1a5d387ff5859dc880c62a9bc50ee448c464ca998a986d8c1eb93b7c824ed374

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
Size

199KB
MD5

978f428348a12660ee885c1f6e34d926
SHA1

dd994c28e1df0d4b77972c4c4d796f425e9c446b
SHA256

1a5d387ff5859dc880c62a9bc50ee448c464ca998a986d8c1eb93b7c824ed374
SHA512

763bcf72b4865e3b285ceacd2385de465a5616f1993aa52b6dd3d786b68a67cbdcb196e8956efe7f49118b8e385fcb14d42ee7dd960c6b5c8caae8eb2b568606
SSDEEP

3072:2RTym7D6XCydNyPGfBAz5pttQ6hKztASqbQUbmYtrP/fFVQ1tH0j:2tL7QzfBa5ptJKRASqbQsmYe1tHI

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (77) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

SaIcgwog.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation SaIcgwog.exe
Executes dropped EXE 2 IoCs

Processes:

SaIcgwog.exeAAMUUcMg.exe

pid process

4892 SaIcgwog.exe
2952 AAMUUcMg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SaIcgwog.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exeSaIcgwog.exeAAMUUcMg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SaIcgwog.exe = "C:\\Users\\Admin\\AaEkcYAE\\SaIcgwog.exe"	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AAMUUcMg.exe = "C:\\ProgramData\\tSMcEwsk\\AAMUUcMg.exe"	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SaIcgwog.exe = "C:\\Users\\Admin\\AaEkcYAE\\SaIcgwog.exe"	SaIcgwog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AAMUUcMg.exe = "C:\\ProgramData\\tSMcEwsk\\AAMUUcMg.exe"	AAMUUcMg.exe

Drops file in System32 directory 2 IoCs

Processes:

SaIcgwog.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	SaIcgwog.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	SaIcgwog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2416	reg.exe
4868	reg.exe
4808	reg.exe
4424	reg.exe
4268	reg.exe
2192	reg.exe
2600	reg.exe
2700	reg.exe
412	reg.exe
4984	reg.exe
2844	reg.exe
2648	reg.exe
3012
4732	reg.exe
2820	reg.exe
4928	reg.exe
4700	reg.exe
2916	reg.exe
1280	reg.exe
2796	reg.exe
2660	reg.exe
4300	reg.exe
4672
2948	reg.exe
4672	reg.exe
3220	reg.exe
368	reg.exe
2800	reg.exe
3548	reg.exe
1868	reg.exe
3968	reg.exe
2416	reg.exe
2640	reg.exe
1324	reg.exe
700	reg.exe
3512	reg.exe
3924	reg.exe
5064	reg.exe
4684	reg.exe
4344	reg.exe
1636	reg.exe
1988	reg.exe
4656	reg.exe
2004	reg.exe
4536	reg.exe
4380	reg.exe
1992	reg.exe
1204	reg.exe
4984	reg.exe
3940	reg.exe
4136	reg.exe
4020	reg.exe
1184	reg.exe
5076	reg.exe
1092	reg.exe
4332	reg.exe
4252	reg.exe
3940	reg.exe
628	reg.exe
1628	reg.exe
3552	reg.exe
3236
628	reg.exe
4336	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe

pid	process
1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3448	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3448	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3448	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3448	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
5048	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
5048	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
5048	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
5048	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2476	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2476	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2476	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2476	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
4556	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
4556	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
4556	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
4556	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1408	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1408	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1408	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1408	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3984	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3984	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3984	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3984	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1772	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1772	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1772	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1772	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3532	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3532	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3532	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3532	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
464	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
464	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
464	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
464	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3360	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3360	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3360	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
3360	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1084	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1084	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1084	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1084	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1932	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1932	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1932	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
1932	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2456	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2456	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2456	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
2456	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SaIcgwog.exe

pid process

4892 SaIcgwog.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

SaIcgwog.exe

pid	process
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe
4892	SaIcgwog.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.execmd.execmd.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.execmd.execmd.exe2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.execmd.exe

description	pid	process	target process
PID 1180 wrote to memory of 4892	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	SaIcgwog.exe
PID 1180 wrote to memory of 4892	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	SaIcgwog.exe
PID 1180 wrote to memory of 4892	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	SaIcgwog.exe
PID 1180 wrote to memory of 2952	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	AAMUUcMg.exe
PID 1180 wrote to memory of 2952	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	AAMUUcMg.exe
PID 1180 wrote to memory of 2952	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	AAMUUcMg.exe
PID 1180 wrote to memory of 4556	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1180 wrote to memory of 4556	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1180 wrote to memory of 4556	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 4556 wrote to memory of 3988	4556	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 4556 wrote to memory of 3988	4556	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 4556 wrote to memory of 3988	4556	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 1180 wrote to memory of 3324	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1180 wrote to memory of 3324	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1180 wrote to memory of 3324	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1180 wrote to memory of 868	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1180 wrote to memory of 868	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1180 wrote to memory of 868	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1180 wrote to memory of 4488	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1180 wrote to memory of 4488	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1180 wrote to memory of 4488	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 1180 wrote to memory of 4812	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1180 wrote to memory of 4812	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1180 wrote to memory of 4812	1180	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 4812 wrote to memory of 3864	4812	cmd.exe	cscript.exe
PID 4812 wrote to memory of 3864	4812	cmd.exe	cscript.exe
PID 4812 wrote to memory of 3864	4812	cmd.exe	cscript.exe
PID 3988 wrote to memory of 1332	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 3988 wrote to memory of 1332	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 3988 wrote to memory of 1332	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 1332 wrote to memory of 4980	1332	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 1332 wrote to memory of 4980	1332	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 1332 wrote to memory of 4980	1332	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 3988 wrote to memory of 624	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 3988 wrote to memory of 624	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 3988 wrote to memory of 624	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 3988 wrote to memory of 4408	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 3988 wrote to memory of 4408	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 3988 wrote to memory of 4408	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 3988 wrote to memory of 4872	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 3988 wrote to memory of 4872	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 3988 wrote to memory of 4872	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 3988 wrote to memory of 2504	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 3988 wrote to memory of 2504	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 3988 wrote to memory of 2504	3988	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2504 wrote to memory of 656	2504	cmd.exe	cscript.exe
PID 2504 wrote to memory of 656	2504	cmd.exe	cscript.exe
PID 2504 wrote to memory of 656	2504	cmd.exe	cscript.exe
PID 4980 wrote to memory of 2940	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 4980 wrote to memory of 2940	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 4980 wrote to memory of 2940	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe
PID 2940 wrote to memory of 3448	2940	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 2940 wrote to memory of 3448	2940	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 2940 wrote to memory of 3448	2940	cmd.exe	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
PID 4980 wrote to memory of 4984	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 4980 wrote to memory of 4984	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 4980 wrote to memory of 4984	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 4980 wrote to memory of 700	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 4980 wrote to memory of 700	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 4980 wrote to memory of 700	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 4980 wrote to memory of 1940	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 4980 wrote to memory of 1940	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 4980 wrote to memory of 1940	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	reg.exe
PID 4980 wrote to memory of 1300	4980	2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AaEkcYAE\SaIcgwog.exe
"C:\Users\Admin\AaEkcYAE\SaIcgwog.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4892

C:\ProgramData\tSMcEwsk\AAMUUcMg.exe
"C:\ProgramData\tSMcEwsk\AAMUUcMg.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
8⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
10⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
12⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
14⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
16⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
18⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
20⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
22⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
24⤵
PID:4480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
26⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
28⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
30⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
32⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
33⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
34⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
35⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
36⤵
PID:2820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
37⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
38⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
39⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
40⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
41⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
42⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
43⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
44⤵
PID:1516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
45⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
46⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
47⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
48⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
49⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
50⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
51⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
52⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
53⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
54⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
55⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
56⤵
PID:1476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
57⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
58⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
59⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
60⤵
PID:2168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
61⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
62⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
63⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
64⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
65⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
66⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
67⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
68⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
69⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
70⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
71⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
72⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
73⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
74⤵
PID:4732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
75⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
76⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
77⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
78⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
79⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
80⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
81⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
82⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
83⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
84⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
85⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
86⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
87⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
88⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
89⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
90⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
91⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
92⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
93⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
94⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
95⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
96⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
97⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
98⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
99⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
100⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
101⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
102⤵
PID:2628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
103⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
104⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
105⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
106⤵
PID:4348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
107⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
108⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
109⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
110⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
111⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
112⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
113⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
114⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
115⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
116⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
117⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
118⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
119⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
120⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
121⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
122⤵
PID:368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
123⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
124⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
125⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
126⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
127⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
128⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
129⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
130⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
131⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
132⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
133⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
134⤵
PID:4412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
135⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
136⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
137⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
138⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
139⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
140⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
141⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
142⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
143⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
144⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
145⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
146⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
147⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
148⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
149⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
150⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
151⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
152⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
153⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
154⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
155⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
156⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
157⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
158⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
159⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
160⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
161⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
162⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
163⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
164⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
165⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
166⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
167⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
168⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
169⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
170⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
171⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
172⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
173⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
174⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
175⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
176⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
177⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
178⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
179⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
180⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
181⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
182⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
183⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
184⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
185⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
186⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
187⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
188⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
189⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
190⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
191⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
192⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
193⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
194⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
195⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
196⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
197⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
198⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
199⤵
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
200⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
201⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
202⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
203⤵
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
204⤵
PID:2536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
205⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
206⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
207⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
208⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
209⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
210⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
211⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
212⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
213⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
214⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
215⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
216⤵
PID:4452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
217⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
218⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
219⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
220⤵
PID:5024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
221⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
222⤵
PID:2820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
223⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
224⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
225⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
226⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
227⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
228⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
229⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
230⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
231⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
232⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
233⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
234⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
235⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
236⤵
PID:4016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
237⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
238⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
239⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
240⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
241⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
242⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
243⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
244⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
245⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
246⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
247⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
248⤵
PID:32

