4cecb2df677c152f8e95a952c2c5f05ce443bbeaf547ff401ee66a752dfc8f13

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
Size

186KB
MD5

9d3d1c00327687109407abc8badbde36
SHA1

b6dae2d12fdd7e0d8d09e3400cb3e6274cb72b90
SHA256

4cecb2df677c152f8e95a952c2c5f05ce443bbeaf547ff401ee66a752dfc8f13
SHA512

5f02912b8607f70b1585c54ca5544afa2b4d3229767e2e94c2eac45cf0b13a289d37f5de1059d917c9cd96a68d30f8254e23c295d2abb6a49d1bb9d4108dead0
SSDEEP

3072:4axc8vz5CGw7CD4h3utsYlbBSQ8MLW4B1bDRAxe3SxuekTYk/:Rxc8vz5CGwmD4h3utDBSpt4BYWSxupTB

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

flow pid process

34 928

flow	pid	process
34	928

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fkAscMME.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	fkAscMME.exe

Executes dropped EXE 2 IoCs

Processes:

fkAscMME.exeGgooUMwI.exe

pid process

1280 fkAscMME.exe
3160 GgooUMwI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exefkAscMME.exeGgooUMwI.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkAscMME.exe = "C:\\Users\\Admin\\DqsQkQsg\\fkAscMME.exe"	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GgooUMwI.exe = "C:\\ProgramData\\NYIEkQMk\\GgooUMwI.exe"	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkAscMME.exe = "C:\\Users\\Admin\\DqsQkQsg\\fkAscMME.exe"	fkAscMME.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GgooUMwI.exe = "C:\\ProgramData\\NYIEkQMk\\GgooUMwI.exe"	GgooUMwI.exe

Drops file in System32 directory 2 IoCs

Processes:

fkAscMME.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	fkAscMME.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	fkAscMME.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3244	reg.exe
3488	reg.exe
4316	reg.exe
3632	reg.exe
1192	reg.exe
2468	reg.exe
1880	reg.exe
2548	reg.exe
1388	reg.exe
1812
1876	reg.exe
2004	reg.exe
3104	reg.exe
932	reg.exe
5056	reg.exe
1036	reg.exe
2376	reg.exe
3748	reg.exe
3148	reg.exe
1044	reg.exe
4860	reg.exe
4640	reg.exe
3672	reg.exe
3148	reg.exe
2740	reg.exe
3236	reg.exe
996	reg.exe
8	reg.exe
1148	reg.exe
4808	reg.exe
3868	reg.exe
4564	reg.exe
1600	reg.exe
688	reg.exe
2404	reg.exe
4812	reg.exe
2688	reg.exe
2556	reg.exe
5112	reg.exe
1380	reg.exe
4868	reg.exe
4312	reg.exe
3956
3272
4160	reg.exe
4784	reg.exe
688	reg.exe
2144	reg.exe
2404
4156	reg.exe
5028	reg.exe
932	reg.exe
4632	reg.exe
5028
3076	reg.exe
4464	reg.exe
3768	reg.exe
3148	reg.exe
4580	reg.exe
3592	reg.exe
2056	reg.exe
4580	reg.exe
4532	reg.exe
4448	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe

pid	process
4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
2028	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
2028	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
2028	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
2028	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3500	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3500	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3500	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3500	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
2564	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
2564	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
2564	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
2564	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3148	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3148	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3148	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3148	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1644	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1644	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1644	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1644	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3640	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3640	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3640	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3640	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3952	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3952	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3952	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3952	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4808	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4808	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4808	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4808	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1620	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1620	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1620	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1620	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4920	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4920	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4920	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4920	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4620	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4620	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4620	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
4620	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3476	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3476	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3476	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
3476	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1236	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1236	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1236	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
1236	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fkAscMME.exe

pid process

1280 fkAscMME.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

fkAscMME.exe

pid	process
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe
1280	fkAscMME.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.execmd.execmd.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.execmd.execmd.exe2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.execmd.exe

description	pid	process	target process
PID 4272 wrote to memory of 1280	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	fkAscMME.exe
PID 4272 wrote to memory of 1280	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	fkAscMME.exe
PID 4272 wrote to memory of 1280	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	fkAscMME.exe
PID 4272 wrote to memory of 3160	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	GgooUMwI.exe
PID 4272 wrote to memory of 3160	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	GgooUMwI.exe
PID 4272 wrote to memory of 3160	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	GgooUMwI.exe
PID 4272 wrote to memory of 3368	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 4272 wrote to memory of 3368	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 4272 wrote to memory of 3368	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 3368 wrote to memory of 3212	3368	cmd.exe	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
PID 3368 wrote to memory of 3212	3368	cmd.exe	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
PID 3368 wrote to memory of 3212	3368	cmd.exe	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
PID 4272 wrote to memory of 4828	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4272 wrote to memory of 4828	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4272 wrote to memory of 4828	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4272 wrote to memory of 2752	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4272 wrote to memory of 2752	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4272 wrote to memory of 2752	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4272 wrote to memory of 1132	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4272 wrote to memory of 1132	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4272 wrote to memory of 1132	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4272 wrote to memory of 3916	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 4272 wrote to memory of 3916	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 4272 wrote to memory of 3916	4272	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 3916 wrote to memory of 4752	3916	cmd.exe	cscript.exe
PID 3916 wrote to memory of 4752	3916	cmd.exe	cscript.exe
PID 3916 wrote to memory of 4752	3916	cmd.exe	cscript.exe
PID 3212 wrote to memory of 2700	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 3212 wrote to memory of 2700	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 3212 wrote to memory of 2700	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 2700 wrote to memory of 4088	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 4088	2700	cmd.exe	reg.exe
PID 2700 wrote to memory of 4088	2700	cmd.exe	reg.exe
PID 3212 wrote to memory of 8	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 3212 wrote to memory of 8	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 3212 wrote to memory of 8	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 3212 wrote to memory of 5052	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 3212 wrote to memory of 5052	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 3212 wrote to memory of 5052	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 3212 wrote to memory of 3076	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 3212 wrote to memory of 3076	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 3212 wrote to memory of 3076	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 3212 wrote to memory of 4624	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 3212 wrote to memory of 4624	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 3212 wrote to memory of 4624	3212	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 4624 wrote to memory of 4792	4624	cmd.exe	cscript.exe
PID 4624 wrote to memory of 4792	4624	cmd.exe	cscript.exe
PID 4624 wrote to memory of 4792	4624	cmd.exe	cscript.exe
PID 4088 wrote to memory of 3844	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 4088 wrote to memory of 3844	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 4088 wrote to memory of 3844	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe
PID 3844 wrote to memory of 2028	3844	cmd.exe	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
PID 3844 wrote to memory of 2028	3844	cmd.exe	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
PID 3844 wrote to memory of 2028	3844	cmd.exe	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
PID 4088 wrote to memory of 4552	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4088 wrote to memory of 4552	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4088 wrote to memory of 4552	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4088 wrote to memory of 628	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4088 wrote to memory of 628	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4088 wrote to memory of 628	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4088 wrote to memory of 5116	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4088 wrote to memory of 5116	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4088 wrote to memory of 5116	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	reg.exe
PID 4088 wrote to memory of 4528	4088	2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\DqsQkQsg\fkAscMME.exe
"C:\Users\Admin\DqsQkQsg\fkAscMME.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1280

C:\ProgramData\NYIEkQMk\GgooUMwI.exe
"C:\ProgramData\NYIEkQMk\GgooUMwI.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
8⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
10⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
12⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
14⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
16⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
18⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
20⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
22⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
24⤵
PID:4088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
26⤵
PID:4400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
28⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
30⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
32⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
33⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
34⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
35⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
36⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
37⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
38⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
39⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
40⤵
PID:2380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
41⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
42⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
43⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
44⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
45⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
46⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
47⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
48⤵
PID:2512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
49⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
50⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
51⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
52⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
53⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
54⤵
PID:1192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
55⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
56⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
57⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
58⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
59⤵
PID:3124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
60⤵
PID:1152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
61⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
62⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
63⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
64⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
65⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
66⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
67⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
68⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
69⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
70⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
71⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
72⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
73⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
74⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
75⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
76⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
77⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
78⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
79⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
80⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
81⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
82⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
83⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
84⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
85⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
86⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
87⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
88⤵
PID:3804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
89⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
90⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
91⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
92⤵
PID:4272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:348

