a2b770179bb3c0ca242e748870a62017e2fbfd4a669a27cae94f7fe3a2357bc3

Analysis

max time kernel
150s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
Size

186KB
MD5

f42ce0e64a3d2f7354f003349e7cdf8c
SHA1

4c7ee52a1e9b7aabecf7574975a9d16823a4adbd
SHA256

a2b770179bb3c0ca242e748870a62017e2fbfd4a669a27cae94f7fe3a2357bc3
SHA512

704b352efd4fcaf4eed028b773928f085f2b643cba10ab5e92e999eecd3625b92ad0befd7a71322c949c681f4bfd607d8c8f1e1bd5f0a8701677c290443d0c71
SSDEEP

3072:VanwoG/J9JL1t2TwgplBFi7NRux1/O7cp7yVL36XaurGJO1euGi939jIhl:Wwf/vJL1E3nBFFH/O7cp7qbgaXQ1euGJ

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Renames multiple (75) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AWEQYEgU.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AWEQYEgU.exe

Executes dropped EXE 2 IoCs

Processes:

RYwEgYMU.exeAWEQYEgU.exe

pid process

2924 RYwEgYMU.exe
4540 AWEQYEgU.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2924	RYwEgYMU.exe
4540	AWEQYEgU.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RYwEgYMU.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exeAWEQYEgU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RYwEgYMU.exe = "C:\\Users\\Admin\\SYIswwYo\\RYwEgYMU.exe"	RYwEgYMU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RYwEgYMU.exe = "C:\\Users\\Admin\\SYIswwYo\\RYwEgYMU.exe"	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AWEQYEgU.exe = "C:\\ProgramData\\kSYAwIMM\\AWEQYEgU.exe"	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AWEQYEgU.exe = "C:\\ProgramData\\kSYAwIMM\\AWEQYEgU.exe"	AWEQYEgU.exe

Drops file in System32 directory 2 IoCs

Processes:

AWEQYEgU.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	AWEQYEgU.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	AWEQYEgU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3972	reg.exe
4644	reg.exe
4204	reg.exe
2916
2936	reg.exe
1624
2276	reg.exe
984	reg.exe
2104	reg.exe
4520	reg.exe
2596	reg.exe
4660	reg.exe
4724	reg.exe
3740
2280	reg.exe
4736	reg.exe
3664
4832	reg.exe
2588	reg.exe
2188	reg.exe
4664	reg.exe
3568	reg.exe
1852	reg.exe
1504	reg.exe
4148	reg.exe
4148
4008
3220	reg.exe
3728	reg.exe
3724	reg.exe
4172	reg.exe
1572	reg.exe
3552
1404	reg.exe
3108	reg.exe
3740	reg.exe
4200	reg.exe
4224	reg.exe
2516
876	reg.exe
4468	reg.exe
5084	reg.exe
2916	reg.exe
1516	reg.exe
2580	reg.exe
4116	reg.exe
3732	reg.exe
3800
4136
3672	reg.exe
2276	reg.exe
3828
4636	reg.exe
2540	reg.exe
4148	reg.exe
624	reg.exe
2828	reg.exe
4468	reg.exe
1768	reg.exe
1936	reg.exe
3216	reg.exe
3800
1132
3172	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe

pid	process
4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3196	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3196	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3196	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3196	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4048	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4048	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4048	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4048	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2036	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2036	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2036	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2036	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2168	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2168	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2168	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2168	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3628	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3628	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3628	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3628	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3684	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3684	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3684	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
3684	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4788	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4788	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4788	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4788	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2644	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2644	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2644	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2644	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2696	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2696	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2696	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
2696	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4472	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4472	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4472	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4472	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4140	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4140	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4140	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
4140	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AWEQYEgU.exe

pid process

4540 AWEQYEgU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

AWEQYEgU.exe

pid	process
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe
4540	AWEQYEgU.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.execmd.execmd.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.execmd.execmd.exe2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.execmd.exe

