98d75a3c50e0f29b199a323a902f33a65bebe169a6532f5d2569e93289a1f654

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
Size

117KB
MD5

b6862b585b36fabe2dfc59188bf8cb07
SHA1

7c25b7b864b2f5fed4f9f916664fe0446e27b797
SHA256

98d75a3c50e0f29b199a323a902f33a65bebe169a6532f5d2569e93289a1f654
SHA512

b6258a0b4ce28aa8b15d83b9369e5d04533d0123a0e0823bdbf71908f5dbdc3383fe649bd9cbbae1cc472f623b852d4bd5075125d1bedaac3b12366912e4b59c
SSDEEP

3072:LcCzV5J5MeC0hivrhYtrS22tUb0XqiMa9mSg:LcyIYhSYlPQXP8n

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jYAgUUsU.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	jYAgUUsU.exe

Executes dropped EXE 2 IoCs

Processes:

jYAgUUsU.exengoQUEoM.exe

pid process

3416 jYAgUUsU.exe
3572 ngoQUEoM.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exejYAgUUsU.exengoQUEoM.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jYAgUUsU.exe = "C:\\Users\\Admin\\TKgYUgEI\\jYAgUUsU.exe"	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ngoQUEoM.exe = "C:\\ProgramData\\baIIUAwU\\ngoQUEoM.exe"	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jYAgUUsU.exe = "C:\\Users\\Admin\\TKgYUgEI\\jYAgUUsU.exe"	jYAgUUsU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ngoQUEoM.exe = "C:\\ProgramData\\baIIUAwU\\ngoQUEoM.exe"	ngoQUEoM.exe

Drops file in System32 directory 2 IoCs

Processes:

jYAgUUsU.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	jYAgUUsU.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	jYAgUUsU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
396	reg.exe
1536	reg.exe
380	reg.exe
3196	reg.exe
792	reg.exe
3600	reg.exe
4520	reg.exe
3488	reg.exe
2976	reg.exe
740	reg.exe
3740	reg.exe
3580	reg.exe
4748	reg.exe
3108	reg.exe
4928	reg.exe
1688	reg.exe
1084	reg.exe
3224	reg.exe
1360	reg.exe
3148	reg.exe
836	reg.exe
2240	reg.exe
3476	reg.exe
3656	reg.exe
4820	reg.exe
700	reg.exe
4592	reg.exe
2192	reg.exe
1740	reg.exe
3528	reg.exe
2096	reg.exe
3320	reg.exe
4232	reg.exe
3036	reg.exe
3304	reg.exe
3160	reg.exe
212	reg.exe
3236	reg.exe
4424	reg.exe
4164	reg.exe
2288	reg.exe
612	reg.exe
3092	reg.exe
116	reg.exe
1996	reg.exe
1864	reg.exe
2176	reg.exe
1944	reg.exe
464	reg.exe
1524	reg.exe
4340	reg.exe
3060	reg.exe
1076	reg.exe
4776	reg.exe
1572	reg.exe
3868	reg.exe
4884	reg.exe
3344	reg.exe
3908	reg.exe
1604	reg.exe
4256	reg.exe
2556	reg.exe
3708	reg.exe
1000	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe

pid	process
4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2632	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2632	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2632	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2632	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
3024	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
3024	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
3024	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
3024	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
3524	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
3524	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
3524	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
3524	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4560	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4560	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4560	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4560	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2444	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2444	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2444	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2444	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4852	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4852	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4852	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4852	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4908	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4908	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4908	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4908	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
1920	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
1920	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
1920	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
1920	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4340	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4340	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4340	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4340	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
1688	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
1688	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
1688	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
1688	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4912	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4912	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4912	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4912	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4992	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4992	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4992	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
4992	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2472	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2472	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2472	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
2472	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jYAgUUsU.exe

pid process

3416 jYAgUUsU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

jYAgUUsU.exe

pid	process
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe
3416	jYAgUUsU.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.execmd.execmd.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.execmd.execmd.exe2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.execmd.exe

description	pid	process	target process
PID 4044 wrote to memory of 3416	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	jYAgUUsU.exe
PID 4044 wrote to memory of 3416	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	jYAgUUsU.exe
PID 4044 wrote to memory of 3416	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	jYAgUUsU.exe
PID 4044 wrote to memory of 3572	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	ngoQUEoM.exe
PID 4044 wrote to memory of 3572	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	ngoQUEoM.exe
PID 4044 wrote to memory of 3572	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	ngoQUEoM.exe
PID 4044 wrote to memory of 2784	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4044 wrote to memory of 2784	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4044 wrote to memory of 2784	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4044 wrote to memory of 3720	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4044 wrote to memory of 3720	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4044 wrote to memory of 3720	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4044 wrote to memory of 4920	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4044 wrote to memory of 4920	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4044 wrote to memory of 4920	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4044 wrote to memory of 4908	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4044 wrote to memory of 4908	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4044 wrote to memory of 4908	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4044 wrote to memory of 3252	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4044 wrote to memory of 3252	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4044 wrote to memory of 3252	4044	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 2784 wrote to memory of 4052	2784	cmd.exe	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
PID 2784 wrote to memory of 4052	2784	cmd.exe	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
PID 2784 wrote to memory of 4052	2784	cmd.exe	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
PID 3252 wrote to memory of 4896	3252	cmd.exe	cscript.exe
PID 3252 wrote to memory of 4896	3252	cmd.exe	cscript.exe
PID 3252 wrote to memory of 4896	3252	cmd.exe	cscript.exe
PID 4052 wrote to memory of 3896	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4052 wrote to memory of 3896	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4052 wrote to memory of 3896	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 3896 wrote to memory of 4940	3896	cmd.exe	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
PID 3896 wrote to memory of 4940	3896	cmd.exe	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
PID 3896 wrote to memory of 4940	3896	cmd.exe	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
PID 4052 wrote to memory of 3560	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4052 wrote to memory of 3560	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4052 wrote to memory of 3560	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4052 wrote to memory of 3292	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4052 wrote to memory of 3292	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4052 wrote to memory of 3292	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4052 wrote to memory of 4768	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4052 wrote to memory of 4768	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4052 wrote to memory of 4768	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4052 wrote to memory of 4812	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4052 wrote to memory of 4812	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4052 wrote to memory of 4812	4052	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4812 wrote to memory of 4776	4812	cmd.exe	cscript.exe
PID 4812 wrote to memory of 4776	4812	cmd.exe	cscript.exe
PID 4812 wrote to memory of 4776	4812	cmd.exe	cscript.exe
PID 4940 wrote to memory of 4636	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4940 wrote to memory of 4636	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4940 wrote to memory of 4636	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe
PID 4636 wrote to memory of 2632	4636	cmd.exe	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
PID 4636 wrote to memory of 2632	4636	cmd.exe	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
PID 4636 wrote to memory of 2632	4636	cmd.exe	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
PID 4940 wrote to memory of 4200	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4940 wrote to memory of 4200	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4940 wrote to memory of 4200	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4940 wrote to memory of 1000	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4940 wrote to memory of 1000	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4940 wrote to memory of 1000	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4940 wrote to memory of 1608	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4940 wrote to memory of 1608	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4940 wrote to memory of 1608	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	reg.exe
PID 4940 wrote to memory of 1084	4940	2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\TKgYUgEI\jYAgUUsU.exe
"C:\Users\Admin\TKgYUgEI\jYAgUUsU.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3416

