69aeaec4d5c9e024ff15234ae8bc5aaf97b98f410e364fc5109a7c1c36f0a168

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
Size

190KB
MD5

213e54e8e0cfc370f9c7839facb48323
SHA1

a4eb90787752567f1f9b63e8df6ffecc758a59f9
SHA256

69aeaec4d5c9e024ff15234ae8bc5aaf97b98f410e364fc5109a7c1c36f0a168
SHA512

85795f86660741063465ba2b94f212dae3a97962df07ef995e9f62ce555cd32a7bef8d5c4702db12f608cf0b8c70608b6db582fc8826dfd5f071dcb7419a0fc8
SSDEEP

3072:eozsn4c3TJZKPMmymb6fZKnzH5zhRstsx8PhAJbPBgyjgpKa+P5cIBrVZazvn6R:nY4c3TmPM5mtvRosePgbPBTuJ+P5JJ/n

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sUIQkAwE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	sUIQkAwE.exe

Executes dropped EXE 2 IoCs

Processes:

sUIQkAwE.exeWGsskQYE.exe

pid process

2372 sUIQkAwE.exe
4616 WGsskQYE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exesUIQkAwE.exeWGsskQYE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sUIQkAwE.exe = "C:\\Users\\Admin\\lCwsksAE\\sUIQkAwE.exe"	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WGsskQYE.exe = "C:\\ProgramData\\lgYgAEcc\\WGsskQYE.exe"	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sUIQkAwE.exe = "C:\\Users\\Admin\\lCwsksAE\\sUIQkAwE.exe"	sUIQkAwE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WGsskQYE.exe = "C:\\ProgramData\\lgYgAEcc\\WGsskQYE.exe"	WGsskQYE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
404	reg.exe
3068	reg.exe
3552	reg.exe
1412	reg.exe
5060	reg.exe
2780	reg.exe
3568
3584	reg.exe
4044	reg.exe
2144	reg.exe
1800	reg.exe
1912	reg.exe
5088	reg.exe
2216	reg.exe
1212	reg.exe
3116	reg.exe
3240	reg.exe
3020
1124
1916	reg.exe
5036	reg.exe
1480	reg.exe
1828	reg.exe
3792	reg.exe
824	reg.exe
2136	reg.exe
2512	reg.exe
4960	reg.exe
4856	reg.exe
212	reg.exe
3832	reg.exe
3884	reg.exe
2772	reg.exe
1332	reg.exe
3116	reg.exe
3080	reg.exe
860	reg.exe
3300	reg.exe
4604
3056	reg.exe
4608	reg.exe
4292	reg.exe
3036
2188	reg.exe
1012	reg.exe
740	reg.exe
4292	reg.exe
3344	reg.exe
1692	reg.exe
3448
5044	reg.exe
1996	reg.exe
2124	reg.exe
5036	reg.exe
1828	reg.exe
4800	reg.exe
2376	reg.exe
408	reg.exe
2212	reg.exe
3280	reg.exe
3052	reg.exe
996	reg.exe
4352
2796	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

pid	process
3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4704	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4704	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4704	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4704	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1800	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1800	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1800	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1800	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2844	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2844	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2844	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2844	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4700	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4700	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4700	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4700	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
3988	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
3988	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
3988	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
3988	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1264	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1264	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1264	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1264	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
972	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
972	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
972	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
972	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4288	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4288	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4288	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4288	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2664	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2664	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2664	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2664	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1092	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1092	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1092	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
1092	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4460	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4460	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4460	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
4460	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2812	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2812	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2812	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2812	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2704	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2704	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2704	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
2704	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sUIQkAwE.exe

pid process

2372 sUIQkAwE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

sUIQkAwE.exe

pid	process
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe
2372	sUIQkAwE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.execmd.execmd.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.execmd.execmd.exe2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.execmd.exe

description	pid	process	target process
PID 3364 wrote to memory of 2372	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	sUIQkAwE.exe
PID 3364 wrote to memory of 2372	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	sUIQkAwE.exe
PID 3364 wrote to memory of 2372	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	sUIQkAwE.exe
PID 3364 wrote to memory of 4616	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	WGsskQYE.exe
PID 3364 wrote to memory of 4616	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	WGsskQYE.exe
PID 3364 wrote to memory of 4616	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	WGsskQYE.exe
PID 3364 wrote to memory of 3828	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 3364 wrote to memory of 3828	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 3364 wrote to memory of 3828	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 3364 wrote to memory of 3552	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 3364 wrote to memory of 3552	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 3364 wrote to memory of 3552	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 3364 wrote to memory of 3036	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 3364 wrote to memory of 3036	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 3364 wrote to memory of 3036	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 3364 wrote to memory of 3584	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 3364 wrote to memory of 3584	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 3364 wrote to memory of 3584	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 3364 wrote to memory of 4960	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 3364 wrote to memory of 4960	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 3364 wrote to memory of 4960	3364	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 4960 wrote to memory of 4912	4960	cmd.exe	cscript.exe
PID 4960 wrote to memory of 4912	4960	cmd.exe	cscript.exe
PID 4960 wrote to memory of 4912	4960	cmd.exe	cscript.exe
PID 3828 wrote to memory of 4896	3828	cmd.exe	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 3828 wrote to memory of 4896	3828	cmd.exe	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 3828 wrote to memory of 4896	3828	cmd.exe	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 4896 wrote to memory of 4848	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 4896 wrote to memory of 4848	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 4896 wrote to memory of 4848	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 4848 wrote to memory of 4500	4848	cmd.exe	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 4848 wrote to memory of 4500	4848	cmd.exe	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 4848 wrote to memory of 4500	4848	cmd.exe	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 4896 wrote to memory of 4808	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4896 wrote to memory of 4808	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4896 wrote to memory of 4808	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4896 wrote to memory of 1996	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4896 wrote to memory of 1996	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4896 wrote to memory of 1996	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4896 wrote to memory of 5076	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4896 wrote to memory of 5076	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4896 wrote to memory of 5076	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4896 wrote to memory of 2472	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 4896 wrote to memory of 2472	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 4896 wrote to memory of 2472	4896	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 2472 wrote to memory of 3912	2472	cmd.exe	cscript.exe
PID 2472 wrote to memory of 3912	2472	cmd.exe	cscript.exe
PID 2472 wrote to memory of 3912	2472	cmd.exe	cscript.exe
PID 4500 wrote to memory of 1820	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 4500 wrote to memory of 1820	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 4500 wrote to memory of 1820	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe
PID 1820 wrote to memory of 4704	1820	cmd.exe	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 1820 wrote to memory of 4704	1820	cmd.exe	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 1820 wrote to memory of 4704	1820	cmd.exe	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 4500 wrote to memory of 1624	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4500 wrote to memory of 1624	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4500 wrote to memory of 1624	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4500 wrote to memory of 1192	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4500 wrote to memory of 1192	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4500 wrote to memory of 1192	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4500 wrote to memory of 1212	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4500 wrote to memory of 1212	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4500 wrote to memory of 1212	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	reg.exe
PID 4500 wrote to memory of 3116	4500	2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\lCwsksAE\sUIQkAwE.exe
"C:\Users\Admin\lCwsksAE\sUIQkAwE.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2372