description	pid	process	target process
PID 4180 wrote to memory of 2924	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	RYwEgYMU.exe
PID 4180 wrote to memory of 2924	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	RYwEgYMU.exe
PID 4180 wrote to memory of 2924	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	RYwEgYMU.exe
PID 4180 wrote to memory of 4540	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	AWEQYEgU.exe
PID 4180 wrote to memory of 4540	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	AWEQYEgU.exe
PID 4180 wrote to memory of 4540	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	AWEQYEgU.exe
PID 4180 wrote to memory of 2772	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 4180 wrote to memory of 2772	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 4180 wrote to memory of 2772	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 4180 wrote to memory of 3172	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 4180 wrote to memory of 3172	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 4180 wrote to memory of 3172	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 4180 wrote to memory of 2064	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 4180 wrote to memory of 2064	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 4180 wrote to memory of 2064	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 4180 wrote to memory of 2020	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 4180 wrote to memory of 2020	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 4180 wrote to memory of 2020	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 4180 wrote to memory of 1912	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 4180 wrote to memory of 1912	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 4180 wrote to memory of 1912	4180	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 2772 wrote to memory of 2828	2772	cmd.exe	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
PID 2772 wrote to memory of 2828	2772	cmd.exe	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
PID 2772 wrote to memory of 2828	2772	cmd.exe	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
PID 1912 wrote to memory of 2036	1912	cmd.exe	cscript.exe
PID 1912 wrote to memory of 2036	1912	cmd.exe	cscript.exe
PID 1912 wrote to memory of 2036	1912	cmd.exe	cscript.exe
PID 2828 wrote to memory of 1744	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 2828 wrote to memory of 1744	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 2828 wrote to memory of 1744	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 2828 wrote to memory of 5052	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 2828 wrote to memory of 5052	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 2828 wrote to memory of 5052	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 2828 wrote to memory of 1344	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 2828 wrote to memory of 1344	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 2828 wrote to memory of 1344	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 2828 wrote to memory of 1060	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 2828 wrote to memory of 1060	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 2828 wrote to memory of 1060	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 2828 wrote to memory of 3212	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 2828 wrote to memory of 3212	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 2828 wrote to memory of 3212	2828	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 1744 wrote to memory of 3512	1744	cmd.exe	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
PID 1744 wrote to memory of 3512	1744	cmd.exe	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
PID 1744 wrote to memory of 3512	1744	cmd.exe	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
PID 3212 wrote to memory of 2000	3212	cmd.exe	cscript.exe
PID 3212 wrote to memory of 2000	3212	cmd.exe	cscript.exe
PID 3212 wrote to memory of 2000	3212	cmd.exe	cscript.exe
PID 3512 wrote to memory of 3568	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 3512 wrote to memory of 3568	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 3512 wrote to memory of 3568	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe
PID 3568 wrote to memory of 3196	3568	cmd.exe	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
PID 3568 wrote to memory of 3196	3568	cmd.exe	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
PID 3568 wrote to memory of 3196	3568	cmd.exe	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
PID 3512 wrote to memory of 4112	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 3512 wrote to memory of 4112	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 3512 wrote to memory of 4112	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 3512 wrote to memory of 1576	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 3512 wrote to memory of 1576	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 3512 wrote to memory of 1576	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 3512 wrote to memory of 2252	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 3512 wrote to memory of 2252	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 3512 wrote to memory of 2252	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	reg.exe
PID 3512 wrote to memory of 4728	3512	2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\SYIswwYo\RYwEgYMU.exe
"C:\Users\Admin\SYIswwYo\RYwEgYMU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2924