C:\ProgramData\baIIUAwU\ngoQUEoM.exe
"C:\ProgramData\baIIUAwU\ngoQUEoM.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
8⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
10⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
12⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
14⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
16⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
18⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
20⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
22⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
24⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
26⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
28⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
30⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
32⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
33⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
34⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
35⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
36⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
37⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
38⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
39⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
40⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
41⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
42⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
43⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
44⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
45⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
46⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
47⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
48⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
49⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
50⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
51⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
52⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
53⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
54⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
55⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
56⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
57⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
58⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
59⤵
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
60⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
61⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
62⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
63⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
64⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
65⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
66⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
67⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
68⤵
PID:1536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
69⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
70⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
71⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
72⤵
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
73⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
74⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
75⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
76⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
77⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
78⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
79⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
80⤵
PID:4744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
81⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
82⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
83⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
84⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
85⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
86⤵
PID:1552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
87⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
88⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
89⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
90⤵
PID:3236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
91⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
92⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
93⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
94⤵
PID:4024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
95⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
96⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
97⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
98⤵
PID:3096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
99⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
100⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
101⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
102⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
103⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
104⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
105⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
106⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
107⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
108⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
109⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
110⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
111⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
112⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
113⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
114⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
115⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
116⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
117⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
118⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
119⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
120⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
121⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
122⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
123⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
124⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
125⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
126⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
127⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
128⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
129⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
130⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
131⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
132⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
133⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
134⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
135⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
136⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
137⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
138⤵
PID:1784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
139⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
140⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
141⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
142⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
143⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
144⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
145⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
146⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
147⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
148⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
149⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
150⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
151⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
152⤵
PID:3912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
153⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
154⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
155⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
156⤵
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
157⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
158⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
159⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
160⤵
PID:3852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
161⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock"
162⤵
PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:3292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eioYgcAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
162⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hikkwkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
160⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:3108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:2900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUEMYIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
158⤵
PID:3280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:4860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkAIQYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
156⤵
PID:4536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:3852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TasEAoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
154⤵
PID:2924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqowgMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
152⤵
PID:3748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
- Modifies registry key
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeYAYoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
150⤵
PID:3660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies registry key
PID:740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYkYcAoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
148⤵
PID:2244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:4164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWEcYUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
146⤵
PID:4804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmsAowQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
144⤵
PID:4336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:4188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmEIsYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
142⤵
PID:184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
- Modifies registry key
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgEIAwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
140⤵
PID:2240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEAMgQQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
138⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:3600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:3076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISUcEwAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
136⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaEUwAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
134⤵
PID:3560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:1540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqEokQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
132⤵
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOYgwcYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
130⤵
PID:4844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGckkQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
128⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- Modifies registry key
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWEIMwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
126⤵
PID:1784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmkcAQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
124⤵
PID:4028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:3696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
- Modifies registry key
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAoIwoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
122⤵
PID:740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQosIwoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
120⤵
PID:1668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:3244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kakEQUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
118⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- Modifies registry key
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAoYMoUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
116⤵
PID:2636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWUQAUks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
114⤵
PID:3696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:2376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:2896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViYkoAoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
112⤵
PID:4368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEEcsIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
110⤵
PID:1780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:3596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaMgkAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
108⤵
PID:1140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:1084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoQkwkww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
106⤵
PID:1360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
- Modifies registry key
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myskcQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
104⤵
PID:4368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuEIIcUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
102⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEwgsMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
100⤵
PID:792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqQAwQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
98⤵
PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
- Modifies registry key
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCUMAYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
96⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:1864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKYQEkQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
94⤵
PID:4696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWccwYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
92⤵
PID:3320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:5064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
- Modifies registry key
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsIoIUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
90⤵
PID:3032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- Modifies registry key
PID:3344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIAYMAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
88⤵
PID:3744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- Modifies registry key
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoEIYkgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
86⤵
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:4588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOsoEggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
84⤵
PID:5064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
- Modifies registry key
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSMQskwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
82⤵
PID:1808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKQEkAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
80⤵
PID:668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgkkIskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
78⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEswkwMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
76⤵
PID:3856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:4420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
- Modifies registry key
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIckAosk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
74⤵
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:4860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWMMEgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
72⤵
PID:1972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMAkYcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
70⤵
PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lggsAAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
68⤵
PID:1920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeUQIIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
66⤵
PID:2632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGIkEYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
64⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEMEAoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
62⤵
PID:4136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- Modifies registry key
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgYUwMoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
60⤵
PID:3896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:1360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
- Modifies registry key
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vggkoQUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
58⤵
PID:384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:3476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcooYoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
56⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laoksIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
54⤵
PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:4388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
- Modifies registry key
PID:2240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqwgMMIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
52⤵
PID:976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:1604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAwAEYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
50⤵
PID:3908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSIIAMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
48⤵
PID:2356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAwAMUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
46⤵
PID:4696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:3320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUksYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
44⤵
PID:4188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:3896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEUYEQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
42⤵
PID:3256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Modifies registry key
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkcsIcAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
40⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwIAYsYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
38⤵
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:1780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAAYEwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
36⤵
PID:316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUoIUcEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
34⤵
PID:3908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:3148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:4480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyYQEkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
32⤵
PID:212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOkEsYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
30⤵
PID:4368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
- Modifies registry key
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuUgEUkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
28⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
- Modifies registry key
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmwQwQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
26⤵
PID:400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jokMwgks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
24⤵
PID:4168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWYAEkog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
22⤵
PID:4040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiEQIIAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
20⤵
PID:1140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgMcMMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
18⤵
PID:1776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIgkUgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
16⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- Modifies registry key
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEIksIIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
14⤵
PID:3144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- Modifies registry key
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGIoQsEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
12⤵
PID:3732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkAgEEwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
10⤵
PID:4912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGkIkAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
8⤵
PID:3264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIgIkUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
6⤵
PID:1084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwcAsQcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oacgEkEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4896

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
153KB

MD5
995e22a89560ac0790b27e491250d3f5

SHA1
86b8e8ffe8253b9dfe1604fe5dfdcb9e4d73c469

SHA256
173f91f666a6c4145bf66fd46c0dfacd2b427a54af1aa4900c75b268a7b3644d

SHA512
8a7aaa07533aa24576ff200b3761c0c90deb9d7145d17846d793fe2b0f67ceee82ebc0450d0a38ffe966b3a76ea186973f83981ea43efce07407ff0a3c76ad9b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
139KB

MD5
eda9e91bf639bcb1059bbf240e156827

SHA1
4da2783307425684c1038732d1ff9a6fd530d5be

SHA256
ce91b9a50fc746d48dc897176dbc6a912059659432d3b981b2995ce7dcead2d4

SHA512
4416cbbf837694f5c819d00894b30b26e3efc97c003becd3313613b04dc8406b8e4c58f2f5d0f905b9e97acc650555c155a194a82332bd0efe4980782cc1cc0a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
237KB

MD5
001a3a2513be17f99fc020aad055fad2

SHA1
6ca5e0204b2767d7595c2ea201357199cc512659

SHA256
ba04f7c66880b93abb2863ed724d83086405daf4ff8d54be69ae06f319e9047d

SHA512
1d7e1cfd74fb7f527b24f2c8386fa2c347387864478263ae5f051c8992e0781d0a5e65a8f37e51380c6dff497f429cc107690ce5d13032a3aaca9c3f59743196

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe
Filesize
110KB

MD5
9044a7c0df1cb2882afea6c6c9d40bd9

SHA1
138bd1649f4cebb0af927406aa9e4fb226b4e0a0

SHA256
14d20312d798c9d33d52a17c4631e8bf70ca6c155e6d826b4a414c27da050ede

SHA512
2ae9f9779e4dc102c8a2a4461d6e596ff4c61ac0fd1a409d0b3502d4076f47ec343b7f1272348e211ca7b98fbaf0be1776fec2fb907953be516af89a6c1946ef

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
722KB

MD5
bad3eb09e4edc9475e05fa1a4d20f1eb

SHA1
dbfedc421dd9355fd947ff07022ea59f841829d5

SHA256
857cb4a215ca4552065f73f9b9e6cda26bb206e434015e76b9efde643c135b60

SHA512
5873d1de06f9169c67419d1dbb5b5b18ef62b24366fb7f73bfd51a5cc84cd7e5fbd56eb593145c08246b3117cea8de60bed5eb1496a0731cd0d469e820eb37f7

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
555KB

MD5
feda64325f2447aa37f2108e1ab61a9d

SHA1
0a24875d70ac83f61f60b2c8d0d29f39f14fc3b0

SHA256
ea0870af2ccf8befc3bcaca5381a1402488f772a68ec86ef66b717fdc942b7db

SHA512
c81ba4cc22470339463bbfbbf782f40b85417c8ea15c364a8c690cf249cec797d78ef6464e615b92d1611af7c831fa71eb43069edaa5398b53923bd40b604acb

Download Submit
C:\ProgramData\baIIUAwU\ngoQUEoM.exe
Filesize
108KB

MD5
1b2d296d896083779a4db33875baf89b

SHA1
2a40dc02eff89a591cc11807ca7f65505b10931a

SHA256
1ca6984150db0428c23f23e14dd0470a0345bf5c27eef0b4cd3f752e2923681e

SHA512
0057b4173dd76025caa60204cca51ee245f3473c6e6ca8588406c738a34c96780503b236125a06fed70ac492bc5e3c3992a0b0320e67a2159910cfc87d7ae4a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
Filesize
119KB

MD5
c16420ae592521c5fac1675463debe13

SHA1
8422f94be4e60f9261f778872f28d31fec16b9ad

SHA256
e3df31d0f6baaa0da8a503720d6b365a3634a0d018b8b0d7c707f7f14ee60d97

SHA512
352cf699eb43287f21706890ae01dc5f5e4a4b94b57ad067bdf820991b7d772bd42432f507656e9eb2526d77ce18e060554976994cdd38e32c4107441dd73cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe
Filesize
111KB

