ea7fa0bc70c75c1528ec1c51a52872ab5fd55b34b2e95003c96bcc089c70998d

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
Size

230KB
MD5

37ab5c2f946961041bdcb47e5250f5b1
SHA1

885943dcc66d61113ece8dc0acd0abcb4145d97e
SHA256

ea7fa0bc70c75c1528ec1c51a52872ab5fd55b34b2e95003c96bcc089c70998d
SHA512

614e33efd4a2265223613732ad8ad04cde0b5d4b22ebb3fc2400ec7b884931496865305a0b825b3d725127b3b2f1c8461e076e385c117a8881cca734c4b2601b
SSDEEP

6144:g4XWtbS6ypV3axXT3c5TsESgQ96k1AOcW:JXQbSX367eJBkeNW

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dykIAIsA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	dykIAIsA.exe

Executes dropped EXE 2 IoCs

Processes:

wgkokgUk.exedykIAIsA.exe

pid process

2416 wgkokgUk.exe
228 dykIAIsA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2416	wgkokgUk.exe
228	dykIAIsA.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exedykIAIsA.exewgkokgUk.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgkokgUk.exe = "C:\\Users\\Admin\\sOYkksAQ\\wgkokgUk.exe"	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dykIAIsA.exe = "C:\\ProgramData\\GyYYAQkY\\dykIAIsA.exe"	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dykIAIsA.exe = "C:\\ProgramData\\GyYYAQkY\\dykIAIsA.exe"	dykIAIsA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgkokgUk.exe = "C:\\Users\\Admin\\sOYkksAQ\\wgkokgUk.exe"	wgkokgUk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YugEokwQ.exe = "C:\\Users\\Admin\\pIIEsMYY\\YugEokwQ.exe"	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OuccUEIs.exe = "C:\\ProgramData\\dAoYUAkI\\OuccUEIs.exe"	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe

Drops file in System32 directory 2 IoCs

Processes:

dykIAIsA.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	dykIAIsA.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	dykIAIsA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3816 4616 WerFault.exe YugEokwQ.exe
232 2164 WerFault.exe OuccUEIs.exe

pid	pid_target	process	target process
3816	4616	WerFault.exe	YugEokwQ.exe
232	2164	WerFault.exe	OuccUEIs.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4184
4844	reg.exe
3036	reg.exe
744	reg.exe
216	reg.exe
1900	reg.exe
4760	reg.exe
2284	reg.exe
4988	reg.exe
4968	reg.exe
4228	reg.exe
552
428	reg.exe
2672	reg.exe
3724	reg.exe
2164	reg.exe
4708	reg.exe
1812	reg.exe
1220	reg.exe
2516	reg.exe
1904	reg.exe
1596	reg.exe
2672	reg.exe
1812	reg.exe
4544	reg.exe
2996	reg.exe
4536	reg.exe
4624	reg.exe
4620	reg.exe
1956	reg.exe
2832
4396
804	reg.exe
4996	reg.exe
3620	reg.exe
380	reg.exe
4120
5004	reg.exe
3600	reg.exe
3724	reg.exe
4688	reg.exe
1112	reg.exe
2568
2780	reg.exe
3372	reg.exe
4428	reg.exe
2832
1568	reg.exe
3928	reg.exe
3600
4760
1596	reg.exe
4108	reg.exe
4396	reg.exe
2520	reg.exe
3300	reg.exe
2960	reg.exe
1896	reg.exe
4712	reg.exe
2568	reg.exe
1812
3928	reg.exe
4756
4440	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe

pid	process
1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4432	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4432	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4432	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4432	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
1904	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
1904	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
1904	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
1904	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
2396	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
2396	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
2396	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
2396	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3036	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3036	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3036	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3036	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3972	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3972	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3972	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3972	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4108	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4108	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4108	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4108	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4616	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4616	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4616	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4616	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3864	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3864	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3864	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3864	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
432	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
432	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
432	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
432	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4464	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4464	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4464	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4464	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3632	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3632	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3632	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
3632	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
2248	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
2248	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
2248	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
2248	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4108	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4108	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4108	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
4108	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dykIAIsA.exe

pid process

228 dykIAIsA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dykIAIsA.exe

pid	process
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe
228	dykIAIsA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.execmd.execmd.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.execmd.execmd.exe2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.execmd.exe

description	pid	process	target process
PID 1176 wrote to memory of 2416	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	wgkokgUk.exe
PID 1176 wrote to memory of 2416	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	wgkokgUk.exe
PID 1176 wrote to memory of 2416	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	wgkokgUk.exe
PID 1176 wrote to memory of 228	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	dykIAIsA.exe
PID 1176 wrote to memory of 228	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	dykIAIsA.exe
PID 1176 wrote to memory of 228	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	dykIAIsA.exe
PID 1176 wrote to memory of 540	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 1176 wrote to memory of 540	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 1176 wrote to memory of 540	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 1176 wrote to memory of 3956	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 1176 wrote to memory of 3956	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 1176 wrote to memory of 3956	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 1176 wrote to memory of 5004	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 1176 wrote to memory of 5004	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 1176 wrote to memory of 5004	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 1176 wrote to memory of 1360	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 1176 wrote to memory of 1360	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 1176 wrote to memory of 1360	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 1176 wrote to memory of 3472	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 1176 wrote to memory of 3472	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 1176 wrote to memory of 3472	1176	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 540 wrote to memory of 936	540	cmd.exe	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
PID 540 wrote to memory of 936	540	cmd.exe	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
PID 540 wrote to memory of 936	540	cmd.exe	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
PID 3472 wrote to memory of 3972	3472	cmd.exe	cscript.exe
PID 3472 wrote to memory of 3972	3472	cmd.exe	cscript.exe
PID 3472 wrote to memory of 3972	3472	cmd.exe	cscript.exe
PID 936 wrote to memory of 4960	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 936 wrote to memory of 4960	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 936 wrote to memory of 4960	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 4960 wrote to memory of 4544	4960	cmd.exe	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
PID 4960 wrote to memory of 4544	4960	cmd.exe	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
PID 4960 wrote to memory of 4544	4960	cmd.exe	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
PID 936 wrote to memory of 2396	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 936 wrote to memory of 2396	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 936 wrote to memory of 2396	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 936 wrote to memory of 2832	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 936 wrote to memory of 2832	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 936 wrote to memory of 2832	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 936 wrote to memory of 428	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 936 wrote to memory of 428	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 936 wrote to memory of 428	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 936 wrote to memory of 3268	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 936 wrote to memory of 3268	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 936 wrote to memory of 3268	936	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 3268 wrote to memory of 432	3268	cmd.exe	cscript.exe
PID 3268 wrote to memory of 432	3268	cmd.exe	cscript.exe
PID 3268 wrote to memory of 432	3268	cmd.exe	cscript.exe
PID 4544 wrote to memory of 2292	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 4544 wrote to memory of 2292	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 4544 wrote to memory of 2292	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 4544 wrote to memory of 3248	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 4544 wrote to memory of 3248	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 4544 wrote to memory of 3248	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 4544 wrote to memory of 4844	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 4544 wrote to memory of 4844	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 4544 wrote to memory of 4844	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 4544 wrote to memory of 2264	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 4544 wrote to memory of 2264	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 4544 wrote to memory of 2264	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	reg.exe
PID 4544 wrote to memory of 2472	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 4544 wrote to memory of 2472	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 4544 wrote to memory of 2472	4544	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe	cmd.exe
PID 2292 wrote to memory of 4432	2292	cmd.exe	2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\sOYkksAQ\wgkokgUk.exe
"C:\Users\Admin\sOYkksAQ\wgkokgUk.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2416

C:\ProgramData\GyYYAQkY\dykIAIsA.exe
"C:\ProgramData\GyYYAQkY\dykIAIsA.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
8⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
10⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
12⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
14⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
16⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
18⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
20⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
22⤵
PID:4688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
24⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
26⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
28⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
30⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
32⤵
PID:3932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
33⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
34⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
35⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
36⤵
PID:3888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
37⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
38⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
39⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
40⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
41⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
42⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
43⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
44⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
45⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
46⤵
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
47⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
48⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
49⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
50⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
51⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
52⤵
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
53⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
54⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
55⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
56⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
57⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
58⤵
PID:3304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
59⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
60⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
61⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
62⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
63⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
64⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
65⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
66⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
67⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
68⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
69⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
70⤵
PID:1260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
71⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
72⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
73⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
74⤵
PID:3804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
75⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
76⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
77⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
78⤵
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
79⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
80⤵
PID:4756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
81⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
82⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
83⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
84⤵
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
85⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
86⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
87⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
88⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
89⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
90⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
91⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
92⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
93⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
94⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
95⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
96⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
97⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
98⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
99⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
100⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
101⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
102⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
103⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
104⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
105⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
106⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
107⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
108⤵
PID:540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
109⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
110⤵
PID:672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
111⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
112⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
113⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
114⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
115⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
116⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
117⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
118⤵
PID:2164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
119⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
120⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
121⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
122⤵
PID:1412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
123⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
124⤵
PID:216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
125⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
126⤵
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
127⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
128⤵
PID:1560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
129⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
130⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
131⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
132⤵
PID:1592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
133⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
134⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
135⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
136⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
137⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
138⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
139⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
140⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
141⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
142⤵
PID:3708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
143⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
144⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
145⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
146⤵
PID:2452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
147⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
148⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
149⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
150⤵
PID:4184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
151⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
152⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
153⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
154⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
155⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
156⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
157⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
158⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
159⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
160⤵
PID:1196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
161⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
162⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
163⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
164⤵
PID:3600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
165⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
166⤵
PID:1108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
167⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
168⤵
PID:1444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
169⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
170⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
171⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
172⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
173⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
174⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
175⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
176⤵
PID:1220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
177⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
178⤵
PID:3708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
179⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
180⤵
PID:936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
181⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
182⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
183⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
184⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
185⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
186⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
187⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
188⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
189⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
190⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
191⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
192⤵
PID:936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
193⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
194⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
195⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
196⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
197⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
198⤵
PID:2156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
199⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
200⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
201⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
202⤵
PID:216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
203⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
204⤵
PID:1596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
205⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
206⤵
PID:1812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
207⤵
- Adds Run key to start application
PID:2568