C:\ProgramData\kSYAwIMM\AWEQYEgU.exe
"C:\ProgramData\kSYAwIMM\AWEQYEgU.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
4⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
6⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
8⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
10⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
12⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
14⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
16⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
18⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
20⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
22⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
24⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
26⤵
PID:1996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
28⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
30⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
32⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
33⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
34⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
35⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
36⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
37⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
38⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
39⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
40⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
41⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
42⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
43⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
44⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
45⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
46⤵
PID:1936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
47⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
48⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
49⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
50⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
51⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
52⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
53⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
54⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
55⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
56⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
57⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
58⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
59⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
60⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
61⤵
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
62⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
63⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
64⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
65⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
66⤵
PID:624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
67⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
68⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
69⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
70⤵
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
71⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
72⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
73⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
74⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
75⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
76⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
77⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
78⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
79⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
80⤵
PID:2188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
81⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
82⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
83⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
84⤵
PID:2904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
85⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
86⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
87⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
88⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
89⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
90⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
91⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
92⤵
PID:1568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
93⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
94⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
95⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
96⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
97⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
98⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
99⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
100⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
101⤵
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
102⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
103⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
104⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
105⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
106⤵
PID:672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
107⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
108⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
109⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
110⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
111⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
112⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
113⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
114⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
115⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
116⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
117⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
118⤵
PID:4000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
119⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
120⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
121⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
122⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
123⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
124⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
125⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
126⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
127⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
128⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
129⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
130⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
131⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
132⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
133⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
134⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
135⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
136⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
137⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
138⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
139⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
140⤵
PID:1768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
141⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
142⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
143⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
144⤵
PID:3216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
145⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
146⤵
PID:1860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
147⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
148⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
149⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
150⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
151⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
152⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
153⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
154⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
155⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
156⤵
PID:2124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
157⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
158⤵
PID:3800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
159⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
160⤵
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
161⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
162⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
163⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
164⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
165⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
166⤵
PID:1572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
167⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
168⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
169⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
170⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
171⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
172⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
173⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
174⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
175⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
176⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
177⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
178⤵
PID:4224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
179⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
180⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
181⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
182⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
183⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
184⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
185⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
186⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
187⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
188⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
189⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
190⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
191⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
192⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
193⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
194⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
195⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
196⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
197⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
198⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
199⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
200⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
201⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
202⤵
PID:2816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
203⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
204⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
205⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
206⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
207⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
208⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
209⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
210⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
211⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
212⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
213⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
214⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
215⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
216⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
217⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
218⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
219⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
220⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
221⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
222⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
223⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
224⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
225⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
226⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
227⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
228⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
229⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
230⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
231⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
232⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
233⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
234⤵
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
235⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
236⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
237⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
238⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
239⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
240⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
241⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
242⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
243⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
244⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
245⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
246⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
247⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
248⤵
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
249⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
250⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
251⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
252⤵
PID:948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
253⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock"
254⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock
255⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies visibility of file extensions in Explorer
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
PID:4504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWsoIMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
252⤵
PID:4204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgYgcAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
250⤵
PID:4736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:1912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGUcUUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
248⤵
PID:1744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:2212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsQoQYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
246⤵
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGskAgck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
244⤵
PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
- Modifies registry key
PID:1516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIMYUcko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
242⤵
PID:632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
- Modifies registry key
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:3320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIMAIAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
240⤵
PID:3664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
- Modifies registry key
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
- Modifies registry key
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUUEAAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
238⤵
PID:3752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:1860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMIswIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
236⤵
PID:3708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies registry key
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaEYkUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
234⤵
PID:648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:2208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
- Modifies registry key
PID:4636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAcgwcAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
232⤵
PID:3540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:1280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmosoUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
230⤵
PID:4256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YissoYEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
228⤵
PID:3168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKoAEkoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
226⤵
PID:1752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:4200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCwATocZ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
224⤵
PID:3740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuYwcQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
222⤵
PID:4892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:5064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqMQUMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
220⤵
PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usQAoMMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
218⤵
PID:3800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:3376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
- Modifies registry key
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQIIsUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
216⤵
PID:4492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:3196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:3448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