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
249⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
250⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
251⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
252⤵
PID:2064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
253⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
254⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
255⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
256⤵
PID:3180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
257⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
258⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
259⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
260⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
261⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
262⤵
PID:4884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
263⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
263⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
264⤵
PID:3240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
265⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
265⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock"
266⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
- UAC bypass
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMMsYkIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
264⤵
PID:468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies registry key
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
- UAC bypass
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSgckIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
262⤵
PID:3940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
263⤵
PID:4672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:4300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgkAUgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
260⤵
PID:3196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:1684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
PID:3532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwwooscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
258⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies visibility of file extensions in Explorer
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyIIokks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
256⤵
PID:3408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:32

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies visibility of file extensions in Explorer
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
- UAC bypass
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOEYkAUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
254⤵
PID:3184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
- Modifies registry key
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZosMEQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
252⤵
PID:2600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcIYMYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
250⤵
PID:876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEYsAoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
248⤵
PID:1640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:4348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmMAsEwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
246⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:1092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
- Modifies registry key
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMIkAMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
244⤵
PID:4368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:4388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWIQooEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
242⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMsUYAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
240⤵
PID:4412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQMYcAAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
238⤵
PID:1992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMIcIkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
236⤵
PID:1216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:1988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jogMAUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
234⤵
PID:4480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
- Modifies registry key
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOwEooIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
232⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaUIEoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
230⤵
PID:336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:4252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:2476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:3020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQMAMIQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
228⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:4480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
- Modifies registry key
PID:4700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKsUIIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
226⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies registry key
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
- Modifies registry key
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQowMwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
224⤵
PID:3512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:4556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwYYwUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
222⤵
PID:3700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
- Modifies registry key
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biQAkkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
220⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
- Modifies registry key
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYEsQAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
218⤵
PID:3424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies registry key
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmAIYoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
216⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:3512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSIgIkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
214⤵
PID:3804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgIwUgIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
212⤵
PID:4136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:5048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqAMkIMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
210⤵
PID:512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:32

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:2640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XokMEswE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
208⤵
PID:2076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUUUcwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
206⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:1900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:4580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaMwkcQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
204⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYIEwwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
202⤵
PID:4352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WewcgsEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
200⤵
PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
- Modifies registry key
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOsUQogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
198⤵
PID:3984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeIQMogM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
196⤵
PID:3452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- Modifies registry key
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGUswoMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
194⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIgEcoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
192⤵
PID:2636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:32

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWEMwcYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
190⤵
PID:3440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEkcEwoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
188⤵
PID:1300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:2896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukcoMwAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
186⤵
PID:3116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
- Modifies registry key
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqEkwcwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
184⤵
PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
- Modifies registry key
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
- Modifies registry key
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOYIMoAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
182⤵
PID:3172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYwokcMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
180⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiIMIAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
178⤵
PID:1888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyQQkgAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
176⤵
PID:2608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgkcIccI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
174⤵
PID:2316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCcYUQMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
172⤵
PID:4596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoYAEowo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
170⤵
PID:3224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies registry key
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEwwggMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
168⤵
PID:3236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HggosEso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
166⤵
PID:5008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:2004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
- Modifies registry key
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyAsgosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
164⤵
PID:4596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:5036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- Modifies registry key
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEQQkwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
162⤵
PID:1640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- Modifies registry key
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuooosoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
160⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAogkMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
158⤵
PID:2256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOsMIIIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
156⤵
PID:3452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies registry key
PID:4252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sigYwYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
154⤵
PID:3152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouwUoYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
152⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- Modifies registry key
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYUkQMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
150⤵
PID:3684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- Modifies registry key
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
- Modifies registry key
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqAcgsss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
148⤵
PID:1448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
- Modifies registry key
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSMAEQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
146⤵
PID:412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
- Modifies registry key
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUUkUgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
144⤵
PID:2112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- Modifies registry key
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEoQgMYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
142⤵
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuAQYcco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
140⤵
PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmkwgQss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
138⤵
PID:3528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:3116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwkQwMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
136⤵
PID:3236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMIAwIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
134⤵
PID:4464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:1988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYYcMEwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
132⤵
PID:4480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:1284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies registry key
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sukcEogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
130⤵
PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:3676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkUIUAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
128⤵
PID:4580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:1476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
- Modifies registry key
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsUIQcoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
126⤵
PID:4464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:4756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- Modifies registry key
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAogEYoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
124⤵
PID:1284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOAUwwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
122⤵
PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- Modifies registry key
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgkIAAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
120⤵
PID:1476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AawAsIMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
118⤵
PID:988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:3652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAgMMMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
116⤵
PID:4528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies registry key
PID:3512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwskwkIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
114⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:3548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:2068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYUcwUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
112⤵
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAQgYUww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
110⤵
PID:1640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViMgAAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
108⤵
PID:2148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeccMEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
106⤵
PID:3528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qccsEwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
104⤵
PID:4076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyEoYkgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
102⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkkYUYok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
100⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fscsAQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
98⤵
PID:3668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haUccMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
96⤵
PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcYEcgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
94⤵
PID:1284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeQsMEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
92⤵
PID:2156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:1476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMAwIocc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
90⤵
PID:4984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:32

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kksoUkwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
88⤵
PID:3504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owIkIEsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
86⤵
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsgcUwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
84⤵
PID:3924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CywskcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
82⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lygAcQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
80⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIYsokAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
78⤵
PID:3552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEIwIsIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
76⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies registry key
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
- Modifies registry key
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQoMskoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
74⤵
PID:32

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyoMsgwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
72⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DioUsUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
70⤵
PID:4828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:2640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOcMgYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
68⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- Modifies registry key
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMwYYYQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
66⤵
PID:3488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies registry key
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOYsMcwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
64⤵
PID:4432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:2052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:5048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYQsYAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
62⤵
PID:2256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOoAksYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
60⤵
PID:3148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CagQkUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
58⤵
PID:3940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:3192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUgYkMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
56⤵
PID:4972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGosQUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
54⤵
PID:516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYkYUsIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
52⤵
PID:2052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuMIMAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
50⤵
PID:2076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:3668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucswwwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
48⤵
PID:3208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:3084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:2892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqsgMEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
46⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:4672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOUwUMAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
44⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYoskYYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
42⤵
PID:4816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWcUkssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
40⤵
PID:4368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:3408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYgYUosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
38⤵
PID:464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:4064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAQEcwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
36⤵
PID:4504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkAUsogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
34⤵
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:1084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkEkIwoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
32⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:2520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGIgEAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
30⤵
PID:1516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- Modifies registry key
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIIoQIIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
28⤵
PID:3980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
- Modifies registry key
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkkAsccA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
26⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
- Modifies registry key
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaQIIwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
24⤵
PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyIckkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
22⤵
PID:556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmQQYUsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
20⤵
PID:2372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- Modifies registry key
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmoQIQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
18⤵
PID:2980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coIUokQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
16⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAckgIAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
14⤵
PID:2164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWUEswgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
12⤵
PID:4852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQYYAMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
10⤵
PID:3556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwksoUAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
8⤵
PID:3428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaYQkEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
6⤵
PID:1300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgkcskUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkIYwEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3864

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
307KB

MD5
1e6666ce08d67e4bd954170deca5ef3b

SHA1
4cbef9b25efe69f992e63f7f3f391e4fdbd1c62e

SHA256
3d6e21d304d44e7ec63d3035b1d92aa7e69affcec83b75b9739acad9bb70b8f9

SHA512
99fbf8fa5d1a1faf6aee58c77c8c50f7bc8929f0b4e2a73b720e71dda3a37b6efe65cdd88b74b64fac070bdc0e54d453a1f2d9af1e4cc98ff6cc20a2229347f1

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
234KB

MD5
7a536d27cf80b015c0a3e52afc6104e3

SHA1
378c541ea4854a424491ab70e7f6564a568e61df

SHA256
56952bfed91710420c1611f157bd096bf7ff9ff6c80440dd22da36e77f9e0846

SHA512
22ace2028672bbe27030375bb9941712fac26047972c65c450ac917eeddeffe9b9a35bad3f9ea570fee57fedabdf6cdab21182d9ad72d3fce5b56304b322eb74