C:\Users\Admin\pIIEsMYY\YugEokwQ.exe
"C:\Users\Admin\pIIEsMYY\YugEokwQ.exe"
208⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 224
209⤵
- Program crash
PID:3816

C:\ProgramData\dAoYUAkI\OuccUEIs.exe
"C:\ProgramData\dAoYUAkI\OuccUEIs.exe"
208⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 224
209⤵
- Program crash
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
208⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
209⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
210⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
211⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
212⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
213⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
214⤵
PID:4960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
215⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
216⤵
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
217⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
218⤵
PID:752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
219⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
220⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
221⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
222⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
223⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
224⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
225⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
226⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
227⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
228⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
229⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
230⤵
PID:540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
231⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
232⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
233⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
234⤵
PID:1848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
235⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
236⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
237⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
238⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
239⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
240⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
241⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
242⤵
PID:2668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
243⤵
PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
244⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
245⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
246⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
247⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock"
248⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies visibility of file extensions in Explorer
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
- Modifies registry key
PID:2568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYQMYsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
246⤵
PID:1108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:2516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:2952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSMUcIEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
244⤵
PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:1256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIsgwUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
242⤵
PID:3600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGEYcYEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
240⤵
PID:1596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuAcEUcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
238⤵
PID:2168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:3620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWAQsook.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
236⤵
PID:2284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:4224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:2204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgQQMEUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
234⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:2996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
- Modifies registry key
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeYMsAwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
232⤵
PID:4764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
- Modifies registry key
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiEMgEcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
230⤵
PID:4084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mikMEkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
228⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEYQAQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
226⤵
PID:2084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:1380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUwYggwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
224⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmMsMMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
222⤵
PID:3036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:2960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYEwYwcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
220⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:1412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:3164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:4672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCkYcQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
218⤵
PID:212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gukcQcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
216⤵
PID:4228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
- Modifies registry key
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaYMUcoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
214⤵
PID:4992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYAYYgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
212⤵
PID:3300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMokkUMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
210⤵
PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEgkEMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
208⤵
PID:2336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:1200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwIscEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
206⤵
PID:4744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:4428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:1424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOkswkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
204⤵
PID:1944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
- Modifies registry key
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAkIYksY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
202⤵
PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEMwwocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
200⤵
PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWwkMUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
198⤵
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:4836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYokMUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
196⤵
PID:672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- Modifies registry key
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIwwgIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
194⤵
PID:1896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEocowAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
192⤵
PID:756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:3464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocwwYcUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
190⤵
PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- Modifies registry key
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSkQcIkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
188⤵
PID:4064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wckcAscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
186⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- Modifies registry key
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VawUwwso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
184⤵
PID:3620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raEgQYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
182⤵
PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKUkcccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
180⤵
PID:2520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:2996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQcokMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
178⤵
PID:744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:2500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOsIUYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
176⤵
PID:1776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:1108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuIgIcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
174⤵
PID:3632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- Modifies registry key
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuEwcwII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
172⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
- Modifies registry key
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGYcgkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
170⤵
PID:1820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:3724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- Modifies registry key
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAcEoEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
168⤵
PID:1904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcwwMcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
166⤵
PID:4184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
- Modifies registry key
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:1872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QycMcAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
164⤵
PID:2408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:2044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:2284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySQwwEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
162⤵
PID:4672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGgoowgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
160⤵
PID:1596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:3820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqwEEgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
158⤵
PID:1220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:4044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fccAEEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
156⤵
PID:4340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:3676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:4760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcscYksI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
154⤵
PID:852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:1440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUwoAEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
152⤵
PID:1720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmAsYMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
150⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- Modifies registry key
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEUIwsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
148⤵
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkEwckkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
146⤵
PID:3724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWcMMQoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
144⤵
PID:3664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCIAgQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
142⤵
PID:1200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- Modifies registry key
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziwIcIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
140⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:1384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIUUEEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
138⤵
PID:3620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYAkIcsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
136⤵
PID:1720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESAwMMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
134⤵
PID:2952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAAIgIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
132⤵
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:4064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
- Modifies registry key
PID:4620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWUIwEIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
130⤵
PID:4576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsIswcYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
128⤵
PID:3816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies registry key
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- Modifies registry key
PID:4228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMwoYEsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
126⤵
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMgoIwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
124⤵
PID:1196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
- Modifies registry key
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oekoQogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
122⤵
PID:1896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:2668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\issYAIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
120⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkkYUEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
118⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCAocwYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
116⤵
PID:1504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEIYcQgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
114⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:2304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
- Modifies registry key
PID:4968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKAQgkAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
112⤵
PID:4236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:1044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEEYYcwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
110⤵
PID:2452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:1220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiYQYssM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
108⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
- Modifies registry key
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- Modifies registry key
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcUoQQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
106⤵
PID:4628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:4432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- Modifies registry key
PID:2996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkQAkcEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
104⤵
PID:752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:1108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:3724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCYUQggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
102⤵
PID:4672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:4616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuwMcgMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
100⤵
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUYYUccU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
98⤵
PID:552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWcoMMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
96⤵
PID:4776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:2336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:2084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGEEYgUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
94⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:4444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkEEMIwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
92⤵
PID:4536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foAwwYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
90⤵
PID:4760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- Modifies registry key
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqsosYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
88⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKMAQAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
86⤵
PID:1716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQQooIQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
84⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcQIsIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
82⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies registry key
PID:4108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:4688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWYooMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
80⤵
PID:4708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:4764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
- Modifies registry key
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psIcoMkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
78⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAQoEggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
76⤵
PID:4968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmcYogAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
74⤵
PID:1196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
- Modifies registry key
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQUUMAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
72⤵
PID:1812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- Modifies registry key
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSEMAIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
70⤵
PID:2516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmsIkoQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
68⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGowUoss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
66⤵
PID:1872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkYoUccs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
64⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMkEEEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
62⤵
PID:4324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAMkAAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
60⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywAkUIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
58⤵
PID:2916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies registry key
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
- Modifies registry key
PID:1112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsMUogEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
56⤵
PID:2452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMEQwIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
54⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgkkEoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
52⤵
PID:1812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:4624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gycsgIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
50⤵
PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQkwkkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
48⤵
PID:4324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:3036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- Modifies registry key
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMsIgAcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
46⤵
PID:1800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiIcIEoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
44⤵
PID:4460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgccUgYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
42⤵
PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCkMAsYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
40⤵
PID:1200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSIoEcMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
38⤵
PID:3720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:2336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmIMsYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
36⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deggMsAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
34⤵
PID:3540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCcIUUoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
32⤵
PID:2336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmsQYEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
30⤵
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:4196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:1904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAYoUMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
28⤵
PID:4924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQAQcIQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
26⤵
PID:3856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:3724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQgogYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
24⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgQoQEwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
22⤵
PID:2740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIMIAEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
20⤵
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zogkcckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
18⤵
PID:4456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSEkoAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
16⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:4744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMsEgkoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
14⤵
PID:3240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqAcAAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
12⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkwYYsIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
10⤵
PID:2004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgEYgAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
8⤵
PID:1512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsYwAMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
6⤵
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmgssIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYgYcQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3972

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:3000

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 7qDJgvaIoEm4mb39VIyvMw.0.2
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2164 -ip 2164
2⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4616 -ip 4616
2⤵
PID:4708

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GyYYAQkY\dykIAIsA.exe
Filesize
184KB

MD5
1e060db6cfd38097b27207db69ccfc04

SHA1
2c6608a021c875cc1ea2900f2bc2a792b59e69ea

SHA256
3938b01f84c0b6281660ee468cbf5ea476e5fb4072f5cbc14811bbc8351f71db

SHA512
9cd13a53635eb01b2dd2bd3b9886793ea29f5786ec7441ebef6da5542cdc158861345cc22a21ba0e7896ffc6b429b84da970e917f7ca143a9ff4853128e0ebd9

Download Submit
C:\ProgramData\GyYYAQkY\dykIAIsA.inf
Filesize
4B

MD5
40ab2bc946c08dd90624ab1d83a02889

SHA1
742b419e7a0eb9faee4cc8b0e39214153ddac416

SHA256
f9cda7fbc3d0ab6453468e9f82b1e574758fa6d37c7eb5f8f479f25e6fd3b34a

SHA512
66c2efbe57a3a4ce3ebc6a0bc716e24b005e3cc1587f9a8f9bda0190c612393228edf4ddfff039d6ed476cac36311392da2a66634b6219b15f1480fcea51d6c7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
323KB

MD5
c90423d480f6c353c6ef14ebdc0fa929

SHA1
29392c24dc29cd2a471fa80d100ac5b31c3dbfb6

SHA256
8178459d053127709af445c28d284f5d35b84f0a27d59a42af0abb91503d25e6

SHA512
f821582fc8eda709d13110cabcd1adc9d0299081301d90af02cff1778cb5887a99634e9c7ddea0da1852e4cd4fb3354af4fd7b99b2b7e15454241f66a3132ae0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
Filesize
194KB

