9422245f719e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\aksg.exe
Filesize
194KB

MD5
8344374fd91411ac0fb73762075b9da4

SHA1
2ebf8b653849fc2e2af5cd6c6ebb70d3bd438998

SHA256
0c6f6bb05db1cd95532d74415aeba6f62874bcc8258e3d14372f25b5a83bc7c5

SHA512
cca310690c7b3fa0c165e7ed19327cb522d3b4387f6dbcf89922c0cf1d094e8df49e812e737bceaddd8a870c0c4660d4854a2e7e040a6fe394196e8624a9e0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\asAC.exe
Filesize
851KB

MD5
77a4f75790de0beb4bd5016fefd3fec4

SHA1
af25dae3e165c4601a59cf2c543678193196f538

SHA256
369354b395e2c149d09803929fb9293bbcab9705fa81674e6b41aa4f29d7f0d8

SHA512
01f1882b117d36a69b3d7586f6d573590064fed452e7254bca3340e0cfe76c0be197cd560c97eccecc365a163a57b2ada8d28cfa48b3ecbb5567b7f8fd07269c

Download Submit
C:\Users\Admin\AppData\Local\Temp\asko.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIAM.exe
Filesize
204KB

MD5
45c6db3bffec9bcdb7b767d5a865efcf

SHA1
193cc8904e3a4d092494807e34a09ced4c14f7a5

SHA256
d60f82670d39f312b20607e3922653bc0455b18fc5921b3568b1f572082de5d0

SHA512
9cf2e25834429d0e2d38bda8e24b3a3c5a8554be4c5b0a43beaae20d352c82926a720d50e1209883c4e1b085e6fd491250fb707d219c0330f885713008409270

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMEa.exe
Filesize
205KB

MD5
e80e89d97edff119674aba3716072b88

SHA1
5e301abbb005da7cf9bf0e7262c04584cdb97304

SHA256
1d2ffbbc88f963548b36e42a8b041c9f661304a621d2f3340b9cc01939faf9d3

SHA512
32e55f524bdd26f7b756b9f37976b99ae41d1210f96d2ff6c8943af448085a213f922cb734e24b389540eda255793b7d19118a2784bd3cc5254c10ce4511ef60

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMMG.exe
Filesize
200KB

MD5
36bc9705e67ecb79b8f497ca5b072aa3

SHA1
eb944746a3e9b67fb49a2d5c51aa056310ed8bed

SHA256
2a609117f0f10a8ffb75ca61b38fd281dec761472d5a3b1bbc71fb69f199fb7f

SHA512
aded5237dcb589d78c45b78bb5c141aa7f117d5295ac16f07e45efefe8174cd3fc7343b8a6ca56bd66b14c9e909e08d5148dc3be7cdfda12a0cee43e1e7cd029

Download Submit
C:\Users\Admin\AppData\Local\Temp\coQY.exe
Filesize
789KB

MD5
15fb17b1d66dd577d1ba56d51339db32

SHA1
e8970b4b123060da487162c413ff65f9baba6170

SHA256
ed63d911157d3949742edc6cc5cd5ff910929821c31e2763073aaecdaf444ec2

SHA512
3f73ba0569d20c3be3acaa208a8d17199bed7f4b3def6170aa16153a675e508890a18562a237b46d7278416bfc60410dd1348ccfb5728f044635e63f0123e81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eokG.exe
Filesize
187KB

MD5
b23c5d0219bcdf799dc1c178a3d494de

SHA1
617828416dda3e13af168d70dedfe8df7699c86b

SHA256
7cb7d7742af5e3cea2c201ada21fee21d10ee839a9fae8eb7b0f0a6a06e8f904

SHA512
1c2b745b92724a28b8d53c2c1781bc2f3abd28089e69264c03f4416c951f2115148d812562c4bb8e24c12628075824b997eccd18fa177e32af39f6c4e466bca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewYc.exe
Filesize
586KB

MD5
80a092c56b704045f563b9d4406773e2

SHA1
3ca52229a4dd356c63d3e777d2e9dd9b7a0803dc

SHA256
efa82c5717c8d3b65943d7e9ce3edaedd509e6d9b2c6aed26b1181968a17caca

SHA512
04335694dd9aa1f516f456c7f5b1132ffc44e716c0688e3413c9d12ac3bbebb1f2c9270d29f2677a87036dc43b4164ea72b4b4c4c3e551a51ffb263eb4b77f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIcs.exe
Filesize
204KB