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
232KB

MD5
22fc984de321a4b87439fb9b2734a542

SHA1
94483029c3c203a651b6f12c822d16617c05f786

SHA256
70825f0c24751bfe32d9be12ca1cc6778e0369b867a0ee4b37aa7eb045611a21

SHA512
824e3d09589760c36d70635ddfed6206c31aac158219d408233e95bc88751d154c70c4f75d358bea1b4a6e69a95f7d3a27dbf20e6cbbd11a49cb02123d04ecb6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
311KB

MD5
ba214624eecc0686e61139ec0c5c5c9e

SHA1
3dce01657aec417106640ab0ea4af31149311cf6

SHA256
90ece68994006ae6088a6fabb2954f716e420e0197b229b875dfdc9f28673137

SHA512
58b840453b933ecaaa96f4dc3746c6d5522096ea5d305db875116561a41dbfd92662a3ad2b15d2c90bebd8057cb4d10bf1754cada2bbeb74295890743396162f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe
Filesize
186KB

MD5
e01b575213bc960b66f2e6a38d67225e

SHA1
9704e24972eacd9035d9656de9d5d6d382c11d15

SHA256
f86f566ba2af4fab439306bc31ccb70f84e5a7b825d12c1e7b496cbaa7671d42

SHA512
df49c9a72a707a36bbad841644de4cbdd7e6185f52fff33f5068a2413801ea41aa9e2cb51eb5cee1fbe832f8b5f102d29a86177609f2c6d81483a712ee5b4a80

Download Submit
C:\ProgramData\tSMcEwsk\AAMUUcMg.exe
Filesize
193KB

MD5
41044be759ba0e997885bb89d889c2a8

SHA1
0fd35bb6c0acf65d3d7bfdcc885a296a5ef82e7a

SHA256
9192968cccf3cfd62920556cb9cf3d323b3e8a8cbd594083d93f600dcaf8a467

SHA512
95eba38d61fcb7d215e3633701f9c1b1840aee6effffe5c81c668a39c44c20bfd97fa91a886cadb9b15d849d5d3051b9f3111b8e14afafd4630b7f6c555af3b7

Download Submit
C:\Users\Admin\AaEkcYAE\SaIcgwog.exe
Filesize
185KB

MD5
7e11884acc92a9bf395d6698bfca58aa

SHA1
f6bdb4b75a50c7cc28b83d8242f0ac1e2236f91f

SHA256
26623fc5b31f9a0eea68de2ba78f5404aedfacff48d6079a1f79e6fc4337bdb5

SHA512
c1937aab25b2b9538e0ab0bedcf43124e7b1abdc15edb1bf61133baa511ec133fe459cae773a0fc50a89ab0959ba1dbcac89b24b458ad5bfbaed116f18ab1d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe
Filesize
180KB

MD5
e368c14ac12bc2604c12895396689e38

SHA1
fab6d147a614d7c6d663a662fbcee726329c3eca

SHA256
2eb647604e4f6e8baf532233414d95ef27b274f97fc0b6a7b5be6ac7fb13394c

SHA512
b70c9e1790e070e7f447509f3c11f7dfa72d2932dcb21bb2337bffa03f756cba8da13d6748080aeb4949ffa3613ec654024b40a0db61025890c351160d716ed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
Filesize
190KB

MD5
dafc8be1d3e4d1a30b69bb346b9ac9bf

SHA1
36c94a065c8ac926e87f73237a910a991ac9d7f3

SHA256
52ae10172d605c0a9489b7e70c9cb9ce3b77d32049e9ae574cd27b76d619aa23

SHA512
d3d18822d2aada2c07465bacae5a33603f70fdaeb000418b702c4d0dbe70eec36c5b014a159a30c43e6a9274b1c853c5d8bae1d8a9e479fc1d56ee6896bf5b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
Filesize
193KB

MD5
400a48b66e2ab0fb3b4064dfc93600b2

SHA1
c689fa8bacfc2c9037a3c7c9a3ff8c1da55268e3

SHA256
2fb3873f44d2a46646635185c7ab69c09d22442717ebbf9fc397a8259f13ff06

SHA512
38ba1018a8875aea3c0347c6c6d37a5409a13f7fc7b23ae40c3576b7374245aa018c59883a3915defae25cf7a9a6e7155aa6b85ab1db7da25fdf147e8e659b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-24_978f428348a12660ee885c1f6e34d926_virlock
Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMMA.exe
Filesize
205KB

MD5
f762ff8b97a82959db4e2acd5a4c0b4e

SHA1
7dd57498eb25d028b29675ae37232a3485b0969c

SHA256
3611ecf52ce48589add629e956fab54b3d8e3c8f81de7aae0c9c40c081e5267d

SHA512
231d065076577f554f80a567975c592adf6e2313d87d9136335cf8af8aa055f9ea8a085a4cf0099fe4bd3d83994773ec58e7dd845174a035023f4f8b63d74b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQQa.exe
Filesize
222KB

MD5
352da67be15e803e1027e5712cc4eb9e

SHA1
2e859eb131cb284c68b5308e5c907e71b3714a0b

SHA256
83f0aef8c6926df0990245eb9b5e4a91cf234e5afe6a8813b246d517e36ed35f

SHA512
b99d5037a3745bf37ba2e43a57cc12199695d2be5edb283e1cd3d7564ff6ac0091a3f193049f6a5215129a30272d19201ef567ef835dc32bd96373af33a7a60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUQU.exe
Filesize
312KB

MD5
3049f835d7fb43683ef421e45e57410d

SHA1
2a13d4f3069637fb3e121600e78d2849bb7b336b

SHA256
b9d68320e8e9079f9a142c88420769c67317c4d715a9689dc485bfaa73d7a880

SHA512
1aaf3cdcf3df28767025e1882e133433257339f7525d54303b3d7f5f9bd2a074b2b43ab22de1a354a7ae36866c0f013f590ae16bacd63c33555b69927465cf2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUwM.exe
Filesize
223KB

MD5
eda097ddd19ec15e0f117155b525bdb5

SHA1
1696b3147c0e59e20503cfd422efc13e4991e083

SHA256
b9f7eb6a476931cb6f3c84e610373f96ca8ceaf673d464e135f191a72f6045e7

SHA512
6486c46feaf93cf1b5a6c37ae281a9ef33de5811fb6b845ce2bc4186fb3c7862f1cb9fb5809bad5a1222bb078914d2c1063b7f7f3572896fa5cd8456f64b723d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcwY.exe
Filesize
768KB

MD5
f4f882490004ac2e50c5cf5bb68e93be

SHA1
3b640883937b0581e85b3a0052d88e4a96c2e4d8

SHA256
a123eea553f58493d6863829e76afabedfc8ea31d08b3a4c2b099414d784e58c

SHA512
732e455a910021d60e620ee4c2fb8f4a1881e72e1df280e0e3aef7f56cfda8a2f7f229970dec147a0e686ab22982e5d1e453eda26252ba90316a8ab5126af5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEkI.exe
Filesize
214KB

MD5
b7c7cbbc4149fc62ec942f72afd00228

SHA1
1e26d6b9017754e3f3adb89705264e6250bb019d

SHA256
ad70be3a193670d79c4ed96bf3b0f5688b6f03a41949afc5eb0bdd42b467802e

SHA512
074ad808290c208bdecc900082bf06b034cf9b59c39869d32f3d08a1bca5c10c25fd64b3b22aad1c4c1a6ed04d52a73695108d5c9d392a7504e4c974cf651aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQEk.exe
Filesize
207KB

MD5
e01253a7d8738d71e44c39704d98b033

SHA1
c14e4efeabfa696dfae918b46d0e6270cd722d8a

SHA256
b11ea89a7521f5b98ec138bf879af335fb05c72964ebf4dc204405f41ecbe879

SHA512
67809ccb061ee93765c319b9f3df125157f8a38e2dd10368aa32d5ccd4bc2ad759181ca7ff33c4f0a6fd5124f6f568eac9a768e8010532526e216617eb6e3779

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQIi.exe
Filesize
651KB

MD5
c23dfd526997f469daeec7a72d1eb7fa

SHA1
862598409b07542e769e7ba6e3dcb25b6913b1c2

SHA256
8a77bbd52a9a7695f34c9ebece1f67960388b7151cc533ff8938f0d43d4098cd

SHA512
e15decb6a2a95db0dfecd2f35efce784a879accc2fdca93e3058cef187f331a69ae087b5afaf43d2d9bf4d54d3c31a27862da7e3aa4901fbecf79afd79f4a226

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgI.exe
Filesize
555KB

MD5
e2fea906a51b0b2b1d0fcee23e3cc2d5

SHA1
a895a7d6544afc3b8f008cf3d611e881338e0515

SHA256
4ded3fb8f3fd835809a3f7125733abe0b1a6c801c835d90f0480a07d51380213

SHA512
f98245a6b1a409d98ecefa03e82ace125e0b4f4a27e74e9ae3255785ef7a2bcce5c8d56ed07374b60bb95db0dc45032d90a6035dd546216f1fb93bffd447b054

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcEI.exe
Filesize
198KB

MD5
d8bceadebd425f266cf2feddaafc9afd

SHA1
8fba1906d5b3be6f387c5268bdc9843de696410a

SHA256
96edec01474b96cce268a6ab2981e283c47e79ebce75c5913674ccfe71f92d4a

SHA512
abf300693763dc5bb9d367a28391b0b273e97e14910016324fcc9eedb7320fbab67339a43977339f8e9ffa4fc9397eb3e4fed996c6dbad2effb6aa93f261819f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEQQ.exe
Filesize
807KB