MD5
2e072b19194adb45e1a33df9eece2c26

SHA1
b02d5ba05be38edd36450d478be14a518278e589

SHA256
8c5aab8d2296f8773cda51ebfb28b61f4341a23e8fd6e90f3a6517d61d4f3c16

SHA512
8f8932b193a1ef408b08560e42e9eaa2a61034584c18635ffa6c0da430e1bfceae2fea7d61f71f543217984e58cf3ec1be671415d34134d7ffdd02a05dad501b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
Filesize
776KB

MD5
64d6fb47e5c243f3264ec92b815e3b17

SHA1
d0558791b5ca5a3727a9327e0cb0cf5fffa51497

SHA256
7e80339d1810f046ddc32e6f5100f7541982ffec71bd92c50f06fac9c8b058e4

SHA512
8ce4cfbef1e14d847d18af79ce1d582b1e109ff5edf0dea842aff12c11a65178c8aa052bb67686361ca2e3357f6aff9b0341cf6c6ac800624e9cc0988f4c7e0c

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
Filesize
636KB

MD5
6a4e95a9c4d5b3fe70f572fe196c8b35

SHA1
ad8d1f0acd0673a212e59821713f27fb824e264f

SHA256
7062810d4a0a33636cd6c2961e8becabdc810832e55a748b57d58a517262f52d

SHA512
62dd2d8129777879eac73a07b38d9ffe175663f6fc1b4d6b6ac3909fbd10c383961e4f428696e84017fe588bd1aeb698c7a5da5ca1337e60d466f1265233da2f

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
789KB

MD5
7b9e759f7dba96a32a1ba3a2701f3771

SHA1
75992287839c57be9aee35e3300d9584f4f44eac

SHA256
3382c49f2c3aa1ce4b492acb48c99b362007afd3ccf42ca2c6e750fb5b792a15

SHA512
e5e306b6035c4c9120c0a040ce69db9b6025a1237e07e6044ddd5191dfe05d8239fcf7179443648ab5b81cc3ec416c17c2196de1b7b637028a40b589d9e6bb82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe
Filesize
186KB

MD5
956a89d117bb3b5f7bb440d577bf0955

SHA1
572109cc52ae9d3fc4e4cfc96758d316b6d6c110

SHA256
fa54b7199c8a09c299a2316aea745466da8359b5448e8ad0393655c8810397eb

SHA512
ce148883a82b38c48b0044232f4039e68dcf2bdc69a7cf3bfac7753c742f079b9f5c869a92b08f55598981a2a260970ea0a32808e0c73a2491bc492aff3f54cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe
Filesize
222KB

MD5
7843021d6aff218f0445997803bfca4f

SHA1
0a83f1b435a103cd61503fd87a0765be4977ad0c

SHA256
74a6df6124bf505ca2936af0ac643b6091209401f94deeb54a7af52284fc3ef7

SHA512
63d13eac4c0e344e32bf3a391b40ac47f3b1f0a5ad4eb2221bbab2bea278b1a39cb5637754af378b3ec4327d5bb03398ddfe5157adf6168ada02e499a5fc597a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe
Filesize
189KB

MD5
093e76ceb6c2e1251b3ec4cc99c69fe9

SHA1
59ec1b1c13e6fdc6d2c93345be0acf82e082b859

SHA256
aea0227daebf0a87fcca379a2df3887c2f8509ac56b7e9bc1d2569ad8b511275

SHA512
697478b85be89a63058a7aa1834ab1b1b6bf2d2e0f45ec8a8c702fab5ea0f92a6feca94047b9927d26f3032c7bb34ce68df5428aab2f0759f03b3b4ac8c1d4d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe
Filesize
199KB

MD5
39fecfa5641e1edda1623533dad50439

SHA1
63cf055f4eed9d5e34eda814adaa7ee3dc190b4c

SHA256
8b8017c08157c8fc5e18010371a02e92e3ae867d4a4dd5d5b47a3753f7855769

SHA512
7b11e501200fe4d20ffa222737caf182dc3e0da55d1c5e4165ed1939c32299115d6d3284ba424c5511a68be04d6a82eeb1f277dd5d4dd43b89380c3c34e9dbb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe
Filesize
196KB

MD5
ac532406011091b811b8598cfb073b84

SHA1
fa949156b9a7fad7c2a996358e89f734c93cb33f

SHA256
6b7476208113d490ac4b4762eb7ddd649f9654727cb16d1c8bac0eb385b2ba59

SHA512
96eb194433eef31df1b9ce00e4989daa41e200a53bcf54c662d72893c902ec859311c436364f46a51c9e45bda935299f311ef9e473c472995208b64ec58afed0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe
Filesize
201KB

MD5
cfef40b33e730c0749051c5f7e161019

SHA1
0ffcf7950e613330ba27a3c56c19cde8d4dcc671

SHA256
a3d668f8883b7a255637062ec285f069de52476343c32a1af7e0a6d8c14b7f97

SHA512
e1fa8aa1e8eac40f866c60ccd0181f7039b048985ee0a26cef923f76ba7aed27c6874e4286caa06a977f5f129e021952b08474bf930931462d726e91b1fa105c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
Filesize
559KB

MD5
fb0a9600d7e11e61cb281f7e5e3c4046

SHA1
5fb836fa22464e29f29a349a76d81541e61c81b3

SHA256
ef2ce104ffda27556c264740cfeb7ddaa2f7215ea49eabd763adef3c4ab964da

SHA512
190fd2c196e67a4ec715ec9b836684a828e3b6c00494593307452086c12197c62af7f7cfcabc34b05725f2fa1c19c13f7ffe54ca19d6f69e4289e8b49fac5b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
Filesize
199KB

MD5
989c7bd759312c41694d1af3a62a2bab

SHA1
d6af318e5055a79db720738cf3a5db3c67510cf8

SHA256
e8e841785d2aa94b9a85c61cef4649ed76d2265a5e3043eab454c54a3b27556a

SHA512
2a2d8ff1226858181d82dc0581b439d7c64edd43350daf87b71140c23261800dab0cd2f21c69c51fb86a7b37b8758b109eb1754c2be9c93b07f72d07a8ea6164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
Filesize
190KB

MD5
efcf65cbccadc5976c1653b2f35b337c

SHA1
72423800ca406119f1846780774a08de4584deaa

SHA256
c6cc32cf14ec407fa51c23f7cb2a7e98c051b590610bb5de3c6a83ccdaeaf310

SHA512
09c31f0747882cb37cb40511e8084e93d99481363c39975aae73cbbfc1356a7580328d3645502b3715c763e595f31b36c94d15feaf3ee43c9ed359011f0904ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe
Filesize
192KB

MD5
83b04105f18c620b23e39a4bbe2c8625

SHA1
2db90b70622f8bc1312dcbaedaa546dc730562f8

SHA256
395dc100d6da56011fddd04c4cd590ef729fa76d2b654a0a6668c9b053e0f043

SHA512
29c79f697cb6c3dc6ff7f54c74c4033ba135f3514460647d4a29d24ed78a7940d876db05b3577d835d45ee1bbdb3a3ce2f740911498bffbac5172a4770ac035c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe
Filesize
203KB

MD5
b22b503efac82bcf13373c6666df2ed9

SHA1
ad963a7cd7ba33c369c6e27052c65cf3a97f4a62

SHA256
5979d42d7de6c641c34a687d9460314474a0a236a844ed463a027e9dd4cff668

SHA512
4b9d497159e77988c4c007afee1a257cfac4fea6abebc5bbfacd5f02d6d36e490f2638621269fc92e066f5c76a4556327b128c93f47ccf1e0fba3b58a0dfb313

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-25_37ab5c2f946961041bdcb47e5250f5b1_virlock
Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQoO.exe
Filesize
199KB

MD5
9f5875e6c4309bdaddc90b5dd31bdd17

SHA1
fb01cf6cb47ee7a02304abcd405b8c4686948d71

SHA256
33f15353fad8667abb3d8e73ed25f288a131bd0f3b4cf6904fa32814e4e5a1c7

SHA512
063fd0f7911d5b3b28c9d23eefa79c17bd4967548f6033cc7ff8884c30c44f7a2bc0b064cf8d6c6e7168651f4b12855ea5050944f25f8eb33c8e4a00116a9004

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcQy.exe
Filesize
232KB

MD5
6f69cf6dee93874809dcc0e84ccc5ce5

SHA1
b4b3c8702956f519b2acfab9d1d2741b63caa228

SHA256
3991b9b55e6cde2fadbafc5ab41ffc8912b1c09f9e969340b9441880427f03b1

SHA512
220205bf23e6ca2a305a2ce338cb50aa67228c44b6ae30f008af8158b3598f381a16363d9e3f9bf2105e7cc90c8b376e8a205dd706211d1bd0de5776406971dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgwE.exe
Filesize
1.1MB

MD5
2da43e8a6032345c0889c971cd7069f5

SHA1
f91e905dd7a8d3bdd5c22a8f1be355ed4bcdafa5

SHA256
a6672e5e25dfaef85773ab39197541b31ead1e6b8221567956e5d58e545ab1fa

SHA512
6bbc5e43c7717b71c0f493ab4f175c82a99de9175faf84de5927bc8cfd1d2450719d80b2f7f51d6d7fc85a0f3dcec73f510e7d8128713f86764edfc6f1e061c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsAk.exe
Filesize
220KB