MD5
11b99201c81413cb390aa2de39246546

SHA1
0ad5519675dc51ecac4ff7e4eaab715542c12d11

SHA256
951c250de35d568b134a095e2d8b946098c72e06cb7b2ee1a76cf0f836062a54

SHA512
6280e7e74ea6189d5519ce400a0856261b51e8ca5d063ad29b18c53f83b1bade5bffa10989882d518fede52c124e3c5bce59568ddcc7ca58f4626d265e799908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe
Filesize
109KB

MD5
90d7c5a7951070355dda6f51727891ef

SHA1
2e03d7c6a431cef0c071817e8e07b635fb4a6fa3

SHA256
ebf29f5f7fa348c3f2507a01ecccf06ea861e546492029a938e240c9aad5ed1d

SHA512
52dac59adedc31087727db9025e960369cef53b4344f1da5167463b0161c63815be45e6baca600481fe32b0b23a8b4639bd8df164a4a02d9a440b40c720861f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe
Filesize
111KB

MD5
9a06b8e5ead6fae04aa8d69dc8877d44

SHA1
a5e8896b15acef150deb4ba64f0e478c058b2b23

SHA256
2d1d626db7f696dbe346edd94fff85f401d3de2f20d3b183e5ec1c95ed68a478

SHA512
44ec1b93f2f9d01f50e42b7a396695b0bd85c10123ebf68fa3b42d6d860531963cd3fd713ca59c229a4f06d60c79428c17cf0424af05fd97f858d795c7828ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-25_b6862b585b36fabe2dfc59188bf8cb07_virlock
Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAgq.exe
Filesize
1.4MB

MD5
05150299f595a57e26dbd9bc640efa38

SHA1
fcc1df459a2a887169c3d49466c56601f0564072

SHA256
ccf4c0709774129768a2b8f27c9d98e66b32d712efcaeb40e1ccf4425235ff1f

SHA512
55609992dec9f9e0b5258deb95137811522605878ef9d4c07685c0d334762d7d746ff97f8a0f43a82a8a5ea9cba141fbc238bf947083fbc55c738435a6827da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAkk.exe
Filesize
119KB

MD5
e10d85aed8fba74c31964946201cfeca

SHA1
420ddc49538924a399720e5598b39163ece645bc

SHA256
849376771771c7d6d989f1245b85e84f704977ff8b612f66ded55539d55b53ae

SHA512
d946a10ef069d3dffa50d326a31b2b8c4227d7539d4d5fbcd93820b607bdeb7fea9640b14dcc41bd1a5196e8330f26c5f974c84a19cab1ebb2997f08f61c129c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEsG.exe
Filesize
113KB

MD5
0ffa0c9359cd7cc5f042ff624949ac2d

SHA1
646b021e13c4173eac48a03a26e7f4360d59d394

SHA256
27d2f9e519c46342366106352f97c87c25212ccb3ad38e98ab069bb48b8279ff

SHA512
84603d64445ad5c0edd616f56da5ae96e6a11bbcd0cd1e3e0b52ab97bba03a3a7cf78f3e9649dfdaf7a581f906d837e184a327adc1b7c08849e366b251e608bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcMQ.exe
Filesize
113KB

MD5
63c26bffd0b36453e8b8d70126b9b324

SHA1
2aecc881a34e60610d89d1901b0bf5cb0e1589b7

SHA256
3bc13dd999acd51469e1946c18b1b7034c1d036bece67204e0c65daca97036e1

SHA512
64aebad82a61fa31a7bf7f327cb3586d9a3fedde24373c94376c3404515a9c8b089dcef4d0997046e785d91e91c8db9ce4b3c48f59d034ad85715bd10b266273

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkAq.exe
Filesize
120KB

MD5
cc5230b7a47b63ac0e0de158df09ffec

SHA1
3c8985f3a121f01e6f5c7f5aea8f460e5da868b4

SHA256
a233310c725aabd15f22e014daaec9310723a9b25d8c70d8f8baf44447fea2f8

SHA512
618540b237a3d48e5994121c9ba5251b4217a90b8da281294e5dc0e2bde5d2bde5416e24d88406136edeb5ba915b2229d84b5015f029026fc0987d1288b54114

Download Submit
C:\Users\Admin\AppData\Local\Temp\AssS.exe
Filesize
744KB

MD5
cdbfe14a0dbdc64c6d5eb6be6841c21f

SHA1
c7deabc294db5ce5f774aa3dc6b4a7cec5ee7cb8

SHA256
13a1e8c42a832e7fb50c1388c083808cb90275f49ef6d32669874747276e8fea

SHA512
3a345fd19011a046e0b8cd310d9932dfe05ec84017300129fbc08d4792c18adf1ac3baefd84d4d88c3b0763d4f2cd29eb1a5b4790093df2a15d53073fc7ec726

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMoo.exe
Filesize
120KB

MD5
8076733309e0608cf775aa73f08222d4

SHA1
721cd84110e1e93e058e62079485cc291d5e5463

SHA256
8d875b582ec04de3fa4f805349693a26cae4f68512cf9a18726f02050a2f6d31

SHA512
d9bb0e71a79c1b29a8f21810c44d2391577951663bd2fd226af162b0293a0783372f22b295815793241d3155387777ad8955dd9468165cca171de34a38edc283

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYAi.exe
Filesize
720KB

MD5
cfbe9e81d51973f7aabfecb36a382ab1

SHA1
2bf64974770283bc044a688c125b21ec1896e375

SHA256
77c92d5515c00c518dff76502642c5854895390c566d877bfb0f5d43a012ecde

SHA512
ed6ce8e8d48559fe56aa464b7d9737d9086d1e8794a6b1502941ccd3215f2456c2faef280f9ce86771946e3816902f39e281ff9927adf7315c6a3714f4ace72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CccS.exe
Filesize
745KB

MD5
48db3640eb9379ec1f4470dcf950422f

SHA1
a830bd4e4510a803f8ee56fadbfcec9c8b7a7fa3

SHA256
30438e3753ea531e63f49a574d43dbc426b2c7813cc3e345ef5da7767cc8bee1

SHA512
1be99a7794d1af6d9525eddebcf0809560db9622117510434f586a4ec9afef29a20f74ce6dd87ab2334f0328444d38c614b19a63133d8c28b04c4c3a5cd974ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkcY.exe
Filesize
348KB

MD5
705150f30478331b0f35189b91ddd8cd

SHA1
f5dd7de6b18d512cb6dcbf3415c686e6e40ab0f0

SHA256
b175dab7e92b36cae2b7609ca1302ff023fc123fbadc7086752989c0fd662d80

SHA512
90d20d335bc64023b20fc4c6c29aa1234de96da997c380fde652cb3b204d2eaa44896fb6b1d9c4cacce7a359f7298df39b8d9e1d39e2c8e4c733e4b9f404d612

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAgm.exe
Filesize
5.8MB

MD5
2d3de598257794d66ce4eea9c82b3cfd

SHA1
418e1acc2da44004e0cff6caf8ba7df899bb4531

SHA256
dd1897ae63349a1b27131df972ffe02f37e7ed323f090250e225766c1a06b932

SHA512
8f9ad0b776105e14bd7cd34d3d96e6ba64a4c8a622c8f0d786a7664e88a911d3aea2ad9f872b8718446fd986df591e463cb5a8168f92d69bdebe810bf52ae366

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEMo.exe
Filesize
539KB

MD5
e77238cc9f7b36ae52ea0bb74744531f

SHA1
893993ee53b24060bac070f33474c8e1c7c8472b

SHA256
0c600325dea7ca6f0faf46ca180a38da6e70110211e38fa6177316df4439f306

SHA512
4773dc2cab1249760d83a5a0f20a953dbbcb5595805097fe3d52c4653127745113d88494d2894e673ccbcaea2f972c082772b8f33d7314a783236de1b2794cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQgI.exe
Filesize
720KB

MD5
f1d554ed91ae7b3094a23e7b11b181ec

SHA1
76615acdcc38680999159ec037f570997f6c2d72

SHA256
313d6781be26131dc95885c49f057b148d4168b8f5ade7ad6cb90273eec0fdf2

SHA512
1b2d23e0ecc52f96315725c10b1705240eb75fa4fc5998a32aa59bb3f6a5897b63334a58ddf15dc9534d1b1ada5e17507b4cd9cfb52175b64d797a5bf6546bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkAg.exe
Filesize
153KB

MD5
081eeb5b89fb8ade10b38876fd1cde50

SHA1
76e633d7e04c5021a16afe5360f24ebe53be1aa0

SHA256
39a78a6d6595a3bbf1b4b8ef81d99ea52bc5d523106a912463a28f86a3c3e8f8

SHA512
c9efb2f715fe7e0850efc85fe9e45aa3abe7b9f0c60bbc8d5f81627bd68dbf7eded93a39c4e0b1c1e404c9bc00c705b1af1446d1616e4d9a3c80db4d6b4720e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eoku.exe
Filesize
893KB