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
93⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
94⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
95⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
96⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
97⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
98⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
99⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
100⤵
PID:4456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
101⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
102⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
103⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
104⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
105⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
106⤵
PID:5112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
107⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
108⤵
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
109⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
110⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
111⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
112⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
113⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
114⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
115⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
116⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
117⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
118⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
119⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
120⤵
PID:2380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
121⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
122⤵
PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
123⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
124⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
125⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
126⤵
PID:4656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
127⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
128⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
129⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
130⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
131⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
132⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
133⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
134⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
135⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
136⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
137⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
138⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
139⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
140⤵
PID:1704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
141⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
142⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
143⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
144⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
145⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
146⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
147⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
148⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
149⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
150⤵
PID:3884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
151⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
152⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
153⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
154⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
155⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
156⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
157⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
158⤵
PID:5068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
159⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
160⤵
PID:3548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
161⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
162⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
163⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
164⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
165⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
166⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
167⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
168⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
169⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
170⤵
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
171⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
172⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
173⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
174⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
175⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
176⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
177⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
178⤵
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
179⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
180⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
181⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
182⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
183⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
184⤵
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
185⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
186⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
187⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
188⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
189⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
190⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
191⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
192⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
193⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
194⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
195⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
196⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
197⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
198⤵
PID:3324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
199⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
200⤵
PID:3424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
201⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
202⤵
PID:988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
203⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
204⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
205⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
206⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
207⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
208⤵
PID:4120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
209⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
210⤵
PID:2940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
211⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
212⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
213⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
214⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
215⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
216⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
217⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
218⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
219⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
220⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
221⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
222⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
223⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
224⤵
PID:4108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
225⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
226⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
227⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
228⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
229⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
230⤵
PID:3392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
231⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
232⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
233⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
234⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
235⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
236⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
237⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
238⤵
PID:1316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
239⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
240⤵
PID:2016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
241⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
242⤵
PID:4780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
243⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
244⤵
PID:3448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
245⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
246⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
247⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
248⤵
PID:2216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
249⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
250⤵
PID:4648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
251⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock"
252⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
253⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:3328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSkMIoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
250⤵
PID:1968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies visibility of file extensions in Explorer
PID:764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
- Modifies registry key
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewEokYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
248⤵
PID:376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:3804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGkoMgUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
246⤵
PID:4972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:1980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCUoYwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
244⤵
PID:4784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
- Modifies registry key
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oegAQQQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
242⤵
PID:3328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqUYgEkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
240⤵
PID:220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:3076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:4464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- Modifies registry key
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lysYMMIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
238⤵
PID:3368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:5068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:1888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
- Modifies registry key
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqYQAQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
236⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
- Modifies registry key
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQsYEgAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
234⤵
PID:4664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:4436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsQAAIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
232⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:3028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:3932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
- Modifies registry key
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEosUosU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
230⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:1864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoEwMAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
228⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWEcUoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
226⤵
PID:812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:3500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
- Modifies registry key
PID:3148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:1240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQQwkIUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
224⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuYcgskw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
222⤵
PID:2312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:1044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:1736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgQgUMcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
220⤵
PID:4456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:3432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- Modifies registry key
PID:688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCgsQsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
218⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMcsoIMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
216⤵
PID:3124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:3800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUcAwAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
214⤵
PID:3592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQEYcYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
212⤵
PID:5056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGMgAMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
210⤵
PID:1428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:1708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POkQkEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
208⤵
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiIYYgco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
206⤵
PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMgAkkIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
204⤵
PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csocQcIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
202⤵
PID:1788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
- Modifies registry key
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VusEUwYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
200⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
- Modifies registry key
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQEcwYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
198⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:4772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:3124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emUMcksE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
196⤵
PID:2468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
- Modifies registry key
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- Modifies registry key
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyoEwAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
194⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:3816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:3716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- Modifies registry key
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwsUQccM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
192⤵
PID:3392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leUQYYEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
190⤵
PID:4244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:4976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:3276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Aowowsok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
188⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:4988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGYYkccE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
186⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:2548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMAUQgwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
184⤵
PID:4160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyMkIgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
182⤵
PID:3648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igYwQwos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
180⤵
PID:4448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REwMMIoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
178⤵
PID:3816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies registry key
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcswoIAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
176⤵
PID:3124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies registry key
PID:4868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOAEMEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
174⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:3716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qesUcokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
172⤵
PID:4804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:2144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcEokwsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
170⤵
PID:4244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuEwsUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
168⤵
PID:3328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIwQogEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
166⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies registry key
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:3184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyUwcMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
164⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECkMcsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
162⤵
PID:1812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKsEwEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
160⤵
PID:2096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- Modifies registry key
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsAksokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
158⤵
PID:2564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:2144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- Modifies registry key
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmAgAoMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
156⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:1036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:1788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsgYEkYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
154⤵
PID:2068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkwUAAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
152⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgIcogMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
150⤵
PID:928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:2388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rywcAEAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
148⤵
PID:4392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:3624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:1732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUAoEUYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
146⤵
PID:3368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
- Modifies registry key
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSwckgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
144⤵
PID:4036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEQEkwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
142⤵
PID:3076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqAswMUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
140⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiUcoIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
138⤵
PID:4616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sacEgsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
136⤵
PID:116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:5028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dagskooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
134⤵
PID:1192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:4316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies registry key
PID:1880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWIwAcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
132⤵
PID:4580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:1708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soQgEQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
130⤵
PID:2016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWAkAscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
128⤵
PID:4948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:3748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qggogAIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
126⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:4644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iScYMkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
124⤵
PID:4696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
- Modifies registry key
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GowEQQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
122⤵
PID:4636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqEoYEAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
120⤵
PID:4560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:2468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgAwYUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
118⤵
PID:548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- Modifies registry key
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QecUIoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
116⤵
PID:4404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKwkIUko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
114⤵
PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YscAQIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
112⤵
PID:2052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIQUsoAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
110⤵
PID:4160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tccEoEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
108⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCIAIMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
106⤵
PID:1788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
- Modifies registry key
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAccocMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
104⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COIcQgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
102⤵
PID:3488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
- Modifies registry key
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYwEYgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
100⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqkgQAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
98⤵
PID:1644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:2924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:4156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQoEEwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
96⤵
PID:1256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUAMoIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
94⤵
PID:3140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doYgMYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
92⤵
PID:4780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:4964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- Modifies registry key
PID:4156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAYkIMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
90⤵
PID:4248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAQIsUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
88⤵
PID:3988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkoEwIMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
86⤵
PID:1380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- Modifies registry key
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKgYMoUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
84⤵
PID:796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:1736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xusgQwsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
82⤵
PID:2560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
- Modifies registry key
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgAMIMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
80⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
- Modifies registry key
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUgQwEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
78⤵
PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- Modifies registry key
PID:3148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgUoAoYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
76⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqEAMwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
74⤵
PID:2012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:2700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oocoQUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
72⤵
PID:1908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gussAoQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
70⤵
PID:4552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmQwMEIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
68⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:4780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:2932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiEMwAsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
66⤵
PID:4484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:1052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:3184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkkEUAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
64⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCMYMMow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
62⤵
PID:4332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCQYowMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
60⤵
PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAUUcYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
58⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAYwEAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
56⤵
PID:1880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwkIAAEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
54⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYcwUYEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
52⤵
PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQkIIoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
50⤵
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:3640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIMQAwgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
48⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- Modifies registry key
PID:3104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWQowUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
46⤵
PID:348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUMgQoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
44⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgUIYggM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
42⤵
PID:3244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msEYogsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
40⤵
PID:4420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:2552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiAUggUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
38⤵
PID:1016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmcIIcMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
36⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuIYIQYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
34⤵
PID:4404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:1620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGUosIMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
32⤵
PID:2392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgEEAYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
30⤵
PID:4992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skgUIscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
28⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeMUIMcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
26⤵
PID:4528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIYQAwsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
24⤵
PID:1128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:3596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nScwgEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
22⤵
PID:2552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWwYAgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
20⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CicUUgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
18⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KigwsEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
16⤵
PID:4868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqYMkkQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
14⤵
PID:3960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYYsEQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
12⤵
PID:2292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAMocwco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
10⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEEYIYEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
8⤵
PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkYkUUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
6⤵
PID:4528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcQsokIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\figwcYkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4752

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NYIEkQMk\GgooUMwI.exe
Filesize
199KB

MD5
c1af7bb1f3ff7661b07a80e2fc0e4eb4

SHA1
8af2a5f9e692270d743bb6bcc4341520d0564fe5

SHA256
f04e04d4ce0172271fc61ff29275b988cc048579b22312c3c69b58e3336367dd

SHA512
6a3159a15c0c3e157863c5556d342d31ad06c6692e741196980cd4bd0d668ea3830b107fe7341edb9bc3667cb5a832ed29978017a0f61087c353724a6ab0f204

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Filesize
643KB

MD5
9c439a1eb4211e5682fc98d28c85288e

SHA1
a5608ff7b3d0ea3edf44a639d1312c794c43511f

SHA256
d1b161d275e5491bcee647a0b49fcf244f39af008702bf32694d41df63671405

SHA512
b7962a301889e04a10b621e4bd4dd84f9325f3e5ac4ef85b40112f98fb012915d83958e14adf407f5cd666070a4cc072133b2484e6f913d90b4bf8e1c762cff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe
Filesize
196KB

MD5
3abbd7cb1f557f95fa4065c9544be397

SHA1
92c898832ad67fdb02cc1b16ea2d602e5080b810

SHA256
6ac9f4737fb5bbf4a51a5ded9f6c03181f7523d12d37e2a3c959650993e0adc4

SHA512
29b4cd55aad314a9fdb4e3d1e51a7af9bbdeb6aff74adbc2376a41580fea8026f55ecee6690c19f51be079a9f8f539fab78167fb0c9b1440898578e163de3a7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe
Filesize
194KB

MD5
8b12a96bcec0a44f99fff5358c0c91d2

SHA1
aa69c02a32a3d3adf8948a77b45ef7cf3d23e2d9

SHA256
33391c794b72a6ba2c7e210859b24f9f6fde31d919fd2c2f8fb2599a6250c29b

SHA512
c841a2b62f847512089af99e432cfabdc9df8b0abf2fe35e4b070c2ad748536bdcbbe728622b210a1e401a86295abb46253e85638797bc97fcdf76d41fbc5f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
Filesize
206KB

MD5
40f6e544f5925c246d02b4e65632d403

SHA1
92461cfd42b0031b5519496aa9380287b545d343

SHA256
73da85b52653832510a8b2dad120c7a46f31b4f80d681331c5a9998661912756

SHA512
2d2a3129074821f226a45d3488d1e5312d18704497754aeeeb042b5035d4600e1a89d16d92c1792f78bb329d821c39fdfa7876360aa45f4bab8c556c35ae917c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
Filesize
215KB