MD5
970c17ec223439faac8e80d6b2937be5

SHA1
21bc0d6611845bdc96dc659dc95eb4e8ca3ab676

SHA256
addfbed4b31a713760e85a52ba20872cdeb26f5a5a7000c54f9b74f05e8f1f3b

SHA512
faa28e363b3d975d84ff5d7f26223d37c177e7fa373a9cab3f697da6c6f20d0e64ae7c0bf38d04a99cdf3d26da4d91dd5e49ec10b1fefe26db6968dfa22eef16

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIkM.exe
Filesize
202KB

MD5
a235c6e031ed0e90a7856b458caa5b2d

SHA1
cfe4eb9b7843d80daa0e3c278eb3af7accb94547

SHA256
d754449bafe245773a7affd24df871f5347f6a99706eb32b554ad552b6ec493d

SHA512
635ccd074557f200c6b7f4ca421241698fdd2aed1e21ec329cbcda4e07e597892459296816b8d0a88ed658c033ae32dc5a50ad231c01e923c3bacc91125f73a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecka.exe
Filesize
187KB

MD5
2d131074a00f3e6066016ad85b9325c3

SHA1
9e20b3da568d4612e125201774c4bcdecf891a00

SHA256
20600a1a398c4e6c27709555fc0704a114d27b3d363dfed52856d6e69b653ede

SHA512
29fe816803a503265ea479e6760f9c53be32a3b64d37601593ed9c10933de25650be484ac096a4b605db2eca507f02daf1282c85e3c50c9c63e66795370cd431

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwAO.exe
Filesize
631KB

MD5
e6a9454233280ee38d7eb437ac390d18

SHA1
09d41025b5dae230731b1016261b8224842f04dc

SHA256
82f12674691547b56999401bcdf232c0ef01d8b2467d3148064edd7a0a10f9ea

SHA512
3c8d272575113120855feca6d98526bca9bc0c7b432cead118d4104cec482ae01d3c53ea13e30250b971befa329a89ea11981064e0087e179c13add330ed823d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcAs.exe
Filesize
632KB

MD5
3b2835455a0e1fb4112309a8b6fd1c1e

SHA1
407cb5c2a14a9a6fb9541898fb8d1277f49e2eb8

SHA256
c7dbbfe2a2c026709da7dbf388d2feb7d009d6da1167d28a207fb12aeead654e

SHA512
2f735381a6f7ea8eb524ddfe22b09e470469782ee9a2d166106ae940c9b1bfc6ce1aebd6133b54fb6711624446be91c8b4f8f03fffe071ce093b5c1ee53c06d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcgU.exe
Filesize
1.8MB

MD5
578c8ea96fc75b74d1dd5a1906e2cf33

SHA1
543929dad33442dd0bd1ea9c834c09e3600c619a

SHA256
b4f60bda0832d1ca7d940c311359174eec98277d7d0edf241d1a60ec27e2b1fb

SHA512
ab40629fe5fbea955c099c88bc76166c726fc573dc01c1121b4a0b4b59e7487ce4ed49e78eaee05f6bc094792ca96bc9735b388f0cb9f86e08ee28cccc5a5614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIkm.exe
Filesize
5.9MB

MD5
b2e0140215bfb3a55409877b43e55508

SHA1
4538fcd4ce2d8514f510726e306f30367b076863

SHA256
a1b62bd96001af1e1942bd6e8b6376276acb63b439f287229afd3125f606f812

SHA512
2bc6e2471ce485c0bf41cdedb7fc04b5f16cf6a1b1e279e3a69b97f00330d39880eff4c4dfe92987ab8a64d40388bd4061ccb60521d9984e0f5731b9d2dc0871

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMIA.exe
Filesize
195KB

MD5
a58c45e2703fa625aff935a47f0c029f

SHA1
f5861fdafeeccbd09533a9a412dd366d741bf3b0

SHA256
79524b719c071486b774d510460582f0f07f0046ef4c2a78fbdb89e1564e75c1

SHA512
b09423c299da64ae24b134bf03bac9ba96ae655ba178d28c4bf8626f3c18f72d4759f5615f6c773ae6a86f15b482c6af76a74d2f980e2d6afa5361521ba94e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYYS.exe
Filesize
648KB

MD5
6facbfd085a643be816f20cd7f18a179

SHA1
e164c702edaf2994f67caa475eca92c20653f2e4

SHA256
304f6e8707640b72bfb494acd54236a30af47515a8e410b69cb8b00a6237c7f4

SHA512
d3abc2a170498da058cb4cf7c7480c9626cc4482e1d0fa4cf6c475d77d1d7952396208a073f8103e1079c9dd0acd6f01dc2b59eaaf6a0092cb5996e5c7e6b3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Igkw.exe
Filesize
192KB

MD5
9ab2878b669ebc6a208acdf9af2cd4e5

SHA1
1272e1cc2793f9ddb59fe4d97892bb9660cc57e0

SHA256
23a681b797d4c41ce0791f97990ba483282e0fdc12a5546444f378b892b8ecf8

SHA512
ee4dcd479e13a832900080903e0c85b3f05c74f065e06532babb4768ca8d240e08c40cc40bc1c911b3608238915977a323451e0fe24208d801468b9eae9a2dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IosK.exe
Filesize
203KB

MD5
9b76bf32c5e479d505b83c7aaf889e4d

SHA1
eae6618a3901f4b20b80b6538e76fed56375e21d

SHA256
3cac5d7d392eb285dcc30997ea93ee2c5f0bfe24e4a27e2c9e1788a67b545978

SHA512
cdf8a7dbf038bcae32057e519ac841fd142ce88b2585e2437b610ba7892c3f1fdfd65cdb39d61acce0e54e35eb13a53b9fec53b5c94ab45070b1199d344e0551

Download Submit
C:\Users\Admin\AppData\Local\Temp\Isok.exe
Filesize
625KB

MD5
267a4bf9aea7523d96f794d5c2f9de92

SHA1
e58c10d116dbca8a4ea6e76da3acb714dd286ecf

SHA256
da93e3cd5235e7e4df523520575059b80dac90f2ef90757cf2fd42c8668f0d8c

SHA512
c28b4f7da868d49e9e36eeb26cc1bd962278ec3c1ce16bae20b4d797472fd9ebc58ca9f1ed8ab000c71bf6d662c4cfcd6e965511cffbfcf30608add03222d4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkIYwEQs.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAYU.exe
Filesize
207KB

MD5
a703e36b6a36c90980060c7996b5e92f

SHA1
7edfbd1543979a9b2800010ba36c04f0f31bcf20

SHA256
6b9499598c69f3d5c3379c49844677f682d96a63bc1cbb425de9d249ee8cd456

SHA512
328912805e9cc0dff07efe3214b6fa2c0534b4043e261517a3964ab3432da2f3132bfa2aa6b30eec9fa816cfb0bc86ed904fa81e3859fdf8cf25a6e363237a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEYA.exe
Filesize
791KB

MD5
39cf258fc951d264d1c1be945720f690

SHA1
4b6df632498a7525b3945c90a4ef8b4d8c4f420b

SHA256
7eec175dd3c2670fae436c29b004d3cf87344ddac596f3395e79f2ba8b5b161e

SHA512
fe0cf7104c8f0996b3bb85c36b96ef732daa8f1826a99fb78cd403582363642e32da581e6883382152a9a973085f6bf031336aaabd86e38a4ae96b4fe0ce1e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMkk.exe
Filesize
262KB

MD5
7b8293720d58ac0e42285687cf09ab3e

SHA1
e9bc20adbd580c957c8a493050178b4a3659d2ed

SHA256
205234e8c967407f8fbf19be067f149ac8a044d8b5681b1a3245eeafacedd7fa

SHA512
80c484147542e9f07117fa15d09ae1b5632aa67bb52384ef8edb8c3dca77aedc4ce5edf659202c2b636fd502a56cbe6b3cc5531d742f2724079f248cb50b1b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KckU.exe
Filesize
236KB

MD5
e28d55653ab3dcb24bff403381180bc3

SHA1
41e8eaf8a60c3d7dfc50d870721fb765e8927223

SHA256
99ee5fb1a434e65291268f6f8b0ced4e5132b1e51667a14898e22ae60d5064d9

SHA512
be754f04cdb9d722d9d771c23662e40a50641136219f7b4ded2f08762e3838f7582e8b823477e3f8bf80fb2aa204fa1fcc9753252005399f5d8aed7ae8cee0ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcsK.exe
Filesize
196KB

MD5
b3450b60e820b4c36c7e41fecdbd488b

SHA1
a6cd35fde2945ddff0b1ece48961be4c7d8af2d9

SHA256
4e41f85815ed75c7ba2fe9ed51a52d206ed8e485200fd0fbbaa86a7e08e53408

SHA512
8331fc5b784c56c2a348fe547af3a6dc7c376022c6ea38a6c401ffc2b99c2905d5ae64ea519e18274ce3864f855fc36fd5fdf637866946dc578312cf7d648073