- Modifies registry key
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmUQkAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
214⤵
PID:2580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
- Modifies registry key
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKMUUcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
212⤵
PID:3296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEoUQEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
210⤵
PID:2268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:4956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:2344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmsEkUkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
208⤵
PID:4664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUoAgwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
206⤵
PID:4644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWUgAUoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
204⤵
PID:3360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqMQIEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
202⤵
PID:1860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:4552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BusocIEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
200⤵
PID:4760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:2536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYYQokog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
198⤵
PID:4956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:4284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMcYwcsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
196⤵
PID:1920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekYcUMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
194⤵
PID:2580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:2252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
- Modifies registry key
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:2816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGQsAkcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
192⤵
PID:2968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcwEYUsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
190⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsMEgsUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
188⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgQkkQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
186⤵
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:2936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwMgwIco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
184⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:3176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqcMccEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
182⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:2272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMUgMoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
180⤵
PID:4008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
- Modifies registry key
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaMUkgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
178⤵
PID:5064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKwogccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
176⤵
PID:1068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
- Modifies registry key
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWQAYsUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
174⤵
PID:232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:2620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:3728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUsMIgcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
172⤵
PID:4552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWQMcsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
170⤵
PID:4760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:2804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYQkoko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
168⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:4528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWYokkYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
166⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giIIgEAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
164⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- Modifies registry key
PID:4148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaccwwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
162⤵
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
- Modifies registry key
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUkccMIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
160⤵
PID:3580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:3512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:3728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:4188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hecwQsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
158⤵
PID:3740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcgYQosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
156⤵
PID:3672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:2276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NikQwgQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
154⤵
PID:984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:3204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsMkccsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
152⤵
PID:3404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- Modifies registry key
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAoQgoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
150⤵
PID:3048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAgIgQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
148⤵
PID:2668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:2644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:1068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICMwMgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
146⤵
PID:968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:3512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQAgYEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
144⤵
PID:2764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:2540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyAAoAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
142⤵
PID:4108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
- Modifies registry key
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEIYcwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
140⤵
PID:3320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:4092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- Modifies registry key
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKgIYAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
138⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies registry key
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOkkQUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
136⤵
PID:3476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:2652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies registry key
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGcUwggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
134⤵
PID:4272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:2016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuccUAIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
132⤵
PID:3684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies registry key
PID:2188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:2988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGEMwoow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
130⤵
PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:5036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsgQocIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
128⤵
PID:1872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:4260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGwcAAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
126⤵
PID:3552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:3728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiYksQoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
124⤵
PID:3212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwQEkssw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
122⤵
PID:4728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heMgUgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
120⤵
PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:4572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAUoowgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
118⤵
PID:1172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:3732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEoIsgEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
116⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- Modifies registry key
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWwgwwYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
114⤵
PID:3204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:3444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:3376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:1860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYQkUgUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
112⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOEUUkYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
110⤵
PID:4408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:1084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYEEUAUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
108⤵
PID:4000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:1744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUscAMkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
106⤵
PID:1280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies registry key
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMwwMcUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
104⤵
PID:2016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies registry key
PID:3728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQIYwcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
102⤵
PID:2596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWsQYgUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
100⤵
PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- Modifies registry key
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYQEkQAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
98⤵
PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSEkUwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
96⤵
PID:4832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:4788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUcMsQgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
94⤵
PID:2076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feUgwskw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
92⤵
PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:5084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiQgQIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
90⤵
PID:3360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:3560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tmocscko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
88⤵
PID:3296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies registry key
PID:2828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
- Modifies registry key
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGEAcgQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
86⤵
PID:3552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCoQMsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
84⤵
PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeUQsUIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
82⤵
PID:872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGEIMssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
80⤵
PID:3748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- Modifies registry key
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEcAAoco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
78⤵
PID:3728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RicIUkoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
76⤵
PID:4008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies registry key
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEcAIoUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
74⤵
PID:2600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmEQMoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
72⤵
PID:5008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeEIoggc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
70⤵
PID:2384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:1504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqoUkccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
68⤵
PID:4760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEYoYQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
66⤵
PID:4112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kswocsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
64⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcUQIEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
62⤵
PID:984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:2704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pokYscgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
60⤵
PID:1828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsQoEMUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
58⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYUcYIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
56⤵
PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- Modifies registry key
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOUUMUQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
54⤵
PID:3108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:5064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMQcwoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
52⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwYgAgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
50⤵
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies registry key
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgoEEggQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
48⤵
PID:968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- Modifies registry key
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyMgsMMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
46⤵
PID:4128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKMUooow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
44⤵
PID:3264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIkgwIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
42⤵
PID:1080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:3476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUokQkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
40⤵
PID:3572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuQUkoow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
38⤵
PID:4128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:2584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQIMkkkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
36⤵
PID:3320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQwsQIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
34⤵
PID:4664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEkEMkAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
32⤵
PID:2684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:3724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkIMUAwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
30⤵
PID:3524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkcAoAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
28⤵
PID:4596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQsEQYss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
26⤵
PID:4208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWAUMgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
24⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smMoYQko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
22⤵
PID:2988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:4864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koUokQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
20⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgsgEwgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
18⤵
PID:4172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAgMQccs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
16⤵
PID:3240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwAwcgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
14⤵
PID:780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maAgAcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
12⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkIEIMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
10⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOYUsMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
8⤵
PID:1080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIcIYUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
6⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqgkgAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqwUMIYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2036