C:\ProgramData\lgYgAEcc\WGsskQYE.exe
"C:\ProgramData\lgYgAEcc\WGsskQYE.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
8⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
10⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
12⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
14⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
16⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
18⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
20⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
22⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
24⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
26⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
28⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
30⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
32⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
33⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
34⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
35⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
36⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
37⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
38⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
39⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
40⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
41⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
42⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
43⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
44⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
45⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
46⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
47⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
48⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
49⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
50⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
51⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
52⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
53⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
54⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
55⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
56⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
57⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
58⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
59⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
60⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
61⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
62⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
63⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
64⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
65⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
66⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
67⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
68⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
69⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
70⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
71⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
72⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
73⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
74⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
75⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
76⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
77⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
78⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
79⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
80⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
81⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
82⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
83⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
84⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
85⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
86⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
87⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
88⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
89⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
90⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
91⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
92⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
93⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
94⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
95⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
96⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
97⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
98⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
99⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
100⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
101⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
102⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
103⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
104⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
105⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
106⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
107⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
108⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
109⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
110⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
111⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
112⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
113⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
114⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
115⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
116⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
117⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
118⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
119⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
120⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
121⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
122⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
123⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
124⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
125⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
126⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
127⤵
PID:440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
128⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
129⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
130⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
131⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
132⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
133⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
134⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
135⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
136⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
137⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
138⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
139⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
140⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
141⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
142⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
143⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
144⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
145⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
146⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
147⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
148⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
149⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
150⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
151⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
152⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
153⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
154⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
155⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
156⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
157⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
158⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
159⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
160⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
161⤵
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
162⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
163⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
164⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
165⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
166⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
167⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
168⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
169⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
170⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
171⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
172⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
173⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
174⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
175⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
176⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
177⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
178⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
179⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
180⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
181⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
182⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
183⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
184⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
185⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
186⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
187⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
188⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
189⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
190⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
191⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
192⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
193⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
194⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
195⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
196⤵
PID:3296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
197⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
198⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
199⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
200⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
201⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
202⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
203⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
204⤵
PID:4796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
205⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
206⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
207⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
208⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
209⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
210⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
211⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
212⤵
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
213⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
214⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
215⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
216⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
217⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
218⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
219⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
220⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
221⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
222⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
223⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
224⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
225⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
226⤵
PID:4684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
227⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
228⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
229⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
230⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
231⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
232⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
233⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
234⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
235⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
236⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
237⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
238⤵
PID:3528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
239⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
240⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
241⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
242⤵
PID:4860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
243⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
244⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
245⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
246⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
247⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
248⤵
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
249⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
250⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
251⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
252⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
253⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
254⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
255⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
256⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
257⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
258⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
259⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
260⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
261⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
262⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
263⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
264⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
265⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
266⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
267⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
268⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
269⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
270⤵
PID:3384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
271⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
271⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
272⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
273⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
274⤵
PID:3376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
275⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
275⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
276⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
277⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
278⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
279⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"
280⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
281⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
280⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
280⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
280⤵
- UAC bypass
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQQMAEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
280⤵
PID:1068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
281⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
278⤵
- Modifies registry key
PID:1828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
279⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
278⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
278⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IioQUIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
278⤵
PID:4624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
279⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
279⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
276⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
276⤵
PID:3792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
276⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYEcIYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
276⤵
PID:2796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
277⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
274⤵
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
275⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
274⤵
PID:3856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
275⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
274⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWQIcQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
274⤵
PID:4416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
275⤵
PID:3828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
275⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
272⤵
- Modifies visibility of file extensions in Explorer
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
272⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
272⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwMwAEMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
272⤵
PID:3764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
273⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
270⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
270⤵
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
270⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waoQwMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
270⤵
PID:1264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
271⤵
PID:3980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
271⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
268⤵
- Modifies visibility of file extensions in Explorer
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
268⤵
- Modifies registry key
PID:3792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
268⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIUMYwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
268⤵
PID:4620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
269⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
- UAC bypass
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGQIIocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
266⤵
PID:2652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
267⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
- Modifies visibility of file extensions in Explorer
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:2284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
265⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
- UAC bypass
PID:2028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
265⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYkYEIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
264⤵
PID:3932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
265⤵
PID:2748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies registry key
PID:1828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
263⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkAoQIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
262⤵
PID:2340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
- UAC bypass
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeMYEQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
260⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:1292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- UAC bypass
PID:4216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIkYUkUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
258⤵
PID:1212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies visibility of file extensions in Explorer
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
- Modifies registry key
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqgUowcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
256⤵
PID:2356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeMsQAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
254⤵
PID:592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:1832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASEMIEsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
252⤵
PID:368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:2192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKoIEEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
250⤵
PID:452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies visibility of file extensions in Explorer
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqMUscoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
248⤵
PID:2748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIQcMUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
246⤵
PID:3980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoMcIIMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
244⤵
PID:3792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:1916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCYEQcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
242⤵
PID:1124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- Modifies registry key
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIAAoIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
240⤵
PID:388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- Modifies registry key
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGcMkMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
238⤵
PID:4856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:3480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGQYwMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
236⤵
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:4216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
- Modifies registry key
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeIoAMIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
234⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:3624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgUgIAkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
232⤵
PID:4856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
- Modifies registry key
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmoswEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
230⤵
PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:3528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iogQsUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
228⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYoQsgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
226⤵
PID:3632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAIscQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
224⤵
PID:4332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuUoYQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
222⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies registry key
PID:3344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:1476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCIQgsEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
220⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
- Modifies registry key
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGsAEgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
218⤵
PID:2804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGYEMkgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
216⤵
PID:996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sooQkgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
214⤵
PID:3544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:4796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCcsossw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
212⤵
PID:2836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
- Modifies registry key
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- Modifies registry key
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIAswwoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
210⤵
PID:3564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:1372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\magQwkMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
208⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:64

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcAkMwMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
206⤵
PID:4044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKsMYoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
204⤵
PID:4992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byEgYUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
202⤵
PID:64

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAoYEsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
200⤵
PID:2652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
- Modifies registry key
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqEcwwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
198⤵
PID:3364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeEQkEws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
196⤵
PID:1480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkgEYMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
194⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWEMsQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
192⤵
PID:5012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaEsUAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
190⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqYsAMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
188⤵
PID:4416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAooMkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
186⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCYEIocg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
184⤵
PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGIUoEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
182⤵
PID:1012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
- Modifies registry key
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycYAUEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
180⤵
PID:1096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIYAooAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
178⤵
PID:3660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGcwIgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
176⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
- Modifies registry key
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgMMgskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
174⤵
PID:3828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies registry key
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- Modifies registry key
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmccQoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
172⤵
PID:1832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMckgkQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
170⤵
PID:2100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuQQMAAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
168⤵
PID:1336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIocoYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
166⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- Modifies registry key
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUUcUosg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
164⤵
PID:368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaYkwUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
162⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies registry key
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies registry key
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKsAAkoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
160⤵
PID:3776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMcowsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
158⤵
PID:2760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEoUAUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
156⤵
PID:4188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwEsYgMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
154⤵
PID:3264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
- Modifies registry key
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkYUMsAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
152⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQoMIoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
150⤵
PID:4808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmEMMcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
148⤵
PID:3932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQMEAoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
146⤵
PID:4244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gugwcocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
144⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYAQogkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
142⤵
PID:740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaUcAwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
140⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgEQsAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
138⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYQAIcMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
136⤵
PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmUYwMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
134⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- Modifies registry key
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgogoAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
132⤵
PID:2216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqIcgkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
130⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies registry key
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
- Modifies registry key
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqAgYIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
128⤵
PID:4836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
- Modifies registry key
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaAsMYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
126⤵
PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqAsYowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
124⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsAcYEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
122⤵
PID:1164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- Modifies registry key
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuocMIUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
120⤵
PID:1260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEgQAkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
118⤵
PID:1932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqAgIQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
116⤵
PID:1212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIsIAMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
114⤵
PID:1084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- Modifies registry key
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKYsQAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
112⤵
PID:4936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmEkcIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
110⤵
PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcQwIoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
108⤵
PID:3012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOgoocsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
106⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuQYEQkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
104⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
- Modifies registry key
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwwgMQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
102⤵
PID:3064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
- Modifies registry key
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUgEQoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
100⤵
PID:3780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okMUcIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
98⤵
PID:4900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAsocckA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
96⤵
PID:2796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIEEgcMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
94⤵
PID:3776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQwgYYEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
92⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKAQQsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
90⤵
PID:1896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmQkswQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
88⤵
PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies registry key
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psYcEccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
86⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqgwUsMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
84⤵
PID:5024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwYAsUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
82⤵
PID:1012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUsUEAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
80⤵
PID:4188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies registry key
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKMMkgAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
78⤵
PID:3932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIEYEwQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
76⤵
PID:2340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcEwUIAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
74⤵
PID:3396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- Modifies registry key
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DssMAcYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
72⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIEEwQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
70⤵
PID:388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWAAYoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
68⤵
PID:3424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cosYQsMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
66⤵
PID:2812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYgYockg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
64⤵
PID:3400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeYMEsME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
62⤵
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYcUgwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
60⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKEoQgEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
58⤵
PID:932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmQQQscU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
56⤵
PID:4604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wosYkgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
54⤵
PID:2436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wooYkMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
52⤵
PID:3444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEMQEQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
50⤵
PID:4568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSsUgEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
48⤵
PID:1264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEsUIEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
46⤵
PID:3280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKsMwIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
44⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYowQAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
42⤵
PID:3576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwYEgowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
40⤵
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQEIQoIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
38⤵
PID:2808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSsQQAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
36⤵
PID:4804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmoEMIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
34⤵
PID:932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGwIEQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
32⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQUgMocs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
30⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEIUwoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
28⤵
PID:4256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqgwcYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
26⤵
PID:4156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCswwwQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
24⤵
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwkwQggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
22⤵
PID:1624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMEkYMgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
20⤵
PID:1356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkAwMAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
18⤵
PID:3972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGoIUQcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
16⤵
PID:3488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgMAsAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
14⤵
PID:2840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAEosIsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
12⤵
PID:4888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GykksMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
10⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feMcYgIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
8⤵
PID:3076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmcksoMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
6⤵
PID:3116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGcQcssw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUEEkosM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
229KB

MD5
cdd365df7da8d4d0bae51c1824bf7ce6

SHA1
44af0668c1fc31f48146137896e340e74570a223

SHA256
515bb101d1c7fc9f53f77add4ae3894165307bd4f61a3b2e4a6137ba2da72fc8

SHA512
106389a0237a9c2f3c5957ba6d4119883a041fa480be2a800486614facf33f08a1f8abfbda25bda0012e6ca27c4d335d06a66ce26810422f53ae8c9cd8c94cda

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
210KB

MD5
c724085431acb05a0e1e90e284bb2535

SHA1
ecdf4d987a28d2b6f18cfd1d2290f3d37a97a92d

SHA256
3f108d9be62594d488177627cb87e2f240abe6bfeeb927fd1ad260c346c482c8

SHA512
49a45c882b7770a8c1b2e3c668ad6680fce9988fa8ec6437800c89f895a9d6d458eab6ab6188a421e06cfe961eb0f8206cbadbc03146e9599f15a8da2b84b9ad

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe
Filesize
808KB

MD5
835d97c0d6a05e40fefd3f6e6db8bd39

SHA1
dfd70b3a151bed6d7f5d3c904f998e227ce199d5

SHA256
5bbf8e084bf883108429471222336fe0f538d6104102685464e0d62d51067861

SHA512
efd4892fd84a62bc7164d519917aa6345b8f9ab5d65657c65f219517df218118bea257ef3ae7bb1507183360f5b26584df18ce678b4b80ce63e2e2c1c553fd0f