MD5
b5e876768d136afdf0a36ad66839e519

SHA1
d6cfc26ca316b0409e865e95955e61029574f011

SHA256
60d87ed8bead860f94f2d4eaf6b6eb5a70b7db39d46b52c923339c6905e0fd7c

SHA512
30a6cd7ba7d31251315f54fd71f6b93fa0da46e99cb0beedc3271fa43eb163519514baa2b07416539e00fc81ad0c539bdfdcc8be7776a926baf08e4e6eec580c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_9d3d1c00327687109407abc8badbde36_virlock
Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIAY.exe
Filesize
201KB

MD5
c4dbd1b31563f53f8d90b6524da9f29b

SHA1
d5903a95ab79fad45b2bd1b2c00894438c9aeecb

SHA256
8feb7e06d0711c3e1a22b0de966c0e402837d32dd884908d67463895228f1ac5

SHA512
2da8be5bea187a0c3dc18813c94735d6fb923d7ab149c52295948a9e9187a9d30447c35cf30bc1f1a3c53b515875a97f61ad731f33338f965095f4043781eddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUQc.exe
Filesize
187KB

MD5
95a70f8286f9785527957fdaf48ebf48

SHA1
e81540910ed45f0a87dfd775a28c974fe69f0402

SHA256
113dba449dc6186ff8ac84699bee4c3fd60a563333c5830293c09f5629484afd

SHA512
e0ce8179f1f0a3245c09aa74caed2a0c210a9167b9767dcf1f2fdacaed839edaaa56a59a07b7dfdb88001ae2d20b1e96972e75ab39d659cc9a15257b4d21aa22

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwq.exe
Filesize
201KB

MD5
80c377657a94f3adb8bf9979e4c903c2

SHA1
9f7b8b0b52ff415c4bf410fa049a63e044ba5f9e

SHA256
3642d0159b1fc2ad187f3dfefcaa2a2725ab3c8849e9fc69d85857022fe20122

SHA512
f2b3b750ea3079c54c5f98c3ed5923f2ce512ba9e0715e3ce5e31194fdf47fdb079e6aa3b2b50974a2e9d21b81480aa06e8c11eb14606409eb2426027ecfb3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwMW.exe
Filesize
183KB

MD5
577e7fba6cc6b7994f00dfc87d0e1b49

SHA1
0dc4cc894c5db6170cf58052d8b37b6a6deaf1ce

SHA256
7ca8071a80d486fdb75c1d6ca2680d8d05361da67397bef4a0b148f582083eee

SHA512
83a0567ac799b49a30921ee26187d87a38910785571a44c427050fcffc3476bc53fd715a440970e45a95c8c57f9c682eaf193e12ab30ab11d4a1bb0329ba193b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAUy.exe
Filesize
190KB

MD5
4231a36131274b36b4c24fe048a79d69

SHA1
6c3308543a0faaeb757fa8b87aa5efe5a9786b7e

SHA256
d610e9da79ac7912f0ea90845fc425b6e01f866f4cbf583da6fd81a387264073

SHA512
9f73aa39ab646c0a4ada003bda1f3d224e40e2eca3c920a7643be2248583e2fdecbd9476813d5839372b553691a4ac1f88d4ab2f790ff72bdde461db9c85a3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIAi.exe
Filesize
201KB

MD5
75bd3b5f5db63b0050e2bea7bd72f175

SHA1
6c5612118fc655a8907049b4a609eb806db020cc

SHA256
91b051fc55b060da0b84e69c13ab6cb168d656010566fb04dc366c73680950c7

SHA512
90646c2dbdd0471d354031b5fe5ce5cff50bd68a5f5276f39207d173ede1a7f45361cb845fe4e3b76269d42b883337917eafc83451586e33e5145809b5ab071d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMsg.exe
Filesize
183KB

MD5
f7bb88032376e258b0070493c1ddc108

SHA1
33d26a1a1a1614dbb16369b4d9edcb16ea2338b7

SHA256
a9410dd1cbb702b01dd395c32d9eaf5429509d279ec5e2b88bca373668a36202

SHA512
bcdddf74a1db9413b1d8c282453134f86a09dd60f79e08acf203fc5535e983c11314aa391e6c4baa6ee858e6853e1493f2ee90259a245851d7d78e1816504b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYkM.exe
Filesize
201KB

MD5
84eef6dbb2c15ac7f6fd6698cc3a1f2a

SHA1
372d45518282cf663a78670351ef4cc8f188a467

SHA256
29fb9926820401dd3fbae13eac3f029838e0ef9c093f95585811cb19cd526f90

SHA512
55cbce8acc4238874a5ae0b3e3780dc7ef14ec9bb3e8cdcb4a43d32da63b759977a56c4b26e873c322e483d00872500643675566a301955a214cf13089c33d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwUE.exe
Filesize
230KB

MD5
ae3a7d51569aabe5f2070f36e08d30b6

SHA1
ff0cc5a3317fdc5d8959a9dba1f89ed340d5cb28

SHA256
67a3bee88a0495e416b3992f762331e8c26e064f6d2133785a6f28db4d99fc40

SHA512
b819c5d009e283fcfba7cb34779abf61d2f3ea18a19aa99b560c95f4cd8ceb1dbbfa47e97444448e05c616b27da41feae6be6bdfec9a469be4ef23c7e84111ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwUa.exe
Filesize
190KB

MD5
f8245baf461f299856c023db10e120fb

SHA1
9a0b561b5966ee66d859b80d7fd6e5766c885df9

SHA256
7f36f9105c3d33bd3f7d75e5ea7a191ca60abbe1b89be84337fb558a70a3d6c4

SHA512
a8f64724a70faede476145f4ddbe07af202a7a15c2b98a0ba9a831abf4f8eccf5fe609dab5a4107afd9506e1948080af0f91fd941289c60283c1dd113fc3cb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYYY.exe
Filesize
411KB

MD5
9eaa451070cd0bff72dd6293999ed741

SHA1
0a7f176cc6c0e4362cf97aa7c023e6026375d0dd

SHA256
c73ac7c00cba3e944f96f82ad845176dab12f6a6f57b13d16f6dcea1b4b31cd0

SHA512
ed80c9c77af9a6fe048bab9ab40dd8e769989515dab14df19b491fd67b4c008b13deb06399c037c84bf26fa4266e30336ef8dc61f389a457c5a5d87a18a2a1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsoA.exe
Filesize
234KB

MD5
836b9ed6ea894f584da221979bcfe634

SHA1
d1566635b5fe23df4906fdac81c96e604c9a7851

SHA256
704150dd7fa1c83f6a3b32be20f40f80958cfc9f7dc606cb9b574fccea014b53

SHA512
df7c2c8f9b783eec88d4b1da1be2dbf3d3b251bfc22f94ef4f0230b8df8500ea7fbb693f25659b5a21aabe5d6352458a349e1c6b8b0202cbebe4565ca5e386a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQMS.exe
Filesize
246KB

MD5
40442654b1b3ccf26448f03c124529fd

SHA1
dc0ed2e5d8fc241c989e0eed1000b225b99ab67b

SHA256
91c5cd98892e2a3d5646286056b0fe41f5ce7b6a5acafe05d18c036dc19c6a5d

SHA512
7e677015204a67ff69a745e94fca36270fbdf73e96776a61312a5b8c7a0983a7e2d5ab5d19af9c10c4714c8e5c5cfb8303b6243d05d169002e1227816c7a7836

Download Submit
C:\Users\Admin\AppData\Local\Temp\JoUk.exe
Filesize
212KB

MD5
0add11425839f0c0fc4d5e7f98f17d47

SHA1
eb97b34d5e625e5c42dc9c4431518948ceece19c

SHA256
ae179f0b7ca4d525f59f35fac770748383f97c853b358feed9b287ab43bd57b1

SHA512
08bfce96aa8e635c69a32275dfc66559ecef14033518884c33f2ff628891cda850b1e656123b439936b6336dbe1ad86571fcebab20f91c61b2f9dedd25e190f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIsc.exe
Filesize
635KB

MD5
27d4805aa34c07ee54b6e25360a7794f

SHA1
f4ef781a9d0a8d83e5c33d3f4a30a3606403489c

SHA256
c28f786e8772221599234ac2644496488e394ca4feb0371859116ee7c1ae294f

SHA512
3610ad083310f6aef1854fd2c9eec3ab0fe0e145f36e2ceb4dd4b1c0da5dbe9879cbda0a506e6993f83f2859013ebc5424565f1940d1ce89004ae8d4a72833ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwES.exe
Filesize
5.9MB

MD5
5432ab581f1d9bc4d2c1aff45385b574

SHA1
04c42b01bf456db4a9d055ec6bdafb44117da26f

SHA256
aadbdbb8b1c951d451499594422b8262f050f65d1f66afc2a6363e276693683a

SHA512
524bad2594441c9e1cdbe61a94c3742dd59d497d0f66babb1f1782872890062b9d98b3b74d32c5e9a35d9132c09dc1025699b757f72203ba7d7bbc277a1033ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMC.exe
Filesize
195KB

MD5
b836384bda32656d466c9cbf7064dc46

SHA1
a42e0f1e1c11d6599235fc3c8d8c84a70e8c9994

SHA256
3884012995ce0813dca9399fa776b221841e99696f6ff3bc9d1fdf7184da9729

SHA512
6b2b4bbf37b36bc93fb253c18752611ab031ff6243dff5f84b917b84ae6aa7585bfb65e265947c13ab43b09bafee620ffbc69cf8178c96674d6ae27ddea47aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUkG.exe
Filesize
208KB

MD5
b289ca7c85e75b881735796cc17aafb8

SHA1
45072862af97c86222a0e86f82ce106c06bee12a

SHA256
d5538b745db411a3ca2dc8592709c4620ae140f0582f46a4cc6bcd176a9f1ba3

SHA512
a2b8d555c0c2bc76f6248f27727b470ff58c05c6feaa6bc433bb0447e2f8e8a72e31d0ab82aba093b887c47db5ce036fcc2b06785297b71d7525690f53776c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkYK.exe
Filesize
216KB