MD5
04ef0b804e528858ef3ce9e1bad1394f

SHA1
92a20a4d5584fa1f4064f5fedf35d7be2e4c6416

SHA256
d60e6ab84b0389553667ddb94fe73dcdb5b0dcdde99155b32c7096ad0f1273dc

SHA512
b02549b94fbdb0a85055337adafc021b354b4876357cb3deaed264158ea65be3d105d64a55cdf2bdb295f533bfc19fe32390c8a6b3dbc06bb34fa5df42ef7bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMYW.exe
Filesize
225KB

MD5
6624bb03dea0632bdfdc15169918b01d

SHA1
9eca7311fc242a0427f9f4186d45477fc34d119d

SHA256
cec11d2df01f33176e91d0e7694d6a8b207727c439a947ce634b2f4eaf5a0ec9

SHA512
9e0a0a24684a352c24e4fd8b805f78c2009fa9119d00653d94751b92d6bc4298e024679632004cff8a3278bc5a0b5e04931db851b7b43e079d71b3a4c492a2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUUE.exe
Filesize
445KB

MD5
15a276d530f2d41969c963ea74695eed

SHA1
ad1845f647c4e68c6b074df5e55f4a5aa132bf15

SHA256
4ee94794ad11ffb320df368124f6884855c3948e64be606b26fc0e097df95a5f

SHA512
061a4b06a7e6b33d3a355b78dea6ecd1d356ea02e71a2cac2828b7dd19d5cb946db2022486eac15ff16dba8720afaf341b085d0d4e8bf6cff8ce4c0850aed029

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYsg.exe
Filesize
263KB

MD5
5952b9e0722fe33f47e864b11fa02a0a

SHA1
67ed1a09fd01c161c7759f11c2b8e521403f366b

SHA256
6dc5a7ee7782699040ec8518274b843ed2207575ac9ab6e83f0c24d2f81df02e

SHA512
f0010c2ab6a2a62bb1799d232bd1c0c8597bcdd4f2485e036e932e226f82f1efb2e73dee80bda4ea60634edc3aeb60411111cb9425ea8066f31182aa47c9e57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcMS.exe
Filesize
324KB

MD5
2b71f9ae04d1adab3a9596cc36ef07b0

SHA1
fee624cec5086ae4b3ffbd61cca3f4b4f2c942f7

SHA256
4192c3d7e50c8b7f99980b1622cf459fd46e15632d50c7a0b698a367e1167d46

SHA512
615860a483334d8cb42f477216feaa89777cdf432134c84a23d70cc8600696e284996fe5f1d394afb9e9fe2d4d148c559d3b44a03ce9e159559715ae115802e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkkS.exe
Filesize
684KB

MD5
3785beeb540df4681cb9cff41100b2a1

SHA1
39b3c0dca02726573a89ec1d2466189f5e855e4d

SHA256
1aeb3384bc7056ef35a88d59176391e5228c3afb9d0f7652505213ec8a8f605f

SHA512
4b751f1d71c95a5ab5c4a7d7f42c0cc42bba49d16eb1e2f2255e5b45dc52cc5e4b7eb2e3c4c858ddcd0d84470f38097db48b82dfbb1e94ed54a5ada211a292c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwUo.exe
Filesize
775KB

MD5
36bb8052387c5fdf397e0117191fa48b

SHA1
fe2d272cdd46413139f409d402ec36d1c21f4bed

SHA256
fa9a133cc56a96572982f2aae7ac80d267b08a5c8501e1cd65e38f4e37da0450

SHA512
eb2eb53ff5a9d4089dcb0fc2139a8864c09d43a815177aca9e3a7959cd88c1d058e4f750c042ae7489fe029e7e33a35581ff23c8cffe1a48db5105102332cd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUsa.exe
Filesize
208KB

MD5
d2ba790f27f9f1fcef8d486d75b7130b

SHA1
c4544761df4e64d80b9c5203d977bc29dec716bd

SHA256
68849e2368554c171386247dbeb35baae559c6176405ec3dfccea246b6949581

SHA512
c0d27ba92922981ee76a12f48643bbd738ec0b05e6d92a40ba1fc7974051196cbf2c613b5a2f1c044b83ab2cd39bb8103961fdc0757e2dcef9bd1c7cd4401099