Download Submit
C:\ProgramData\lgYgAEcc\WGsskQYE.exe
Filesize
199KB

MD5
fbd7e5774c2bf7038539b2e350782081

SHA1
d15a2f265e586792150bec7fd3e86ae02a608ca4

SHA256
bd048686366c62c2d91ea96aa401d0d2ae57e8b9473bb8f7e954981f777d76dd

SHA512
93ab0bcfcf815c9d4f1ce71a80a32ca2f98a6a4727d3c390d88f1ea0b81c6935112be5bc68809ea0eb6aa0657b998dbb4cfc4899d93ebc0c6ac85e95789e059c

Download Submit
C:\ProgramData\lgYgAEcc\WGsskQYE.inf
Filesize
4B

MD5
380ba586bd197cec8ffe8538f46b606e

SHA1
d41d50722927824cb31b48fad97488db49f57d47

SHA256
e6a6bd1cfe72fbdf57a22b37560fab1421bec180b9364249dfdc1a0f5a3d4d2f

SHA512
23fd377df5c16110e867a26c395e543748bd9c848310e9a1775f85ebdec51435e86ddfacbd232291c41c160b008e16227da3f665a6f62a5e785b723865a15bb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe
Filesize
207KB

MD5
cb5a7ab6d23519dcd42d0920e7b3a6b9

SHA1
f824663160e63112d6ba6469e31310e2bd5fb139

SHA256
902160b6a9ff8bc160004dd06077fba9122ebac821b1497d4fce666bb86a7a72

SHA512
6412bcde18f45386281470616af66d277dcb6115079ca3a24bbb2282f9ad764e76ca13dece858568d50aace39730be24cc4c3c8fb71b5703828407e54efedc36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
Filesize
204KB

MD5
d810b3750005cbfcc21fad60bfd5cd4c

SHA1
07a9e83e121f0e76ce95fde8cbec9e0ab45cc13e

SHA256
d69a1c667b7f73c1c69c82fba1f54aaeb0c99c67098c194a0d4ffb2896e94475

SHA512
ff28c532e75195e0c8a678b47da7c60e869939046518b043b8db369c0597d7ffa4f807847ea2aaa1a00e338a17dd24bed7fa7d15a9924299407ef77531d95ccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
Filesize
205KB

MD5
65b621e47ad14255a0685e253d8c9a94

SHA1
5097ced65e6e8047c37233b24c5006e34ee8101b

SHA256
300da980d51cee10fcbb9b20b00b3640c87fabe18fd10d2dd0c9eac2d4a8c2e0

SHA512
661a99859c39ec35680057b5a16a14923c938a77e97d37bcba271a79f783efa079c7a2d183377bc2a9da635ef10cc7df5f100a44d5964882109b416b96710551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
Filesize
213KB

MD5
3e783b3714c410ea317579d2b6afd52c

SHA1
fca33b194a71069a7d918e617332609c8ce90f55

SHA256
53bf901da8e2236d9a4cf27aac84e6c75aaa898c385c4582d75fedc4452f7f91

SHA512
fd79969676c4bd1c4ec499720b0231bcd17f4329f8a4989acede24fedc9392074bcdc4ee69a023c653a064ef8f832cf15dc752089ff7427d4fdd9df05db5cda9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
Filesize
195KB

MD5
1229323a9e6a2c7c7e075c0d9f7f6b5f

SHA1
1ba55e4d7bf0ac6af282167efd8ffafb6e57651b

SHA256
c3457dedb212a5aff05585e1f041ce1d2b0b07cbf68ff24b920c9fb611cf1574

SHA512
bf50cee6f17789a44ac87795429ad8973cd379d00f8143dde1394b09669450a221ac91fa4123e96d5faad00bcc2be14976c2051648ff06027e4d43a23435e46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMwa.exe
Filesize
860KB

MD5
fba70f743895c869a1555ee71a500ab6

SHA1
5c87b891eb9fba25e5c97fd1cc1e1e617f859619

SHA256
a8211a21e06406e6556e3b8a896d9400e9faa064a0b3061c54a7acf005cb9c74

SHA512
65793abcd3b2c44d9641edbe966b27f15d96635c06d95f1f3eb6a641baeac0cd364e4aa995b58c068c1d8df7c8eff8d541f8674a1778460ee2b8bb3574169c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQYC.exe
Filesize
193KB

MD5
8047ef3ecce5bcfab6bde4d0599c148e

SHA1
225e948bdeaf9b50d290b471f760f334d78cdcf0

SHA256
dcfb9d7ea2b5739f1d7cdefa119bc39476b43ebf861d4fe6fc33221897c474cb

SHA512
31e565f2a9ee8a10dbacb545b07da5a5b191cc7cdb17b0c1a41873c04f17552fdb86cc0e93cde7c29c31036ec37349b3556e26c1e5180408b411aa3196d6c5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUIQ.exe
Filesize
213KB

MD5
808c850b6c1755ca4a17e52480fb53d3

SHA1
e0a875a18712b6351487b6eaa692b094a43f7ec0

SHA256
8195fb1f2797f72ef63e1bc73da8ca84837b36a81d8bb02bb18656a4d895fbe9

SHA512
7ed99a312a3dc0e410f7e5c83321db0d8956aeee03b0f56f8e80ff7e0ef53c6ff326a49b190cd2f7e967d8411022ce828462e3e900d378683649e6be61711456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Akks.exe
Filesize
220KB

MD5
c535cf9b52ceb037895bb203a6e25620

SHA1
3963951620aee6dac5f88e45e92efe71ce5c0442

SHA256
10fb2c82f75b98924d92e9e4677471e4740050e8140e55e61759305017141b4d

SHA512
0b850479f794721ad089ab0a3dabc33aa46d79869f656e79c220b2d9c13f1ecb11565db6d21058f653346d7463a926996de9296bed65be55272c294b54deaf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIw.exe
Filesize
425KB

MD5
7a0d2073ea0ea7d1b289a477b5145866

SHA1
2abed85b8d7af99c0e280de1e9a524bdf572b725

SHA256
12a60a169fc13d59fdcc683da93b5b7c4757ed446d61f39b76e3da4cc70aaeb8

SHA512
5b7ab26856afbbbbdc6c42374aa28429dff9e7fe69aeefc3781e50f1a9cb392c5d2e14b02586135df257effac75e9666235e27f345abe89fcf882464889955d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIQM.exe
Filesize
575KB

MD5
9079e1f681046a2d46199c0bd5801cc7

SHA1
df757700c21846d811d87621894ed8917fe8c453

SHA256
2a0f5b86d3dbd00fdd1a6b3984df6a54aac33bc0d993ce8257c0f357a6c422c9

SHA512
de56cead7bbb21e94f2db52290414150864db1cf17b64e28276caa0dc8881defdea9839babb18f1485932bb3d709276b3b6cdb719a5e6740344f41fa98bf30b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQcc.exe
Filesize
186KB

MD5
6501275b8be6176e840d49f8b203e7b2

SHA1
a17a6c5613809463c3d354770bbc66b712d66aaf

SHA256
e11862f41e0d295c62faa3f80e5622fc913821dc8f4666883b0eb1b261d5bc1c

SHA512
120bcf751d7b269e01b6fd52b8c06ba05f78b4b5bf8a6f1debceb449fca27c47968688cba8a84fc39cef424262b29992f86e567c0d882c4eba52cbeb54cc6c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgwY.exe
Filesize
183KB

MD5
63e7b37f42c3eb26f9771961d3ced6a4

SHA1
2482de767c234a820691a89cfca482379c8a4309

SHA256
6a5089f6c6fa5d0aabc6a61492ad24e2170cf131bb4316a67277c433b1807f01

SHA512
328c1a3208f220e05f6d16cb2b2d6f43eb8b53247cb43ee7c4a0c31754f5bc82df381a1d0cc231732fb24fb074ea0877136685f96ff8d51483142645cbe4870c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEgE.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYcy.exe
Filesize
804KB

MD5
080e27d174e9513a68803dac0226f890

SHA1
76baf34d63581a197515ed345e213802f17ad033

SHA256
0ba0337044e684dfd968d7d8dba0167f660bdc4aca40d18a9618eb4f5fab320f

SHA512
83b42709154ff2338da506bc573f9f582ad61d441301b77b19e70215ed3541151f4378f1e654f2cf5efb15018ddbb277eca418f24b78dada72e765a7ce5b9dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcIm.exe
Filesize
203KB

MD5
e3f5a73c84630c66cafedc84960ac95b

SHA1
366bbd6fdb67c34a50a6f34d2c98dd11f3dd604e

SHA256
9a7708533f8636973be30c7055454ed86dab78842bc5f2b516ccffbc16a43f04

SHA512
0bfa7a0b2f95eae7d6317d389bb3c0e9f53c66c44ae67ffb9de52a364013becac20cc3b8e0f46be56bae117b3bd88435a54b083c7cf5c0ae329f46218bd8c367