MD5
c0431db8aa4e110098223581775f6dac

SHA1
b350508a5312edf5dd95e12c2c41a2e6e3fb046c

SHA256
28e213ef917cc0b601a42582e3b02d7cd7a778f32d5ede03d70ffcfc990827d4

SHA512
3250ccd8cebb38cd1d2929494f92d5f7dc4ed0f6b9ec79171ed43dc1f9bb1e89caa0cfbc0501155c32ff85122bdba2c3ecf71fcbed790e5847562ff47c5fa28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQwq.exe
Filesize
201KB

MD5
83d54ad0413e4fdcdb039275aa3741f9

SHA1
c8d93d04bb3ba6aa041008c22528af7ff1b5e2ad

SHA256
36dcbc4670b01b07b3989ccaa0ee1397ef1378c23b17bb537a53b42d4af7d2be

SHA512
853907e27d8e9cff248cd0ea30425eb2bcec9e137a5f22ae48cfbb3d47551cc703a11186f377540ac0faabd88b76e7ae3ac9db63b515b1772f90d40ab9a76ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYoe.exe
Filesize
541KB

MD5
be44b31e5a473f46b9cb4f6394eade36

SHA1
9ccffb3eeb156a2922b0eea07eff939eec6c3329

SHA256
d85e887fa98abcf2cbec6d1a383712023456cb48fa557650b24d54a6c5158758

SHA512
79f3eb96abe971d6611eb169d1b1afc7d779dc0464fd85f7838e74989e19cb6755f032e1c2d1b3fa0e89cd611d1c73bb0a459815933e0d2b02d788b3ce4f066e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ngoc.exe
Filesize
201KB

MD5
f1192aeb9647f5f0dcb70ac97ebb2623

SHA1
c732e24927131635fc1552148e6836757b24dba5

SHA256
2cd7efaea13b925ac470f4c88eb1e33d4f6fcefaddbd2002e50c4158dfa22ae4

SHA512
8ce8d817fb6fb4ca70a86f6e0dd16ad8d2856cc52cdb6074bf3ef7eb726c5b5c5bc9d96f7190e289b9a614f521727f68c371770e2e09b4c67601e4c8878d3a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEQC.exe
Filesize
323KB

MD5
02b62ab0b3044f6f7260f49e7c8e8a2c

SHA1
5786569f4bde4821d86e5cae30af486fba5e9874

SHA256
449da031f990ecd07d00844a01152dec3c5593ae59f3c8ad4afb5445af8e47d4

SHA512
2196ffeed5218cc61c6feb957b45b50b6713542c7c4334675e8ab9a6868953030b5c2fb865e9a502f3c758c8f1fe9970640cc007e40886852ebd2e469190a7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcsQ.exe
Filesize
207KB

MD5
066cf3222f401cc227d8138b1aef7e4b

SHA1
ecdd2fc269a2ff5e0371ecf396390a1baf703966

SHA256
d10820098533c00bb5be9cd8fd7775531267b45b3d7c5c7a9aad4244fb98cc2e

SHA512
1b03e826be5595ceceee0b6adff8326d1d3e8d8203a9a3816a847a90490202bce4285d9366a26ca1e624cffc57d95c45cf06b96b0efaea602f9ff99e00ad0054

Download Submit
C:\Users\Admin\AppData\Local\Temp\OksE.exe
Filesize
217KB

MD5
5749a09a4c9b1f6e0166abeb6f54754a

SHA1
3d23135e36a733556ca9b245b10bde12771cd069

SHA256
619b5f54c80da9469b92c26d6301054668e11244d2e2f732166d4292a106c0ee

SHA512
42c8f5e58c0f68b610e1bfede8599ed1795fd2fa8da00f98578819ea8c3643ce15af20adfe31e3fa09cee9a883a53118cf21b5f4635532abb625bdbee073522a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUUK.exe
Filesize
208KB

MD5
348716822cc40cb031c91b4810c7ab3d

SHA1
45cdf3e6f4bf2707789c72c7623881aca1cbd758

SHA256
ab195ebc85a30cc0766328be0e5532b12f12d943b49d9bfa2c3e40556a09d88c

SHA512
07aa60b7a50fefdc88d436b5d68940fe0b4b25814f7c703a2311c317b51f745be59b9efc18076e7ee5d15590668d9b618ca1e6e9492fccbccacd51e35bb0d056

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMIm.exe
Filesize
206KB

MD5
44932c763eac04a400b451f774cb2b83

SHA1
89d6b4a353daccf490dee06fae4724ca95f73e7c

SHA256
fa9845b9882ba120b66ecc6454eafb21bbf2ec3afc8c6b17c8ec748a5bebd39c

SHA512
ada29b97e8f1723282ebe4c77f1a2622d096b0282d20f27c6b898b61cad93b6456bd3c97ea8fa159dad3e2d56965e0d09f54e7841a9572f2d7086967cecddf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQwO.exe
Filesize
1.5MB

MD5
c4b38f3c3aa85740f6d51989336646aa

SHA1
23a9492dd062e6c7f9b5fb9b9c6de06e3ae86751

SHA256
4df8558eec561d29b9f79b75c11bfc53148f600e896aedecc161f31fddcf2892

SHA512
089bec338615f35a8091d0dd6e55368ca903e65908452b816ebdaabb7eb498fee68fb91b649738c08e07c4bd35cd8944f5340ce553b7e9c0bc70e670ffb25352

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYEW.exe
Filesize
202KB

MD5
f4204ad9e8314f5b9a128d2ca747f574

SHA1
62da6181773d006b507f78d10ef3cbddf2c89899

SHA256
6419274e374876f375c455aa4e9a04e7ba397d6c44cf4d52bd57bbfcbdb79990

SHA512
991b7b45b674751f2905d0751291c647de411bb30c4571c74a579e13798f373792e4941609a784c67874fd72db1104d30f04796e2b11b621b68a1d6278f5100b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QooY.exe
Filesize
653KB

MD5
1b947f4a9ae704ba013ee31c5f7e164a

SHA1
6924580e7f6aba2ec15b3e867df421fe5784786e

SHA256
d797fde5778ebeba31350307dc08e8ed31c691cd1f9a78c61399117e141917c3

SHA512
8fbffb9431e8ca2a2dde84caa4098eabb157318ef1d67dce6d2af08ae111eebe40779ec617edc4e2df0614cae2b2efd6fa96026f51896f7dd18c3dfda80d00a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsoA.exe
Filesize
220KB

MD5
4317903555a0d6cb3af93734e9e49e6e

SHA1
f6072c68853ad5ee5c03341ef2a69a2c904ecd65

SHA256
073267de7e7e5c677becf7f6a152b139941eb65fb89eb8b81d4eaac6e23a837b

SHA512
c10fc6038410832589de8a818932ffe94118a81c5a12457a0695ae72987b48fbec6cac4f5c7481bba07d5af67d30bac8422f737c0700cf1323873bf76e3ec3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcYg.exe
Filesize
190KB

MD5
29d9c6c6aa0938dba2bbdc7e0ff8ff97

SHA1
58e851597a79a482e7722724c19a87da17140971

SHA256
438a0f1f7f1bf4a8b8354c5d26511784a77e48f6a26f3055fff5d9c52beb6e84

SHA512
3aef3cd179d59816c5578cf92afc0a44b3951db504409221c85ef144a007f6816236291517b155708345632deab2a939a6383c05de88d711d0b981fba490f003

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkAQ.exe
Filesize
247KB

MD5
7a124e52165e1c65677089169e82dcaa

SHA1
ea463219e44d229297a3db65bb7bdd5893f30000

SHA256
99212da9bca65d53d28d4249f9666c9b319003505a2f4a28e26d379ce65d7622

SHA512
19b14ca31130f0649dc7bc660c009498fb635f0adaf418c800f5ded70f43cd09bb8be5432c11a84cfe65f8d97b6a60a1d2ca2e396d9835a818535522926ef327

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkES.exe
Filesize
199KB

MD5
047a743c73840b77e7ddb82cef7e256c

SHA1
3947c4eadcfaf8313f758ef6e3222646779e090c

SHA256
2406d319a83e0bce748eb76f0a212c922be9c741776ac5415c9bec1fa6e08225

SHA512
6b15151b877dc3470544124df6cb50228bc27ef50f0606f0a388a5dafc3cd1df414e5c7d4d8727608003471ba34525d531980cbebeada9a14b608150bc0ff6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwYY.exe
Filesize
329KB

MD5
749dfa27086cd40f8f969dfcd9680d7c

SHA1
655c38a2a88e1329b84d277c96e72483dffa5afd

SHA256
d3500cb74f1a44aee3c4a50438c90a26f2b14d0b97994ec82577416c7bcd2dbd

SHA512
bae72d13999ca425602d69e3954d884f468c6f8c54a63452983715b91f0a67efb16f1f3587f604463fd6dd14145c73d1b4c0266b3542ab3b473062d6ee36d0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMAO.exe
Filesize
785KB

MD5
dacb0596e1abe95098bd9de1b704786f

SHA1
f456397330263048e77a33e1d87bf1a3d9808b45

SHA256
1a9b74c33f887774b90c69d15e9d70db7829f4fd1ba08cde8136acd67d4701e1

SHA512
df4d1f7098d8313ebac4f651f5152574bffaa6f35a4b7908e49428980893918c74d8f76f9c37c0ee4333458e69c3cb8c951a46ac5dfb19c411dd89e41eb3e4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQoo.exe
Filesize
217KB