MD5
bc177d5fb7dec8b917b60691513bcd1f

SHA1
90d691023e5c778862d85d8ab73caea2f5ff962e

SHA256
a43d6a40ac1dcb26d1191e743c9834cddd8fa4ff28d8bd20cff7f92cb2d0ee34

SHA512
69d1b1282dafef8db9d525453fd0e24f64e2eba1a728737f8743ef85f1fc8f761ed3aeef4c466cfd96da26294cf51e9314f2794364a20e9af3395c8d51766069

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIoi.exe
Filesize
786KB

MD5
746fddfdf42a70c67e046841ce480905

SHA1
6abdc71081e3d04e5e012ea29870487095dab351

SHA256
493a72db380b2b1315dd639743f5fb9acfea6fb5b0ce5b7ed88b469fc1a3d176

SHA512
1209266da9d9299bcb116cff38b89217ea00cc99f50f242f432c43c7cc5d34a584198d995e20078a2364a8d35d8daf4918341beed78d0b4cbc5b923f7af898d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMos.exe
Filesize
224KB

MD5
6481edccb473aa92d16bd34eeef304d8

SHA1
4dafa84d9300b9e99886ef2cc012ebd150371472

SHA256
40f488658ce8a1a2e6fb4e201116cfa5c9114a60bfc802af0cc836b556d5e153

SHA512
a340bed34acb0a624eed8af1c2fbdaec3d029625a90b6896cd843a6e2af10b9864e0d18cdd9cef7cd534e24540ca2707bdccf4f789fdc612498430d838df6661

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ccge.exe
Filesize
206KB

MD5
b478361976cae68fe3bb0e9020a79bfe

SHA1
68c65bcefc041f6ed6b3c11c7c26312d2183bee3

SHA256
34624c2edb43324d99d41a1922215065b0f9dd0eb665c68e04bb926912b15155

SHA512
f2b0bb0ae811db8c46a508b5cc8ed25c0fcb3469b85bd59bc917e1b607c10aff9c78c8559b8fd56327ad9532cc64605fae8b3cd8c4f3038ab4b15b26776c6aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkgC.exe
Filesize
203KB

MD5
717d7a96f18f157f3ca9aec7088c35c7

SHA1
b82dc7ae495470398c5fa6dd586ca1efbd4119c5

SHA256
0bda6f8fb33aaaebe41953a6ea7f8e37383a46f0fe6f2a34692479c7e171f0c0

SHA512
e7d738cab5decdaa841d27d85d938960e0535db5581af1025e3e8d406611de1ebc58a16af99a3ac3c5e78f33ad9f1bdc1e79adc81d7551f7f2e0f8a4a4d15f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwMa.exe
Filesize
238KB

MD5
885460d6187d6b0bfa8729a14bcb2bf3

SHA1
a261ff844a73e4ec713dd105add6ae0d49edbf7d

SHA256
60856cde684a37105aaa9aaa61914f60c71f8721e3f87650f88e6bfd600e976a

SHA512
568922bc22408a239c9d76f05b759e8195d8fc8572ed52248cafdff586c0494096e91080bbfc7c2bb6d8f3ac722ed38ec2636fdd490f1a1d5558b0840bfaae04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYgYcQIc.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUYY.exe
Filesize
809KB

MD5
52e02fff92ee0d6915df70642f4790f9

SHA1
281ce9f7719fa94f16343abefecaa5d7c6e6a5a0

SHA256
868bc8f6cdb93b0437bc3bba6206c5a5d4778a5af348da5e2a73ad57083b9dc4

SHA512
deec3c57e92a25ba7b1b51ffb2ed0e61dc3caccf00c93cb391cc6865f5e104ffc207fe1b6255bf5d4e94149cbcdb688cacddabb33aaa1607c63f5c6c9c228ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoMS.exe
Filesize
207KB

MD5
1159bbc93b9a03e17b6e8ac344dc0895

SHA1
c6b2da612d01dd12989c4ba5175e6899375a5f1e

SHA256
2efdbeddcfc3bea61c069d120e0d4ffeb02c90ffbfb9e85002483704dc22358c

SHA512
e6a6449699832f4e1a1ebe70f5b7a77c38a56bd0dc4e5a1cb04807a0dec454139b463a6cc37974ed1cf22c394b8c8c70c2039001cfdb516f32e2aa22b551a18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoMU.exe
Filesize
200KB

MD5
8cb4ebe6ad41029f6bf1e55027cec169

SHA1
8defca1bfc5f36f31c42b2ba9ea310ba2b935b3b

SHA256
acc7906fbe628c7cd5f866f1c159fc443ec8f078ba7b4d06b7e853d0a5df263c

SHA512
6e4ea182d13fba759209378d03e8780ce957782a2b54ec8ccf9b094c004208a59554b767fe91392106c70bee248a13e5303e5a06919a739dcf23ecb11cad67e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIAy.exe
Filesize
194KB

MD5
83ffc52b05b665e7312ec93fe4c1bfa1

SHA1
6ad197ed4dc95433db62677e2f2abee883396101

SHA256
656ae04019011482fbb0517b53207448ba0d905336dd3f0ff405a32fca58572b

SHA512
82591bfd0c2b1b4c7e75b11c65ac337f94d99547cd7112b6115d200c780bb6bea76c7a1ebbc328548d7e914ff82827c9f7f28b91dfc079d5f7471f553c4bab9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMgG.exe
Filesize
182KB

MD5
fa32a257c9b69419c1b4bd1ec1719c12

SHA1
de0e0565c23e88aa5263697d3a092bb425b4b44d

SHA256
80034e02a7927087dc9587da9ac1ac86c0ff45e4e0997d6d73c43b0926a2917d

SHA512
1621683eba740fcea4306ac667d86bf4cddc366ff17260366ebe3756b8cedb34f9edda2c8d236a0bd8e80d74f5a8400ae8d46d367d3619509d04c21b1851ebab

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUcW.exe
Filesize
639KB

MD5
12b32a594ae57787cbf5e3ae82393c9b

SHA1
15f27c53ac41da25df685a0c7c16a5d15d64cd4c

SHA256
3a43f88e3c436d0d1ee9454395cd61520c0e677da486138c498136eb106756f2

SHA512
250d5bbb2eca46e522e2303636c613331ef68ba3fc415823425d0e5377ced5badde192be8b74f4a2029593e5e4e8536b12b69611421efb33c80a0c906e7f13b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoMQ.exe
Filesize
208KB

MD5
fbb8d4b1af81c450f01a48c200578c81

SHA1
46ab2bfcff3c870890ce28a2e6ad6964ce673a23

SHA256
c83157eeff9e584661d0d1abe7f5a36c1fd192b614e8ea03a507286b028ac715

SHA512
35a0a65eb2008d4ca2203e40cbc666de40f85f290e9ed707e6c5812953b0237734f0ea7a87544cbf7cc39f38f6f686796b2977db0e16e4dc1a60ae8745fae2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwQe.exe
Filesize
190KB

MD5
9e9d4351be62fb2c644c26dd5afeb834

SHA1
2c00426d8fd520113232ad97427ca4bd1090a168

SHA256
882a762d5ff50ad742fa8ebd8be488ea3bc9f73982e7ff5d7f2b850204cc82ae

SHA512
b57451bcc490c11868033b0f2c2ca3759899e568881532ba6cfbd8d6c9d6a8ce6b8ba652d842e4ef0587d78b2cdc1581464aa5ef167124a347df3479ddedbc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMgq.exe
Filesize
210KB

MD5
0e482a7c2a1325d41cf5449a0c566e87

SHA1
b4a729d280433b9c23160170e271d5e1bd10ef9b

SHA256
f2fe250f2baf510bd88a94e8f352db9961378c054730e3e9c8d7a2ff2e9276a7

SHA512
4f750ac665a24ff8eb6ae3190137de909ef47c53d51f59df61ebb64540c70050651289570348fb35d3a9e11c2a306c15c84e4899f42dc81a79426eb2b34f0e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUQy.exe
Filesize
657KB

MD5
2437c8d0ba7ed3214534344a58ec52d0

SHA1
4d8ee214bbd9b9eee6c154d563222d6da0f504cb

SHA256
5dcbed01db96180ec3b8d6a7b8f9bb90d76f41cd5d7dc3e1270120ef91e87453

SHA512
6e94f78fad8205a8c680802972edcb8c941af576fd6e0ef07f1f954b951de4ea3e8894fda29cad0a7b55e33acc06c51218a1b06d569abf7f410020a5ba6b70ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUYw.exe
Filesize
194KB

MD5
34391f81c8fcb708d215768b836ef720

SHA1
dbef511f9634c25a96347f692988aa0086e11ccf

SHA256
6779bfa63659b083efa244553a1de7feda6a0eb7a906d700eae770af5cda0106

SHA512
df44b857bf1bd5512475132103d0ce83b4818adb84f078f5af55f74eabbd95b3e4e788876a935acbde4069e3449bea844d60763f16226d9eb49aae7286191e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcgE.exe
Filesize
205KB

MD5
bd603fe4038b5a06f9d3bc607edf7583

SHA1
d4711abe565c4931ca6a8266fa4415794c59a15a

SHA256
daf539ae18d29d1b38fb18992cec26cf041f83e2376ec35bf6ebc03bc0dfb020

SHA512
8156ee3d5b067ac6b08d8aa805c5625c8984927735c9d5e05ac182cc422add23be234ef08c69f5112c502e8d8fe344056dd29c071b99f9c271f7f3222d1cd597