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwMe.exe
Filesize
201KB

MD5
1849ec73b3029922c1b4c7ce9e04acd9

SHA1
8a33b43d8458a6fcac09f9dd1f3df657af6323f2

SHA256
9ea796fb7a67fd533f552e8a71d62f55c13612f7fc22b867a43059e7e07235df

SHA512
4ac90624840d0998780febb579143dc0ffd61b96f398e55e98b840dcd0c39472b96e35c98a6c62521fe54d1899689a11191c5e30ebc03afe191753b54d8cfe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEsE.exe
Filesize
1.0MB

MD5
132e7e6836c0bbaba59b898092a3d957

SHA1
fd05e253c6fa894e58f5c0cb712ee89751637805

SHA256
a858c5a92d83016f1335d74689794b56142fb991da4d62a8ab148181b7281649

SHA512
4782d297769742baecb1b5c8baa156d945bc3980cbf9c7cc012f7ae7e6bfa5b0c45ae74de9ed40a9f7eb1916c626d3bdda73cd8d2620a720dc0b421ab11c0d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQoO.exe
Filesize
185KB

MD5
ed6830574e169a5f64d1d8267360261d

SHA1
b4f20c8d76886a433c9344e2ef1764b55933c883

SHA256
d3c057606729ffe330193176987545385d32de040adc60304d028f8e3c9c0e83

SHA512
485db60858fa23a01e5d6e8f76314c0ca17cc504efeb7d2d8b7a466d900955bb4725c0ac4b0e8cde0e6a611fc0dc30d2db27d984eb333836431e6946f6d293d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYkk.exe
Filesize
205KB

MD5
e9f4afcd4ac0220fbc93f25e6f18c702

SHA1
f2710acd8b6a4249364a1bc6e5cc7b66f41bd934

SHA256
f9961119cc63de303c7d15dd895ad199216e3d10f9481942a16ffaee982ca10f

SHA512
9dfc0d355fdf066963cb9a05d94569e449ac392edf2bc9d9e54bc0c674ba9f6e0b9ff6f4da0d31eb4835ac8bf7ad56601a2c0d04b656b92d5a62adbe35dd82a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYoe.exe
Filesize
761KB

MD5
67ae53905af543fb77a17c52c745f761

SHA1
82280e5c9feb020a7a3c58c1ee5de9b5495e8242

SHA256
bc29fc542adbfc2adcfa58477fc0eb7db1b101f284a9a3768b9f3a30b0b2447c

SHA512
dea4e283216d17e52235325be9d8ad9c87d22bd0f058833fb7f8ad741b6901e47ebac592ccd1a09990e47f943d97545cd52d5e3b7963d93591bfdd8f66aa9e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcAG.exe
Filesize
184KB

MD5
c733260dfec9339bb8c95cc6d5c12e31

SHA1
89fd76c9e3d14756ff785a21a0ee7aa4ed5e517b

SHA256
2f79cb8b95e799f3eae3902981abcd9f7c44203e17c61642eb4a48b88f749947

SHA512
69d42194fd575e3f3eaf5dcc037e5c9494cd6026eb1b9314d5ff64d542a45ce76570b3625892d9c080a337b059f308b16af5681b1a9bf377f2cb1720f4e5c324

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgEA.exe
Filesize
1.5MB

MD5
182f76c65ee93bd01a97c57152fc25a3

SHA1
a58d0a16af46dc89efd8d1778776d03997a843df

SHA256
e26f0d6ba2104eec3ea6637f53c890d1b81a0ec544e1546f5cd3b808f45e72c4

SHA512
f86347ef0d9d0d8d55776612b5ffa87346ce9613a147013e54712853d81d235638307af74770cc1d66d1a3ab7fa197ab6e8463fb45345c776fc10a5f171c91f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GksG.exe
Filesize
771KB

MD5
8c582a3e68e6c24b2b4de6b8a3dba48b

SHA1
f7fa7fe16dc0d3b2a2eb8bb7a4f1199b2ea59c8f

SHA256
f443f34992921fe1e28f5d65af8d2bbf5ec6cef9a11b30280afc6474c0e63937

SHA512
f4854b32b1b69cd24248c256c91623453868cab547b54bf509fd8236897b48b1613858d3628a8e7b9dd06bd120306b9f62f8044bfc206eb03b16399cf5780564

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsAK.exe
Filesize
208KB

MD5
4d8f9df5081741fe4023452e432d9879

SHA1
3287ca5af4a2d1c4cbfdfdd64d6f245758850525

SHA256
e5e203ac146114e7c14954c2a27776870c40da9c42179092566e523b84e9c3e9

SHA512
cff71d787b889597e7e8771e6c7aa7c3bf1ce07bd900a0c63cf3774f007555b26cc5901241656989752c7fe62bd73b6dd4c67a18df99c53299a473954c135d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIgE.exe
Filesize
184KB

MD5
5b134a9490b0d725b3db05ba9d77558d

SHA1
4f27d544d10d543582717545d8cf94635c39aa1a

SHA256
715ef1791456e059bf781f9742bb477b23ca192b0df512a18ac8a6d961ee8a14

SHA512
fcd2880cd19b7b9d968a12cac06b4a6318c4fb3446495c67a0586a3ae3106274f0c0c3246ddc30e5d36c2ba97bcd283edf9d47fe9e2421a3f99fc5908c920908

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYce.exe
Filesize
324KB

MD5
409e4623481ff442e9775c34ac19b14c

SHA1
cd682038add5cdbe7be4b5a87655a59e4400dbd5

SHA256
61909d2748999317da07f97a736ceab9067901ab8336eeb5e021a959761cf74c

SHA512
3a2c1940df289457e580ded62bcbcb3e33704f038fd4534f81be7f5d72fdd35dd6dabf311b16c188c26690dd68dbd4f11c6f7a9ee54a4d9ce8f7e1f225dcd94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcYg.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkUU.exe
Filesize
194KB

MD5
467b3c00c58e37088c654eee1fbfe284

SHA1
1586b20ab6bc10ae52ca0e7ee5b8418d3ade278f

SHA256
05c038ffc0c84749fb4a824ae879809c787712d668b2f0159a71476b48ef15f8

SHA512
0188dc1a06cfa3e61eba457231ba85641bce707f357b77d290da0c51d74f287a8ed4c685f6ee071f07d1b52c402e3080af2bb93630913724cfb13201e80034f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEEg.exe
Filesize
221KB

MD5
b6a7650569b7d4a2e1e9578d76db3c7b

SHA1
ca2ca67a7903f4a3fe72b6c891b38adc4ed61604

SHA256
b8b41d88d11cad16cb0b42994094e5441e0c8cd0b367bfecba4100c6218c1162

SHA512
f00ff131824d3c58b24085c90acaa5301dd50aebb1f37c25a752e69a60c14e62621851c4824166c7539a26e564fc68d92390f99e9d0e78df57675b96b16af754

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQIw.exe
Filesize
188KB

MD5
dfe6fd06779a6a1d2a9d5ec651c17064

SHA1
546706e5fa3f5d3a1932586d6713ea06affda67f

SHA256
b8cbbddd2f9cc6b10bd34f782242d6ecac69674a7ef98a69ce830e8a2027b58e

SHA512
5a8c1da866e5fa5927a9584f0a9f87a8ee3679a69f412d06955f5c1679b73d4ba10285e789064b7fda153a3698ffaa64f93a00a97f5408b889741c3e98393b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkoG.exe
Filesize
713KB

MD5
449a7b879b1bd9e6f111f9b1341869ae

SHA1
0ed266655f0fbff473e6edc3f9796925af26100f

SHA256
3af801d29f26d69ea74a188f41acef53f351ae4c6295d12cf932a66013946c83

SHA512
2dec6b09c796e968a383881efbdb44820265e1efb37fbdb18baa5fda6bb3afa7bf96bad212fd9917d8d2a1fe53b82748fa26bf063b0d15c947ff4e807dbcbebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoYs.exe
Filesize
207KB

MD5
78d5b57b9c0a5669359176da0ca96c99

SHA1
cdf5ec70a45d583fff0b16484b1507b7ee006b00

SHA256
26c23bec22cf8ee123a4ef202aed5effebcb5e879af4f72ee6f44f1de8532121

SHA512
88f7c36bfc6f020cf96ddc18df33cc93eac99a8bb23b40ab48cb80dbfd39e997b786b5d2adc1556dba01eceb82ff722905c3dcc2d692a6047606344ca623c503

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYUg.exe
Filesize
206KB

MD5
7ae2cd0ebd705afc8e34f4f554a5bd31

SHA1
bafd44eca43b5e9fefb42a1f4f47ca59122108a2

SHA256
d05bd4894ae853fdd8c7041093fdc5133b21d6dcae9c0fbed5389495dc100086

SHA512
b5665d6a4a242ae621876b5482f0a5bf01a339482a47577b29c92c463f9d4beaf60c0c116d203997f9a45ec18a9043e65584f40c1cda9535b0eb05b9e5b3ebe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgAY.exe
Filesize
312KB

MD5
9b0ea57beca0fce36ff2adfe21443969

SHA1
8a0d4f93d9dc89574ee5117da5a2d607ef5c91c7

SHA256
6564514e1d31e847ae22e8d111e2527abcf7a9275753e9ae7a66c296527adfea

SHA512
edaad78fad328dc4d527a3b61dfa5a5a00d22a8a242784120bd8f57d2716ee7e6357d24f8fa5cdc4f3ee6590c8eaf67fe6b5fa20f80440a382618541eb2334bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkMO.exe
Filesize
207KB