MD5
26616aef44638aa03c392c867c44cbca

SHA1
086b6d89228d7dccdc03499860c098d69646c10a

SHA256
b7e35c97086bce7edaa694f57f8bf03afc9222b2d67695c5df70a0253428d095

SHA512
5790ddc4678b7cad9174d19d4f456365570fea611e0e6b9ccbd8c1583a4c7a8a0965f6534beb979ebb73dabba6445c5f0954a4d53df818f6e66592f9545817f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUg.exe
Filesize
794KB

MD5
769f72d542ea368187d4cbca4c94435b

SHA1
96bec92639bf31b5da21cdbec86c314f3b96853b

SHA256
6a2f7a50b3d3ce03abc3a7b85ab2cf3e5afbc8b705ae7b6ae85ad1831e61355f

SHA512
1986cebc8462e5db7ddf00ceac2e73e1ab9884b1cdbc0ea4a7e67ccfe47ff518e3901781e0fc1239ac90e7ce7c48c7fb6e3fca7db798a679082813a1c7232545

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukko.exe
Filesize
182KB

MD5
c3e7f8a41604f9a95d6c250e6bdaf203

SHA1
7598dab994a96e9e530220238f8ce26615ad19af

SHA256
6600f2c9c555bea81fbdadc95c1bbec3db645605de2de63854b5247143c182d7

SHA512
b3a39d9fe7e585edb355373d6f621ecc90209570d622f07d90729ddecfe9d32e8790d1b7797959a705934f285ada577ef12a6e23cc36d8798d7e1b5f9edaa24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoAy.exe
Filesize
1.1MB

MD5
a8503975de9dc6c776f0b10dd92f6893

SHA1
0984f86f459a16797c2c8de47cc03f421f157771

SHA256
e87004daac1761cadb93a782d4eaba897ceb1b7b4f46d4186e50eaaad0301887

SHA512
a7cb4a892eb223815588973c25b02bcc66634f41440a0d12fce168dcb04b66da918ba1d5fc9d10237be207fe8edbb0a25a0759041dfaf003905de9b911430cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsES.exe
Filesize
207KB

MD5
e91e2cbf5cc4bb57d2da339cce6b85f8

SHA1
c85eb7a43157f6e6e59d4f5f274f203ad9493c26

SHA256
5ecac0cbc931578f5021ab6419599bb01290a1d59a770de2315d08f937491d3b

SHA512
bc859ad2086722f5f58359132b3e63e3533bbaaa1e4e5d2269eb0386dff7d10998f0477fe2d10acf9b854a39602e2f017e211021c209578ae4b56f64253bae3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsES.exe
Filesize
185KB

MD5
1ef67fd5603465bc63559244366d9c8c

SHA1
a5cc429ed1b5fe0095569f48052710b6734c0534

SHA256
038c1734bcc7bb27a6cd7df7915bd5829ca02157524a67109016f0a1a425479b

SHA512
bd27ab5bda816986bda67249feba6f1b3ea41a87170662a813ee48cf41d417e563de9f79bfceb64f98c2059a305285253a27497fb5d0da2c0978610796b5cba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsYS.exe
Filesize
203KB

MD5
f6c25107cdff00863d31621ac4735aa5

SHA1
80ad765a5ef10a4bbc623246245fcf275515ecc5

SHA256
9c326dbce061baec714c7791127993081130b5b246e9d99f9e49762c86257c28

SHA512
dc7faa0dae419c6da6aa593573166b50e95b474bc634d8efb2e3f00e86404e36e34de0719b04dce021f1e30c6fa32fc8de243909c6e9695a96601f8cf6e75669

Download Submit
C:\Users\Admin\AppData\Local\Temp\UswY.exe
Filesize
193KB

MD5
274407c4895864d04488ee088673d6a5

SHA1
cdc63dc21d132fc10b0d08532f3954503e14da07

SHA256
814c342b98baf21fea038103f9686e4da004cebecf31d8dc9ea501bed553db94

SHA512
669de8daaf24b5b6ca10b994d99852e67b4025f18f220d7f70c26aad45f4a65972ea9a4c03ae06d327c86e62c65dd05a9143c34edd333c9807c42130d4410468

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMss.exe
Filesize
209KB

MD5
30407020e3a41760f8c40d9ba0277d2d

SHA1
28a318ef8e13e764444f9c57586dd38883e79ee1

SHA256
b763bd056e5d210d55dfc0230ed08146d13a43035420b9fdc2d9dc56f1b7ed14

SHA512
1ba02933c88e6b38d6c477e2b725f14e7fc651c0099671b634a79862b420b7c963beff3e6afa8c84ff4704d3e0110861ca5b8494742e8346da0b9c19e4826f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUUg.exe
Filesize
5.9MB

MD5
ec8daea5657d55b09e410d5aa3da5654

SHA1
e9574bd530a3ab7270ee8b8b66f8d52a1da73ef8

SHA256
3f8d8dd4e1b1d81f95752d4fe267fd20b4a9bccbd3ecb803fd184551c6a665ca

SHA512
c376de40dc902c927645433645ab71813e1cc4438c66a1dd99bfb8eed242f968759820d030873df288a2e437e53c9f82691c8880af758cb7ff7edfbb558b8012

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkcO.exe
Filesize
647KB

MD5
3d3bbc14a68cb022db84b6314883272c

SHA1
8550e69cfbc02686610c8fb19a5d726957d4c5bd

SHA256
6e784abc5254618602d715320f023a5d4ddde65c654f05ae68af57ede82f95d5

SHA512
7518800a6263db4653265c5584dd9b4b31fc5bcc2d0ff10e7e7b9c201572d835c32e2ae946ad32888b32c585b6e94b3dd4ce8f3ae98ba88f0ddd9460be69b0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VowE.exe
Filesize
204KB

MD5
785a2b84620228d9aebaeb87cd93d897

SHA1
a6a5f92d8af0208a37caaec90ae62803753750e5

SHA256
bad5d0b56c42849ae0e8c9ca211698e5b93bef0dab4ddee44a946c01c929ca91

SHA512
23ae313b0cb5c48fc6c6b6cf57eafe6c716e8c85c9df833f1e4fcf3615c5e6c61f1595b4e6de2daca34864ab957e09df5619a1736be2ab7f40c687d97b1ded70

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEgo.exe
Filesize
559KB

MD5
00759035f627cfead43a94f8786d2398

SHA1
44b754df3d1289666530522666579e190892af0c

SHA256
a43b607281fdd9648d2991fd8f29c2af6b0b1395d34d86db13a1a453f0a2def1

SHA512
c2c0bb5872c54e7039f655e427e4ff3192fe0fec036d58db0e2647de2afccf8a8ab1bf5f09e5ee4dffccb1d01772b9cb3a56b11febdbb9a4b98ae1f2d9ca9a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYwy.exe
Filesize
807KB

MD5
6506d98419aa4a08e052b46e582e30bf

SHA1
8066c1ef394e1509ee7cde8db9cb4352d6893b60

SHA256
0e452868d056660f68acb327219ecd106112160207feed323215f852b35dfab9

SHA512
7f0c7d4778e8b7e913f425f4e6f023b3d16e4a3d43967aeb44bb29b049e7268d82ff6f7bb4d9d3d2a5b43d8942221e799e390c951de1e341f8ad0720408fe396

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEQU.exe
Filesize
189KB

MD5
a57ed442aff17ca7363d1858814bcd1d

SHA1
a47b844fd0bc87f0642717bc6a5da3e77afe9d52

SHA256
17ed035e3642f96f3c838ab78a6e1493cc85fc2032c9c818f2464e03102934e2

SHA512
aad754927127e70d92818c3278f6c81ffbf5583d3f3c1e7e5efa7a9e56ac4afddd88f2a3dcf4a098f37ed0265523d06a4c674ca3f4394b2759375a7cba3fef28

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgEA.exe
Filesize
191KB

MD5
b8dfe2a66921987a03b07d96b08224fe

SHA1
dc366a769dd4ec9f0b91cc2cd0b2a7e59bc72ede

SHA256
cb6cee472168b50977beb8a7a32c9b9e55901204bd07dc4bf1ceb760367e2708

SHA512
01f6e9a1cacbc2e365a98f8b7b03d3bf45a5c89b165adc67fc3808b59e9781a61c1bd7c66a634bdb2c0b7bfc696618aaa770d4e9b239e127d111a14e338e8ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yooe.exe
Filesize
202KB

MD5
3b2da9871a08fbd29a7ebe46bf047c30

SHA1
40dcdaf7f59321f64e2b726989eac17f5a66bed8

SHA256
97314041585f6a7f9b715331dc8d9f86dbec03f98c1fdb00843c7c8fa96e8df5

SHA512
98c0f88ee440910d3614e155d6436a3e7d7c57b94bfce5bb4cd16496384153501560535786bc511c807fc54cffcf5b6287fb5326ff9093b6502f2addf6f5a88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUgm.exe
Filesize
198KB

MD5
41a774956e1140baed0e4dfed476a896

SHA1
f7657ca9543e7d2dea7a10ea02d85f33c0833898

SHA256
314a1b2ca25c19e23f11cbbb78b9ac3295b71f136857d2a048b5d68554b4a8ab

SHA512
0fac6df53d5ece209d1c4d7d67edf483c580cc66f50826be560e4af77ae7d99aa0c2fd402d6f589f0fc04be86e6d6a14ca84e6dc49cde164b2894df219a66ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAkk.exe
Filesize
205KB

MD5
6360c42ad5686c46171dcd3df14cf561

SHA1
1077448e48803d5718d3eb7e5ee7cf50fc577df3

SHA256
f04849b30d622039b84eeb4cc41172958365f33b9a476d6701d33107ed1efa3c

SHA512
429f9631cdd469cd44564dd843c93ebaf2b7136acfcbe8c76f95b7eeaa44334718995f13123834596362c919c7a9a3c27055a5d4523a73115cb717a5fd7c8a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQwC.exe
Filesize
395KB