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkwy.exe
Filesize
193KB

MD5
f3e9c231d1f643263a9cbe4aba804d36

SHA1
f2ac85b5fd5f019a6a2cfeaebcf9c7456372ec61

SHA256
444d6d3222a1680b83f02505ba6053a1afd28af873aa8faa2a39a31f5d350cbb

SHA512
cf62d8ec303dd7a7955dd5093c7bebfe1a88c9f9cd9c4e467c170d1baf823368553f7a5f6ec15838d718c17619a79e0105b82bef63a89819f151057fdda7102e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksws.exe
Filesize
186KB

MD5
ffd8ca4798f3db3081968ebff3af15f9

SHA1
2c75110ef71a49d1097d07aef61b16e6795ba860

SHA256
9629015b02e67a03756b764571fd3752240496e129dac2272b04939432953d42

SHA512
aa451e0aedb1bd154175fb8e7209a605312d863f2d699c287a3757163b1d4844d1cfe46fe95c4b7dd44e7899b23cb65c07a57d82d14434908950bf53537ce747

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQso.exe
Filesize
210KB

MD5
d93577d0d43d7bbba5badb7937fa1503

SHA1
3a21d4fb51d61f3700da9709c0a9cd291199b2c0

SHA256
91a69cd031eac33937f7d4fb7eb15f9ea4a9d866c830befe5741efdbd5f94eff

SHA512
8987a5844b3759a176ad6901b193fd40e3c0fc793c2c2c71a50b1a40d9f56c77177f9b3dbfdf73694f07018bc6228da874a1b899ab82c16c80cb7b2b202626c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwMy.exe
Filesize
649KB

MD5
ae768041d2c6a70b3ec53541de143fb8

SHA1
59206fa6dd81ebd5fc0f9cef529177617c63692f

SHA256
7fb3736fe7c067f7e11eb987ed7d8f12f14f3cab2b52fbdf9442908cfbc6f458

SHA512
c9ad8e581b1303d0927e1fb72206e8bbdaf21cf8b30c5887da557fe6c770ba1729b700c3474efdf1787d258e6b0d3ace103d7d49318546e4e9ce586c05f4f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwYc.exe
Filesize
194KB

MD5
3d4d4de5cdeaf9fe90709e8c4b510442

SHA1
90f730d03ec76944e1ea77583c9ad38df9e13af0

SHA256
e27c5dbb9ab5fe5f2ac3a99ecb9f9b0e29114410c343dd01ec42187e7a62ec0c

SHA512
d35b4f671f341e0dab3fbe374071026e572aef71a842ef2196ff25e20e0ec46dcdf77fa4a91f3870d95133a638aa642955bbd6b4f6d6389e409587e6093a1e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIMe.exe
Filesize
182KB

MD5
7b5ff8596270c54fdd1fccf7ed1594b5

SHA1
dac75ff4e714284cad04076e31ac131ba46eed92

SHA256
bbe48bd5428d28b4c11c6ccb195dfccde937847f121dbcf6b193d26e5adae887

SHA512
1d1dec60a7b6b664743c807497f60ca267ed7cda173884a6f000c4cf22246c218d62acd5294ad34269d00558c1a15b090a012945e50c56567d35508903654a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMQm.exe
Filesize
187KB

MD5
7801dc89afe675834cf785aab8c89874

SHA1
d2660908603ee1ddcf9c1b7cdec6955e462452e5

SHA256
7ab9271c915c1fcb8d28c52fcf14956eeb38f9d4d3198710dd8fb2367c25e79a

SHA512
75524d693605ea4b0d810ccab5151c9ac46987f0774d253ee3e8bc24e2482f83a58e5a002e582c28f43fb6c9daeb58257bc93d30111403a90ca7ebdfd4f41466

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkEE.exe
Filesize
200KB

MD5
71f2c5a7ba781ef5a7a7d9802a857448

SHA1
4f185be1d99890665793a3c184fefd2122c50ce9

SHA256
d00f73268bab7cfa951be367f0cc1287381162442981cf99f43050f0883d17b2

SHA512
387bd46026f81451f9d71482c7ae6add434a6dba54f058ab6eb78225f4c587cd83279048e2a1f3ff9f7b2d9257dd41057581972b6b2a014a61580fcc154abc10

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwYe.exe
Filesize
192KB

MD5
579e4de6a313f6be5c70e2a087c0215d

SHA1
40133c10552c764a87bd2adfbcb2059dbbf759ee

SHA256
31e4c7a967d0bffd4678491151b051e1aaffa1814bf09ee807cb696081b3f3c9

SHA512
e619b3e9a387c321906ad6f514b384fdcd4bf069bf7792e962a8e5b45b93c5908af6f5a7e1bd5f322fd2027f2a2a9408dc3ba83a82e65b6428723a332eaa305b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMou.exe
Filesize
802KB

MD5
de05919ab1c25239a1643ecb09ae693c

SHA1
33c317ccfe0fd76470d0be9f1b7dee7330e7bab6

SHA256
0147027e2ca0dffe2a1595f1e7a78cf278122db9efeb5eced068cb0c0b33d2b2

SHA512
da9d0e0afa4b8ba8472c14749d7660a6b28ba52a3b3f4e302f3c57b0602063ba455d11fd8b8bf3c8205c688757c87e4bdf7341582fb37d4958ae4e5e7e9ca757

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQUO.exe
Filesize
640KB

MD5
c1ee28ac39b5a90da1da48d497942f4b

SHA1
99c7755c414cbb89a1fd8b2ea81932d9fb98cbd5

SHA256
4f77f44409ebda7fefb43258662a52b27279a319fd2304ad989f21511afcacc5

SHA512
bc0a3f0390d3698f4442ead0454e4efd13bd8817aab0aa621925f32858c5c382c67979eae4e39e8ffe68be4bc61121befc60e2f22de1c830730bae48b1c8bb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYwm.exe
Filesize
194KB

MD5
7f9cab0f4e9ca9aee45cf61478e6f398

SHA1
f5a7b0824e750f78556fd77bc686f42fa5266bef

SHA256
424f44bc02deff1223f3afe0cbc2393e7b784dbd31db0902905932b0d1dee16a

SHA512
0593614b00beff2b6288154f3a5ff834eca8a49e2a53af4d51729963ce78418ee6b4596241e2232d5642c6e279b24115832346a065f6527c8a0e74f4b69d583b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkgO.exe
Filesize
197KB

MD5
bc6112a78f69824acaa2ac16d686bdcc

SHA1
fe368784f9f82e3b5f25c553713a15d65acb4032

SHA256
70607486c06110753fcdd0deae66f4cc251f6b292ca7f71f4da5c2874f56c849

SHA512
0941cc8c649cb3db41fc6ff63fc510a07ca75326712445d8d0d8ef27bd3e470772ad0be90357141c9f02c8e9ccbcc78de94f25ddf46c99cfa594af45fc475444

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQYE.exe
Filesize
1.1MB

MD5
4e09d9ad0a054b750005cd9f5619ab47

SHA1
6d0e8ace203b805706ec582562f5813b0d3fddab

SHA256
abc5401622cf8abb0cd23a6d9f2b88c11ae25d763b8c394d399d50cf6ccc5db3

SHA512
bedf0ad4ab10eec2bf66f6f169d6cb8d6773b90a9be8377349ba347f04c6a80a85bf67e5b16e59c3124a373e935b98af0fac273c40d815e6b8357580c61ea936

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMIS.exe
Filesize
218KB

MD5
20f55924e2cc761f9f5dc0b5bd686735

SHA1
0a59e778cdec9ac19817dd6c460e266c4b1b0cda

SHA256
7586fb12fe268b4fc997172fa2a8a458c1a86ae2d75d88971d36fceacffe9123

SHA512
0d6cfdac4fe4e9df7db9443e1b5303e0835ba1d0a8f496cfc350c29211c721110a6f55a68d454fb6c65eec59e9027a20689dc72e904c8547c36b845d86c192f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMgQ.exe
Filesize
204KB

MD5
aa27aff996d851a2e8aa7d28dce9e5aa

SHA1
2a61698593e333f255e18a2eb4f61008cc1005ce

SHA256
7b7a7c9dc01ddd7d0eb49c076bf2d82cf5d3aba45ac8b1816ce81b1ea1e98dcf

SHA512
bcbd95815220f2a9260bea4f17e2fd9ee4c5f68bda43bee16af54238087b439f6fce3b7b3bf01329ab00b5cb3b1c2e1c7804752f1d404138340cf3c3837172c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wccs.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgAS.exe
Filesize
814KB

MD5
b678fee035f3fa6f4bf2cebdec9e4617

SHA1
fdecc636520b022b43045346edc685e4f39a9176

SHA256
2018a19c40d75f8acdb555e713d058eb00e42eac57f1afd2183ebbbd7fcf8c37

SHA512
16dd85f50699322b4df657ec407d3370cebb6aff783c11c9ba6d8b4ef83cdf7bad69f25423b2731427b8f18e6cb9585efb92b9fb8e02955c0b7c27fe4b4e4588