MD5
c55147619bd34eebab95ec3a858cddad

SHA1
cb0a595a0096ba02a807a39c0fe7a62f9067e220

SHA256
79a6918d6f848350ffd9b7fd3fcf85b30d0f712aa2e61a62b9cf4a4462780039

SHA512
e896d3a2b1deadb2d270e978bd94369a6e2a213d58491b70eda88abcb10e0522a2a283f2b7d411da8de9c10092cb9ad1b3db3520574c44a45e5e005b35f8ad45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUEEkosM.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQQU.exe
Filesize
195KB

MD5
f8408edf0da1d2218609c2763ad5f185

SHA1
1ea3b020e1c27da99ce3f0abb81ac5d6b23b6006

SHA256
7634567469d9974bdac4e58b0c28c7d1aa7df68b1db93d95f0aa749b3ea676e5

SHA512
b85ce39dec1c06ed000b20f2bdc49249211719b4c34efe0c66d17f4570068fd5cfef0c2e0a1c9fa5540d0c069dd8269abc2c651663efd7b0cfb3cd3d9e5617b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAcq.exe
Filesize
183KB

MD5
523d0762432de77b14fd646d69cc8eaa

SHA1
b3e1f7e5a0ab2dece4a06618683e7dac2871bd95

SHA256
4a7a0a1f85e6b0de7c458acb86fae506c11fd6d5c4e06aa5d76290a752a8ce8f

SHA512
95c9511ae8099bf6106f11b98fe7ded7815f55230434c7fdc40e007a275944bfb0e2e6b1c8cac91f7d7519e2828a617c77366c9b1e2a71fdf36f89d2237926b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMEW.exe
Filesize
199KB

MD5
3022f257839121d4edb757d87debe7ab

SHA1
2141497a3c522505af88eed75f40161973b04dbc

SHA256
5bc0a0009fc4bf5bd451468167134212d67106c7bd245ed5a1549f9232f849d4

SHA512
a97a7e18993176b1db9ae41c3a9750f1ddbfb43bb098104a0912a1c04311435afbcb89e0204e612ba9ea7b19bff5a0117d57138bb8830e072d7b10a89ebb6a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcAk.exe
Filesize
200KB

MD5
b967ccd07dc7712620ab9ed017eb595b

SHA1
ee6c52543423abdc07d143f4acf262f0d9e39686

SHA256
9deddf33f542bcfc6006244fe5390256e67a5b0105e8543335fc790b1c2b375a

SHA512
557d8bd5ce5741ab86e1e829ef5ea2e8a65699c52ac9279f57b70a209c2b8276306e5898fbb2e76d97cc44aa11ec6fe9e9f71500bd726d13d548d76e405c763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgQE.exe
Filesize
202KB

MD5
0ac0cf8dbf92254d3a852290da49d32d

SHA1
7625584a3a7e735d9e214552741ac3fc052744b1

SHA256
1a956ad9b0df5a5a12de857cb872b0ea17678aa9eedd2ae72fb3bced6cbb223b

SHA512
8a15ca6cc7d7a28d1c913ff9456d1e854581820f70cec4beae078135a45205f811fe9938b2cb36b531fc8e521bed6c245f6cd136ff23b0f681c319e481dc758a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQMe.exe
Filesize
204KB

MD5
8a56dc199e5aa5baeecf5f686a22ce8c

SHA1
b46ae53253f82c08c02a651f2af2a1fc61a89b30

SHA256
99872ea96620240036c07dfd54ac070474c00a80d846c17eab881152a127af1c

SHA512
bd8887c1d3b5bf882350f80af8d89ccd371a86def1da7fced42d5b60792e36654f81bd2e5ae1f1b2db34b3826f73d6911a3199638204988cfa38bdfd53531ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WosS.exe
Filesize
184KB

MD5
4b1a09b890567a659588339c66e6da46

SHA1
30479385812d12bd736f0ba63579066088531b8b

SHA256
a12035852fc7f100272192c0cba6a0d21025d55a66ee104d45ceb683724c05ed

SHA512
06a5cd43ff33184c15ae85d6861874d4f7a4df091eab1657efcb4fb5b811fe816f51c2d20fca78ffc80a2361c9e83afb7c9720d90bf5f25e6dac1b1050a4aa24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwwm.exe
Filesize
187KB

MD5
ac811077e8c7adfb9fdcfa16bc332202

SHA1
5f315473f7588d8b5bc591c06ff9ded16850ccf0

SHA256
bed317e9fec72169122807d13d81bc79a601d536125dabd318a9b8aab9812075

SHA512
003b62459db92331b38e2d5b6897be4c71ad38b746c708c09fb585814437ce9fa4ca9fab0d20d352af5a0fe1b04ccd3152d6a3f1071df92b3793c6107b304b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEsy.exe
Filesize
190KB

MD5
5d5548e4c21864c389daa99e6b774955

SHA1
0fd16f27f1516c49953922fc6df01d1140a85e7c

SHA256
36efda70a3ff2f70970c26e49dd045fb6166c2c840bd4eeeab9d34fe6cf30447

SHA512
93ecfc588d66ec1f875251aba1d9b6d683b51013c404d13c50388aee727b32cceedfb4a19add9d358b5486fb56a40d08b9b5916f0a87b9c735932bdad89f622a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIUc.exe
Filesize
193KB

MD5
e982aafc5126306f90a96e323b3ec015

SHA1
1621282e7a73314bd8399814d83bf64ba8bca7e6

SHA256
6764fda83523ec62975065fcd3ed87dd0aa22d094f24114943e903c297fbdb85

SHA512
f0951d8f618c608421e2cb40b65550eb93e42d4faea99e826de829bfb3b117c73b124a1e477e6448b22cdba61e65076399b8f37ccf2fa5fa675994dce34df837

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIog.exe
Filesize
547KB

MD5
1d7dc4bda9bd51d3a8a43806e3702bc3

SHA1
af0dbee94c34a325e5a80594ce0be6b174ae9009

SHA256
8bbe17d5d462969e4d35dfb9ea36f933cc2bf8cc78fd8aafe45484402c631020

SHA512
5658b412f3e9ca14701027a62f7624f4514cb413e05b772d158bbe82f74adf8b18184f4982cd9418ef4e2e9086c6025685f68da38efcdba18614fdcb3c780b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYgs.exe
Filesize
196KB

MD5
9f1d4d4dc114c114e3643503f0abb6c6

SHA1
c00a51683cc41f1832bd52897114086d74be8c2c

SHA256
d7975b7b7b6fc835ff5beebe5f881c0185cc09aa00b561deed9c4da9dfb5e963

SHA512
0d35759d5ca472f45486bb5db323f6d52ed9602cb16e25dccf727941af15febe90ba63cd9ed4ccde7d94b4e1450a994f8e473a1f6b122c8bcce7d7e1e0cb2dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoIM.exe
Filesize
1.8MB

MD5
88495ec032577453135b58f2bb82ff5b

SHA1
484073077fcb069739a85ba68e464ae420ce5a93

SHA256
5e7b85c8fabb19755548442f5ee497461c3b9e0c1eecf6f5c27d4a6a3b9175a4

SHA512
3dd4f751b634d59fe5e57c4da4b51c146153760c7fb0f1d1d0c4868df956161701d1a210020ff201691cda6f3eca70d97b0b87ed15bdec2601634cf6dd81c174

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYwQ.exe
Filesize
1.1MB

MD5
70506b76ac9ba435c70273d13ceb7871

SHA1
8802ccfe7764fbc843ef61f63071ca3c30951324

SHA256
7f8a5c3ec70063994ff00a6357a8f49eab7e91c04942076e50321bf62c2aa57a

SHA512
bbab120a9fd8b3c1ce3bc5e811719fdb5a1c3487377039afce79d6a83f413f437e6fad3c88ac4e4579ac2165cb1dff71ebf6f05a35c119daeed9f169ac5b67f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\agQu.exe
Filesize
181KB

MD5
283713b9fa65ad809c90804f140a46a2

SHA1
78ddd1bf95e23b05ac142ffa398a66a8a8e7b0d8

SHA256
09cb9a61791fc4d468f4f2c46169058ba7b17310c48acb85bd5d61c585c68ebd

SHA512
77e603dcb45b5acb960248e4ec57873cf8272a5860fe769b20255e9a5d0eb55584f0c084dfa9d5db0f4cb9309e083e92d05ff4ec914dfeaf69b8b01089ceaf45

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAoo.exe
Filesize
786KB

MD5
cd28826a63db728bfacba350b3d5b5b6

SHA1
86fe8ab2257eca436252e4da33bae0a0c5a1b4ec

SHA256
a806896a279031dcb3256ed1f9f58aed6c00ed9701206234e8e843d4c64ece45

SHA512
4de11ec5de2dc7be77cfad3999e2c107ea69d996e56288d0a9b4e9dccee1fa799164f4ee6aaecb57a35c0c028430eee8b0949391935076fc4907bfd71e2200ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgQW.exe
Filesize
200KB

MD5
e84d6bb3e0f5f856a6bb150f56ac0727

SHA1
f5b3d5129ce548fd98e75ddb5be69a064c919d1c

SHA256
b617a1930e0441146a9877caeddd8ea45ed5909b755bdb2db4e9926ae4d3be14

SHA512
083fbfffe9dadedec033c7616633175236b8e285f5d60d38425f6d48092ddc2e05c19eb405603778b2e9019feff3bee8dc6728855e5ecaa21b90516b9faff902