Download Submit
C:\Users\Admin\AppData\Local\Temp\ickG.exe
Filesize
5.9MB

MD5
e5dd696ae79cde69866a5ca169fd8912

SHA1
f37adbbe3c4b39064eeccf24d7bb4d8cee71b043

SHA256
556fbf711b59ec960d409a5feefe1005ebba30aabc552399a590115af555604a

SHA512
4c526719866076d668b92ae35827dc9b3fc7b63862281151fc3cd56a18ae7c31a4451fffd9beb7ae4670523773cb69547ff5280a1993971984669a7cff8e6ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikkA.exe
Filesize
212KB

MD5
b3154353e65cd23ec0377fc4fbc52b3b

SHA1
632b3f1f9e1f94fbe1345417af80533c929acf34

SHA256
bff6dd6fe85df938fb36ddf1f23b88c212cc21510ece31aebafb0982087e72f2

SHA512
b080a185aebce8b3b290c595d8c38270fb8fe0d7862c25d06cfa177ea744cfb730821d8f84bb40396a07392c7c85a2a2d70fc177aa61b4ea39c59e857eadca39

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEA.exe
Filesize
1.3MB

MD5
84c6fff18634f0fa435763b40238b4b4

SHA1
58f9b6775755aa5f95d602c4c3fd14bd9773b423

SHA256
50ef092da76dbe38deb6e7426d21a560597068e4fff6e96fdd0989e76df28638

SHA512
b3d6603a0a7f0b516e0866ec845c79797c982a6851398c516873706993caddae829d2e9f6c5b17b30c2503866fa2c098e8ddded34f3392acbac851aa000534f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEIa.exe
Filesize
831KB

MD5
47458cb20dbe95427e634bc4a0c15c3b

SHA1
a43693444f71b4ebfb532415dd842cb76242c608

SHA256
d750120317fd866c977918b5b84f24efcb985c916bc00e9513859783e46bfe23

SHA512
7d7fb3caf352c546e57c229c49f2deab8ab56f587aa2130181b296b06b26ba6ab9f427d69794d8eb44e73f5ba101bb7bdcdb2684cc98546ef71cf16c34dd28c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kggE.exe
Filesize
635KB

MD5
181ed6aa1a62216210ad350a1ad5fae5

SHA1
2acb8cd13ba0177c8ac1d6f09773d86949fe5be3

SHA256
4eda137628db011fe5b23d0ab32935c856cb797adae74828d3c64036317f20b2

SHA512
4a5108070416a377c20a7b198e567bf41579cc1ee82f6f3586ceada97ac3f3c5542c73f122864621e3110a3e06a81ff88474368b348225a5c025b866eb1215c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kksQ.exe
Filesize
699KB

MD5
41d87337eeb5f17c82ba6eaf07c38d3f

SHA1
fb59c590bdeb39421822591d27d19412c9ca5f96

SHA256
863c67eea9be86c7bde5409a1bdc5e6c5629fe5e4a629c30d1509d1b67e188b7

SHA512
416a644f4ffe2d91d4b7823fc45858d83be30bfca0660b3d2864a89550687bb123784e1622079ecdf223ecbe89a2958c7d88711533a369a5da1dbfe79eac0ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kssg.exe
Filesize
620KB

MD5
3d4b6f0bafcd7416f3da7da63b436b53

SHA1
d209eded40c1a30721b9acbc4accd77f9fa25dbb

SHA256
7e3fbb93a9d5b2666af5ddeab05a8437e01dbd9d9eb26e8c8552ef7b416c90eb

SHA512
5a57b4bac43850291575ed82dc13750437fb15873629358161604ed32651678e800eb80c552427df10e3c58747999d620098eb124f0a1c7c8bc6b8d7cb23775a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEwA.exe
Filesize
201KB

MD5
ed116f1b03b0c56f15b4e616ba92cdea

SHA1
8cd33943eac704f3b55ea4b3497b9f4adbc6123a

SHA256
1c716307de1717bf32473ec75e25d643d16bb6508d2267cf890f97879a6a47f4

SHA512
ff3d57ccc57302803de2fd31690feb6df5abb672ba787614299311b1cc67363ba46dd738f2c58379d46eb8548a9816155bf29b5f62f19534d77044d15be5090d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUMW.exe
Filesize
185KB