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEIm.exe
Filesize
202KB

MD5
a3ff50f176a3675f19f24e37b48d51c5

SHA1
bc6104e08f0071debe5a855a1ab2c3afe1ab462e

SHA256
889bbc61421779bb243206fb8f765c1e92eaabef05b5753e784784dd44b461c6

SHA512
77083aa9bbde88cdef85655cf4521bbcc4feacc5b58750349b19e5df157009e13cbe1d9e41d4a0bf36fba421fe7b92033daa554a9bd97df48ab062c231dff357

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEkG.exe
Filesize
711KB

MD5
f7e4e16e20ea6541120a716f5672d9a5

SHA1
59456d12efe61057159e47eac27983d6cf030eaa

SHA256
0fd20947d6e4cf8cf3fa7ab0e804ccb1416d6feeaa5b3022f765751dee995cf4

SHA512
b288a207842b78a757e291d08801383e56c1f7480145cc0a449f9bf84fedec5b0a377561ceb6fc35660536e3a63effc2db47581b9bb391c9e276687827f500af

Download Submit
C:\Users\Admin\AppData\Local\Temp\YskI.exe
Filesize
204KB

MD5
211873ac935c4c6b36f0fc1ead5ab5a4

SHA1
04dd789f8c4731348f1f2a712146996103c257f7

SHA256
8e19e54d5bd9582ebe9c0bf7dc975f6010fa59bb4a0405bc321fe009d8828085

SHA512
c1e5bbd5cc1546b295c3676738194672d8fe7f56f6ba817387762747e8acd14606d2df24c332b42c5b52150aecb541da5703756ab4d71e87fd308fa67220d7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YssQ.exe
Filesize
554KB

MD5
ff6283e109dcb1ab9e9c7bf1b2350313

SHA1
41c4ad2160750704d0bc1e2e3d9b8afc42cd63e9

SHA256
b310ae1cf074ada9cb99b2ed4b566da1659aa69bafca2719442f67b8bd388b6c

SHA512
ef5c56661ae1b4a2b9dcfde4253a5c1909b5e779d3edcd771927f3660dedf5933aadc2f8f0100a6043fc68a69a1414d6b26a94cc3f984203c01fd6d5c9104ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\acAy.exe
Filesize
210KB

MD5
45d244dd3b2e6c793b4a4f071d98e801

SHA1
3c3487bbfb7e156c9506daba34c111c0124f8564

SHA256
0abee86e56a379cfaa8e33b988844d40422dbe2e4fb941bf70018168178936a1

SHA512
fbddf520f4e504148240d5f389128e3d3a8312f80a8047b4bb70bb0dae3246f6a3e70a4ac8997975f951163ad5eb28bba0e3c7f4f785ccaba1819b0ba993a229

Download Submit
C:\Users\Admin\AppData\Local\Temp\awQI.exe
Filesize
189KB

MD5
e254e2b4b3793b7c5e85665eddbfb6bc

SHA1
ecc7a21a9e2bbe1212cb433a3eeccf6eca3a91a3

SHA256
db3bdca492e7555c2e066ddf4cb26b0dbb7b0f3932b37963bf9c852d01806f48

SHA512
12c757da6c65eb531de2666f24de37eeafd16953e169e488493ebd14984c6b9981a3469059be2b31aff1571d6ac1ddc1c7c15dc010516c0245cb46e7e86bf961

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQMs.exe
Filesize
194KB

MD5
165ecee308a936d13d96bd17fea6db25

SHA1
8cb1012a399d3100777b352e10923dadf47648c8

SHA256
c8077563bd5a2f3e4b98c8013762078e76cf55f39b838f868c3465604844a9d4

SHA512
a8899b8aa3f068ed5415ce82f176938c0ecc20ee5870bce0e49b056c9b68280e4ac542490d0dd0a2faf39c505e965253c9cac78d449e367d3aecf21078a041eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYYg.exe
Filesize
189KB

MD5
c4a6c3e2e830cdc36546c625f579edf0

SHA1
e72cf3a3b37546f6e6219c60f03553614654c5bc

SHA256
f2b5aa2a6df5065fbb6987b147416ea8f565b7305bdedcb5349ec1fbbcd66197

SHA512
24ef0bdfc425de27dca26373691c0639de2b2e4af174f0e9b71bb83b83db6ee414ef0906807ee329678d110d0017439e23f0052168425321fb61ed914331a06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgEk.exe
Filesize
806KB

MD5
9ebdca34435b2cbbbfb712da6a6b07db

SHA1
f7193e62b11f0f3a8d7dfc56903362586fb6edb8

SHA256
27f8c788758cda62e8e4a78a94c48ee640d8d85e4f438753c550154ef5b0ccaa

SHA512
b06bc2d6e9c10b0f9c0f06f12d294a1e3739bc51ebc8d926f1889411b5d50663389135816659300419e9ae41480b85936de9f2732b28edef0fb4f62ad56bba34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckES.exe
Filesize
194KB

MD5
d1c1f34337b06e97d0295f6ed5e6f7b2

SHA1
d669448e7e44f22d6c651e7b2abb6bfd7943078a

SHA256
2c9c99280818c49f408b4bc5b12ec446cda04ae10504544c9b9b8578afdbb44f

SHA512
42f5008f809d2f5d4986de4c19e0a77af16d3633d7059a8939bf19e568b0e8d3d3c7312fcece44e7e1839c84ae6b03ac8b20206b0c3cd5a801704412ea6651c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cocc.exe
Filesize
439KB

MD5
10958817d061e3316baad94da753bb19

SHA1
d022657a4a0c64472af82844dfb279fc964e3688

SHA256
473e3e263d5b2a9197e8a325c63926339f06d7740285f6e679f7d5ae9a0cacef

SHA512
a73d4db2fd99fd16388575f663fefa7a89d4c1636cfed53afda8fe92725902849489c40074abf4e7fccf6c318579b59e4593f7026fe6d7c2ee5bc8f49dc44162

Download Submit
C:\Users\Admin\AppData\Local\Temp\cowG.exe
Filesize
185KB

MD5
9b6a59e46f10cdd9d7f4f831e367b87c

SHA1
a49dc956bc604c43ef8a50b14ab13e5ce23335d3

SHA256
b6c247e5107f15a99654f8b0fd2d3cb1de84f93e4b76dc6931f5cbc1bc521713

SHA512
0b1e8a63f0f97d45f33f15cf0a0c39136c2f74ecf3b5e7c27f87d4a587033f5871674295e965a584d067fb667bce9dcc6bef874056e68a0fca19649d7ed2845d

Download Submit
C:\Users\Admin\AppData\Local\Temp\egEO.exe
Filesize
831KB

MD5
e6ed3a08d913fec51f5825432c485b1d

SHA1
a32bdbebf04ee42a3476e72d94a123c949c60b82

SHA256
ac0a37ca5297b3d1270082ec80bc47c0014126c1db05ee44f049773563d94ffe

SHA512
7974da49aa8dc7a840b1af1fab73be8e5b98cfc260ffcc65152cbbaeb4be78804ecc8e4c0166bc2ba966aff513f7abcd7bba47ad7efea9e0c8db27569a473f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\essi.exe
Filesize
194KB

MD5
9ead585d819fc3c13d764e09ae30cd40

SHA1
db7b1bf7e7e4c700772a6c2f6c4b7294e3171d09

SHA256
82a1d2593e6161a0867d93cdade2e173fbbd7dcbd85fa41b18ea8bf48e6a4a76

SHA512
8b5e4a3e0415e932960d30b07821308bc7b3b6eb150dcc468ca1c1c2506ded2756641acd8ffde0420df0c19adbc515402244b15c1b8b3950c595d0ffc18c8c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAYO.exe
Filesize
202KB

MD5
2f8b007d9e9a9f9ccc934d1b3e0d3ada

SHA1
50f0b0076cc36dd791e271c4365766c592780acd

SHA256
cc28f64012a40cafa5c77b4e0acb9deef170ff2b7c918b7c24967df34003f009

SHA512
5bdea95d2562395d93a8ec1681526f74f509bb9039684e3322e22ec71cae45958a8898fea10454d5397eef609385f05770ed5ecf85a297840483792310853e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQMa.exe
Filesize
196KB

MD5
59a13969d2bb864581d4ff76ae774d21

SHA1
0173d6ba3d2f80c9ff8ec1ac7a27f0902caa2007

SHA256
9747039c1dfe40b7ebcffc0f88a581f9af4f77442c3317180c14be7680b23568

SHA512
1981a468c12cea8e86363a9f5b38cef2d4272e6bc1a89e7eaab97eb717458a72f36e137e1ea0be127a5ceb826be260d0be6ccb70e37ec97a8d0724d75941eebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQwy.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUAc.exe
Filesize
213KB

MD5
295649bc4e43b1c673d5e1b697d18c94

SHA1
673d6e2ce5746e8d05fa4b05d30d11baa17a2ef7

SHA256
cc4db3af5fbcad940aaebfee83a4da225e070818fad80b8c969bfac71f2dbb78

SHA512
ed0017f9bcd69a94831f8bee84c1c5c959e8bfe32121c4e3153577417f3aea8ccd02986457f956f6a9830c7c54cff4b22d94fd80746d025dafad64e6ee8c4148