MD5
be1bbe62441aac0ed623c99253e91743

SHA1
43e214f15ee6e4ffa64b9b905f64e5edf112889d

SHA256
9487565f8769a6d44f277e3ecc1c566e64566d95c03cfd2f7cc23952857ceacc

SHA512
6b3e9b80bff1dba38e93aaf902a29d527f767783757800caa54a869d6aedbe08be273f05e328d46aa68c30b7fd7c316d3953f68032523ab955406b68f3fef25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsEm.exe
Filesize
114KB

MD5
beec6bdb33903a30d2ace7626f5e02aa

SHA1
932be67ea915c65b0a0dd6ee03bc430952a53e61

SHA256
5bc5e6205b320061570b26caaf894dde40e255755c97af6f0d396d60d27295e9

SHA512
6a8c2441e7e3055e6f1e435f8191d9252c0c9129aa3678f2132905fb4f04387c581266ec9b351d9f0d652ea4618de241b9c910d0722fca80c85207505c667cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEcu.exe
Filesize
118KB

MD5
1ed938df2894a9a2305ae9bdfa9ae389

SHA1
7b62bdf805e1f05ad24bd72b0025e5bda0302eac

SHA256
56fdb4ded6bd3e80c0d26f80a3ea9d71199063fc4d4ad6ae1753154b5858c25a

SHA512
f70fe93e547d29d5b5f0ba1e7419ea4a7b21f6130c7c9152c8f6a979def90f8dedc98641b57889b1bc54cc40cd6a07e121502a537adfbd2e62853fc9e2178c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIYe.exe
Filesize
555KB

MD5
782f75b7573535b5135f778d4ae1f72b

SHA1
ac75a758a4bb4a3906305805e13c217e2211d583

SHA256
0a3e7c5a4edd4b95b191e2cf014cf48858be7edb0053a4dd7e932ebb56889e7b

SHA512
d72ed341879e551724524d7954611462eda5a0da1d976cf2f5288a6cd3604b09beef4e204076d2f802c3b9a5d50e6c1450b4868a129dea88dd0ed825324af795

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYks.exe
Filesize
113KB

MD5
4ec1b6f9acb0062cd63238042d7c68cc

SHA1
6629fa19a858c9972afe27f7245c6e639c2e7370

SHA256
676e43fb2ba3011eb10df2c02234b485b1161ff57aed04abaacfd36b056baf58

SHA512
ba46e3c1bb02aab706cacca423ca4511c4b188a244351e66c23a140521ec5fc758f27ee646a373242c5fc492f77a7dec423711ce06dfb3695b593a3ce362fb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsoM.exe
Filesize
238KB

MD5
a0f5498667c637868897f02fca70ac07

SHA1
1d5749bf161f001b1ae985e7647fe024cc5c201f

SHA256
7db426b7e92a681e5beaac7a8ae6199373b39ca6067f5e463e3734c823394e98

SHA512
bc810d51f290e4aba59cc72cccdf417ed77c62d655269fd1631db34429a9f6bd320864661a226663cbee2d016b7e5530e4c8f461f212e337a6f1327e88b541d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEIi.exe
Filesize
112KB

MD5
3db23dbdbce0b7f8eedc5fae16bac17a

SHA1
2ed5906c8f36557eea181277f356b69482741382

SHA256
0204a4b41c20cdbd59b23aec0652fed1b0ee789ad309883df2e03623992f17c6

SHA512
9e5d3a01559d407666a42e4cfe3a1c28730a51e22206e5092e56e224fbb9290bac83af68892d04c3e6c05aca853b57cecbd2e3a48133d5b462ce8255f604f8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEcI.exe
Filesize
116KB

MD5
5ac7eb1988c0b1a91b1ce826882c4aa0

SHA1
d2d8f6790e4a0aa8d0f57b2e0f7be3692b60f4c0

SHA256
ae05fb397d05b2b3968f757dcdc54457f2cd48f390f38835e42ab39cdba5e3a7

SHA512
473fffe891eec08a5586153aef753d50b9c85b52beea5c06a0db07c95d2ef37ffe0cebee9cab81702679371a6cc15059656729e46a42fadf4cd8b99fc894b4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQcY.exe
Filesize
112KB

MD5
60124fd102fdd59c770d1f9801e527e6

SHA1
add255b176bc1ff82997cd4cea2f03b67ac0e8ce

SHA256
127407a8a2141207a49e252be9b8011bb6b66e631adb8b4a4d2148ee1e9efcbc

SHA512
c281de19c5d0aac236d92552d64134b7bf154e89494d627f0ce8d81ced87bc4eb1d1ad8349f62b8d195da0d1a916efe6ae4fcc4e95ee1a1e1fcdb00ecd90c1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUgE.exe
Filesize
110KB

MD5
393997d1e6f685a6932fdd740e8dec5e

SHA1
35f471527931a2e8eca2efbd05c957b5ce982bc2

SHA256
aa253c5aa276bea6d714994ccd7c78ad50a1a68c455fe94c9b3df867edacd453

SHA512
b0e788f4bdbb83c76fcdc4c981ee99c613a8a25c44b9ec1bad9fdad07933f9813cebb45100ff741987860d38504a865fd1c2c6b4b8612823fa6517acb824998a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMIW.exe
Filesize
116KB

MD5
a3e17edf1a7e4f93284cb01b3c73f0dc

SHA1
817448ee9376b160a2a241211b4b84ea16545530

SHA256
fee04a36b1dc3018ce6098014d57a30d734b9717ac856fef50089dd83976af69

SHA512
d8b73b95114ed3dd47050a32f355325f823e9426df25856db9039475d8cf37347249a745e8835e96f2a7df5cb503502adad81e4d5f9ea11d1dc8af5762217328

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgwI.exe
Filesize
111KB

MD5
d328400c5ac6d1d7ea71bbf772d7113c

SHA1
90c2c88e99460628d44063bb3fc3a0918d40326a

SHA256
0c1564fde967c2812977dad80795dc67f27f262588e8bd0cb431038119a496cf

SHA512
e9d4bb64393ff2c29badaf02786f22512ef7063eadd50fab46a1498ce70ae2297ba09ead9e456731d430b50896ba3b0c1e6fefc10b570d4bfdab5aa6435d3ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkAY.exe
Filesize
110KB

MD5
4c05529bab2f10a52515537eb39f3249

SHA1
5dd9bb03d470ca5f0bc28c2fe6077afb7309d84a

SHA256
83abf7abaeace925726f9029a225b8b50f7ba0500cb01fe364571948a5d807f9

SHA512
8147e5fc6a2e64aeee2335bd7632cd03f933bbc58b624f4bc4712570cd336e010b01c73d8297183b5ca556d3c23dd1c413e552773fc24bddc30cd06103068a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAki.exe
Filesize
5.8MB

MD5
ab9eb3442ef03acd75c06025aa724118

SHA1
397fb0e24d0a56f146355d027ef6be0a9890c17b

SHA256
0d3f4269d976b28e6f7d6f977f43e2a289c4a84036154fe60ab51f471a2a305a

SHA512
73c26898aa3f41ea7b20b13a0e89255a242f4044dc4cac66241fd659fd59535cccae365b4e2e04107c7d06ae008b59dc4c21473de3601fb8167e1ae16c48a74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQYG.exe
Filesize
114KB

MD5
e062448e21f62a6110662d2c15a944dc

SHA1
3109fadd71e18d43d6e109280e48a06118dcb086

SHA256
57fa324ae7eb31184e7624e4bb1ac70872d5304e14883c5c715b5bf5e749e06b

SHA512
89900cec9ef2c265384292804b4beda177324ab63b0383155892206468007cbd90bc95e938b7cda71e5d2a7e2bc8e1752e546dd0bae213c1554bcb703870cff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUku.exe
Filesize
153KB

MD5
14db52d3f72c0d3a098b6d6bf12728a8

SHA1
c0a6956d2b813798ff001d7e16a76af27929e190

SHA256
d905527b32d0ff4bf72534047d42f6463ce143086d8e09058ec94e90db8a7327

SHA512
1f793902a9d0f749681412ba74e649e8abf637aea727a5714b2ee89273fdd7a3311ded6099f0fa5acaf21537a677639fe9bd314d2aad2e03e20a9f90db84c4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\McsS.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgEo.exe
Filesize
110KB

MD5
37a66a1034de711a6a960545c9db13c8

SHA1
c4d4a55deec4f76a46a01231f465fca0ec35540c

SHA256
52f85bea19cd035abd583ea8dbd5fd39154aeb677dc31a20f1c415f8caf89429

SHA512
10c049c327141c644f6dd65cbbfc90168cea16c659f63832806ed8e34b67f7c820d19bd949abf52ce4412d5a60810ccc22d5e6cdf8560b704ea8aa6afe541dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsUY.exe
Filesize
111KB