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2016

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1564

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4260

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
317KB

MD5
559d84686240339abcbcb07466f2d7b7

SHA1
7ba9720dfc90982608a2b784973eed77030fceeb

SHA256
2436e91980767c911cca9b01598a98e126d10e60adc1f531edc460eaaed9ff6a

SHA512
6ec4843f8450ea7d4094217be4430fe6187b032c6350a6ca741c3b5c012fe013f46dc1d55881b4ff1166f194614e3ac4a4709f70bb3183feb3e14b648db17f5f

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
224KB

MD5
e17b7ebf77d03a4fe8999658b7380fbf

SHA1
401c2cf68b67d35e04ca8b539418972b58dc3533

SHA256
9000cafedaae8bda418c5ea053fbffa0595257d6a82418d3019fecd9047b0bee

SHA512
0b19da1d4b375e26bfb5ca0383dfdbc97e2abdca2315104b4f6dcbe9446dfd933d1e900e18e2c8dd4af8d332065a49c9c4ad06b02e6acd6036fb4f80dec4d1eb

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

Filesize
191KB

MD5
19faae7c76faee1798eee2111f58d473

SHA1
7bdeecb490cb65275cbdaa8ce06c3619f1f01fd7

SHA256
fd21ffdf39eb596ed5b90bc694b2a38a0736a586e7aefc293733d6dcbedd9251

SHA512
b06b6f2e8381cf686c3aa5094728fae9e25c80f53472cbcd4a2be124641dad69c24ca6d9dcf466119f41ea076457c1fc893f15b9e180680869910ec56ced77a6

Download Submit
C:\ProgramData\kSYAwIMM\AWEQYEgU.exe

Filesize
189KB

MD5
da9fad050e02feec7f69d8482de23774

SHA1
7f641903cb6e91c82d8f501a814fc09647249ebb

SHA256
558d34dfbb81453d08b44ff9472dfaef2df98e6f46e9e33e3716f4d59c3bfeb8

SHA512
a5acc813d7bd47535554a8b7c4ae28de9063b52768866583d021a2458d0bef41a71e57297f64026121d2ac164260e7a09f967c0937b07332e45b222a9a798904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

Filesize
194KB

MD5
6764fa3aa4fa6e1b508fe9283d0211b7

SHA1
6f290ddaaa9f6850f2217b2b54b21d00f2de1d79

SHA256
17feb3c2ae15740c99d95d519b4773aa4558d9876f686a7ba3fe6f3ec3f8692b

SHA512
76dbd380bb44dbfa8d6c8affffa6160d07e372ef6c2a8b2ec29d552268ec1332d0cb219b9e528a3368e1f0b117d0dab1b3315c9e9eebdca69a4cfa0a51d22df8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
190KB

MD5
4f132127c48b6ec794e2c355c14249b6

SHA1
ec67f4da172bdfa7d5f533fc1737c645216b5d9b

SHA256
37b0784d389aeb015880b12daf925264a64239fa412c843cba0137d4f4908447

SHA512
d0160df9c7cdc5b191f15e9cab0d546c8f38aa83d8f300f59749fb58643b9900ebb13d32617d53e056789fc80834f91640758b0d81d9bce2efbd94215842683f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