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggUq.exe
Filesize
239KB

MD5
e31e4451aacfe219bffaebf5a30e35ba

SHA1
d03a87b507889eeb23d5743cdeb6656cec2250f9

SHA256
be2e6018b990e6021a598d7cfbc6fe5d8ad8548f617ee274f090c8afe44a71be

SHA512
89ee1ceadaa9043e11fccde76340a3155053dc53f81c37e41eb018c79f2163bb09c305ab2fb81bcff9dd55abf368b3657efb3351e2210fc06c62c1ed9bbcb22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAkS.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUEo.exe
Filesize
899KB

MD5
190df65329d250c8fc7fb51ec568b117

SHA1
0e20df781da3a1d88955d29816aeb8972ed828c6

SHA256
71216b5a48f51527667c33afb748fcbb0cfde8c9031e3231f7267260ebb10baa

SHA512
10d5f77d6f324c529965f26e0086002d0f8346ee3f3b56c48724f4f552f7253bf3defce9f17c6fa89d53a5d6738dafa7ccf23f70623b0dd9fa7115acf71fd134

Download Submit
C:\Users\Admin\AppData\Local\Temp\igAO.exe
Filesize
220KB

MD5
40b9ed54581b49a520fe8d7f0d81d528

SHA1
556577ea696b0586c26d5f9800af2dfdb73adf10

SHA256
cae6c0ab737af8d42d65e09d467544a8e014c73dbc9a54adbcce27bea56c49e5

SHA512
d472df14c28d294be456cffcefd1db30e4614088d4eccddd4ffdd7b965b59fc78220b6013f3395c72ec138ea10a1ed11482616dca0bd7915f19a458a10e64dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioMW.exe
Filesize
869KB

MD5
694272e57877c415cc47529195de35db

SHA1
550ccdd66fb02f4e55da2e4fa9e506db2a76c8de

SHA256
bcec086ff9dd49f59ee79bef655823d8df9025d0af9cfe5a95ed75d5882f5b5a

SHA512
ab59459f5e2c45b5eb9d4412d188ffd1768c12357de2763603d2d2b1cdbfcb0b7b709c18727c083916f540f80fb72619d42a8016d34f635754af36a3a59c6258

Download Submit
C:\Users\Admin\AppData\Local\Temp\iogS.exe
Filesize
189KB

MD5
2c9afb7bef5ae1ef34acf7deaabb295c

SHA1
ee421f8429767f90071eabf2b5de8b15add0bf46

SHA256
3a733fc41d00e3cd066306d60e4afb540605b63fd06ecfc62af7eead24191448

SHA512
e5554294b0ae424e7db9f2b69070ba3d1a6b0b66971b8ea421a70ddf25803dd6463ad77ae86a98479b3f8389a341023aee574479098860eb08a2f623bf60f586

Download Submit
C:\Users\Admin\AppData\Local\Temp\kowE.exe
Filesize
191KB

MD5
b7ef08c93b423f92ece419bed93470b6

SHA1
a53b0d43c94c9074117dd079d445f0c4eee400b5

SHA256
4bf786eddde58d3e14c3e462c46695524224e4095dfac258aebb94e20b11472f

SHA512
4c78b88ab17845509b6bba9c4751e6ad8de8e94e796618df887eb8fde6b66820c29cdd87de1aa4dcd57f6063bfaffd4789155807afa84b04870d10c148ff38d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwIk.exe
Filesize
215KB

MD5
094f13ba7591db5b59c31197ab081477

SHA1
6cdb5be9f70c342c01a1901c3064406f46933c8c

SHA256
3b14a84c2f1ea429c82e0c6de498a2bfb47c6b37234d44082177b5756bb6231d

SHA512
4674afeebd2e9d2865e9a908d92fb2f84a7237974406ca1b8de355cc6de8469fddb51358a5637e90586695644f12d2127fe3667da6d9ebaf27bf51fcd34aead3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAAa.exe
Filesize
227KB

MD5
45802a01d61fae26f40dd7a8bafa3908

SHA1
da665ce6cd37861fc4d4572a174bd52ff4a8c637

SHA256
a1f104359162b231134dc85e5123e63f8c93354da01133cb4802283bbb593d12

SHA512
117acf43ee07590c5c3cbb90e433cae2239050656ad6c70ff840ce6c42c3c834a50843cd22c960f6d60b379b843dafc007fdb1d55eb3bd658c4149570fe1c181

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMEM.exe
Filesize
202KB

MD5
4aeb18fade9f4a300eaf289899d73739

SHA1
b9a714811113ae157ff16bf453aafce5411efb5d

SHA256
120ea6e2ce9b702e8075a3ba25a6c550730dac0d5cdb6f8b87de2e4bc0d55a90

SHA512
75b8907cfee89ea6766a532a69b7d41d646eed15fd2b7d8b18abab9bc50386f52cd7b09809d6e375d7e9e589841875b9869b5df34bbd7bc680ba0aa3cb4542ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUQM.exe
Filesize
197KB

MD5
a07d83301a8fadba2cd790ac7d2cf21e

SHA1
c6b332e467b175c30203b8fc618c7ea3c74beb8e

SHA256
d2764a8a2efeec7ef488cfd0cfe3dcdd79213f517c3cae7d36997d9daec2a31b

SHA512
3bb0c2ca8a55c8fd7335e1c49407072d03ba9c6c9ec4008ef473dc1aaa1a989b2f749f15742e317ccdf205f04b172ff9de6d184d43f3ef192788cbce773fe970

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYYi.exe
Filesize
194KB

MD5
0e633e16413d3eef9c12002cee782f86

SHA1
2fed16310f11da7c86438a4a4c3b06193106b107

SHA256
fc41be113a354e9ca6f28cb367552aab64935d947ca32a02e7a2c74c1d1ba557

SHA512
f0bc8832087a7037bc4494ce59b69cd49e3d2d9fbd10f57b9757aaf5e74823d0992021d3fef07cd3a1d3e1546ecbedeb63864443412ae2970233e188a4c09b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYsI.exe
Filesize
190KB

MD5
137a5e1fe80356a4a2c5d8fcd7ed551e

SHA1
8098be9ae33b90fe8585b35c98f3a04e48740531

SHA256
feb5ab867577025c6d506c11f575e22ce50648cff0bff8e623633f5bf40728fc

SHA512
6f13c255f0aa4305fc23d8b1a85ea051531480fd002a2d8559b51248a77973a5433cb1d1d3beaa62a5429c8dd141b697892e7c293d47d5743b6b2218ff32705e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcoE.exe
Filesize
1.7MB

MD5
16c09b06ebb928895b752636abae04a1

SHA1
5e833e908e207963913bd0362e9f484bd2e6376f

SHA256
1054dc294e4c73328b3cf60cc891f9dcb413cd6259b440f22460286cb4102d1e

SHA512
82619802a94ab169a1efc4cb166441f4a0ad64808cedb9e33f0c7129433a8b7e051c2c224e6eb8961656a704d037bad3f93d145e486cdc6afee6015511fc8259

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkEA.exe
Filesize
195KB

MD5
63036eb5748d994ba3c3597f455fb8ec

SHA1
29aa9d4ba9c9955c9665032acb59bf6cfc43fb05

SHA256
b30371eab9dc22efdd42b080d9ac598e4df30436d51cec951c4c4796625be47b

SHA512
d037caf91754d7d5deb8dc72447064eba4f68b8b9fb08a243782d359afc63fa82c68dfa2cd7d31f833ac2ad557c97c8775ea744577cceccc1eb2828467d84959

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkUG.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEcE.exe
Filesize
188KB

MD5
f6bd846a19d2b265509a1a8937e0cd8e

SHA1
ebb159c87e45172d969c4bcc09a4179928b946c6

SHA256
b04b0d538610f13bb216fd1e66fd4213ee3dbdd3e344d115aa67fac2bbbb686f

SHA512
c0ab654b508fb50d8048c724d709e4c703a9c7fcd999c1da6402838bf3507c9af3d2ac1175f6c5a975953b32d2a2dc6b63ca226b20428a1035842e1b26f447fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIAu.exe
Filesize
205KB

MD5
a0c42cc98e9e91011f2e25f4b711c513

SHA1
3bdb9d9a61bf8624b41e973e466479a2212f4253

SHA256
1d7f66928c793753761cef9bed6e30ea015cebdf6ef41df77d8da6b6ba7c9c6a

SHA512
b044cb057035805f8c209aa87b21d6a9643b533ba573791265c59a52d3100b894da1bb3eb64a2bc11646dd0d4728cf07d69ff0073afef0f40de04c84f111c7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUAO.exe
Filesize
203KB

MD5
abdcc267101462dee6b8889fa3c7012e

SHA1
2269778660bab55b21832c1b81b54dc6bf50b971

SHA256
d4830c1ae5d72e70ab74c0154698bd84fb550264f8fe7e2a21254b121833177b

SHA512
757c59619a1627ed5f4c82ddbc7ef2a8ddc7007caed3c644570451c6f0eaaf5b09349be13a1a4fd9e1e9d037197a92bd6676e461c0d96b58b14a86e23c25038e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUke.exe
Filesize
190KB