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwsM.exe
Filesize
970KB

MD5
a1b7b74f6eaeecbb07b2ba5a4854fcbd

SHA1
8ae40d6da474fc6387ea4bd24daed61d603aecf2

SHA256
0adee830efe1013f5726ed21a93f3a6d2c7df2c97e08893b280703712249ff12

SHA512
2673181edc891c628384b0830de7ed5c9f8a99850941418c6ccf3687a39ab3cf1e6027867c6d76c5cef83db3039a7fe454bbfdf2edc3e05bdeb9f32500797a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEAq.exe
Filesize
185KB

MD5
09c60cdb009fa6f964621f86085b8701

SHA1
7c60b55b1028cb80e7eeb7aba70618a5b854c57e

SHA256
b06508cf06192c2458ee359a9710b28ba44c70b452d8df62568c6a9172d02381

SHA512
d5f104f474f96112c75ba4918415a894bea022b6003dcc98ce60393679702955e538a3a4691b99d742029deeded3d61a115f61da12a541b7276b0bb09ba735ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\esMm.exe
Filesize
185KB

MD5
97c876599445a374b22da87beef38270

SHA1
6baa02c0cd67afd62dd7f8ef894422c3382529b4

SHA256
4e79c19c71af402c0d5651798fcf996f1f85d0369aa2fd77e264db9c45936b19

SHA512
0539fb9ce919305101b1afea57b626e57ead3f6a2a3ce822fcb668617125fa3103cb8868df5ddaf5907da7852010305cd8cbf3284cc872a73159ff212a3bfb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewIW.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMMY.exe
Filesize
206KB

MD5
f67f8a14a6286433c95a45dabb7efa50

SHA1
34add9a767b97a1099edd196e90909794045930e

SHA256
831d32e6d191ed8edaf83ea628b6d6601565c66e27e28d991efee4bebddcc4cd

SHA512
bbbae4830ef0d5cfd1a4367f7bf98d1fb038817eac567cece380545c9c162dcd22bd82235f500906a3976450f6d3c2966e48f34334e5752896d6867e9c2da766

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMMc.exe
Filesize
202KB

MD5
1e84f83b5ac4e27530af13ba96292d4a

SHA1
8076cde37fb76f028bc4576f2a693f4e96ba854a

SHA256
ae725f2f554b9c4ab52f86b51a4715174e7710d1e743f8bf7f2dd9ec48e24a5a

SHA512
56ddc81257c0a6be74020295ed4a660523b60430ccfde622fa97bffcca25da1d1e055ac60ec01edd574090cec70de17a3fef8e30a930a4e8f3a10095f0fa925b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMgI.exe
Filesize
197KB

MD5
33c217f6cec62a013ecab0adc0cfddb6

SHA1
6185ab24e20ea294a3e01dcac6999de1ae1c3882

SHA256
a281dbca31927e93c386e7828c3623d6eca00052ebd0493e6a2873908b4df9f0

SHA512
4352c4352c941c9ed48c6540b2a08faf23b2e779660998ba6f942a4bb35144267add0a3cf4502f9109e64883ed93797f365fb4112708e7f82464910a1772e611

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQsY.exe
Filesize
646KB

MD5
f45936e36abe8d39c20a88b1c41e4af1

SHA1
473750013e39f8ba435837625e0018faf09ed426

SHA256
3c262de570cc21d232b12577aa65a663dfdd42a17917e97b0105315a47ded49e

SHA512
2e5aaa38465dbcabccacdf33acb42af3cb214d1cd8a7eb68efe6a48413f15d5f7ae3a3fe931208ddfd3a051e224b4b164488d61133724948ca3a6862aaba755f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcYC.exe
Filesize
189KB

MD5
fa5a3ad77cd79af5d441d0f051842c89

SHA1
6740f2afc379546b1298ecf2d76d7348da9fe131

SHA256
295dae555082af65d1f741f25a2da18bf7ae815c0bd7aadfb10a08d8ec63b453

SHA512
33e6f4385a655f4bf85aca235699df23adb018192ece25ed3323b3ea6df0b74b6eceacf37822162ef4bfcce476e408d34d5f4194418a1a9800a4e69ae22336ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\gckc.exe
Filesize
224KB

MD5
fd8149f477cf47e22e179d6d1354c64c

SHA1
e335c836f24c2e4ad84e574600b381c500852172

SHA256
1cd8edcbd3af20f47a3935c0238f4730232968c84172d9aba6d772ad279445be

SHA512
567b489a22bbd3a193407f16513fc7018327965b62886621d90d16d2937ad874432a37e551578a93c75be1827d5146c9f2a42f645792391faeeaaf7a3b3da1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggIa.exe
Filesize
955KB

MD5
85383a09e36826ebe1a35ede9fa3d4f8

SHA1
049b43a585db65624779feefa586ba65b04f34e6

SHA256
f58e575f6c19524b8dac7cbf9b918f74d838b8ee4dcbeba37164f1626629b6e4

SHA512
215571ad9f4ab2280cff57f563dc2972060dc1cf72fbfb86d2124d0651a9cb87ce8049627e3887ff9e2fd6f32e816b22117d86c9071a6324b50bc4cc37a4f4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\goIE.exe
Filesize
1.7MB

MD5
d6073f02b424d504ff5bf648ddaab146

SHA1
191f62b16584e031788605b6883535dbb1f2ad4d

SHA256
794172ff9db9d6cd85bb22905ec886e8428ed397cb3528730abac9409d5f14b2

SHA512
ae3b2dece6b369da2e17ec4a853e12bb968ae66b0a5869fcc39287103acdadbd117bf8df17e24b3c03eab5001abfd2b2f74437c802cafc1fe9a2e98ac20f8256

Download Submit
C:\Users\Admin\AppData\Local\Temp\gogE.exe
Filesize
308KB

MD5
100d17f54ae2c0ba1557b6e3e8d26170

SHA1
6ff4486661acc1cc4c913525da00ea7c79fb64af

SHA256
84acf441f199805669f3e41f9e4478615870a07b845a704efc57aea4335ab211

SHA512
521c76c41319695d706ac45e8803a6046ff4a0fdff8bd63cc72c451b8c05ceefaa5d49ec67cdc631e4c36209eb05ea9fb5f5621132a2965d5426bc68c411f00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsgM.exe
Filesize
803KB

MD5
add078017576d02e90670f32585fa19b

SHA1
be3b8b20137f2b1bd002dc64695890fe2511471e

SHA256
9737433820c99d2f31242e9c19013e2d29e2178157c460f90e9cf55906c708e8

SHA512
bdc2c4e2293dd1f582cdb8d8b3fb98a3917b244794b04b26a8e500a56e18a1a853e79e80cc9c25dfdd8f3f0b2db1188644d12987a7e556f0e320a6d74312a6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEEi.exe
Filesize
627KB

MD5
4a0cfc7144f0e5e2d2d6830825db9344

SHA1
81c50463103840143b1d55cf6ff39094389e3d17

SHA256
1688691de0d9e335a02e5c8fb9ad91f6bfbaf0c74f912af2e61e0351974b11a6

SHA512
bde7852e03026a60156e8d73b66481d8ae8b8a95f8a97b0bc70561e277a24353f5a836f29fc9f26f4507a7fc313828f9c29c2222dc615944a3bc601c94e4c2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQcq.exe
Filesize
194KB

MD5
f94eec28febe844ce22313a583790294

SHA1
4ad569eaf943b7e218c5d135625f5b87cc28f999

SHA256
a9b9a390776d93b7929733ee3bd39789c115dc621771af4573e74fe72d3c3343

SHA512
c9be1d2463e941a7349fb72aae807c8e2492b043a0c1571f0ce318959612adfa071efcfe5f19aa2b9cb849388222dcddc3c5b65fd53e5fdf7c52834143faae3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYQs.exe
Filesize
998KB

MD5
0d74ae643941b9b2291d660528282fcf

SHA1
16532ebb008f722a5fb48c862371b5a976bf6162

SHA256
11f5a59c52bab4fc0cd3f6fadc63b66cbeae68ff7cdf555b929ca3898919f34f

SHA512
377c98a993a4e3dbb0a90b67066cb96daa5f76ffe924e78fe52a92a85687227aadac05be61ae530b1343a09215506c6428d35e45a2910848dc300a4765cc25fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYUm.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\isIS.exe
Filesize
194KB

MD5
3eebd63041879f9695aa09cd3e77c62c

SHA1
d04a1fb6b5a04ee5f745be0aefcf73008bc7f04c

SHA256
bbce5600eedeb32cffe3b3a85ccd15a7b41106fdb9d3b20938fd0035d471b4c7

SHA512
3d7497f13f1894e3f3f192a26bcd6fdd612dadc3aa7247bfe2fc15333e53b98e98abbee2987e468a28b525923e08a4fb301c39a4408ed41cc178bddff50e2d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEe.exe
Filesize
184KB

MD5
506f0a4bd381c9cd9268e8622302e515

SHA1
5dea03576c876b2e32b10adaa1e92db63f3bc5b2

SHA256
fddf4aaf5a86acaaffc5906ab999ee54c168ddaf48b357f3b25e8dc4b8d97220

SHA512
ec1222a75bc0dbe956072c4f52bb90ef45a7427642910a8c21bc7298e5566c80f247f4bb65dc687c513a2b14d89b993a96bbe9c03be0bec13c04cd743f6f06f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEQS.exe
Filesize
198KB