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgu.exe
Filesize
189KB

MD5
e8dc2e20e7247764e3b3ddbf69318bc5

SHA1
cf9cb301deddfb13c82d87eb5716e9a29806b681

SHA256
856109ec8c97a76deda1a61e4e165a2ccfc3e53d5c9921668e676d1a30b3ada1

SHA512
a880e2b78d3fe9bfa680914b427e188ca535a080ff894f19b2b8c43e4c82b0a36344b0ff39b579b61872efac5fc8af3258a7669a69a124536d6bebef4b8badcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkwU.exe
Filesize
1.8MB

MD5
6a582cf5210f04da58fb656bf836005e

SHA1
617b23e1d9488cacf3314da5c18bfc494d129cc1

SHA256
435760b9c08d20334e6634319453ddc6b3f4a17ab11827b39b5aa19c05b29435

SHA512
d40db20a3c3570af315e89e4cfafaf8131418575375ab1b06cefbb2e521b96a17ad9a7eb914f5e1f2a9bb7eb10dc85bf7c1fbdce56206b5b63a34ac49b1ebb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mkwo.exe
Filesize
823KB

MD5
752fa2acc7f82ef8fca041fa15a16fdc

SHA1
be1e6053dfa285f45337e37e0216ce431c1d714c

SHA256
b008082a83fe4d37c421f7c0dac26c3a1d00d14d4a1a21785bc276f1892739f5

SHA512
bee48f2e0e3fed899db739e806c51c34d8514b5e59daa9b3cb3e24d4b9841aece668745aa111474a60ff4c54b7b68075a13527f858b401ebda82004655318745

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsYo.exe
Filesize
200KB

MD5
6143fc8bd4c165dc814a92e0c0accc98

SHA1
98745854d940f62dee4e0d8e106d5914b929563a

SHA256
dcedf85ac7c36d28b155057ce1e0f6fc2e6e705d9287f21e13b1aa19a3853bdc

SHA512
1d647ad2d2d60eed54c838647c0021877c5368729df343297779b27d88315657bf6dbb3c19bed1673c34af0645c0c9e5b8e62d67c69fe0ed3eea6c24496d83d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwUK.exe
Filesize
1.1MB

MD5
b55dfb93b5192adea25676e724c8ccc7

SHA1
f1e65bdfdd3c7597b0f6d15f86c2f90426b95872

SHA256
7d0bb80ee0541f61fcc2c02b62a1e160d3495c7b4a2e829e15464155eb67d915

SHA512
4b109791b9bebc4d8907305b632ecb797f11d73f62582a57f4f36adf9b9d92cdbe9c26b7813af042664db75e1cb4868ad360ee764e9f9a2b6789a9e5ab286f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEcU.exe
Filesize
189KB

MD5
a65a46710b05134395e993d510196a6d

SHA1
5794956446625499c254ec316b5f1b82c7e74ff7

SHA256
240adbfc5c20fc86f0e2d54308745e6805bda8a70f041561697229fb118fe9e2

SHA512
80b11dda67354ea998d01ce01d74133c687d262ea88e35d5d5b28538c212f2a0b76c323d0350a0e744dc6a3acb9001f772d95df61f0f01a1195f09ae4bb22d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIAs.exe
Filesize
206KB

MD5
5898a285f8597a600acf53d306b247ee

SHA1
5df9b15373981bb8dc0103a05d66befff115943b

SHA256
62bfb6edc247fc5491d3b157854e4cdbbc3656287749d62ca52984086f42b5d2

SHA512
b8f230cabb30e3b2736b1fbcea943f355f7319f5b3100ea8f2e38e33e6aa5701729dbc480edea3a1581ebd4ddba7351bda227c7eb453db2ad4b02e9c5a28acd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogoq.exe
Filesize
197KB

MD5
cd9f6e859b21c7aedf8b586b0a5410fe

SHA1
fc40aeeda8f427f6524484b85b4df5bd5c9e4f4a

SHA256
99aa173ca8d596d4df956c3978d8de41f8adf084b45a8f8ae11b37f26c37cb79

SHA512
e11884e0c1cafdf557b082633429ef9861f6d3e9454768c7a11a3452c071b1eb81d27261dc5897ecac9225c43a770904490904cff3ad07f78100e8670e199c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkoM.exe
Filesize
197KB

MD5
7ba1bbb2e1b4024d47f5b364afde57a1

SHA1
fc6aaf79fdd09c2dc5eaf7bbe516cb047fd0a481

SHA256
17527380c4b8c717e51733e8cd18935d98ba969cd3d33c52d61128717019e26a

SHA512
b0f326be25f5ec4ecc9900f4a58565ef52a62665583f532d2afc1a38a89297794a5a470265232c6af6561c36a11de52cc05d1b2d8a12af0acef396e33ac6ed9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMck.exe
Filesize
384KB

MD5
1832fc8385556e3ae50e73cbc85cd75d

SHA1
c0bf4aaffb665f6aeaeb6f34595676d089f4e66f

SHA256
ac2ad18df15246a2de845eeb440e96a7d2e940c4d0d5cea2e23de295d8b29926

SHA512
6159aa04f16bdc1b921f54bdbaf395c3314a8ad3ffcb51913c9a3618f155866b13e9cc8ce22e2c36ead40236115d1f5293e4f3fa89f1f507dc6e5485ac7aa7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgsm.exe
Filesize
191KB

MD5
bb1738c7430c85abd77902868e6a9e08

SHA1
1979f2941a2c3667803122d4536e4873390c0581

SHA256
17860cff2227624f5712d2bc389bc7a57ab3953e6d94c7e15657bb202dc24b54

SHA512
b801553347fb6aa2dc74719d3a3d3fb39f41cdfa2bcbb37f9444653d56a4c326b65a9f3d068473eee72b121168bd575a28874c63520ff643c38c5f24da019f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoUm.exe
Filesize
193KB

MD5
35e46690f091b17079942d4635aaabe8

SHA1
e178be3a3bee3425d5abd8cfb975684558036f00

SHA256
71c81110d237721c6516f29b50423cc99d5c1c3c63cbecf8cd496d3015c8c359

SHA512
45523c50cb2928530739620bce6b129bf7732112be126045aec2fd62bbdae0cad2a7fdac1efe1db2b210262f548792ecd6686cecc66e85cca40ede2599f1689f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAUa.exe
Filesize
994KB

MD5
1c1540f9c0de80f7385acfddbc414a17

SHA1
577a8db4b690e78ca06a199ee6479494cc24f8ba

SHA256
fcfca16659142dafde7b8d8b2e04c8a094f1b03a954cb837b5e4ac5206722128

SHA512
c01fffc8367c9b8263b1ead5f51a82f8a5202b1dca10fe8e8330d5f5b3db1d2263171aa67f540675ae37a4fcee319986648e1ccd88c41e4368dfd3a33fe6aac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAgY.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkwY.exe
Filesize
818KB

MD5
154bf996c5786acca98e58fe1c40ffd1

SHA1
8c7a01012d55535e41534195dc9a5b58c7ac9ee7

SHA256
fb6f04754b72321ee759868ad126dd2e6239ae6e45857fbdef51abc719092a9a

SHA512
4cbcf6a0e3d32b008e5bf12c64fa2ff70741c7fb76792b105e8baa1bb6df1b5e095e5933a22603c2f22f67be96c57b8b9dc2edd293205a29159d1f32aea1e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\SokK.exe
Filesize
780KB

MD5
303672e43bffa337484d356ff3dcfa04

SHA1
510946a73115bf64c5ec36d70f38a8c0d8fad479

SHA256
8c6bb12ab47c016c623bdd50a1c15a3d9e44930dae780e1306485ab59e1f96f6

SHA512
72da3f2d8dd1d5e20d9e4544304c42cb48ef78b2b0baa0a8ba2f43e0eb2b18ff50fd7b074950f9c39e7597334dbf455747a7f23f738092c80243440f99aab654

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsAS.exe
Filesize
432KB

MD5
a2491540497218fbcc6bdc7b623ff0c3

SHA1
0fb75106ad0cb50df72d2a827c2b8a3a799daf0e

SHA256
19964c0ec9e79b06dbb21ce845ecfd45bf0b465c56243e9844b57dd557ce16f7

SHA512
99db46a43031893ef5b7fdffdf53bcdd852e2660e58c32939bcdff8189509f252fda953aa8b84dd15c2133d355438f1c4ea4c3f4309c5eb9297fbe1e581276f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwgC.exe
Filesize
197KB

MD5
8294c928d70d9dff44a90557e0b4c72c

SHA1
74a5098b554b15f5f64650e1ab388e877c768b6a

SHA256
de3ad17ad6851516878310c3063f83f8895782f4d722c8f57531532471bb18fd

SHA512
6cde90e282f9f74d8fa7cf68a76d8cf9c14d66c7001b32b6e7729fb2ea6008bc3bab08102c3ce0fabd0f88dafba960864c4d85ae521c63037dea76907caa72c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYo.exe
Filesize
198KB

MD5
0083ea0ee7ea62f862774523c293f85c

SHA1
8d50a707500d4faadea91bf41b7d0b58194358a0

SHA256
e4ec77ed531d0fa4b13c6982e35ad05cf5bcc8c4b63d5ffb74c41912e082ec49

SHA512
d54e92be82669f9ac5738a693dcab7ae5a8e7775c2c584c5ea8e5b8e5e09478fa08f0e78aa123f1d62cda1339530debc28ef043fb473b7e70b34b2735510082b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQEy.exe
Filesize
182KB

MD5
862e22b3104da4645c2f02794c24c9ef

SHA1
3c0d9d79ff5bf8fe42792f67468443b3111688e9

SHA256
b06fe14038bd2ec3001fcbeae12f5d2107cc94654b84520576dca65785474790

SHA512
07b3c405ea8a1f10412d1465d8d648a70a53ff330f67a928d793dac3717ad8f541be4439fa2ea5d3278db784a377592b10da739ef642c9234b5da2378c664f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkIY.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkQK.exe
Filesize
231KB