Filesize
205KB

MD5
605c9dbb499b953f9bc27ad58adc5b13

SHA1
12f2e05d7fde394ee6f83ac77986d0e6f7d1ea9c

SHA256
8269fdaef31d21d5337695e75a5f444661c0a0a7610a58b8b68763d74c9752bd

SHA512
77b972081a464e35d796f384bfed03dfff3f050a953842a7cd8846c57b3b7b719414d2c6988227ea3ba3c6f5a371878bc32cf2e4853a17abc990e08736c1e2cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
198KB

MD5
50efb292669ca714d178bb3742a62375

SHA1
ed926194d833b2a6711f3d4de024bab9f9c16af8

SHA256
343550d93732c25cd426f103af591afd01305f43446c0d02527475df0928c41f

SHA512
4b8f8041aa367af20d20e1f7e2136030de29e576356a6d9b93aabb093bcb5b96db65598d96bd8296f549e4ba2eeb40b6bb4e121a4a366e3da58926c605d23876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
182KB

MD5
f07fddd41eb2b0b60a74b228543e512a

SHA1
5b003b0bf958bfc32e279b4582c6e05c97295bb0

SHA256
0551e7ebb19996abe3edd1009439db33f19feda9e1a5af81e5db4cda2571e36d

SHA512
1df60249a3699d05c026094ba57469693d2cd1a363378af11950bb297c19e9ea107137dc71fcb73abca36a57596132f986540ae679eb9e8e06aaae6fe15d6da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-26_f42ce0e64a3d2f7354f003349e7cdf8c_virlock

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYc.exe

Filesize
181KB

MD5
ecdca17c2ac01578ce6a392c4b466135

SHA1
036df888bc55e056a39ae791734d988e004a2fe9

SHA256
84e04f382e2c89f85bcee5aef6be00832ffcfa8ba442413f9f6fe5609e0b6c09

SHA512
674ba24ad11ed90acc34685ec0f5dc577306e1960405ef77be40435ef615408913b992927957746f1cb8ffaa8094a53b2fdc944b4642376426ec972f7460b752

Download Submit
C:\Users\Admin\AppData\Local\Temp\AggK.exe

Filesize
219KB

MD5
b5fffe72d79d8ed5068a433adc54a826

SHA1
31255a643c01dfa73477f97c38e3d0841bd78fb5

SHA256
d08b5276685397f1502f080d23925de9934724875c356cc2aa8dae35c9d55a9d

SHA512
6e0351fc7cf264b4d051a2aecf7af51a062e37727b047f71d90dcab1f4175492869fcb6b6a49340353ae79eeaef65e8e493da4bf66e7be6ba6f30fed0dcb2207

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsES.exe

Filesize
216KB

MD5
8a8ad57a934468b7aafe5dd179b56b71

SHA1
3bfd2272affdb1abc4de57c4f7bcb2ed3cd8a60a

SHA256
89dbf35560706e40eb1bb56b1c670644cb07e6af001f1df729e7ad3f76a4d57b

SHA512
3811fd17e27a7969d47719bce5528e6f244f339df62d7e03453d77074fb0576c69eb6c8f1fc0fa14f5c189a7f271a3b94a4fbf6d528ae250e4a0cb7bae351b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMgQ.exe

Filesize
201KB

MD5
149fad4344ff51b6e6e2c4bac2317d19

SHA1
8a751cba415288d83cacf2cb1f42d0ff97a97acd

SHA256
21483b7379a6b65fd6d08765bf88acbfd1df2442c9740266054a8e073720bbdf

SHA512
618315a132288126a05d64aada713001849deab7c52bdd23b232af982190def3a85da2dfb25dbd0f74603168887bcfa09d7fb26fd26fc7b40938d97b3c095f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYYw.exe

Filesize
830KB

MD5
111eeff3354f17ebcca3cce5f5ce7a34

SHA1
f38556c5c109f296093d9b4b165fe8ad786a0a81

SHA256
101898dddf52939d580c60a03ada34858062ed2862e833233da3edef9a87dcba

SHA512
e3c9b801552f53389b243d79146afdd0a99a11c7e108c5a85172c9b87ef4b5923d813c1677b7eedca07e5415982be4911d814019af5ed9da5d7f3a4f171a6169