MD5
dabf109bd0542245404146b5167ec08a

SHA1
91812ebe741cbb492179936653818e77952f44f8

SHA256
c27801e6c5b3e4d0cf3d65c288f5446ec4e0e7a35a35b694bb73551529c46397

SHA512
686c72b4ee8792e5ee04c4605f002453e139bdbbd2d4e5fafc2aab65bc2e647be32335f160562c0fed30d0dc850b622bfe64cfc767240847bc7361c1cabbda8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQsS.exe
Filesize
186KB

MD5
b6d6c6602c4ba315979d71231bf68492

SHA1
603144b3c9c36268fab9ea7bc91fe3f30b81a56b

SHA256
0a8b9ca8b32f88e2feba365a7290083fdd7148b2059e4c2caf486a0e39ab8328

SHA512
b1fc335363417960027cc2f2b247b4700fbe80ff6595d9d671f3e357ade0983f87f7fb3ff165c71d06f8eb5f8e038ffd0c46cbd7ddcce050f6d33ca176654de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUUy.exe
Filesize
202KB

MD5
c4245d435a53ef7ca0a758ddfbe54b6b

SHA1
47aab24114c04ca657e28b91438b6617beafdcff

SHA256
7ee2cc6d45bf72393e55e336b561e524e44ddb1a1e7c7a1318fadbdc0b547455

SHA512
557bb079683dc5f4fde6d628962c73df3a70a365b3ef84b4f7fb2b785225dee4006bebf1c0e43555baa5adef9e464d8e61636e61fabe34db4c897b30b74ce657

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkUM.exe
Filesize
657KB

MD5
a05dd84fd0c5bc441ae9006774ef4ab1

SHA1
5adba4a3033f6d4bd2aec44657caa3b6b5dbf86b

SHA256
87e99b9ce47bc16eae4be479205106c967dc0a54e119bf35a035a15e0ac2cc96

SHA512
b1f62f3732b9b40bb24e0ed175460ea9eec62eeed003b1408720100a97b9991a6d3858bf7e8f2ba24599f08cbe739f5f4e6fde3841bbc0a8dacee7b6c705251c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAkk.exe
Filesize
185KB

MD5
f3cda372f03f5f8b78c2eafce8b7f0d0

SHA1
27c706c151787f658a91c8cd1ec5fcd0f0616575

SHA256
f4e8ff58d6a8c0b2d0dce461ee82ef397bd4c7ae8b72ed0796127a14433f4884

SHA512
410be8de5da9d0a6e5f74e32f5713a0c4df670d11b92df132e8c2c155368d0a698431c95d497c7f898cca97b72412a697f4fc2bb17f63dde0f64322522a8b6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYUU.exe
Filesize
210KB

MD5
aa34f8de4e7ae1634158225f2557c408

SHA1
235e497e56174571365ba5ee7b934981f9fe49da

SHA256
dc43f68452bbf11a8f8498be65d6e0a2f514ea5749a042c1a9568559cc70538d

SHA512
6bf4076098eb6bede01c51857326be19c0d7909b00a4f36d04705c4a3a0d78f61e9fab95e139d9d3d84e6ac50070685a9b6584e7f74e423ea1aca266853a6d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\mggW.exe
Filesize
204KB

MD5
ea524904fd423e1e9e935e9b6f2e0049

SHA1
216f5af00234b5516dd990407b36ea55a3c84532

SHA256
4f1ac6e5069ce9961e28a40bd8f846bc471ed5aabfbce191fe0f61a12922bf57

SHA512
52325daa5f2daed9923a9ccdb8703a24d0c81fc4b7f85b8a47aa9c364a51f488241a360249ea16d3ce02f61c205b434864db3a5e491d84e11cfea11ff5a41c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEUI.exe
Filesize
185KB

MD5
e35ed3e2331dd443ceae13616407b8a0

SHA1
3ec5864ae500da66a425900d4993c6d2d48f095e

SHA256
6859a7faf3e9f5f3201c93e81af93a6a9874d8215fac755a3b55b564c79134e8

SHA512
dfd25e6373db5325c9fd4581fe34cd901889d812adc5bb62fad26c816c7f6b0f7e43da966d6254721d8bcaac5c26b7e9ef1b5168ab5f1a7cb268241823c31022

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQcW.exe
Filesize
228KB

MD5
9b45c0bfce631ee37a9637db9a82dc33

SHA1
c7f7480781c98835d31d0fa8c20e795b23e76eab

SHA256
d058473eb1483351eadc1afbae18379882c5e447d82cb31bf6c15e052acdadd9

SHA512
fb8c16717b29bdee4cd439b8ebcb46f20ebdaa5370650abe87964382c66a323c223d7b60020ddacf5f84dfc673131f461c2d941be3490ebcb309d54d9de13602

Download Submit
C:\Users\Admin\AppData\Local\Temp\occU.exe
Filesize
817KB

MD5
57d73a8f0e96f6ea22b0c9050dc0a69c

SHA1
ec86e1485744b7e5549ece58c282add2a9283c7d

SHA256
313e6b662ba542d2f0e2126dff9a0fbcf0597dbff4d1ba542d332eece9ccd689

SHA512
2e2adc622bee16c4b893278fa94bb4c8051dc562c6541ea8dfbd32c3d76c8a73c4b69ff28988550a68815a83f2f415708f83235d7734672597c326a1025008b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocgG.exe
Filesize
209KB

MD5
3297bb52f89a1600613c4c88cb7a3007

SHA1
c4b0c1ddc4dc87617097b79ccbc2043beb414d5a

SHA256
9afafd9bb958250fb156a6360f001c39227f325f83919fc8f279f2d8f8b96326

SHA512
62cf81b5867924fb0e8741bb41f2707e121c9414b5656422a8b050e3121b4ce4589e325e03cd4f82ddde3810918068e989dc5a4af9103a630e73ae06863d599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogMW.exe
Filesize
234KB

MD5
a5505a5d82d37c265ceff9c3e96b2f56

SHA1
5f68cdffe2814736d602f4074a8bf8bf4982a34b

SHA256
4622ff3b726ae342d42193ba7acfcd5f8efee4b98d5121f37cb832047943e913

SHA512
a11c77b3e6bf09c6e2659ecc64291214ebfbb9de6c5a0d023c9396c5de04b0cd2a2491d85e97069d2ed317ee2384eabf6dbb6f68695e25628171bae4c720cff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\owEK.exe
Filesize
634KB

MD5
515960044dd0d75efb548920f53c33aa

SHA1
cdf5c0fd375d7781d1eef39702b00845db68b8b7

SHA256
b70acc64d6fddac7eba9ab934a53598c746ba8712ea32d63e5d435e9cb662368

SHA512
cbe25e95e0eb5d263cdd632259a9030f7ac8d0cd14e596ab581f990b69ad3743edc54acf963f7976987a5c5365821906fb8a5eb4a2b875207c4020178aecc377

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEQM.exe
Filesize
310KB

MD5
d6febc49fab81247e99d86bf2e967ee8

SHA1
14d50109d2443010ffa6a9394e1dc38cedf3b8ac

SHA256
d12ed2d810301716665aecf96c1a13f238ffffe5db671ae3d9da5fda48f68545

SHA512
b07e56925b897c018847e3e223b52b4d9fe77f4670f75163798b36c9b95924cf0bae0ecb731c4c952a0393b7dc0ddcb40bf9cd994c7e48a7a3971e37e0ec5d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIkc.exe
Filesize
210KB

MD5
d604483b0f3946f934ac2380ef477bdd

SHA1
95fbc7f23b3e26469ee280443f0b5963312cc500

SHA256
982067988591789c44d822b1c0a62f9c3bc1910273bb22f86a223f8981080e83

SHA512
351edf47c8e1dec1caf8a0791981dcd4d5890dd129fe659905c36ae405a703e1219b86a24abce0563144a1af38a216cdfe046b41fbf5075519816683e726a367

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMQw.exe
Filesize
814KB

MD5
220dfcfaeeadfbd3dac61d1b1cc6f00d

SHA1
151e1072582e93338d5c4da659ac57b42f9f1c2f

SHA256
4f534fbf6ee8080aaefb946f97251aad73994049e8fff33d62bfd9a5477acfe1

SHA512
afc4f1276d6bd9731b34087afea5bde323de3ce448450bf2bd6a447a1c7e210826f5db8669e5c9d95d6a0a7e5889e638d020dd24201b58059d13943d13fd8062

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQMi.exe
Filesize
188KB

MD5
b8f45516e912cb8a0b8d7b2b7acd192b

SHA1
e3ef1ba850d07b1d1e7d89380d73125e9b994d2f

SHA256
fca9cb022eb878df16670bf0edfcf30a5b6bb076e5354ac6a86f07f0a7916eb9

SHA512
297114a345f89efd29f2433a74b5033658413531387e607ee68cd7b1d8a8c19478b70514d2e345a38bd817fc971944e90d26edf29b277829cc478d387c625148

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgcA.exe
Filesize
237KB

MD5
42cc4c48bd4c67e2aec0d2b9404fa47a

SHA1
4de0a552e68d4f0814dbb007d1e45b358ab1215c

SHA256
59f5e72afca8f6495b84febfd3f222d137855abf5fd6636e8a39a09b34048c3f

SHA512
1a839bccbc32e5c8bf5f21160d41df4d53386560707c964f5191a240c4df092199af154ce385b0c9110317fdf1d2f4927e1c977854d5808a91e4da4dd90cb93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgoG.exe
Filesize
197KB