MD5
563b5c97cc86b2c8797e27e63e11809f

SHA1
6b87e254cde8ea6635eab7c87445c24b0e95726c

SHA256
c0b84487c586147026fa8123221d1f08c719b10424604058f6232d671ca21f17

SHA512
bdd35d1ad1126fdbe20216e4e985fe448e06a7003de7c48a3c845d2881ec424cf22a346b70ddd978633b6fc9b82584fab6f1d76ea2d09b740d7facfa77393586

Download Submit
C:\Users\Admin\AppData\Local\Temp\WksG.exe
Filesize
773KB

MD5
2b2735b80fbd474620e4264355c703cc

SHA1
7beca58f556a2c87f746e73d23287ead009fde2e

SHA256
3e2c588a364e15fe3f36d9eb4ad64501f5815c30e79e513d4676f87fc9d07bb9

SHA512
87fb591c7b4de85e0fbcc14d34f7f57a0c032840ba149da3814a08134a4c38c03f71b7233522acd8157c932dfc9059323eea491b10440d43e7a4ca4514c58c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsEO.exe
Filesize
186KB

MD5
8cb87bca23c39931643e68d32fc7afb1

SHA1
ca6598b6aad7f5b8a3f51098a3ee1ac46eb4f601

SHA256
033237e7f94bc6d6409dc9ecff5ba0c59c07122c47e92c30f1b48b13fa62d4fb

SHA512
38b21611ecda518eb0f74f945eea6ebaaa8f87a8c581118977fcda51a0bd80e5365c8f6260bcb0e0ce6adc1359544c0fe2c6e46c13182b7f82b1758e2e533771

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsUS.exe
Filesize
199KB

MD5
d59977291ad8c9913437ed9bdd18da57

SHA1
065849010890528aa587277086af5d7d90f1f9f3

SHA256
de548cf9571625ea7fc32311784b6a153c7df2a429027b7c9ef6e584a41d057b

SHA512
ecf2b39c296b85660eb10975ca60d59c8e88f84e94410fcf0ad0ea7aa98b50e7533d9ae87fb826f82fb08927eb2a152301e98ff485b42f956a4f49c01f7ab356

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEoK.exe
Filesize
204KB

MD5
fee8e44f0a07005751568ba3c24e03ad

SHA1
ba42abcd59d9eff83574896285209b85e2a8598d

SHA256
025ac35ef3f334f30dc6de7265a7b86fb12fb5227bc00806660a201897711eeb

SHA512
c4408246d0a5a4e271e1b4f4ac047708f2d55317e703322f0236318e96a4f4240711891fecd2df088d053e3685e422ed1a8a2c665292856f60ab7d39ba9afc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIMY.exe
Filesize
203KB

MD5
dcbf30a868c317684e838ddb86fb039d

SHA1
7271092ff1cd59f0d1efe7d45cef10df9477586c

SHA256
5f3e2afcecd0e52360a586b298ba33e80976d2e8154db0092f73d14143e3ce20

SHA512
405f8716aab64b1862128f9c7f0f515d6d31ba9efaf113139ef1c6f93a34144ce5a602877e77d8ca104e7c2306e58f8aed00b30637e4a97adffd0d2d680bf7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMAC.exe
Filesize
636KB

MD5
fda683a2e36f59877c4ff52270fdce98

SHA1
f841dfa3f3295d271a326052f8c7335071c8152e

SHA256
c913eb7b446c957f0508d20040afa5c29452478ff8dec226f629450c3c51a736

SHA512
ad5601a4383e71b8154fadcae5ec9c8fbd6cbd129580632758df2a7eb34fd8da14f68bb937d815adbea9c1c8dad8f70af4967bf76845616e1b8f76d4115b9cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQAs.exe
Filesize
641KB

MD5
f203db2108ba2d8cd69df266d96ce2d1

SHA1
91ce878e4d3c0988d47a24d1ca4a943cb40af944

SHA256
3cc7c5b62f82e6ad321b684f4b872a3ae1f772bc1776eef6bda6610567a24350

SHA512
7abe56479c23bb974e476233f29acca83e868c71888391ff50275f279bed184426278b2609124d2defa712e1002eab7d3b98d2f9071295bf4568e5384fb38473

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYcS.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycss.exe
Filesize
5.9MB

MD5
f9a3cf12f767ca11e6cbdb01c1920edf

SHA1
41be26c73beb185a00dda78de219b4f997b7520e

SHA256
4d5e2082a49977fd9380db7872a072339a7bed6d399afcc2fd4bf5c4171a7e53

SHA512
6769b8301c4ca12c71de4e73f0f26fda01018be1fc4d377e64ca42dc23f0633406d6f3201cd438a17c72070b5ab7459dbba8bb8b1c7752b7f4ea2e8896be9cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEUQ.exe
Filesize
315KB

MD5
a17f196df48a211982372f3b09e05a96

SHA1
e57bef84be3b653c716196e78cc15a701a336c61

SHA256
b8fb14fdf05733dc9bd22512b6b380a446da426bedd6e1d73c9c6c5f5941e7a9

SHA512
33db4759bac7e5cf9fca550b12ca829053e7e0edf4cdba51a03a39ce61caba638730575e462e1b1892d536c04c469acdbf9e9ea7fe14111186ad4d2b51d8678a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQYi.exe
Filesize
185KB

MD5
884ccddb856f0eaed027b7f7029f1576

SHA1
1e4a651a5085d14abcf183ff1b2fc20ade83a016

SHA256
be3cb10d584ab3db949af356ea5630fbc2c83c2f035ede103d3652c5ee01b829

SHA512
1561e45685b7b2c4c252a2e307dc80a6742f443b46ed3fefcf8102fc5baafb9d06d1a36623ca0c49f0200f6138b7e30a73f33bee9669b5fec1383ff34f37b542

Download Submit
C:\Users\Admin\AppData\Local\Temp\acoQ.exe
Filesize
217KB

MD5
aafdb8a4d1001501c0a6d19ab92f59d0

SHA1
9b6a33aec493c879a90bc7cd5d6eb589d3a4b830

SHA256
3172c91f6a9f74367e081b38f95c50717d9c6a919f225b9343d8c04f9f4039f3

SHA512
9aafa4b4ef4cecfee11fd0d0d7399558305e9b7984ace345e74e2e3b4dc94c0f7ac0fe988d9d3b9db7625f7b5c2eb63547e523677e8e05b6ee61946015f24673

Download Submit
C:\Users\Admin\AppData\Local\Temp\assw.exe
Filesize
5.9MB

MD5
854fd4702abdb00abd64bb7753ecdcd3

SHA1
e9c04ca59c659667077d2d66f8be3013ca7cbe07

SHA256
7313c00252621065ae0886aa5a834f8f8f6d167fc2b7572e3a93b5c068e05bac

SHA512
06b066392eb6534f184e7f4059dd3bcc3e3a44df77ef01a45bc5a5f336f00e9b828e1a0d7b0a655233497fe81c8057288d766e3bde0db9b16c40c8b88fb3bfee

Download Submit
C:\Users\Admin\AppData\Local\Temp\awoI.exe
Filesize
191KB

MD5
4b39ccd2847330ac2f0d303801c8201d

SHA1
2e843b6dc9ebd41af8864822eee6d23f99305aca

SHA256
1b78ce71ea135abda955b03192da73d01fe3251a9c284c0517aaaea3b199ff86

SHA512
b03dc11796e62da1ab2de57eda2d0d6c2c776e1f057bf0bc5dec9bdfdbfa3841590a58f0fb05cc5ef4568d461e7e0f1426607da1610c7ef19e2673922f9779e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAAE.exe
Filesize
184KB

MD5
74c98df91ddab4a78f793e512eb7300b

SHA1
96f382134a0907a810e0fee6f45c0435ff3acef1

SHA256
5e725f5dc9f9b5f8775ac165a60162270e73345ee0d28d2ea1bd8a28edff0212

SHA512
29553ddb1025e1a5aa386cf0cd0d6c241d10ce0079f4a6b73bf9b085505181a86977436b3cca005d62c321b58384f79004bbddd3a90b4ee7828b373810e8788d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cksS.exe
Filesize
196KB

MD5
1bc32eff451a710ac8d756834751bffc

SHA1
6f0f51cb04fc02f64b6a6794241164330b709432

SHA256
2efeebfe11cb56bd2bcba682708451d3463502ca16cd220c86ac66cf1e1bf980

SHA512
b46ff216ace80009f6ac8a8ef9a6b71f717017d7f1b0f6e3760b82d503bcff92a8b3f4b204ca2da8ecdea0dd4f9036cab0a6c553a2c34573da7cb15ced65f7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwkI.exe
Filesize
261KB

MD5
ce4151317ea5228e694971906000944c

SHA1
601bb841da88d29b8ef49322cc12673c5eeea1e5

SHA256
be21ffeef6202000b60b6d3558762add3923e9ecf042fad2596a1a1dfeb426d5

SHA512
1dc348337bd07704487c352dac1b4f58ccb2840248c47a243afc49b5f391328e4e5a678df39cefe98de8b0f536e7b1dc68c274f438ab42d25c33ad7be930926f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMwM.exe
Filesize
198KB