MD5
cd5138da7f5b43dfc8ccd6bc6bce03dc

SHA1
82412a327c7025bc8930598d7dfe69a3890b8d62

SHA256
b417d3b5b5ecf70af4950cdfff91489c6d27f4efb7b36ca46628868a8ea7ef78

SHA512
f770a35c11420ed55e62454b970aa14d87c42f1b32808c22d3f47ef02a1705f1607c80e4daf08a78ff5c0e927af3b4e2b8afbe162619627fbe8b02cb4648d86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAog.exe
Filesize
203KB

MD5
916fa1adcaea957946caa7bc92234622

SHA1
4aed04e72a8c1d4cf9cf429f7bc1f978cb9be6ee

SHA256
134aab77f603085f0e572c67f9350594d0b793e2113d725c3b3ca0e6464c73c4

SHA512
84b726b3218f9be5fa3743dc60f3b093d6847cf9c7640d7010cbcf58fce8561439298600e57b8211f77a79b558304f45ee69c02801f52979d08792debf69cdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEYI.exe
Filesize
217KB

MD5
6361ff5903719c1c0c66deed2a6020ca

SHA1
d1f3bfc0814af83307f3ab5d42f287be8f2e0bd9

SHA256
4d69fa2ccbb203a7791185b0d8195c8d46887f31b12e9edfb6adff9edc9e1176

SHA512
00282038a9851e3481941c3c85b6aae6fe8eb1f1249014fb12791156b8ed63e102d634e4a51bf2e29b2e83da4ac7a34750b91a877389c41b89793cf1a4af03ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYQE.exe
Filesize
193KB

MD5
167c7babdec2c1f9b76bfbdcf337af08

SHA1
8de8c8a4dc101352f9479cde4d5908720c3f4768

SHA256
acf4e2302797d65044ca996fd1b9843318f4852e93c5c86212c37afef059c451

SHA512
7085fe562c5f0e8f1e9947d48131994d1a9319ded0d7923611e868141853574b2cd4836e7fd2cfbaf9cc4d4c63f6f10d28a905d534b07cf8ce0b25e2faba9aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgkq.exe
Filesize
203KB

MD5
c75f50c3d174dfcf012f7400f29a3c52

SHA1
76385e6fa23f0a2469cb760ad965e38e39c594a1

SHA256
fe8afdb18a9004d3de5d32960547b5082461e7cb0a17dcb5ce3792c0d1e53ff1

SHA512
c85b287f7e0ad195fc0b7424c4564f6890c97180c6cfd215b7cf96ce569e4f07949fc8a3b1ee72e1e6595579f512d9260f66b26151ab82560a52ab9b54a904c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgwM.exe
Filesize
190KB

MD5
27539e4f454cc0b4df5aa042902fa1f7

SHA1
f4d27e3e2c930cf9473f19f5160c0b83ed5baa0c

SHA256
1503b29495f313040092014c2c606cbc9890c4c2d0d1ac6cf5e7406929fa7c65

SHA512
629c9f9a0faab379dbbb014cea233665b6b88a43a1e3f648190d975731062a27a6fa770cf46ed0d19adead73a2edf8b73b9cf6515cfee60e3f6f13fe8f366c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAgq.exe
Filesize
197KB

MD5
bf808ab666a194a14759d2a39b5565be

SHA1
31386e02cf9dab0fa65cbd0cee547fbe65bdbabb

SHA256
ac77e05576bab2b804ebd8d873e5e80b1e996da925e63c8aa4e5b4133d251556

SHA512
df66066c86cbb9fc884808778f304fe9e159c903cdf38ff49558fb2edefdcede8080a2203f0f49f29afadbb4f0bf7428ca461bb45bcd48c38227b27b9e69f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIUK.exe
Filesize
751KB

MD5
87b1769112eada1d1477bd84d0bd241f

SHA1
8715aa6696922860f264c43b375d4b79090dbc46

SHA256
5967b60d8cc33da2ae117cc329a6267f23c54a18101846d0cd9c7f2fe6f3d948

SHA512
dff025072cda9c71a81e4da83df91dfad0dc622895b47b515478da21e3c45804b7b19b5f019c49bb2aa02cbc79b435461d0c2caac4320fd64f6b34b386be3581

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMEa.exe
Filesize
326KB

MD5
d37feed6ee4a2b8b71c0abf53c1b1c26

SHA1
0ea6f8530791d9d0781f9183cd7191916fe545d9

SHA256
e8e3de418a96b77b4ee0f3d7bf28f5c926859e7ba5a67a90c3a6ee3b897c6320

SHA512
143007b7b93c77e3653e0afcb3a3917b31345a253983ecb3475754c24433ff447721c1f243817a0f840952f569ad5a1cd7acb949facbec5c9c1c2260b02f5cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQUk.exe
Filesize
193KB

MD5
1535d5fe73e6e400e1756a6e9832f0ad

SHA1
d50951bf5990692cd3c788ccea2397af20d05703

SHA256
611fc71903b6cd22bf4ed98997796c3b6e3f5e7d3d34d9de6ef832815ed8d1fd

SHA512
b493f80ccbc8d7fdd3309dd4678d3a0c2f990b2ea084021f513e8a58205995960eff37f779ac6f4c91ea4a092c6471367123a16b9bd1fc01db6ff37efb99de1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsom.exe
Filesize
485KB

MD5
8950b4b075895794b60a1b13dc75ea12

SHA1
e56aebfaea8d912867d8c0c2e19248db74369c64

SHA256
f66fcc656dfbf27c2f13a2bdcf2f25fb77fd92cdc4039bd2236262bc390665eb

SHA512
9feb66feadb95e7f0fcb995b863d0cd8457639008718caeeff1a5381a04ea16476038c49c19d31cca988294d05bf0c42d34026fbac72192b54e17d472d0e6d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEMK.exe
Filesize
871KB

MD5
a60200ea8768ec5c13b402b653eb5789

SHA1
3313193fcc7d7eb511d1fb0017350290ca547b1f

SHA256
73fc8ad002af6c32746d1d1c37b543106174396ce2d4df38c97d98191f4e4f1f

SHA512
c55dc85ef2861ef79ce31e814c9e273229fbb83c4dece7d40e9ea00ad4916e047c7b4f7b04b158bb77324a9338d18eafca3e999affe166b8bd1b817eaa553e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIUu.exe
Filesize
184KB

MD5
d5060f0c011566cdd89156a4c10d997c

SHA1
2d6cbab46f5024a7f94c3a4bddc445ac7743adf0

SHA256
2edc76bd6674cf52e4328891718400df013ddd76fcbf51561b1baec0370fb282

SHA512
54430ad7af9345148f1fc76e45593b62dfb495bfd69a3e7b9a81fb315cc15f5207191319068e20ab7a0f0485319b07741b80bcc18b2afc37eea7039e0e393269

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIsq.exe
Filesize
196KB

MD5
70bc260574c1c34e6c79c0b5281d4dae

SHA1
64694ef407fd0ee0dc7a61657a3113419c3511dc

SHA256
4dad1a86f10daeab41828d0b8fc0e5b59217bc22c3eaaa8098e2eda7d2f7b115

SHA512
cdb886a11bf45bfcc9eeb83c9d01ce52a748e5aa90ae86b52f8e8b0fbedbd50aa961a5231af36466e32ddf66e78c3a2bac1c1625a40043612bab578b4c09f315

Download Submit
C:\Users\Admin\AppData\Roaming\RedoPush.wma.exe
Filesize
700KB

MD5
a68bd75ae4f12be3b9cefb6e930821bc

SHA1
93579d3b80e4fe29b06c7f7d81ad9dd70b1c7942

SHA256
f9de24aee78c856dd52e8dc5eb3984b4f779743bd2c7b390c6ddcb7569ca95b5

SHA512
a5ad174a17f9dbbd062a7926ab8fdc35973b88a162e415516265ca12773a4bb62a6c33b7f47917505e808474b58f04d21d55a1239e8e37b6a528296035e0968b

Download Submit
C:\Users\Admin\Music\ExpandCompare.zip.exe
Filesize
652KB

MD5
9e096659306cb43b02e11a89bb439226

SHA1
9ed903e81e4e7cae3b6ffc5b3140e9cc7fe3d58f

SHA256
bd318fbdf5eddd3216ae99a4e739604982f6ca00b5be3ef50c0cdbbf7a784b8d

SHA512
aac61c4d34d328e1564bfb4cfbc8d57fd006040f9623e76d1bdc3c550702a97a6e2b21d5d70c0f6ade1290665325ce9d63d804ee046bdd1fb5d01ca1b34fb815

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe
Filesize
5.9MB

MD5
84470019f1467cd80a833011f4a358cd

SHA1
9851dc2328159d14b9beba2bb490bec8caac5fc8

SHA256
36e8d3813a564f903be81e036584b3fcd94343beb42ff0419cae9efb4e092c95

SHA512
140fcaba04ef4acd3c4ea4a9e539eb2493b727c447add66aef3dfde455a5f1f6a2ef453204c6fab3985943ca4cad0871c5d6dbb58e5e9fae26f74e5784f96f6a

Download Submit
memory/368-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3220-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3424-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4972-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download