MD5
75f2cd7cbf25b24860163ab9f4f1d902

SHA1
f2bbe23a741efc3bda81bd845d59a2f6ce6fff92

SHA256
1605266fd0487e1d873a76740f4d2e74cfe9e1cc3adbc2bc7df6319627ee3d5c

SHA512
e9ac40b2a21a8726dc1918aa1a678c318d6b25da43e9cbaeee69d5d1488acb79f2d760d4b5b3d671027ea858866601bffcd6a65be9cd23f6adcf3cff1f652501

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkwS.exe
Filesize
567KB

MD5
794a5fcfb8373ade40509ba38645ee10

SHA1
e7b7b33c5a94d3311bfdb093c1c498cc195ddd07

SHA256
904bffef8a15e820ae5c49b87d5b85127ea0aae15b6d9321905e32bce15b24ab

SHA512
04f7c80a011d0afed039d7ada790e845644df06de2fd54228cdb439ba9d59cd460304c6f59145c15757fb32fe5041a7f325cc8779fa5ba34a455ec2b9bbc10e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkYS.exe
Filesize
1.7MB

MD5
715d2b8734fff82d00c7c65261153875

SHA1
6f3e8d19522d65706c30fb81be732b3edd136f46

SHA256
455ed48bdb2f0ca2b8983c58a1b3e29b6ce0124c64f792fba32b1ae6f0a6c1b1

SHA512
6213d6cd169c02250243b5d2d6ffe39b6e3555f8887fc99ae92add8cfa5c706a036970da64bb071fe6f8234a26166e76a36fd8af51f1861b4c6fe66ba99266b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsAS.exe
Filesize
596KB

MD5
d660f35b43908d9b5ccd77233b36c195

SHA1
4724fe848fc516458b7eefad13a5d8d5e66b7c9e

SHA256
b7af96551bbf5bca77fe3bc0df3a96bbae0ac2bc14a081b40d57c100c6c54f1b

SHA512
eaf09bca7a7f5957bd378af190bd9f17e453e7d2c81621121668f48164875e156ed5199441289cabdf5c2aa359916f171f48ed17e3072a76e231b30a2d83bf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qswy.exe
Filesize
558KB

MD5
06495b846964eede83e762802e195431

SHA1
a439ee3ce6a8e950d07e94c5f382a8a45777e4e3

SHA256
ed13354c852b6b856f87895dd168b5f7ebed85079a42bc79fbd64b77b7eebd02

SHA512
bf8960614a8b05e9a716b550fc208a7b1d2dd2ca8decd573c3506387adb5446612329b4b6dad815f72baade3a01a47d47a99a3886c64a565241e6bc768db547e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwkC.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAse.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMYA.exe
Filesize
112KB

MD5
6e3b9aac1ac0e166c9318b5a3ce53090

SHA1
01f7719cae75cac67267a241cd2134d3bd77fe61

SHA256
471123778bbd3b1f556892f567d950fdc9b1930a9ea7930e2041f643408571f9

SHA512
baee08962ad15059b56e1c1069430297c3795cddb7023e7ac4099ec58e1e5f85ed0e58780adbb418ee909d6258ea25f921738e0b3211e81adb7e9325ca6bfbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoAQ.exe
Filesize
112KB

MD5
11e8d7bf111669fc2fd6fbc35abe725c

SHA1
3d7c5743fd722ee907902c08b878d4b2ffafd46b

SHA256
f850004695b7112758db66de096812ffd71f12d945f8c24fb7b76fd8c4ffbbd9

SHA512
4fa74e4f97d30e1947c7f5d4a8fe44984ae97c6d2ba64ca551c237db963b884e5f02f781ce3fbcdbd140199baeb1d72466e3ee5dd90b9b17dfc2aad3c22f1c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swke.exe
Filesize
111KB

MD5
216589b602169adab1a82d6e3fdac5b1

SHA1
1ec36b5ea0e5555f291efabd552e020d32fb30e5

SHA256
56b07b114860d8d06d35a67ca41caad2fc15f476a90ac7db42dd98196f9a182b

SHA512
3d65413463781e1816d7b7398f63e302e5b2c1b676e182af6dee7999a1832e50194e5e755d81e10702bcd7ef87dfc9435658c53641ba4b39416ae9b5fd8c4845

Download Submit
C:\Users\Admin\AppData\Local\Temp\UckK.exe
Filesize
112KB

MD5
46869e18f27958f8a85c260c94ce6926

SHA1
c64fe42c52a22ae810299efd468ddd94e1339007

SHA256
62040807f2f777b80acf323206e14912cf9ce73e3353ce4d51da72fbde7afae6

SHA512
a05bbd9efc4b44342da3bc789af985f810ef8e54e3f5d2897edba525db78a1c188eaca88491605da00a7717012e45588b8e4a2aeda3f33cf19f21d69b74ec7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoQo.exe
Filesize
111KB

MD5
dd0a7c74af89f8c976dc43242b1d3b00

SHA1
4beb78b52ae54405f2b608c6aafddf659a912e42

SHA256
0461408e5d3a88adeea5e4bd0e5140247e6991739f519e8cf0bd715d86864023

SHA512
04ab035da7a14ee3e0eff3586d6fb3179a1a5f191578f632f01b848556f3ba28ce41287f504b0f5d26e2cad8c7992b5f1d329e52e9795b5daa89527c227ade31

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsAO.exe
Filesize
111KB

MD5
68b23f8db1d28200542d7b2a4f915fff

SHA1
20b2c638a5dcea51dbebe6951a5f1dbfacc8483c

SHA256
51c7b2bee3ed7af9c8f4ab283aa27b96651d10ff23be54100f105ad6ce680887

SHA512
30266bb3f0dac40e8984e716b1644ef1da8fb2e83b81e97e33a53c38c15c63dd3c76864fac4b2d677bd35c1a1e9b41ba620a002e1df3eb105e3ca04dc24e3e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEIU.exe
Filesize
110KB

MD5
54ee35c27a3a4e136e072b1e8ccf9f82

SHA1
c1be087823b9fcd2603aa67075c34f075d6f9ed9

SHA256
52e1945787c468e3dd63f4096ddbea53eb59ca5ba7b64807f1813d122fbac373

SHA512
7a8ef1b2ee51b7ab3013e70d7736107d9ed331503b659c7d96ea12cfa2e8a4588c835928f220f4c004fd552871f5b87175d0d0a4f25c1a2eadc2431c9e62e824

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEMU.exe
Filesize
698KB

MD5
9ae710abfd6b39c1b29cb8c786adcd92

SHA1
5a6660409fb6fc369bb8e73fb4f98585aa26ded0

SHA256
ee8063971410c0439ea5512a4aea7929b6bbc6f865a47857af473f00a5711982

SHA512
67d6588dc2eb71cba4585858005af08f9bacfd0ca12041d77ae1e123360730f2ec0a002271ef57258b9117155ddb1873ee54429f90499ca68a60548872796e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcYk.exe
Filesize
112KB

MD5
1f3ecb39dcbe735896d322ed5e1ea513

SHA1
98f0e08333e1a37ff953fdd1e41253f62669a67f

SHA256
bc9a10757ad22b30b250cce1e458d51c48234eb3128d88df3f5861f25588f02f

SHA512
1c012c64c553ab2c5633332a5ec77f7b4d38b9e47fe2b0d9c33fa00d1d0e2029ba3e6274d1f1a22a3cc3a4c391b4643bd42592c0d796b0f631b4620a73bc34c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcoy.exe
Filesize
697KB

MD5
1f74383e96fbcf433a5059476e46beb0

SHA1
f92ba95dbe00d0293277c58086b15933fc9b0f63

SHA256
966f6559035131885a3d6d7254e4f0fdc37c93b0086eb48bc4a0bb844b4110a9

SHA512
4b9a114fb428f2ca054e0cf406804ea3c4c96a3367563c355b79c222c4c0229c532eb1be8dbc13b3bf3bf08546f3c1b19da536d9043a239fefe24d7accf4bfee

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAIA.exe
Filesize
112KB

MD5
8250dd364508b513d9cf7dea8315f355

SHA1
7c829a2256b3b2d70a58c6a0b5a0f2a9b4beee0b

SHA256
4ebfc760c9de45a83bc7cde4b08f8adda883933094376b6ac7250f1b3a44e234

SHA512
289b93eb1e78509ba5bc49715a42643d3e1dd39fc7a5d48bb8a99d66cf11d4ff913ebd2f489cd46d01a0983158d81a99a7d424bb212fd1637269d5097b7959c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIYg.exe
Filesize
554KB