MD5
a198fe51fbb1b314465f92aefa615851

SHA1
ccd85affb6507c52adec740966bf10795a33d340

SHA256
0b0a9076aded90d3a2c1bd50058d5a8c7875080ae104a69aed7db804ef329f0e

SHA512
7df741c688267190dffaa84fa9bc9b9d73f28751b1f1ce2fc0ca5d9651b5c6410e1da4b15367254bf3eb6bcb14823d29192f27444cb9c978d479d1fc3533c164

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewgA.exe
Filesize
195KB

MD5
82a1f52d0459a6d7f18155649431566e

SHA1
559ef3864ddbb8d4dffd87cfdd7c7c1ab41cc420

SHA256
6416843783777d627e368333143e488641779ad9d31286e6ff52662d6bc7ae66

SHA512
0ff7e05613fda482e7ba3595a0910f287627cdabe5213fac1d25a0aaddc9d6896525f0340864c2cd702c0bf3f2b46a77b77f04ef351c76a445576908f308a5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYEQ.exe
Filesize
205KB

MD5
fef34611f65c517e131aaf628d23c796

SHA1
f2a1c8cf2bc96bc28816221ee5faba187d915254

SHA256
578f2f2e58b474216efca561bcb9b209a51ea73aa041a34c92b368ac8e5a9974

SHA512
0c7fc19c0b115c3f247eb68ec2228f28c3d367a0ca594409565d215da2c43be57e54e9bd761f96cab3d5306e8bae59fb2591ec7a6951b1999f20804513a96016

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYwu.exe
Filesize
208KB

MD5
82936606f3d31902d7e744bbc0878a1a

SHA1
ef1f152108a7590ef625d68cd854110bf6464ddf

SHA256
782a307677265eb48b5867eda6944b143e1c8ff9ce1363640ed3fdbb9591c899

SHA512
1dc0622a538769d1c9d26102ec94ad5382217e39c37fc0e321800c5ea31e48a17767f71f430078dd97ca80aa8f7b00090922b5c71e3b02752211d0cb609fc0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcEs.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggwi.exe
Filesize
1.1MB

MD5
ca40b6bacfa30b6e99cdd59444bcf38e

SHA1
1ea29c84c990542e3b7b44a785b8c5121eee29e6

SHA256
62a68ad97fb8608a7b68fe5e2fe45f701825848e1f38a838a6503c4daac52895

SHA512
9a25123ed2afd9329ba271254eccdba38977243e2b26b8a1676944047ced386d0a05b11b1ac294893c002b844e14b989413c9c0142082b7ade3e1d1a4c9a25d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwwg.exe
Filesize
188KB

MD5
c7d4703cf35378ba18648da1e095ab0e

SHA1
ab9c4d53613f0072ceba5c56b796dc725316fdd5

SHA256
6d55681310c86f8886207da6189d38058694b35f7acaa1dc396f14e95495183e

SHA512
f66ebfa0a27b1f16ce39b56166ff3d44cf30426a2c0eaed94563e21b14e09585e8c1c908577a67b1452d2de25b55bf97fbe5b6e49b528201dcdd13bdd937f895

Download Submit
C:\Users\Admin\AppData\Local\Temp\igwS.exe
Filesize
192KB

MD5
0aa6a4726e8b5a0fc19124c0c177ca03

SHA1
780a2fcbca4065eec914d210050c840fbc7739db

SHA256
9b83e586896d0f159a88ab6902411cf7768219274b436fbae31686e8cfc2def0

SHA512
ddfbc37f2088306240cd4cbc81db6b7c68b835adb787a4b658dd59fdb95d6d3b9b2433734cbde56713c8ed3da92d58153f2db9fc3aa710e2a0f983daf4aa5566

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMoS.exe
Filesize
194KB

MD5
883f1e6c9bdbad078e2cb6e7075aeb25

SHA1
e98d690144e997e73bc7e62823fb9eae85ace9c5

SHA256
4fd0f1862fae1f60db66415857edd59f447f02998e273771f0b308f69cc4f3f1

SHA512
60e8c05ffe903252fb350d0918f50ff00b777949d81cf3285a110d6c6398f9477105874c8c482a905a059a211a67e67fd1bc3f3243606f84393309d97dd6c29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcUk.exe
Filesize
203KB

MD5
280d5887d14c7dd957df137c293b8f21

SHA1
ee4b0ca2dae9e28d744a8a8e6200b6f6684d2593

SHA256
6f3e5d1bb963bc522ffc58b042f996eedde63634142b1b4c47b9c0500a068eb3

SHA512
feeec9b563fdfd03ab46ac1d7bb95f924d0733cac3aa68cf4d3892f3416ab14bb6ddedf35a54c64b6fc576ed5d0a3b61bedf7be65bdc73901c4c23515604177f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksIi.exe
Filesize
200KB

MD5
775018301799bcd21bd3abc59374635c

SHA1
7e29bd21683fbbc9a5f06befd7a6e769777770fd

SHA256
60727520f3749ae6c70477f85337697a1cfe0816effaa820bf78f42825b8f144

SHA512
2641dc31021c82494b0c3fdc4d34d7c6ede1585e50e7a0e494808786ff356d73c6939a496cc19b3efc95dfa31d992cc28bdfb2d9bbfe7f736071e37a0e70f014

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscU.exe
Filesize
203KB

MD5
8ada796f0121dbdf276299a535d95720

SHA1
67b942f9931a0ec7ae7b4298b5ef61fd33f66f8f

SHA256
ccfe6e7988df425120267c72c027e3ea9957f88c1353b6408ef9e3fcde3db7bd

SHA512
4d7025f26e0d6223e8f2ce5aea2da7d44e1272ce10849b27c1d8c40170fddc65fdca834a50b4a61a968b95e98c841ab224ebcbfc0402639cd057fcc102b5e313

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgc.exe
Filesize
228KB

MD5
68672cf83aa944113c2afbe067e86d8c

SHA1
1e1da246fa2c4f0f7bc3fba68417c8a2e0cb8814

SHA256
71e9ba20484572e889fa554e5e2fecf3e9554190a223eb2c2f852836386bf3c4

SHA512
c648052776893c8ecb026bf90e5b61e0c84ab8e2f982efbc459044defe4f8e1400185b59e04ed34896e264c2cc23e1f7ce234ab3193b3225a4d192962fb8fec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEka.exe
Filesize
205KB

MD5
bc69f80880f0dd8593525b8ffa852b1a

SHA1
9455cc3975b074bb92e1e28115b4fe364939ef59

SHA256
7c4e54c7549dd6e53cb2c828448ed7fa6cfe346f47ec1a535112da8611013e56

SHA512
0b96f015e7a78dc567c0a3d001c5f850d54eaf1550c8eb288b0cb7d7e017dd6014333e1b2dcca4908d35c244382b9187ab2b297e670d71508be8bded46af98c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocYI.exe
Filesize
187KB

MD5
9c30cb2950a8705dc8be9f0274ee4cfd

SHA1
e46db477de23a817b5a69b0b9667f4624a2c58e1

SHA256
668e3e646c14f5984fc6c07bc7271f76227762213397f8382d06e5c7b7eb66ea

SHA512
cb1390dd8d1ae646811d5e2cd7990d27d65945e13a961aafbb7893a3f97ea78cf18a7d6d5e779a639692cd97e6f2305717cd49a9d906a2625fd7bf99e56641ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogoI.exe
Filesize
425KB

MD5
3a6ae0584085cff5142fee39e977de36

SHA1
e9dbd142e24416a7270f255e9e611ee9640d2559

SHA256
0b2dbd5e4600c555ca67c2d851dd42e96256cc9e7c8c9098d92a62eeac260204

SHA512
bc1e6b13131493586b62972e4a2d9aa5934c4292ffdc62064563c8c8882a711844d9a71a3271a242b53217406e52d1f7592cfe48555def0aeb1b47295ad2d67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oook.exe
Filesize
791KB

MD5
049484f92c05a247b9a9e847d993da68

SHA1
ce290b90d5412639d1076f63aaa59be67b26333c

SHA256
42b0907d7c825c100d4ed0d3e3e817285c527c544c702ca669a39d374886e937

SHA512
e55140af222f4ce47d08f87b826e766b50ae28281844ae9008a4c047385c1c1ba5f18f40c003b8e9adcd90df81da3754445ca2352c658dc2c49ba56588d82af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUUI.exe
Filesize
322KB

MD5
6c2cafc3e5129232565af7ad7b334fa1

SHA1
582a94795e1e120fcfbacf13f60fb8f9bf5114b5

SHA256
007ecc6edf122b747c4aa3bdb94cbbbbff907a72fa3e0655e5f4154ed1bad6f0

SHA512
9ad00428ec885be011907fa03210ec0e116feb80527c9c5ef9de4fe977c7ff90b9efd79fdeb8cb2119a52899af2c8800c41cb8702fe58ec74f71a904d245a96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAoO.exe
Filesize
321KB

MD5
27579e70971e3a33f7f63a2931281660

SHA1
4a477f62217070d9f7fa9eae124ad96a7daf3f41

SHA256
07a23576af16a3733319a9be650f02981f986eec2b7bbad5c8932f86d6df9726

SHA512
390ed2f1a7d11956369cc9388676349eaa69c8ad7b636fa047969ab6d87c027cce4f659754f1bbe63c76da25e3e6a7e588bde5f680db50377b28f2f64f57cb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIsq.exe
Filesize
194KB

MD5
6a5b47504043b92fde6b3679991247e7

SHA1
7f4fbab83fe78cbaec79da21ea01c71d3878764d

SHA256
5e1dfaf52e99d74f919437666b290f73eb7fbe30bcdbab23a27c96b2febd966f

SHA512
400e2e55bcafe9fcda87ce538a98d56f6ec513fac4c03d023f83420008a5b52a76d4b8330b9239caeecf74d13f2a2525227e7e5ff6e7649b5b79982c5f62bd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMsE.exe
Filesize
1.1MB