MD5
e89a57bc909262b798cf6af233ae4748

SHA1
be92924f86df1fc43957ddfa1cbec0c41f8e34a3

SHA256
31990c71bd182ea61488bbfbaded62491b33aa7910d8561094c89cb3212139b9

SHA512
8f72bd291a9ea90e49d8a9d314ee4f780ae7fd89977650b0ff13b7cd785b28d8b2c1850c9eab56ce026a06ab3a2be2c2b79eaced80000e92135d3b060a462f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcYK.exe
Filesize
628KB

MD5
f3c39b209ac46a48d58f3ab0d56b421a

SHA1
8aa616384e132f196e24b12088d53a36fde6f3d8

SHA256
55af9326ef9746b82ee9d006287f1fc752dd1dfd94e06c6e8c48c91a5bfe3254

SHA512
437623458563fa6fd67c92e598f569cc8aca19b76e5ec75c0c581a49f5ae6893322db6e994002b76cc42187e4e9c653d0172e946654fe9d1dc39a95215251245

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEAi.exe
Filesize
189KB

MD5
0a8685f232441b563476b98a40095a3c

SHA1
421e2ac28d49fd224c53aa262ea7720b81080bab

SHA256
f5ca6087e8c987a0d846f06d858097c3ebd242e85e76a33f16f733238a591bde

SHA512
ab36a45076ab7c22821be320200a30540ef704ffb6edd12965d81d0965a3e65254a8751fba5611d33d8f735887b18b8999483979a3e940b5dc5a921bd35a878f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEkM.exe
Filesize
197KB

MD5
10d2bb92b2a9db6fcbb9313d7e4179dd

SHA1
0be95161b31d50b85d1a0661725e416fa3d36235

SHA256
5bb544c4f467e77a8956375e0e989c15fdfb4b1b55d85ea92a0cc96328389ea2

SHA512
950965b28fda369e829526bdaa8b499852d215a38b14e7a5e4863aa796cd01fc16f4c7c08ea8aaf3d08174a6d9be8f4c594e2cb7cdc00ca039461989c747e3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocQy.exe
Filesize
201KB

MD5
d2438b2af42d6b65c80683ed745fb8bd

SHA1
ea1ffae21ca4f5dd6f66c00b879e68cbd4792325

SHA256
925276b888b532179455e905a219460a45bf957750609432b11bd43b8291215d

SHA512
cd41e2e718a75d2ba38fc06e5243af5bb5879830ed616ec7fce928f88209954b25cef6fd1635ec87225edfb6d3db7f2b020f392c7c592e7210f032ef69480fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocos.exe
Filesize
197KB

MD5
ef11749714be8423d553e53e0620b272

SHA1
198cfa03344c099225771c4902b52167dcc20553

SHA256
1d080c8b5d14afe22de151d124037e9125efb3e28dc192a2f6411d92102f224e

SHA512
246a4be96f7e0d471b472cb7289916724a97970466737dd51a6dfba3936f2973816c3f5c6f4246de157c3d229b595f667b89cc05455951a40c6d15370770fa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\okkM.exe
Filesize
323KB

MD5
2dd0ba2c6204c9609e5f6ee814e40a07

SHA1
b54e07e5189a9a2099bc1b4fd5c7c2038d2d4b75

SHA256
01686d305b4a2d007628891675f9cc064e1df23bc35e7150c9f17ea3f28b99c4

SHA512
d3722c71ab38f03ee17cb57325067cc3e9a8e29e0fc167509a80e25d0ea79eecd67ed5f5fb92ff1d3ec323efead3d7b38bf25ae1625aa9fd4cdf0afc8ee3001b

Download Submit
C:\Users\Admin\AppData\Local\Temp\osAm.exe
Filesize
573KB

MD5
167138790cb53ef21f7bff76b6eb2a09

SHA1
e82ef3f5d27c8289b7eb35685d8526bc77349c5b

SHA256
887c914a12fe0226af38bcae06bde95e017beb67bb2f9b44f3ca41fe94cd219d

SHA512
029ab9a3d61c3467c9919e7392f2b272d1795f81c79d6d5a12f649290f3bbf4dae8ff8abfa3b534161fad1f77a317a0775f2bf4247a600ee444e9cad816cb9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAou.exe
Filesize
808KB