MD5
065f66435ccef4cdc0a960023722d101

SHA1
08714794c85c521a0c95d8f876bf5da0c47b32fb

SHA256
5409b69ee94b78eee126a5305dbb3f69c03b4995e489d1374a4ce89f3a3ef12d

SHA512
846aa3a1c76832bfc7dcd0a364dbff5282bd242e54bba10594da495bef9483e2f23a3fff6390a06780474b5d0f74a1cfd850448e81c7cc878d4c4fe2766a7b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEcs.exe
Filesize
635KB

MD5
4bd457aede676a1809a91704ca258657

SHA1
66986394b40f6e696ed4742062002d1c0cd6a365

SHA256
bd8b85db4e221d942933c1969180a3cfc6a2aeb5d47ade96c0913bf64dbdd325

SHA512
f1819b9007ea224a33c2b732d31ff2e36f8af83b6ddae118cfc3a2f08364ba26791bbaa7989cf127b20ec4305a9d41c196491473a28f3d2c300af7f8eda460fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEww.exe
Filesize
192KB

MD5
56c670d2a2d55e2b313eb89372b1283a

SHA1
138adf841c37e9173a57642c65ea21c6020f8fe7

SHA256
55c0383f09775a640b75406e46f502f4ad28027ef119f0fa6090972d0ef6bc4c

SHA512
c7ecef0ac09b535f47373e6a1bdc203c99a2c0ca6a8d5f3f5b252afd0aecac5f3a13b18b3e6b4d3726bc91ebbb5f3c7d3c4c29c099c8baa2d445c642e8e8af55

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIwO.ico
Filesize
4KB

MD5
915b89b32206268168c5789d7c55f7f0

SHA1
37aa8ac4a21bfd3756457063f300caf5150d9cbe

SHA256
1aa540b0acfa68f313963ae32ca68a5b3cefb49217cbf3b9e0b9eb98b9b94b6a

SHA512
35ed5562ec9fcefca9bc1644dd8fd7c28ead223eea2100eee38c51224332cc071cb7a122f750144d1d2b38b3580dfd8025cc59e0942a97f729ac39bf3fbfb9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMcm.exe
Filesize
1.1MB

MD5
e9b52690677f0ffa27343c730dcb39ed

SHA1
7a66e6797685f1aadbef800a17667a5611f3ab79

SHA256
3217ee6c14ae98266cf9d5b7c9de794f356e2e85540f703a551b792d9291bb9e

SHA512
f5d4220e231dba8bacbc4e8eb925d1e7ecd7d7c432f22e54586495b53af386b32c2a86baa805a507dea6bad14bae741be54378e5f843eb70a1a861f504761f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\scsG.exe
Filesize
251KB

MD5
5d309fef71a9ca425d76790aa37da0ce

SHA1
a8cfa9d78823bd9223b2cd08914f8328943d7c75

SHA256
1d20edbe73ece3fa63b6a0c61831a31ce8e414d74e28ca857572c30c2363bfb8

SHA512
5c1fbe47d7db957a9cc6dd017753b0f3d778defd0505980f806a4e5bb16088ac79c59aa45639890744abbb11183d93255c4e6380b6d54a59b6953010c03638b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scwA.exe
Filesize
799KB

MD5
48a77b1342b76139b3663983a0c9915e

SHA1
de0a30d6fe252a15716dce769d49e37e9812fdea

SHA256
a3d3d5e433c97f55169dc1ebdd8fa3ed7c3225e9801e85e737c9b75f17025e90

SHA512
1a974ec7556bbae7573c6a73ebafa718011312584ee63fc0c24c99ecf360e02e0f4d3974b1bc2feb0f253df36c6e9e8f5a81c97cf020e2d8ea223f31f8015f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucUa.exe
Filesize
188KB

MD5
2a92cb9720381a2e7c9677e35fa6409a

SHA1
6a2e1ddb0199b5531587cf7bc0fc56ef3a64e30a

SHA256
078ec5d49e398b0c11dbb73aa00f0b70111000c51f9154f857601c90945cfe67

SHA512
2120b3da3a0a4f5a2a039873799483830daf6ac9033b63771280d8e00fc66390d883f382049aed213afe51947c546a811e3c6eeece208510410b8a65e5e10dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAwa.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMcE.exe
Filesize
190KB

MD5
565c3722edaf39e68af5e21ea561f717

SHA1
4e06b8643571aa17053de0069144284aa3b10c4e

SHA256
24c6a5a080a687a2c7c8f9b293c7b30b299634d8f6c74d21e37afe377497889a

SHA512
7cac132150cc7f5cf7007b563a635c952ca21ed6f8b3e4599ce778a16ddd62f2ff221267cdee1a05d19d6e29b764a6c96cd3b16bfb4478c6cae4bb265e9f12e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUkE.exe
Filesize
204KB

MD5
daac1b5b26a4cd2da2efd743fa4310ef

SHA1
3f9c89a5f985140a03a38e774cf5c72e7fda0c52

SHA256
03399a228fc28c53212eb20354ea07a9eb7dc9e200539408c96afe42a6fe436c

SHA512
dd83ebbe5a670859d40e7af371917d8c869c96dbb06deaeebff6eeee90a2272d8f4ffd5c3db5fa2ca11fc22aeb9c2d9235265bc1dbd79e521953514bd58bef6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wokW.exe
Filesize
2.0MB

MD5
2e4293a210f674e10c93d68c4d578da5

SHA1
6b8b6dcbe541ac587b5b57cc1475a8b802cea724

SHA256
a3c8d22c31a4fca2f7bacb608f3d1ea5a265939cfa93417c1a79970ab92766dd

SHA512
7c714361618494a86bf3dcd778782cde25faa33174b05c4cc9a7f5377b4d4e1860e10938ea2c1e42b7db0510a3764b8c21c506583f6aae085f48fa63f8f8229e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMcy.exe
Filesize
202KB

MD5
7b9706bf8afcf5587f1b94cc6288afa2

SHA1
3f67fb7a945a866df9a27df075a8efc4b418d1c7

SHA256
aca92ad49fc977146bb50134669b07dbb21467b44e1b05f726a7f81758859dcb

SHA512
f6d4ea9da488c6bf4117eda4d569d8af90ac255c4afe4dac89a63933ba424db9e3c7223f54eb709cf8221bbbda2601c391ee43fcf9d52d2df489e8fac10450f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykUq.exe
Filesize
552KB

MD5
69cd308afbec297865ffaaaf880ce093

SHA1
2c8780f6f748408dc5588d6d362684a9a52e2deb

SHA256
3b7c27795879a3188303978d439d7c33d324ddd7956aeb11154d18c387124f37

SHA512
6904b7c823eb2de4b5ac16a08126c8ee054d4563c45c726e2403b02368f0a90468221087f8af7c6ecd605eb1b64ecc90604d3d753b8c28abf05dcd12a63827d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysQA.exe
Filesize
185KB

MD5
6a98e101817a198b2a080a5eea7e3e0b

SHA1
ec7e0bc21982a299f7602ad2469584e131d8f41c

SHA256
da1103f834365f14bcdadf8f93f064985618f33c477b368ae036844f1b80449e

SHA512
477a37a8b838a66549c23f08a1261aad4422f3ffab03f1f42bee1141b7793db993a31e0b93b4f16819946dd949455f4e5fc0ae27a5fcadb37a4e3851613d22ee

Download Submit
C:\Users\Admin\lCwsksAE\sUIQkAwE.exe
Filesize
178KB

MD5
62de8deb65263f37257f0516d6442362

SHA1
379a53dd57e7d313d49090b55f25a96322c0cc97

SHA256
3292336536c67141895f451f0d8b18589360d84c3a86a649ba63f2c1bd4ff7a1

SHA512
681f37a8a0be8e31de5fc36c57518c4f464ea25b2c8bac44ad540761f031e7bc2523200b00d9355a14acb4ad167e6c71f2ceefaa5441cee345f051bb87c7320e

Download Submit
memory/368-372-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/368-380-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/740-355-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/740-363-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/804-401-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/804-409-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/972-117-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/972-133-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/996-495-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/996-503-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1092-170-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1176-420-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1212-278-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1212-266-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1264-121-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1372-556-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1692-425-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1692-438-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1800-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1800-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1832-464-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1852-270-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1852-548-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1852-299-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1852-512-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1852-257-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1852-307-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1852-499-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2252-381-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2252-392-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2372-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2604-326-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2664-141-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2664-156-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2704-205-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2704-190-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2804-298-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2804-290-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2812-194-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2812-178-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2844-72-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2844-84-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2936-327-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2936-335-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3036-316-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3036-308-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3048-220-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3048-206-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3116-434-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3116-446-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3364-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3364-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3528-429-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3528-416-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3684-279-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3684-287-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3908-523-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3908-508-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3912-354-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3948-479-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3948-493-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3988-95-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3988-107-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4280-400-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4280-389-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4288-145-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4288-129-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4460-169-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4460-182-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4500-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4500-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4592-229-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4592-244-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-485-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-344-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-474-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-337-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4616-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-80-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4700-96-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4704-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4704-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4804-456-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4896-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4896-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4944-519-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4944-532-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4952-216-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4952-232-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5060-473-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5060-465-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5084-528-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5084-540-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5088-240-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5088-258-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5088-371-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download