MD5
54e183b114a71b70a31904c6834e9b3d

SHA1
f034bd6744d39340c44d9f783612fd6a85abb8a3

SHA256
94da86d55516a6ac0f9c65a06583f53034d8f59158f94d3e0f4b7f146e188a0b

SHA512
a1103688363208c5e5f65d8121f24f515468b09bc4b56de70a8d2595714d0ce47ac52b2f42375872ec3150271cf4937e2e783d9671ca1735acdde6b9d48384d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUIs.exe
Filesize
109KB

MD5
d2fb07cdc9bad5a47148475f7c1f5c89

SHA1
a1f9c4c59c29649cae58f94c2f5ead60ea438022

SHA256
a0566493ffb18eb2a6a717b4069c737785141abeec01faa165d064d38a499f54

SHA512
c21dcf2bf9b691d40f6c4dc1a05801f2a1e004ee58271274273f6212e015ed5666cd72e135802b3ecc970d1c4c8b866dbdd95360703484ce2f83618dd4158505

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgUw.exe
Filesize
126KB

MD5
c75eca0381084d9c3f191ac75e426c54

SHA1
753eaccd5e21b1089426dbe66536c578cb6f20bb

SHA256
c62694c7c9a1ee439176053085ebf1e3a9e37c982d25c67b0b719dfec3d0ab46

SHA512
ba91f2694e8100af3f5b69bee4d03aa5ffb672568dff94bc4908d31828db0d5ba29a4249cd1d12a1405dcece1cee0c37c3b6998dedc693b21d42c0106826501b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEsc.exe
Filesize
119KB

MD5
8d051e764cbb285692abe209f1103176

SHA1
b1dcda5bbc97f993b56cc8d59d46f79b773cccd8

SHA256
0f8d080bca62161fec6093e2568ed27b94b6356350a1ae9b1e6061fc145ff739

SHA512
66072c9d35fd3d61351408b2ffd9873015af041808d7005fc044f64aa3d45fe53899838642b26ce60d33a733df6f76ce192c86fca00fedcdcbc3ea7c238a77cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\akwq.exe
Filesize
565KB

MD5
a962a4c1c572b9ed4e882e27614d5661

SHA1
a3118266ad7d7140c93f2b6e648e7b50791a91b5

SHA256
237de9eed020ea8c104d54d8bfaaa0e4e889dba3f1045fc6f30687c384f0678e

SHA512
26d9c3e50a586fd433b6756b65e9dc22d2ce13328aff92a46726445027626e5e992fbd8ebf5cc31b68789890bd77416093e33c2e7399774f61771038ed8a2ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\awMU.exe
Filesize
691KB

MD5
8c64a72ad1ddb043b71af5a0e4e081ef

SHA1
b5c8e51bf7026d98eb04690c3cf6778a567ba8a1

SHA256
b3e41687f2e912859bec4b5fa04150aa81c116991505e36a43093f7150ffc6ba

SHA512
5fcb761ab1087cef7f64afd6829e805034b97c89a22dc7817efe53db389346cd567ec9e2b42622ece1494e23279cb4411d3e4a06efe85474ba6b5a63a2b5155b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMEk.exe
Filesize
114KB

MD5
4aa3c20338457af96aef20e19a646dca

SHA1
4fb7705ab64578f5b59317ce704508624b2b4fbf

SHA256
38aeb0468587af983dab9df30d2b4e78fc9b94d7fa44074bdd6fc59e26e0a892

SHA512
a5a7e36def2c124bc7ab5488f5e47d343ed2b1d7e9a38c7757239b40d9f5da63ebaea59528f62742d096ff96425ceca60010f130542ed842b44afa0f7ae703a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYUs.exe
Filesize
112KB

MD5
68b0af2535761aa3a612cdb4d1d55560

SHA1
b40e2ac24e505619791be31d93022388ee8a4516

SHA256
63a5d5cb1597d5e73432a3ef19cc84ce1d4f41a03f21248b7b08f16996f1dd82

SHA512
a03a1fa423068045fb309b89e635a08d360bde15efda4b0aa554078328bec75b6444c8cdc4e7537ec0d2ad4ff0e5b67702fe15231559dcf5a47a70fcd0341f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYgi.exe
Filesize
112KB

MD5
b3d16842a12a78b045bd378c3a261e22

SHA1
8e9d6544995fd3383a86419471b2bc41bdf8fb50

SHA256
2b4a023cb13f621759604c4e23ca2bc30bea3eeade0457ee818336e8f9e0bccd

SHA512
ea9504752c5b1036ba90cadbaad00d05ab250d6fd6d18affcec6f823abecedab9fb057ea5ea546e6bb229340feb130eba2a454cb1983ecf706651ecc152b00b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccAc.exe
Filesize
120KB

MD5
96947f02c2d0645d7631000e9f08d42b

SHA1
a8476223a6b4305c15e21c7aac8f63c46e428300

SHA256
d9648df69a13f27b40af18fab74a4b0b2c89ef65c53198854af4eb42651687a3

SHA512
a40a64af290eb36bf0197a66324a57526816f6772a8cbd1cfb5fac9c279d1570526a2bac365059eda75f0620958ccb427c7ed4185851b4cace8299ade23c2e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\cswy.exe
Filesize
112KB

MD5
049236ca682d6f5fefe376c890f36bb3

SHA1
6e08b616e6e01b5edfe91c401a63d2b43f57f1ee

SHA256
70ee7072d240cfb09ae46088929554d52177af4de54a12bde72c3b8bd9969235

SHA512
a25512a71800f08b10c69afe8c444699815cb5d76ba430121f57eeb2cc38ec49a106c69b86a6b8783d0a93cd88fbe426c86cc24ee04d3b95109c235691a56365

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAUI.exe
Filesize
116KB

MD5
3d74b63d299fb6df26c24d371ae447fa

SHA1
757c78651227c0dd4470670126a72d3d96ce77d1

SHA256
4521882c5a7adccc9780c947122f257bda0dfa130c50e57b01af8fcae9768189

SHA512
36a1b5a4b56c03ae08101212bb8d0796b34f3ec9ed0c8ef27f43209d5403919ce8cc5ec9dd854c2bfca9800805fb6e0e8de3dd2144e33d19d45a858b65130766

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEcG.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQAC.exe
Filesize
111KB

MD5
147aef80731e6b6ef6890c9e3d606df3

SHA1
bd585bd3f10c17f4cb68dbcc20dc5c17201d70d4

SHA256
ebbac8b9c87e4c36c593120ec638e7aa611fc99fa22b31263fc1a14e827d5946

SHA512
a4dc10f55229b5188074e46f9faf8800e61d1d43fb546f67384296c92d37c93cd9222bedda9da15251a60b5c865c8e646a2f45c72e79cc3cddd18d2ec40c4a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eccu.exe
Filesize
111KB

MD5
b3baa834513eb70c378956e820ff9c59

SHA1
fa603b326994a9593236c2ecc9b507a08af01860

SHA256
af34ffaa3a154272ce4d2d6f6b171a140c8f9af7019aba065c6dba9bdc12424b

SHA512
a84df53dc36901f9e557a1a4630a3318fdf7c2b3ea094285d74285190731c4bd748f952de7cd4ea18e9a8dd5a79126259a849c6d885e9731bb9650c0bd7301f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewcg.exe
Filesize
120KB

MD5
f8b3b608af003bafebd85c9d997baf73

SHA1
e92b21d1b28b6f079e01129afc92580795372112

SHA256
36c3ff3d29fa6805aac459e88a41aa5dba8ffa4961d4c9d52572703ea689d4d6

SHA512
fe0c24d01eb90433ffe782af1edfd26c09523d5a0a99014c4242dbbb3f7e6a3bbda7414493914c1ba6a1ebc4f40cf89c4b68587040069ec86824c96b077dbb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAgs.exe
Filesize
701KB

MD5
ae567706ad0684acfb99c5f1b7e7bb6f

SHA1
3fc6f177f8fa70ea89725f7972765066ce35dce1

SHA256
b66f07fc46b7cd9498c63371b94c51bdfa7f3d3403706b78dedee540d3a9c7d5

SHA512
cb407349b2e4969bc4db873f11aabbabcf876190dec5d988e2ecca224a6b2073bde6cb12de82aaedc942f66f50bb8abc2b568686e84bd8d3b940b9eb713dd718

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMUY.exe
Filesize
112KB

MD5
985574186ed970667a72d8b9825a3d36

SHA1
e9229bece28ab21c6d119903b5afbd5de1ea009d

SHA256
7be930b4601bc09d6c9b5b0c343ce10ba9c87e268d49b50842f8f353c9febc63

SHA512
42abe257f68ee45a21aa50e1c63219e3ac6bc6faf5c33b43741afd90a427a2b5ed17742d9e795f1fe13cb82c07ab7a327829590481ebe52b595de3f0c4e76e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQQe.exe
Filesize
237KB