MD5
6472bbd983dca4473fe1cceb96ff2201

SHA1
7d302da113065365fb8f9bc16e81801e9f3e2356

SHA256
1374f5e084c303f46ef221e39824fb73bf286711a0c9e4c99b964f087ea327ea

SHA512
2fe8966029bd937c1ba10aa550b10df5f968bf9c57262369e2356bc92039377a1f0949e54876144b31592c72109136bed75d42d22fcd9f6fe56cf8eafef8221b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUcc.exe
Filesize
792KB

MD5
1ce9f2c1d4382ddb62d7204229190ef4

SHA1
0cfddf5fa95f9716356aaa4bfc8e0419932fc50d

SHA256
e8caed9e6e9eb3e9099afc3af0fb4ce276f2e88b1bd559ab41ab16f291893872

SHA512
88db9562805972776336a0e981aea2ad6bcf202a69fdf0afd636152e81e19fc65cfba5b463ec57bb85297fec74efeca742d6a2942e297126711bbf0a017548ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkAe.exe
Filesize
340KB

MD5
6d7d264d50097d0efe256ead606c66e8

SHA1
9b0d77d9e922a0a72e918c13005ed3285de1e301

SHA256
0c670a4672ec2f2f086086ecd0fd1b47003fd644d97052acfaec274cb57377c1

SHA512
d084c2d077928b7d5f1dc60a80222e4ecd2326d31e75a9a57bf46ae8e1bd8f68f075bb5a394ddb2f6c3c5a8f12dda112a7079900c4917bad98db8e38ddc65b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIsQ.exe
Filesize
200KB

MD5
2a01819c83aa67a2400f8e2b08a8cf26

SHA1
169ca92c363bd6cb3f8fa0c5ea084cac71db8847

SHA256
119d55d628f950dc471928cf2168bbea5200cec210852147a6438c8ea2b24423

SHA512
f3e3e340385988a3ec3c918f8d24e5515dab3b67e35cf0f516c42f474e656efce6d675ef31c06fb545759cd0ea6f7a975a40287e4f05ddf04d5ed61ad9d2f106

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAYu.exe
Filesize
205KB

MD5
18ee7f2862c72d5e1b0ff9da3f940e45

SHA1
046bd20308aad6833f72b1468b4e357b4ac54fd9

SHA256
b51f9e65fcd71b30abaed4e79a9361cddb944521b28faee3f3e7c991552d8876

SHA512
799d8e444e1b1846160280fd0fbefb5d9e762d4a3ac627e54d46c2338df3c61d7d5b0784466d75aa488b28886307f012730ec691953b59b6b58a8e2338434176

Download Submit
C:\Users\Admin\AppData\Local\Temp\figwcYkU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAIG.exe
Filesize
836KB

MD5
b79d87f90b551751e70f1dc327277559

SHA1
0d530ed22aeedebbed89619f125503368c069580

SHA256
9d981e0879f6648a612b217d4b6b9dd602f448e35c8a08e40dd48bf902249300

SHA512
bb2de0d7ee5746873521d05346726c1392ab90f6b6e048f16a4375a08c1a32350468f6e95f748444fa6e4e20186128043dede967024d7ad4b7950d815173ecca

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUgW.exe
Filesize
189KB

MD5
eec731f30d5472e27aa0127a6c4b2392

SHA1
ed19d90153fe4ca0524719d8ba44c8beb0c7f548

SHA256
32a8b7fcbe371e868ca94793ad99a1111bddf982b79fedc740f3daa88a287843

SHA512
5f602f0207b63fc2a9052b5a1b9f5b480058915d0c6829c34bbcd773f44b3912f6f7fda501f0142afa7211dcf899909761ffa7d800a20daa04eba2bc16b9e647

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkYa.exe
Filesize
1.1MB

MD5
71c893c85e6c0ecb30e44e90f7188000

SHA1
7269607cb58a10bf8509f99ad50b3f6286ac5ae0

SHA256
e3151cbdcf99157e5fe2c1db2de0e930986a94ab2d71668226e694cfef57b58a

SHA512
b52824a1921d8e571f9550b9189921eb2aa86e739bbaecc6970defac6ca68a1971761c3a74bab3da4b99c77af77c2fc60cbe847d85df5d449e53e8941d7acd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\goYE.exe
Filesize
205KB

MD5
d693d7560a03bae022742cf5940c0d39

SHA1
02004f97aaca2aaaf25c7604215f647238ad69d7

SHA256
3ebdc3ba0fdb7806023ff14358d4bc796a32acf9913228ee3a755382d89a2e06

SHA512
91c66e084ae9f031836602859b03b32bc6ad6f8cc32793d8613b0750b2db8f20c1109fea9380b5887e79912fe50cf627ed53460abcc940d27877479a069a2065

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwwS.exe
Filesize
204KB

MD5
028b654c64e4dc5db04d820753a6154d

SHA1
9e72593dcc5209ee6a1d486b1643e77a09579b17

SHA256
8ca210613f8c02cf227163b456eaf4ce9eee8b227aafdb741b19d3938ef175c2

SHA512
ec808632babfeeaba70b760f0a6d42b4977bfe7b1d38d811c7fbeaecf386a76ada36655cf7b7c59d38197f2bd7f433c15497122cbbf542d3245ee10fa1f966bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsos.exe
Filesize
422KB

MD5
9c5a00fcb7a909908109e9f9ef32ba8c

SHA1
eeffe4a0bb900f52e1bcac55cb046af5e24ce022

SHA256
e65dd0e83e9dac69fc39efa1b92f3ea47d1ca842b64239c5f2c6f6bb5e96d071

SHA512
f96e3f8fcb7e28a5df9264e37227367c491cce563569a28c6154432263ac5e0ada3f341cd9f89bc5aa5dd818c2ffbb16c8f2488427197ae70457b90256430fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIAI.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAAM.exe
Filesize
788KB

MD5
e424e3b8670e490185da8fa615b7ed2e

SHA1
6b9ff4c25881e7e05df29431402a3123542be1b6

SHA256
a49bd7ab280ab1b7094c584a5c435cde63e810f23c67005d4e7e0a873487a14f

SHA512
6efb6fab03301a079ae08646736fd5bf0ade5f4e3688fbc684f2a61cbdc1047ecd2e1ea2583ead4a10f2ff65141e2dbf2fbd79402b43285fc616d5a033b5c319

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAkI.exe
Filesize
426KB

MD5
81c88383c6ed8be0c2e29c36fb664b49

SHA1
24ee2f383cd34e4beb759bcc0bc180edea1bbb77

SHA256
9ec0f7a173363f5e028f961410470a1722732a7b6adce0d9c192d6ea1472e96b

SHA512
f6c0413573a2d31367426c6bede2a746ea502a7f6cb1ca7a124ea13b2edb30dca6b67b80591d3b8ffb63b9562f2923d5ae8e0afa2ed47624d5636f56c524d43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQEi.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUgo.exe
Filesize
196KB

MD5
66f1e00a744807b0289b6b45d6b7fc33

SHA1
c8ac10c5eff04356017bee5f06b0d3f855c1444d

SHA256
353c502a37400f0a4d9f7bf4ebc60e991beedae64d9efe0f12634869b9dde5b1

SHA512
d9d9f87688e1aaa28416e0d5399220820951a84740489f4efdb92f099273526ed585b8cc92fe42dd4f7a20f0fd078de3691cbdb0fa5182ae911dbe825c3425f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcEw.exe
Filesize
574KB

MD5
29a46d69e4450f1280287cdc7944a1c4

SHA1
fd100908988a6d7259ac8d6cacb4cd9afe612f79

SHA256
ed8a3e435d2737b28bba47089e09816564ae9338fa31d112e498eea96e45d297

SHA512
1cd47ac11f66acd405173880fec7a491ae9dd61c15f644ee4cb49779e785edcda885c31e08933b5e959152f30c5f8d71055748eb52658b2e3d4b85e46b798e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsck.exe
Filesize
1.8MB

MD5
0c5f2e5bd1c921113b9d20a4d45d4f5b

SHA1
f24081a2c96e225ffc1df8c110424ea0fff915b1

SHA256
835cfb39e2ad118166f93c249ab06fa6af7db77cb12f3865abb6bbcd154a0806

SHA512
b20fe966df6eecc301f4791f5b44de9a7db8fa1440b669337a9447cbb55e956e887178923e456ddd6596c0dc8924062580f2537ba3323737f62e8a2105352781

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsoe.exe
Filesize
790KB

MD5
1c9f8bf8d0c535fd33569e7d50931479

SHA1
dcdb1497b0ef203ca5252b1e2594bb3fa21856ee

SHA256
573b333659205c5bdf7f492715dcd9bdb5c2e588cb44a0011ba204058bb5524d

SHA512
c15d357c3ac72cead4f6c74abd24472d856a764035a3f56d029a57be852ea13d33db3b52df6a59d320f080e9bdaffe7bd7266f6fb302e35fb18d1e8d3c78ee94

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMwG.exe
Filesize
192KB

MD5
a75015a9bf8e6e75828be0021e293e88

SHA1
f0e362fb5dc956facdc012ccdd9094f8c4ac5efa

SHA256
d8d69a9248b584f14fc3c8c047c020b156e0aa7a8b33eb8c2d6e09e7dcf96b18

SHA512
84d66abf81c207bd2c324af471aa3cd8a076c48db9cfa089efef3e5e846b4e54761f728cd56caee9937db017612c69d7ad3903fa8445955254f1878afe09616b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAgs.exe
Filesize
447KB