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoUO.exe

Filesize
199KB

MD5
2f640737e9c9b145bb391f6a210868b7

SHA1
33338850cc0d081e712a23f070a95dc330db4240

SHA256
e092e32612bf893bc07df846f5daaaa9aad8eecbdaa9ac71f34f4933a48f5547

SHA512
1e7643bd4439bfa705faed8c96fc2031203b11e8bb7341d9c95b5366692668c1cd5a7c709be14a531eacbcd499f2d3200fc9fdb3d10f0eede04e7ef8b8376ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwMc.exe

Filesize
799KB

MD5
e501e526fbd7488155f9bd43c7abbd34

SHA1
baf5b1ae747fc7037040a748a136ae0dd1240140

SHA256
eab91c4ce3fd4b80330e53def43eb5f023646ff3e5c74da8121b7f37aa31582d

SHA512
f6ef77f1f5a7c7a11f37b743714a04bb756793229a15379557199855b6e953b7b9d88408dee68b2a1f74a8d9ee72101dd1ef1d5be8135743c58a46b3923464c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAAQ.exe

Filesize
439KB

MD5
bd98bd1e364a43b6c753303696697080

SHA1
5375d2e70146d7f36c1351e07c479cd8d86cacba

SHA256
340541c3a601cd269a35354ab35c1daab77624a6e89f89d5c60737163cae4872

SHA512
c9f4eeed3be162dd9f0c3389126a8e78bb58785e48d9a2f0d54a458b276442c1b3b03388169bc65002aa337dc7eca70e5081c772e36e079af57fb8ad23191625

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAkQ.exe

Filesize
5.9MB

MD5
5ef435285ce91f28f1dd1bfbccb6ba0a

SHA1
22a2c92b83b15f43a86c226c993df28e3350a58d

SHA256
9901c638cfe32d565ae97ee23c74617f68bf73e19a286e19fcfbf89fc9fd9267

SHA512
44df67096dd2b20bc2bc27873c9e2dbad1ef7c276e5a0be886645421745dc6237f2c9a24c5241a73ab3000a7c218379b820ba3e073838704b3fac2843be15206

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQgu.exe

Filesize
201KB

MD5
0a8e96801dc8f9254035770b084d0133

SHA1
88e0c973477de2ec45cf54883a23aa1a8611d8d9

SHA256
b1ca4a96dbc8e0504a5b11d3ded72df90252916842a5022b07b7c32f7067e779

SHA512
814eb3d6e78c00df52e138741badd21f74b50c9d144adcd5751f1c1ff30a973a2ce4a7263764296383e594a254dae5892ca79afc10166f8a25ca47f373a90168

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQkq.exe

Filesize
195KB

MD5
2d4aef0f0ccac63f37604647728057c5

SHA1
4f922fc324201253e6710915289ee409b5c13525

SHA256
2d0ddf7e17cfb07baccd10f9286fc24f4d3bfaf7d0f0b4da7599fe1e58bc6b34

SHA512
d6011d5473613f7d788fac3f28c1164d013c085297e3839494e7b90a6fd1ebbafae18e684a68174115683d86268ec80174693076b595e72e17753d7a1127bf70

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUsU.exe

Filesize
217KB

MD5
d156566bf3cd7f6b16d756d0f7859293

SHA1
7917171e72ed3ad98a7082562db0f66425212434

SHA256
e4c1640e5bca03c6c0914359c3a91fe0141b85583ea54da4a8578f655fb19f38

SHA512
72ee37058a9914ba7a641d8b67bb4d9e3aedfba8ab195fd65cf4bfd580a9245ebfbac39538e8097b39a0b7bf161df138deef297773f953dac281e6642bde53dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUsg.exe

Filesize
815KB

MD5
ca365f97397f44328f4a6e3cddda4415

SHA1
c93cfe1ddccf848c4a6f583f7beddd8e0e4883b0

SHA256
cbad9e8b195517bc9a0d55823a738777ac8360e98a85c16b7e4806c53e6e1b21

SHA512
cbbfe46b2b8d60246eb7c3c3486de7d525e504d44903a28ac8c18ad7eb184ab04efede06eecf5fc3c8a0e955ac11bff49322a4f9733242beb250c88cf07664d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsoI.exe