MD5
26f3fce34a4f95da12ed2b67b818dd1a

SHA1
af0d448ad0502759a73d440140c04266593b8422

SHA256
616b098f6d1d375dd64bf05ea4b0d6e675a807f7d5f65927b0b88787c625abac

SHA512
ad212ad84069cf995c696bcfdd762f60c497fa66ab2c7140435c598aea2eb347cbbdb8682cdf2a95dcfb9fec2dc9fe04304813e1ccab52e7ddf046c266b6e8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUMO.exe
Filesize
567KB

MD5
cc6285b37a93db6b5cc79239bfb939d8

SHA1
6c709eeb64a2e7ea18c62c210a63d5b76ddeed8d

SHA256
10fa9220987edddc47b2df7882f5da7cd93b2424a96586f2448b3368d4b21c16

SHA512
e0b66a355ed0b980f39bb976fe48b5703d8b386200b1850d7ec0463c57f741e5b3ddb0fc1c8ea0ae318d73030dedb3f7d39786e2980f0eaedc5c63801611d23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUcG.exe
Filesize
112KB

MD5
96561fbf8c23c97b00f62d1fc53a5d18

SHA1
f8f48ba5b302cd6ace5a3e88a23cbf1465ae0d51

SHA256
1547e5de8bb9dda915796ccaee5f59bee18d94e120c122010cd865e47105f1c6

SHA512
3335bc13aee1f9e4d2a803b352a34cb05f9cfb038f7da17fee21f099732873425880e7c7b56c023de449808d5f324a1278427e7700c457c4e94494a89dbf5979

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcUO.exe
Filesize
112KB

MD5
63c774436da59da28d847d247972d2fe

SHA1
a08a1639e3bb4000c35eb202ac59b46f19c345d0

SHA256
98c2958ea19702ae23df9dde277406271a009087dc00e68637d1ccff7fd3ceea

SHA512
6fc286415d131c87ab0b5377b6676b7aa704c9abadab82dbbcd853eb83d26c1a20e4fa52e1ca95c52328a1837ebeb926051fc40853fec1310e343945a9f88fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQYa.exe
Filesize
114KB

MD5
ecbb5e587faf0513f49ba9206d2e5d32

SHA1
8d15312bbfe5a3187803e781caa10bfa79691707

SHA256
a9f547a7a477133d46191fb27f03a9c873e549fe4ac94d431a69ca992223e343

SHA512
2a6b18b7bbf585e3815de0e14e34bc170ffc700b48bd41ba747ee419ec431f408ce17ee09730c6a4d7001d9ae4ab10eab04fcab6a6a0631d96c9f3a5ca4b30ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioIu.exe
Filesize
139KB

MD5
e31db2cf6208c349de170b28f84f4c28

SHA1
6c06795bb9e42eaad77c189028494554d8d6ef8b

SHA256
bc18cacce5a3445a6e71400a3ecd5f48eea4c46271efd5cc288ffbb9f6124101

SHA512
de2cf1f2aac8f3c6ec05298138d848697b70cf763813e006714c0f3231d50932c33521237123bf64875f2f9792678bca8320ac8b5a155ca53342dd3b72b83f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\isYk.exe
Filesize
806KB

MD5
0f446d4097d024d9a58ed8d65a55c1b4

SHA1
c21dc845e480f94849025c37c50705bb9c10ad0c

SHA256
30b05d32388231397f07f12b3d260ca3a67c957c65dc84355b3427bc66622860

SHA512
10104da2a8816ae15cb581f100c160553e324a4f821d671f1d6a92190c0002d31403f09c84ea53f0b328d5f4baf4b52cc9479475444fcca00a1f7a989715d85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQUG.exe
Filesize
110KB

MD5
33a5e52e7ef9bf210771a3c19375aaba

SHA1
1817b8c5f56081e1ee085f3eb92bffa8e7bcdd90

SHA256
d393f1bbfd9d096aa202f6e26f6de618ff6bf720030c1c1a9d25c9618bd15fbc

SHA512
8e372b81f0e50fbb4684092e912c94d00aca8c36dd3625935bf6ba7d13c4ca8e34aad5f4d2de1de1dcf3758465cf803c27df05e606dd49ec15b1088ddea7749d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQsg.exe
Filesize
484KB

MD5
ac2185d5d9c1cbcdee63aa182b30f549

SHA1
da20a6b8785124e3e74d27e0bcca1fe6a9eb4555

SHA256
868da87bb348c023862fc82154a357973f5cbdd2b2b28b01bb06ea6df58e6e6d

SHA512
f97876ed0e3c7b9c3333cd4c802313251cfdad201785b9e49f7edc1f632ff4eb2f5c25a21ef647452d12d37bbd3aa20ef75299d65821f6efa2e1ef3ccf97a733

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQIk.exe
Filesize
139KB

MD5
1128c4d0f505c7efec1eebde7786daa7

SHA1
5125129994eab74f497353d9d2b638be6c71d2e8

SHA256
c3ae43755bbb0019d66aa0f76304293a7229498186151783ae109c34b1b33da4

SHA512
f05fb9e15f964b3f707e7e6c5ddd42af1952b35cf414e384b39069f83e8be11c22874f71ac3952199b776fd246bd3ad01b6ca28c2cd5508e8e89ac1007d9f2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAYm.exe
Filesize
112KB

MD5
bc000c2dd4d586b24c3d504049d2a62f

SHA1
fa75173c397139775116a690348be91bf3fbdde3

SHA256
47e5421c702157fbbd00634a9cb007c36e168a7050ea14b9d11e18b7142a983a

SHA512
2702ad7c0d3943bcfafc7eed7ea374186de10d21df1aa73f4dfb996363154abf3089da86f38de516b41f0217a0a6cb835e5ba42b7a872167aa00bf2c8f570a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUIg.exe
Filesize
111KB

MD5
dccc9bf7c0ea44daa1f4e849c673ae76

SHA1
47a221cce75b4a56b4980710c625b080b09198e3

SHA256
f5f5bd9d51ac6f4c1fd00133035e942a96ca95718a440a697bcb57261972fba9

SHA512
ddf1290879a2310ecb450bd960edfdf06ee7b39bf7794492c37140db4f35319071df0026ef76401600e403f682401b9476111b935712aa5b5e222c04df41b6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\oacgEkEs.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMYs.exe
Filesize
236KB

MD5
d040fdf7f5a44dcc8d21479c3b7d5121

SHA1
6bc24324c97cddf35496d9911d6114d1fe78e95b

SHA256
351833fa174f3df9fedbb2f89a0eede085462f24723a3f22ae8481d050ef2051

SHA512
ea26a8558a6dbe7eb80110cffbffa7c7c85ec0f76a4377ac084a54b9f2f6044067d2417dd1047643b1d07c912aa586d6dd59ed9d89c02595b5ff94c8e1c291f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMki.exe
Filesize
115KB

MD5
594e7aaf3655bdf012183b2a15251e2a

SHA1
8d9f7bd532529da612cb52353ceb4fad63d853ec

SHA256
01b556d5d0abf1cb1c2c96d0cfd78f1f499461203a41013e09e77fcba80b834b

SHA512
19ca966bddf58ecfe6cd2b7302562d8f504668ee262b8ddee5e875507fc76eee1171a0c8e956820f3d74993bfedb9cafda8f5f7d466471eebcbb776c6957758f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYkY.exe
Filesize
149KB

MD5
62939f13460e472122403dd8a9383612

SHA1
9ad6a562db2cd5ba7724eaf2e44f6c7d0cb8a8b6

SHA256
f758301dbc53780693f0365c15029aca83edca5101de79d23bea496c912cad25

SHA512
e6f2c405be48159bed476f88afc6a5a73e44b5c58e5e934d049d18a3e08920b250dbac3333a57eb9da543bfab3510da0af9ebacb34185b63a843b83faca6b316

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEAc.exe
Filesize
111KB

MD5
d9b3f22c370747eb5c31ce8bfb3d2bd2

SHA1
ef4e369da06a135d029c591d8f1fef3d38feb217

SHA256
f1531854e3846546faeb6784fc3d95a2767bbdb3887cc5adbcd4990ec4cefd1b

SHA512
d146af174bbcbdbafdc5c07bb01381d3b172c5aaecfb887d5d8e19094ff2025ec7d7754ade8024b80c013a6aa09afc35e10a9905fe3fb859fe3f32aa6ef220b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQgO.exe
Filesize
138KB