MD5
17bb8b5f58aa3eaf9beaa55aa4addebd

SHA1
dc582a14dfd1a2e8bf7ab2bb8a12a7294ce0012c

SHA256
5b7cbf707a393ff40d17eef60eff4ee6237d510c3844ac01ffaff712b1bda2a8

SHA512
0fcb7ef1ee5614619486993fd7f9efedd6934a22a1eb41f08c05a1d218bf760e0a18bc30defc0e96c083c556503a5c52627319341feeb005a381c9d6115693cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkUk.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\locK.exe
Filesize
1.1MB

MD5
df84c05e00dd3de8ffbec4c378f7175b

SHA1
fbf2e4d5701a1d0be2d0f11aa96ea7314f5faa7b

SHA256
10786238aad2211e44657d4e6b259d05c12af90a446bddf9f0d523a0516e3c9e

SHA512
0ed6cf5930cb2bfe92535167112041ab2b27e1e45718b503c3705450f896f529e025afe0146a22c9c6c0cb85e8a5b4cfe009625c1984e98cc976bca36513d2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUAU.exe
Filesize
205KB

MD5
5aa9f25f77e9f1a2d594418b94bed0f3

SHA1
e52948d03f4fd771ad25c7774c39c423c7442a49

SHA256
aa52ea29b8ad19ee4dfc4d963c3bae6fb5920714fb8fbe35557da58258c7774c

SHA512
29d30da1860b6ace31070c8f06187bee675c0a3ca002d0125144747378f0e1dfd86cc3fb8f8d9550ba68ce4c17b0aef90c62c4b5598399ac1d7238181f87a6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkEG.exe
Filesize
510KB

MD5
42b258c597ddaf9eefb1c07442e510df

SHA1
26002287816739925a28c58885ac6fe8cf24ef92

SHA256
17bf8415b927376f0b9ef16a8f6c0c0a8f7f74a209323b5e2d3bf961722b681a

SHA512
de6af000f61b0b376d977befc709213f25b4f4413a30853b1c07b8b95b6ce794cd349bbf8c4ef9a64226af94dd96c631ed2a7150de380c81e6170e04788e4826

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncsg.exe
Filesize
182KB

MD5
963ef6b2f64002167f914a1395a0fadb

SHA1
72b20708c883a953708b7d04882e1d705c779380

SHA256
a17c611ffb6599eff1cc96154c6e413d3963cc5ab89e2dc2360c60f183d54ccb

SHA512
aefbf88fb39a3b27e52ecbb5ada0744fa2ee10cf3bcc7f1d244f8bbcf1122119f99ba78fea11cc3083705865db91877b36ba47b7d4744650b293fc8c474db13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMUA.exe
Filesize
193KB

MD5
4040c1b8a1d579bf40fac9a4b7848ccb

SHA1
fb90a570e0c857db8da1f9aafb8e518665f22973

SHA256
ee863f2ec34691db9669d5a3fb3dd3e9ba80949cfd85e53b4c14b1a3f6c4a0a0

SHA512
20382be23f7366de95d01ab31fbe8f820e7fc3f04dd912d075b229c2bd0cc1565eb2705578226e7c29aaf963930ea110357f840f3739c6013a1370b5a900f796

Download Submit
C:\Users\Admin\AppData\Local\Temp\okci.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAgS.exe
Filesize
189KB

MD5
1b9c597e40b2fa9c15e91fb7ca0f30b4

SHA1
6d3fc862c07d05c7f7ac03313cd8bd9458c50aa9

SHA256
6ec3bc172ce2169da86821dd2a57582a284b675dafd03480b6e9b80599e46480

SHA512
3036d90d8fb3a13309defc951ce5a9599c06133e5430be7515502a9f5a24e6ce6d9f3e363a9d5dc707576cdbb1c9c1911bf5676dbbeddf65e7f179d8f9f526e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUgE.exe
Filesize
326KB

MD5
9514a74364e3a9e54e03275ec05c53c3

SHA1
5fbffeaf1005c6ad8c4d66e759c57b49645a712e

SHA256
a9568152ebbbd5eace98b4fbd5721473bcb9df73df95240b515eb84466b0ff9c

SHA512
841314900d1b7326dbe0c074cdd08b5c68d6e2b06aea2f58e85e924c68134839c5b31eb5184ab68951efba68dec3f8a05934ea10bfa25d05d5971de69b477870

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkYY.exe
Filesize
200KB

MD5
8fe792b96d0d7a713d1218727e9b7cc5

SHA1
cc74d89126b84733a536d3af68e2837d9bd3e5bf

SHA256
deb287f92b23cec96db619a3960092c50bc8ce5e588e1730931cbba6f07c5d0b

SHA512
b4d80187061faa60d1166bd0619f139cb012199c8d724d88f8f0ef736628dfeef676bc5df5e8d35013d41d14e2172a7fe909febe132b6529f9287d23e4368107

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAoi.exe
Filesize
245KB

MD5
93276f7e8ce61970d9c8060c06fbb8f4

SHA1
a0b47e0bd055d05842cd3af86d32122df2bc3827

SHA256
4077f3d79e0780701f000c9fa423ba33da790315a2806044b2076068b654b626

SHA512
d851dcab15e2aba414ea5b62be1f6c13676c64e00989ce9f9ebde7a6811cd3a9769ea6ef0ed3e197a9702ca844cb36c642005fd7ceabe4b4643c1d93b5851c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUoG.exe
Filesize
554KB

MD5
40476223f5f7881c83fd641d2277cba8

SHA1
356897f597ff8aeb3927c57cf0003f282630d6da

SHA256
ae34694247814d5cafecc0ee26df3a10a21ffd53eb32ddc9e8aaf40f6e834b37

SHA512
910c4128fda5a04f0239325588f1b9d07124a809747176560faa2ca073acd40c0ddc95d922442806cb250e9837d4617ff6ab4d5e9d1242157bd9e6376a51a91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAoW.exe
Filesize
185KB

MD5
06c92a6c7c7c6b91b019e3559f436874

SHA1
683e199f56f115eb14c019adf4f1b562b45b343c

SHA256
9f9b61bf3616647bb26c0bd3263658a54906c3e7d4797723fc5fdd910f5c7662

SHA512
89c8d84b46888fd09aa90ed8fe8177f163de2df7b5d90566ac511daae7b9f12952912aa0e1fcb2da3713210ee3ea8eff1a48c0bbe907401513ad01060e1a6cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMYg.exe
Filesize
428KB

MD5
2f18fb33e4f9b5be577589d327a9f6b2

SHA1
fe1916b3b9bf65dafd9e4382d1da6a3214acf998

SHA256
69446070cd6a7ecd8ce987777e4caf4d7dfdadb84b0087aff6e2cc1af0987f4d

SHA512
5f23586c45afdd6ee69b0978c1b33f57a9bb71baac728a8b79542a1412cea1da064768a5d0d65fb72afd0b020904a5d6e8a8ed83d3142e10c6f6449ccfdc0db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgcm.exe
Filesize
189KB

MD5
707a7d9f2f4355647ffeb66627375c75

SHA1
d7d5ea98645ae19887096dec3bbac89774c24d6b

SHA256
72149b7ea88ac3990d287cc2884c98cf8ac051cb36788b3736ec50b9853e4aca

SHA512
e0d48429f996cac0a5ae015de147ddce93a740dcb68106968114223572c98ca70d9f0ad8f68be693f42e729ecc86269884b5957764bbb903d70d6822cfcc6415

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIYK.exe
Filesize
659KB

MD5
6deb9cf840e4f1c413c0cc62a9151844

SHA1
a74e5f26af9fd02adde8583694528be3004f723d

SHA256
2e6b386eccbff58911c31ec0717c2c726a14b7722aeb009adcc4eadbeb0c1c71

SHA512
bbd25831e3edb63de0517d23fd46ea8f86f3bb7b279837bffffd450a4ddb6c85ce443bcb8cfbc007d3114085a029b5a44bbb80ff32ff180bbe5629c6fc981235

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQky.exe
Filesize
773KB

MD5
c285854db4469abb1d8d72f30c7dd5db

SHA1
4c7403bffd13f5f783e0446867d07e513f9d30e0

SHA256
9de451c8baffcbf7ae216b9439f7cb3ce315d829ff611e67ccdb78f62e42be5f

SHA512
6b9aadab9e413901b67d8ad86cc8365568ec3cbb555ca762c28ed3bc51654156d4c9f0a5a3544ff9ce31e864e7a42eb1b9e9aa94ad644580bbd89cac8953a3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugEE.exe
Filesize
191KB

MD5
8690eecedaab36b8bd08c891746e59f1

SHA1
58eedd72470b120ce426d126f28d28f7821dbd91

SHA256
4369c01a30087d0400578917327a574debff76988c07ad7d91c4d985ce7b9b76

SHA512
c07aed87971a8f62320bceb04bb51c53b143ac1feab2649181f64c7e049a87351c420a189ea7a412b109ce5cc4825355570f6ef8f6ce566605230fdffcd45016

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYoy.exe
Filesize
456KB

MD5
b873b6210dbb2d8dea63213f5afbf188

SHA1
634c4575178f62f48fa015d51662361fb85341e0

SHA256
c8bdf40bdba590d0af7a1eac2bff1d16c4b22ed3164a73db6dc40ef3cf37cfec

SHA512
c5d10923d8caaa896ee0d2c7732c1944196660bfa3c862e4c73b1b439d92f9f2d79498392161b187f067f1ea474b5479992c087046081bc0591639699702066d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAII.exe
Filesize
198KB