MD5
f5db6580dc811b0d8b7a70aabac9c021

SHA1
eb090dc5f649a9a4a46fe355b6ceb4a1e90bda38

SHA256
17ccbd23c8bd88f0914669af7412760ef8514636e29f8594bd13400a61f8077b

SHA512
0910893488c1b3c896d05c2fea4705af93f8c0e3d8a476c21c47948a79a4e80c8ed4522578ca4ca864c2c99493366f73fd157ddcb594f7b3ac880ac9e0b5f842

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUQK.exe
Filesize
606KB

MD5
3dc9a02fe5e76e25dd854f01c8ef6e5c

SHA1
e3dd8db4ecb2308a36907b9243dddd4afbb7d346

SHA256
850d09dc4127cd5f4b330ae60fcb7c8ebbfb4a444381758eee590305a8157e17

SHA512
4a9b545e23b1249cb3acf33305b7bd980a7ab1d05279254ff813678c4d79f35385f99b6098a0fe335bf7aca26fe6b80af6df97ffcaae2fe33513c0b359a3c4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\skIg.exe
Filesize
843KB

MD5
98bc453e3caff4be6cb381ca44bbf425

SHA1
b21b0d961605843285836c89a43651187225df55

SHA256
0be029f797fad51a2fa0e7532f66a6ed7e5bd7b3c4a155c9366a2507c135afd7

SHA512
3a24925af6c957dbe4e0d40ed6662a6fbe104915bee911735b208d367cb14fa441899b2c07cb2db4e2ec2084dfe42f5690061f1e6a5293b06357d3901a2d5e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMMU.exe
Filesize
228KB

MD5
282d289e68947822bc42ab54e8edaa56

SHA1
33bc6a89de10ba4c696c12c5be64324c24982d40

SHA256
4cf0c8dfd8195447b2984aeef8c643be17e0ddee827c473b0706d55a2f1b9221

SHA512
5ffd3c171fb3f8c1e1365832bed6dc3c475f3b69a0f277fefbb1ad6c074c1e3d372f327f6783fb390fff28969358114328dfb50e7b7d8e37fa51e60565ca14f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQkY.exe
Filesize
5.9MB

MD5
7a53489d70f92c6109c16887d2b69a7f

SHA1
7b21204923ed05095686d7609347c67f0944a4ff

SHA256
3f922f718cf966ab06ffdc75da95a6aeb6d8cefbc3adfdae3387778e96fb8657

SHA512
2fdf944f8baf8db053727be362b4bd1b0726e769ac2f41547853fd25ea33f73d3ef65a44774b71c89f4670b44d81ce0bbcbc6533242c198ea99921ebe2c3a6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwwo.exe
Filesize
200KB

MD5
851667a19f6ac44705cf9b187ece9d3f

SHA1
a72bb677a9287e98ed003f7b8bf6c63b4dfa87c0

SHA256
8cdc95ea26b00a9d6b75587dc46913eb8c9170315715da15147f97ef91ed901e

SHA512
603f03757b17c51ce990a28ee262f8263727f688a3068cfd6003c87058910d1b3665b70d80c2dc25e169f0d53acb95e4da1520ee7fc2997576d84a8b3c2f02f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkQi.exe
Filesize
197KB

MD5
233c581e15d5ef7743717e7dbf6ecc16

SHA1
685fa65c2f441158911bc69f20058bd95c4a9611

SHA256
f54c65e05bbb7abd1e2eff5ae9b56a7778d72b6b5e84207797852cdb43430a71

SHA512
381a9bf6b91b178ffe1b79ebbb6a4fa89f8b3db30ebb40148e7d428e67fdc87c745ad227323498d21ed05df081408c76e707d783835da791466494c6ced873eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkku.exe
Filesize
192KB

MD5
bfc9be45c49e8c854ec761be3d4f5b83

SHA1
33e55f6334435f547f68a2cc0c8efa75bcabf208

SHA256
1f277c177dd0f09d77ee056923029840055ab6d87fe8bc65b1f18030fca64267

SHA512
939647ef4d26ab7f3c5e8a1cc2a3f29751f941e5d5246f48d45939a90b8058b9c6a8b2ba4d796bb29c5cc74e8f748b84ab56bf6e8a0a5b187bb69baa2a7a4df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\woEu.exe
Filesize
198KB

MD5
e0c80773da5ab8e186e54b702a2d9a1a

SHA1
fddd9e0d1efcced75aef9df4bd7757085720c4d2

SHA256
134b1e64dd5538c1f05201181f3b5dcdddfb4c7605973636f605e58e71b6cf65

SHA512
e0c3221dafb303b50e0d85b8440f9daadbab678b38edd727eb0298665b830c3507d2742f9947ca24ed072403b80fc4fb650fc166cddec57ef9eeae97be46c4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\woMm.exe
Filesize
701KB

MD5
bce9ac27c26d3c4a01f1eb53d104a4ae

SHA1
f49833c9dc4139b8cdf1f0da9f35eee9da4ff49f

SHA256
d9ca08d74bc638bbdb8bb1e24e2e7e17bb425819c029ee0556d41a1e4349974b

SHA512
9e649affef05927588d7bca44b0ea8afb1897eb866c374c67bd62f5c561cf6d890c6be54ed51a5b177e0ba109f523722f936a744b23bf20c5188ffa4cdb01101

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsEk.exe
Filesize
698KB

MD5
eabd21808126e13ff76737f1b3bddc10

SHA1
30345d8336876603bae424e20615301857e68ec9

SHA256
5db6ae6801cb74283f34930640314ee90bac7b0efa0d5343aa2bde38b9d9c85d

SHA512
e27b872a793a254b0031870402f45fc18623044d6c575b1247bd0c897df8af4159d76816d6b10fb2214d412d9a2124a8bcdad7cf501837646279ca2e67d776d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMAq.exe
Filesize
186KB

MD5
b28128e122316d168893cbb91615b1d3

SHA1
06bdc66a525ab0877a492f094b9cdb77d34cc493

SHA256
a299130153e624601b1299c4cabdd16adddeb7b5e7fd957b134f5dcc58fd5a5e

SHA512
9db986e667367487d7346ab420a34600514a970b0df9acb2b5fe30b7973cff981706c23a7455d49482542c0f96950424565992afc63f7fad532e9e69d378e70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQkS.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygok.exe
Filesize
181KB

MD5
685606b9cdc95ce8d4b26402dde77026

SHA1
73e294556373d3570ec88d14ca30606abe72ba19

SHA256
cd414936ba5109fb5956f173d9c01c4bfb41dbf29f6da143819fab71a0fe949c

SHA512
0a117caf47b51d67b4c9e4cf7898508aa863caae42da493ff72890cd661dc314a53819916553e28ba6772d4a565e89bc5e2f2d4f854a2631641e16288a83bf3b

Download Submit
C:\Users\Admin\Music\ClearSwitch.wma.exe
Filesize
1.1MB

MD5
27b64666fe5d94516f348f1163115b89

SHA1
fe05f3151dd3df305192f83708db12d0dcbb774b

SHA256
1fc9a1b07fe266e4a8778002277f68d78780b4f9c7e412a7a99a53994736143e

SHA512
0c397fc2b4858e9525f9d9ef4b1d8c2c574e6bdec8e9d08c140596dba5af4da7038bc0260f4b995410c15924dc8cb4fb38f5d8dfc207dcdde079a80661db372a

Download Submit
C:\Users\Admin\sOYkksAQ\wgkokgUk.exe
Filesize
192KB

MD5
a6ba39b88026d54ba7902d9530f45222

SHA1
3d223ecc2d54729886da588e762f0efe2e282fe5

SHA256
c1bf093f69b9f8fc39d426337c566d8502e7eb69fdb97cff51f067cb6e52f0cc

SHA512
1fd970f57f2409860425452792fd8dd726e64d91ee20417aa04b5b9ae5e8642a0d31036dec65a62e80be4ed349e9c73515c65ac302c5bc23259a5144a962138e

Download Submit
C:\Users\Admin\sOYkksAQ\wgkokgUk.inf
Filesize
4B

MD5
3317840daa59f56334af56cded14a7b9

SHA1
544afdf46288b519c8d23ca4b1d19fa39e0d8cb4

SHA256
f45bf37ad50d42f2e799dc56c48a55fc63c7395fe78725cf3485e0dc9d414545

SHA512
1d113099afe26f4424d527eecfed609b6ce2a284c26beb70920e8d76646c6bc4eefd61437cafbbb93cf045abfcb8f1944917041771e415f76deb2b0ad42630a7

Download Submit
memory/216-550-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/216-538-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/228-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/232-475-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/232-486-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/432-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/432-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/432-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/744-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/744-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/876-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/876-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/936-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1104-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1104-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1176-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1176-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-508-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-522-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1444-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1444-422-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-568-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-578-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-580-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-587-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1780-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1780-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-529-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-541-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1872-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1872-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1872-523-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1872-532-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1904-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1904-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2248-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-567-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2324-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2396-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2396-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2416-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2452-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2452-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2668-491-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2668-503-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2676-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2952-476-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2952-464-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3036-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3036-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3580-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3580-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-165-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3708-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3708-423-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3724-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3804-512-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3820-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3972-105-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4044-458-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4092-495-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4092-483-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4108-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4108-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4108-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4108-190-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4140-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4140-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4460-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4464-156-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4464-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4544-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4544-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4688-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4836-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4836-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4872-440-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4928-559-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download