MD5
cb0a4a0f4adc61a0ae52758c45cf4e5e

SHA1
636bad526ad403902df5623a1f21b30bf6857630

SHA256
5f51870c570834da2401ccc06d8829db0d7be5196143842040b63dc0ecf38114

SHA512
cdcb4260ed52a660418699480a000d7b6279d5cf86c30082a0081d278bac31553b6731274ea69b837526a64a71547f752b6f5e22b43fc661e7278c00c33b03eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQck.exe
Filesize
204KB

MD5
b6b5d47c9988bc3eb1087891595040d0

SHA1
59e4e8639f6060f166ab26bfcdb9e1fffa6a97e5

SHA256
08485266b3cdbfbb0ceb282be07ead9cae52695d3bd3d1337bc1dbad4ae707a0

SHA512
6987c2bc97ce9fafcd3c275aaf11d0ef50855dfd438923a614edf497f3c2cbfa7a9e1b6f9bf1863e07ccbbc9de79f383abd995ff1abdb7160445284d49db4ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYoy.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcUM.exe
Filesize
181KB

MD5
6d4cef7ebae788fff901e81ab44e434d

SHA1
97df15d8ad5bd0ffe07a445106206cca9a7731a7

SHA256
541deee7a43cd8a0886f911d4d9741783268f8cce37765350b7cb65f3af252c9

SHA512
60959e374f2f033dab72007ee0ff042c25874b302170088774a147dc08df4492cec552604a7cc1f192b95ae290de1c1193a1fc8e838e0c0a9935112015e2b85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgEe.exe
Filesize
203KB

MD5
c0f5500aad9c6d167ad6f80f3b428228

SHA1
5f69b4763cf0a6d70a15360261656c8a74535f4c

SHA256
485ed0e0f07cc3782ce59573244cbcb249af97f483ec37903e96779cfb484973

SHA512
832f36bd89bab67fa6479e134f57034c5de6d45604c3b47cb836437a4353df638838db663d593040ffc377d5659f32fe76076a87bc8faeafef76070100d2d6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkQQ.exe
Filesize
827KB

MD5
95e7353b7685ddec16a4e7ac189ef9b7

SHA1
5d4b53c2e9addab2b095e5a096aadbe299a823cb

SHA256
9f160ad932319a71938070531a6851fd7c0a8d02c273c6a0554ea7845caea50f

SHA512
2403ba5b6a1bc02aef0d98daaca606eeb0cb2596e9a7550751cffdab5e837b99b999e667db8c1a3c0046ed28a28a2e1bb4a2b04cea1a95bebc64498bb268b573

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMcq.exe
Filesize
191KB

MD5
7ee0a80566e7ab0766b045c50c5f3536

SHA1
2bcead66cb3be0e7c7bc4f9779e8050d1477cdbf

SHA256
1634bc0d5dc6c1c851f8d3b82628e3ed44ff24ead4a52777c1bfa74c42fb9773

SHA512
5d12908b69ebcfc13d58d9de5d7eb053750f81fd7306a305b2155fe7d97e88d77872e561c22843878f372702ff0670c0767a3202920fe839576f095d7acec4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUMG.exe
Filesize
183KB

MD5
3b7856b2a0a2b08fe051a6634da6be6f

SHA1
00bd2c367d05430a3fef9677ce674dc4c1f6926c

SHA256
caead5faec3f170da5ae70aa8fafd2f964e1fa2820edde7deaee2c8720a57df6

SHA512
ee6330e89bf9316e117b338174b8eb24c6c9ecbdbb9faeeabeb49c540e9a5e1398f768ea3338a8e7fa3181df38d34a2800038b02a37443ab69ed92194e8928ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYAG.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYQQ.exe
Filesize
201KB

MD5
4f6947d3fe77b8abc5f4bb2d35608858

SHA1
cd23649e33a51b608e6f8db5be24a4a8b2dad69a

SHA256
4ec79e3cd1462622bdd865bfcf56c41a5669cc40f0adb4f2cac2503f41f5d882

SHA512
a000ed19b52e17cca408320f7e79c0fa5713f4efe9e0151ed2e1cd8e8458c3fdcb1d4aa8bb253171e4f90c759eab7123d1b5cbc9193583b1e852dc1f554543b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgss.exe
Filesize
198KB