MD5
d6eb0afbae2718b47a007e4bf8d07582

SHA1
c94ca62bf37c77a7c793e8893ab62af80e153c49

SHA256
495d7769a14c1b2e70ec973a97d059487482d18da0934f62c4922afd086c76f5

SHA512
5502bcbc303abb5525620ddc29097c4436ad4396c9e0bdae01571a6fbb20e9ed3103259ba851ec3610562aa62e8cfbf3f3c2aebe6bbbe0ceb2315ac0dd8c5f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEsO.exe
Filesize
189KB

MD5
c8e81485da5f67845c2900e71cbb7f89

SHA1
63ae9d20a7820efdafc57fea7f971cbdf73c54ee

SHA256
6c6e83ac40192e7ea903c03b4dfc7733632fb7d221115d102c85f84a7f0bdc49

SHA512
7c9f202bb4327b1e89307bd80a690f6554b19ebabdbd2b11a2f27d0300d65e06edae6c64543f1d608eee7a3a9f153617cceda7b386808cc5cdb7f4d5f6cb0442

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkgU.exe
Filesize
222KB

MD5
13ef1b1f4c4d8c363fe45514ca8de6d8

SHA1
97a1e4febe8f897b24cf6631f47c92d16557ae28

SHA256
c495f5152b3f20b32db3a6ad7512c2c00f7e0ceef97f6905d0b5d3286c50c7c7

SHA512
a1f6be5da1d88ee9e1b410eb32745c027005e9634f0b06b167e1d0beb16e74bed8c583ab6c6f240af1364fe9c6b8b13e884bdcfe57d1cf32f40b4fcb5a9cc9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAsO.exe
Filesize
387KB

MD5
30de1e950fbfa29a5196ae806caba07f

SHA1
34a3b09198eab75e6fdb90bb2455493b3c0f7a4d

SHA256
7287202bb3a814d1bfde3841e7640881c0b73ee70d7249b7d34acd5f48a1f82e

SHA512
4d23dd0cb534a433180f113f0c1edbb82598e1408e5da2483ba8e3f8e7db03f4f6f73125772ed43fac80058454c2d9665188d09949bd21fb7736eecb98c21d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEYk.exe
Filesize
204KB

MD5
3fc5b16b47e21546629fa1b3a9346ca0

SHA1
f3f5f8cd85b81ee6346a79cac5f1a1300da9a1eb

SHA256
ebeee342bd6ea83385f61072349f9e770b5a1348a3781c349e88ad0d3a3ebcac

SHA512
ffdba2594621e38fb58e0a834a6965a988e847ddf3130b6d48ed35e71b32d786658b18bd029886b1f8adbc7a0ba90c546c96e62bdfda06e3618094b888ad22fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYIe.exe
Filesize
209KB

MD5
62954e2a67078d3d4ebb1cd9bc2b63d8

SHA1
7aeb3d2d8daff5a2ce26eb81e66b841f28414da9

SHA256
e1af096a18a5fa161c574bfb96fbb2b17fe46dbae748daefa0e2c38e4dd4f82b

SHA512
3bbca85088d59808700906855d0815f145df8390a0cdbab84af5cfda236ca94898b44bb2859dd43a0d793da78bf00cd20e29c5065bf51b6443446a8d1a24abd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkkI.exe
Filesize
197KB

MD5
33859ef14ae01ff48c5521b4c0a871e9

SHA1
837bd26e21ab072dde82eac82527b988fafa9d71

SHA256
a760d8216fe4510a9dbe6f18602da48ce163f5b685de2141fccdc10c70b51e32

SHA512
e3fb6e444faf10b058ca540488e9edc60cf1027e2f738bf8af03d717910ac30bb5305b7736d63d40019b14ace6ac7c0c2c9afd5e25f6a8ad223e89493122e2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwEG.exe
Filesize
201KB

MD5
601be996b1e33c973010180acb174178

SHA1
a92aec951121889ff64ce1db0dd5e532eb82f3d4

SHA256
2d7f58d4248ad8c272ea9de33fdb82cad65ca68c477a3bb3ee809dcfd4826d4f

SHA512
b6af51fdc7f3ea2ad8198c939398ec044464c9308a6970d12599b9aa3453852d1fa1933181a68eb04cb10b2fce0e755c4d9d4e721b3889de74b2d6fd5a9bca53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycMM.exe
Filesize
836KB

MD5
ed8c7829203ee4b7f97b2613229a20d3

SHA1
908cc621c6cb9b5edbf29b659d17125fccc132a2

SHA256
365184428a49279b209c23d5743181217746ed01cb44be6d9720c11388d3a99a

SHA512
7839423832be58523e63a6a4dd6fa9d82adca9f2c151fcc4a70ce0cbe059eade29837be1e725aa3ddc4075e1be550cc20914b8ba3f916578cd176028bcc298b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykkU.exe
Filesize
709KB

MD5
d0cde7b79b97c859dc0c64e4739ab600

SHA1
fe3a71d40b50ad92592791a9a1bee97cf55dbce1

SHA256
b492b04a63945ac9d751a0b0d76b002ba534563187adc3c58c05f6c10d9ff367

SHA512
91fa08ba9e1db62f62d0202e52c9b14dbd8de89304ed4b5725794e65760247a528b1b23c251e334a6b0c18763370e30628fe4a7147fb39586da8cba5e68e0f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMwg.exe
Filesize
181KB

MD5
c62049d1d5699de07cd8ca41d3617540

SHA1
7cf8282441fdea0ea907c0346ba672d7f3308cc7

SHA256
666f7049378cd24f76e9670f800b5b787bc358948f7e2a9b34a92fd0b8504433

SHA512
23042716cedf54299ca863588d7084c704d3c2b0902a136d3057e9ea4e9ee93885d21e4383c44f63a1d037a81171a675b453c21acb01a43e3fece81f6d149cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQkA.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgQo.exe
Filesize
327KB

MD5
bb55b4d711a59ece0fc72490d3ac6035

SHA1
dc7dcf31950d2646f27ba1a226e237a25dcadec5

SHA256
904c5c75755eeae01457bbdd67e3cd1878c1a205a92551138f6499ab71c03b0c

SHA512
d9347043190e06588acc64ace6d20a17b93ace9b5a014489284451e4ee0dd6ff92a0a4e71e36ba5dae7964cf07bc86858e33ab9ac47c8a8b771aca285a283ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsgs.exe
Filesize
205KB

MD5
f1163da578a68b86f8a84a0049389ff8

SHA1
397f228d929f5b0c21ffad15d6cb47dce90b65d6

SHA256
5ce9d0437a7e147126ade74941dd64c775860b7cc2714fff2fec16fa1c755605

SHA512
896544212da935860c12eb47ffbdde2882e6f510fc30a98cb36c8e8a2b326a26c0166e21db57b145c6d2db42057de985b149ee97df33288c75b236fd8a69688f

Download Submit
C:\Users\Admin\DqsQkQsg\fkAscMME.exe
Filesize
204KB

MD5
e993c7e225385ff87021103dea8edde7

SHA1
a216c76ead9268420965b19b26833e51091ccb6e

SHA256
9d9ea169f97f3f897c32ba3d04c9c7edfb4b03a15144f90292280d7d2eff4b0c

SHA512
d99fd80ff61f568e7506ae2564b8ae89ca3dfd48a5a7f083258016499a735ee4e867577cc10c745a6b6cd0c9c7ba52b5e515e79488f09dd4fbaf1b0fb6e301bc

Download Submit
C:\Users\Admin\DqsQkQsg\fkAscMME.inf
Filesize
4B

MD5
633bf622546a4d2d74cdf45f4984a61d

SHA1
1304c00a07127107c3db1c7700156b73da7550d3

SHA256
d89b1dd50e55da8f30048d331d5bd1ab73254c5650ac4dfbbb4214f51c3f2ce3

SHA512
ae3d1321358d4188299b1c7b56594d4d4b88f1de26b9a288e3755867a59fa0e6a91aaeb48f7a125db7d041d3d307182701315c98780f2ef9dbf296e10940c9e3

Download Submit
C:\Users\Admin\Pictures\ResizeShow.bmp.exe
Filesize
462KB

MD5
815facb924773de2f8256b6e5bb33aba

SHA1
5bac6f0790e558f4008b0626fe9aba13b3683385

SHA256
0dc92cc7f83627ca41ffbefc3bb468ac358f34b589b12b1eb33a6c05798b5b32

SHA512
47323127efde59a6f1c4cbdf2e4825148aa4f5a47fcb2fae59ba347f0a6ebd3c367aff6c27f2d72659df3e50182c5f2f7d6e9a5a73fc64292483abf81f3e0d8c

Download Submit
memory/676-373-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/676-383-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1012-524-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1012-512-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1084-421-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1084-409-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1196-420-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1196-429-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1236-206-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1280-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-506-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1388-491-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1420-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1420-286-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1512-336-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1512-345-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1620-142-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1620-156-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1644-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1644-108-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1864-327-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1864-313-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1936-274-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1936-289-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-455-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-466-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2012-232-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2012-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2092-449-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2092-458-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-229-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-244-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2292-436-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2292-448-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2388-389-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2388-403-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2564-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2564-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2692-532-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2692-520-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2884-392-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2884-379-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3024-477-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3112-257-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3112-269-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3124-354-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3124-341-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3148-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3148-81-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3160-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-34-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3212-17-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3260-365-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3260-350-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3276-303-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3276-316-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3476-495-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3476-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3476-482-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3476-194-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3500-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3500-69-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3640-105-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3640-122-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3660-307-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3660-440-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3660-294-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3716-473-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3716-486-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3780-240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3780-260-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3952-133-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3952-119-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4088-30-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4088-46-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4184-321-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4184-335-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4272-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4272-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4404-278-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4620-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4620-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4636-515-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4636-505-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4752-374-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4752-362-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4784-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4784-220-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4792-542-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4808-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4920-171-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4920-157-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5028-412-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5028-400-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download