MD5
8008213e958d730b9d2e963bbcfb0dfd

SHA1
ec39cf052ef3d287a967183f36b4b63ff86fd683

SHA256
a46ec1134b567ca42408653dd80d80ea02ba6201259112f628df28e9e852f3c6

SHA512
ea88f5eeab9be058b4a71659c694a5e83f7caef57d45ecbc31eb95d498a06d632d98b689580dcc23e50f842e73ab0ae8f480db2b5280dea4eab5b2cfbafe47f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQoi.exe
Filesize
119KB

MD5
86dd942ec08844ff8aec7d19538c2c98

SHA1
f05c81d7a11f519f98c3f9e15d917c9943e5ad49

SHA256
ad4eaf8556fa2365d0a549aabf11c4de76dd4af20c72652c14fe950710ceca53

SHA512
96a9ef2723b732c80e36bd9cafda085b1e5bea079a7ff9c5d56663cba41fd7676bcce510d7a29f78233218a0a327f47f095675be1080ddccf211f0a22b0065be

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYgy.exe
Filesize
114KB

MD5
f446bd1834908b2eb3c2e73a1c4f7b99

SHA1
48ce9c861f58daa80d14c169bbbfaa57fdd83266

SHA256
ca30a5064f91960ef64d3e368fecb613531ce6f522f14d7da14565a4f0129e79

SHA512
4aaa181289adc4ea89c61cec19ad1072251d6b03052858784d11257dbe92465e56cdcbad98249fdca67a0c2b7e39c41a8d92bbc5e26356ad5e83d910253624d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAUo.exe
Filesize
5.8MB

MD5
8b30811402f927549e08e8fa92a86569

SHA1
b348297742145d8fdf7ac3437d9b666053a992e2

SHA256
ab7656227f7dfe96d380503b779642a701b9a75348100d26e82e5dc4cfcd9d5b

SHA512
74b9ea2ca91159cc981969f9d1cc240405beac76035ee6ee9387dc5f622343c52e34a1e23aaff471e8196d1080f12cfe1aad0a70e0e9dddbe78beb45ea233cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEUm.exe
Filesize
113KB

MD5
1190a11de99f1d3d4d0413bf94877ce1

SHA1
e8c7f74328e45c45b4728f420d2a1c30e30651b5

SHA256
22ea5a73b410973222cd88aedff1240b4a4d4f14885767628ea9cb603e5a45e5

SHA512
5188367fdcd59b71f1c526caa1fe8a355dcbde3c33007929b24a56d1d76f58e71aee638b3e14e45e7ef33042ab01c11a6aae15c66d4f7453c47fa27926e9a8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUAC.exe
Filesize
120KB

MD5
403fb432d0d9ac3090e344e6b7666841

SHA1
b1a0df7b19cb9632110ab1065761baf23d4af5af

SHA256
0cff808443f4def145bab2a3f610b32db70f73f11e82332cbec59a68fd0312b6

SHA512
4cccd93eb759ca662322bd41adc23e0daedddb5428aa0c0a60e55806a65a1a73ac5d4f6afda48387ca46b905d034fbc2c89080c36c6e360bb1084bfd3fa4e53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUIS.exe
Filesize
143KB

MD5
c9a1818953f283ee81a7248f4510a764

SHA1
a8517e40bf3162fe8dede3e2371c1e7b13c365c2

SHA256
e46c99c72e71343a02c83aa51190e82f1c8727f4d3383b743a56fb930d835c45

SHA512
7fd01574f1e254775188a69142c16a9c7637513334424cb7e12bc5dbb01bc278afc865f7f8521658fd94ccbe349f0094a1f0020a57799c5e2c0b292c49289349

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUgA.exe
Filesize
115KB

MD5
a07294893fd9de0c29faa77ebfc32bec

SHA1
4a7ec33c3804d0165053aff67aa9005e24df2b7e

SHA256
c85ed106f98667c62e462ac76b846f00f4e10be8e2766e2e90c00bc630045015

SHA512
7558648fea4aadf02a6175a4b51c00aa67ca90a1d014e5414ddbf241906a9815518a97c012dc590d27a55bdb670543e1334948361d7e43446d7055b736042026

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYks.exe
Filesize
112KB

MD5
d0908b7d181c7ae94533009c96b3c2a8

SHA1
ab0f9904e1430b6f3823b1147feeb41f5327253e

SHA256
b520cf95dfc0b467ef833b0718736487adeeb913d371f55ea8b665f8687c5f41

SHA512
f264be00781ccf45a38f7056594f69526d7dada8954ad92609a58f1319ee5f16de0bb4193e10608054d4649fbfd2ebe4bb598a7b92b28c44df929a37bb9c51dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcwy.exe
Filesize
112KB

MD5
584eb40acabfbb34a0c716613c7f017b

SHA1
a0a038f06ca178b812b04470f7deba44e85d1389

SHA256
b8db61d431acdd43f3d589fae4b0c7fd48eb00cc37c8f674ee030e684244bd74

SHA512
2bffba76c0689779bae5b3445988e99ab19a4ee4556c40f132b927e6ae1fc6b2e3c79e18d9af81f9de05f50f358b2ac8104603953c0ea7e570864c7723f915a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwks.exe
Filesize
113KB

MD5
c7362aa7d092fddddef525a84c22dac1

SHA1
9e70f8f7ef8c355a7f14fb5f42896668dbe74763

SHA256
a98b54027aae0d0d1e5694a394dbaedbde19670f3a0bbcb10a8db155e1ad3169

SHA512
0c9b7bba0e77f2fce1f70b7faa886fc160447af291cdb943490cb14d1407ac3903bac2f88ee09150110e102f7fffd1111eae297a91c0d62ed42dea18f5a08b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQYq.exe
Filesize
110KB

MD5
cfeef3349fa5462f533a3e715e32bcf4

SHA1
b1c325c82cac2c6ce28ba4d87b2fb40dd32b4544

SHA256
4e7db99524d5877dcff9c51c64a148e9810a6aa8c3367518f00d33d59c1b2dd2

SHA512
fec222be051a5b2300397e204267b0aef7c7d4da6e105eaab8664d86e0d9db81ee9d368b633744310844bd7dcd7176d60b8a59c07226454fdd2102e0e157f6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykIy.exe
Filesize
116KB

MD5
781916203742e2e980ded88fd09ef59d

SHA1
bd89a7414a9521c5f7ca3eb05197ec2534c53777

SHA256
d73dfc04d6aeb4339a78f0f7580301800b9322bf9d79ea4e2e8327719e4a4d02

SHA512
cbaee0421358fb1b4372e2deda8ad138827f9442b42e7233bd436ed3169a2f654c89a67467257853794509f657a264ed10429999aa0cb61005efbb610ea60f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywIe.exe
Filesize
970KB

MD5
9e360d79683c6dccbacd7b76ee067662

SHA1
a00792c2e7c5cdf42a53864f54514041893a50b8

SHA256
116af98d85f469816ddf59dcc37624a80bc2f88028db948d86aa240783c59de1

SHA512
0d28ab60e9d4eb677b595698e4de33ac9180bfb7ad4fa9a7fb16bd464e56e206d43959e39d4d52a7db435812c219c34bf57a02094c972b5e73e8b723735e89d4

Download Submit
C:\Users\Admin\TKgYUgEI\jYAgUUsU.exe
Filesize
110KB

MD5
15e8198b017c53e3c5acfdfc1a74ef57

SHA1
227e63aac719a9cb5eb75290d6cf2371275a9cae

SHA256
00feb786b7aec906682cc9cab1a851eb56592d39967227d589d7e5b360298bb6

SHA512
ca547f49c4bbdc9bf670d38e473da8286ea63e463ac924efe60ad152ad85d4f913b8b80bb53f74fe416731870bb85c4b9f85670ea1466f5dbb444fd61af7accc

Download Submit
memory/224-392-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/224-404-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/396-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/396-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/400-457-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/448-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/448-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-528-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-520-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1688-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1688-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-357-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-370-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1824-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1824-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1876-348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1876-361-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2444-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2444-421-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2444-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-507-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-519-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2472-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2472-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-423-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-430-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-413-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-405-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3024-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3024-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3076-511-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3076-498-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3144-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3252-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3252-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3280-492-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3280-480-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3332-467-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3332-474-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3416-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3476-502-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3476-493-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3488-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3488-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3492-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3492-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3524-79-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3560-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3560-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3572-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3656-475-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3656-484-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3676-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3820-448-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3820-436-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3900-335-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3908-453-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3908-465-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3912-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3912-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-375-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-387-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4052-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4052-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4136-431-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4136-440-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4340-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4340-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4560-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4560-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4680-343-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4680-331-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4700-366-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4700-379-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4844-396-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4852-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4852-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4908-111-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4908-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4912-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4912-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4940-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4940-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4992-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4992-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5032-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5032-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5056-352-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download