MD5
b78e634b50d86fdf8a5e7aa39323ede0

SHA1
1fda6c538e34e210fd2a02f31341094758f5f41a

SHA256
b833543c7d8485fcecc608aa5cf3c34cc791c0e9edf2025026ec71cd9e77b2b2

SHA512
287696eef789ac62063c60f9b59c502b2204b1cf3942d6c64a93d2e0f491ee40214eef37fe43402231bf9e09d5a7a8b8ef1e6cd605f5583646b38ffdc4e1bdc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sosa.exe
Filesize
639KB

MD5
375c5988a0da049a787707c78867871a

SHA1
cd94f41fc21106e5020d9ada4c6afb2106d9f446

SHA256
c9672770d57f8465032c7041e159a5205b46f8db1caf8e0cda3d7b9d638f21e3

SHA512
7847cdf8813704d1a5cc169f23193a96749a55766ddd7ca987c3739eb7c23d45ba61b9ba51c2b8b3de1f815e435937036768ba6598c83fea9151d327a55c194b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEoW.exe
Filesize
202KB

MD5
a2dac91200f0530436f23b42722075aa

SHA1
32f36858a6ddf4917339044a2d5b3f5b7bd692cb

SHA256
90d6a22b57d8d7ea0fff51d6e73192f4093db68b1c4a56b0159096fa3c518e77

SHA512
b97aa724042ca41a9d64d5914ce9b641a2236f03d936e5e3c2497cfc43910f5d11cb011174d80f8059aac6068f848aacc6c7cdcb72dc18e26587dc2b4aabbd45

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIUY.exe
Filesize
194KB

MD5
3d57046770d1319f31ab55f6265b9e3b

SHA1
d0f895a03b57e928bfde8481f4901e18ba56c497

SHA256
4ed5c01c1ca80eba313fb4898f12c45acaa0cb48cca2e6102a495d747e9aac38

SHA512
57d8b12b5e053fde962f9d4dbea84f8b369ba8ad2f38ea67c4a445d67cf4a156de733bd1591350417cc48745d421a2a81b72f5122eb07994616006723377354d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAsM.exe
Filesize
308KB

MD5
62889b08278cc6ecf55c4bddd0bc6733

SHA1
4825853dbc16920dc92e21bec53d903d9f7b3517

SHA256
1a1939111f11962ce34f1db0bf5c178462b1dd2f3bd3cbef231d0142b6b8936e

SHA512
dd16f76ea745bfd6145533d4526100f8b890a986f5b9a3f6565e31663679b7a7cbe5a48e7c2c654c3d483ede271fb56c803b4dd69e22f4266e4cd4a4ff2955a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkck.exe
Filesize
205KB

MD5
152ce2f06d6b573e87aaa71768ec82a8

SHA1
825598b3d38d2900dfaf58258b5653b4620cfc2d

SHA256
5889132a83ddc11a837ec410abbe1b8a7cbe171a0980611dd24239442b768117

SHA512
9ce3aa936e22a2793e06bde0c3ef8662443a40e93dd83ff92e6267ad444e1d6e10f97585661c24aff8177d6f067821dded6512f1754d2d1e1b2f11e72993631e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAYC.exe
Filesize
187KB

MD5
b805c30a46d97831e9ca4a041be0775a

SHA1
3f93a8a3853b13c9e9725889907d6020024e251b

SHA256
3be42d0b6e74f99f16c885abe406bf7220045bb5363330d8299f77570fe84097

SHA512
6051171622c7acb9fa958439614dbe301ee60aaeb5663b2cb7e8419e3da937aa2aee11d245c233cbae73a823bdeeba379e54433e116b592ca24cb68c0f0f911d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQUy.exe
Filesize
198KB

MD5
7387ff978820b2da368c89b280a5da3b

SHA1
770fca280cd4c3ef86bec1c88748362f0818188d

SHA256
0ceb63a2173629e835f26d521c7301c650e97bc47e7fc14dfc3af9a167a63ff9

SHA512
3b2dfd42fd572a42babeaef826452f596bbc18b892eb08c5bf293c6694a0a4d5fc661a7ca47c7eb021f36a3fdb8ede0086d7db501d8576ee88300d2e9d964f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQcQ.exe
Filesize
334KB

MD5
bde4e0c49caee3cacbce6a0e2da69898

SHA1
08cde452eb3b7f51dd50100726c633e51c9bd6eb

SHA256
375daf57ce6421950267d37a7b8621c84539d8eb0a277cec9abeb9a4923204c7

SHA512
4fa8d0d99ee5cdfab375f78d37a840e2c06ee6b8f1b6fefbd020e58b19e5bf2e4b6e3d9be7c081851389f8e42da7df7b6728db9961b2193846013a944b55584e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygsW.exe
Filesize
207KB

MD5
ddf3a8d364e8c38d888e962003dfbf63

SHA1
6d057960a0e41d5fc97a22835dfde9f651ee7b3c

SHA256
2712cef29c530e7e5866fca0903692c069231b66422bc035d8e9f88142400f98

SHA512
9c04c38204fe713fff68dbca100f4c755dec68dcc8ebc8827775f343ac519ce1daebe56199bfce07f5ad5efc7e281d9b17e51726ec33585c5917f02ef8a4b8f4

Download Submit
C:\Users\Admin\HGYoAkYk\dwUkkgww.exe
Filesize
202KB

MD5
a8749b824f70b93a5a4abdbfe06a6f3a

SHA1
f21f53e03c6192ecb41ad430ec0c1f2b66568ae4

SHA256
939cc38a12fbb718f71c3aab4446e3341cbe6ec7d44d8da5652f2892cc751572

SHA512
2eaa6c1e8b2d60072c3d8c7d5986596a782c68674b0958adb547527a96091590750f0b75add4bf18677e7ecc8eeb577eed6807c8011813724727576839fe1c14

Download Submit
C:\Users\Admin\Music\ShowRemove.zip.exe
Filesize
786KB

MD5
bcd710e59eb0644626a274e324a69aad

SHA1
299b2514d028f5882c80ee0f2566c6c8781d3c88

SHA256
2c5ee327e51d844cf1432742225d9b805f853ec404a4d6539c9ed7b921ab0d3a

SHA512
baaa83d566647016f2079774c3e98ccf66135b48a16d30a7b247c1044653708d13895e646106ef2c5a6f1f5f23df2ffb499985c49ee1809ea6964e45744fddb6

Download Submit
C:\Users\Admin\Pictures\ConvertFromMeasure.bmp.exe
Filesize
622KB

MD5
4fc481144917436610ef74f7e33bd06d

SHA1
5c83889808d82d4c7327af15105728aa58f483a2

SHA256
1dc09b29a2c7186d0486535891004620689915bc8eb8d1e3770d0c05cba370c3

SHA512
2065b2bdd5e183bde8bcfa4b27c5b07335f1caf62a8c5184c33f316e47da4380fd0b66d622631ae488be92b50860c85a649fa5bc4c9e4c71890ada21a11e0437

Download Submit
C:\Users\Admin\Pictures\RedoPush.gif.exe
Filesize
521KB

MD5
db7dd8cfed8ba32aa067d6e978d6a318

SHA1
931db9b2a3a8a6b141d5072031c414e2e66306be

SHA256
9b7027fa582323fd42cfdba4c4a91132678070ae4e9d6adf2214ca3fe9787e84

SHA512
e0ecc9c55fa2bbda335417d3f5e77b01010c7c0a46865e64c70607a296e1f2c5848e2e0c4378eb01301a8d7707f78aa92a39d4577b766b3358cc9eec9a23b6c9

Download Submit
memory/396-257-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-78-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/424-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/424-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/536-415-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/652-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/652-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/708-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/708-83-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/756-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/756-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/848-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/980-519-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/980-526-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1012-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1012-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1020-536-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1148-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1264-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1296-498-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1296-489-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1340-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1340-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-560-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-572-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1552-571-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1668-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2080-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2080-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-509-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-517-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2660-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2660-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2684-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2684-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2828-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2828-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2960-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2960-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3312-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3388-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3388-265-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3396-287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3476-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3476-234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3552-289-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3552-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3856-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3856-494-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3900-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3904-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3904-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3944-452-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3976-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3976-154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4036-405-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4048-397-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4048-561-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4092-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4092-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4412-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4412-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4412-166-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4412-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4436-488-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4588-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4588-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4676-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4676-433-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4676-480-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4676-444-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4708-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4760-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4864-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4864-345-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4868-471-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4868-461-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4896-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4920-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5012-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5012-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download