Filesize
236KB

MD5
b62bdc0e933b307846ea3ac831c74d9c

SHA1
d7b887b5631f09ef91210c2de22476e9398146ba

SHA256
e78cac12796457771528fc0d983bbf5e5152f81394d2d2050cc07f7639a069cf

SHA512
015654c054354dc689fb2c6cae7388e1e835b63d4f847c46c46719c65107ceab17c8c8594cf5286e6454f4882e9108d54a418cf4d21df2dcb26abef83bb9a66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUgq.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwIY.exe

Filesize
185KB

MD5
468379220a581f840ce5c136fc7e35cf

SHA1
74d4ccb82160c0088068ad46df719cf621e44afb

SHA256
ec2a11a9948f8b60314859f79c2e1f174fbaf752c9d7d47c7940706c75844b2e

SHA512
751e0e4f1fad98cc1c276b50d0e764c4f58cc65fa18c0b08c9e91c5ecbf721bfe813f4a97315b5c90823966374ad98d21d87b285ce0f90494543bac3dbaa110f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwUu.exe

Filesize
650KB

MD5
0724cd4510e18197ec055102f7fa1449

SHA1
a2c3af288e6e331cad61dfd499842beeb25bdadc

SHA256
698eeb0483ff5542791756bfe76290a9042907397ecca3ca0ae218682bf5c185

SHA512
0a9edba16b4bc1e74f205686add2ef1c11b3135e183b8eccf751b15c6766a7daec9b280ac50b9134ff39e90ac1122f667458a7196a529b12ce99923ec8b6dcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAwq.exe

Filesize
266KB

MD5
2916c830a73dd2de8bdb62fef42f03a5

SHA1
417bde4dda81a1065b84208deef8d616441ba751

SHA256
3a7a7ede925f5478230c44a028d5e55b5ec7ee87d58a55c1702dfaebf763289e

SHA512
be362ed1e50132e886cc0f8ff71ed8f46a9a9e27b7649345a0de9fb11ff39209acbd154bcc8a84d30a6d4ad7a4338bdf07ca3758c24548a689f932a21666b40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUIi.exe

Filesize
5.9MB

MD5
ae6a26b573fb718f5927e66dd008cb3d

SHA1
8096aa4874f57f108e535922dfd0733156c0c4e6

SHA256
5c61ed15d909734700e4d3ca3ce27fd3d963008e707ea08e2222b597f48fc141

SHA512
692f86838c5487cb8d8cbeec107650f96dceb9e1674f395de7def40585a81162946ec17e1031eefc7ce2563ad13b9efcc3585c58472cd9de98140c05e250d882

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUgA.exe

Filesize
204KB

MD5
55c71a9b0a7981e22b2876a622e70027

SHA1
1dcb543f8276f1ef000c423e70082cf3d2fca57d

SHA256
a1e7c3e83d15f16ed05a9a59817f1b10a126bf25cf50c6e7d559edfe0570a859

SHA512
de1e14168b77b5e17b16b579509e54eff83a92da361df86d468091dbd444257c7c5b31e1dde3d480597536ab3e17f76c2db18a384e6363490e2216bc10cd9568

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgkI.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgoG.exe

Filesize
199KB

MD5
0df18391012693915082716c8f411920

SHA1
f940bc80a350de86cbd53f5c6a2ae70535a8f0ed

SHA256
c2fc2e457b708be43867e77a5acd9b3fa2e976871aaf52ecef45d93f4c887e68

SHA512
4abebc9f09dbc077d07be61581f3ab513be0687202e5cce635fe290c7c7671849b0574c4af18a8eefe6c72db04b29ee086ba70c29aa3705e23946654654a23ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwwq.exe

Filesize
418KB

MD5
9cf517d1a23fa735b9a4fb38f3decddc

SHA1
29b5dfd1cf607076892d0833554a346ffb31df3c

SHA256
223012f58ebc25f77c41432f7df139d8546c6c45a6c41b1e30966a10c92bb9dd

SHA512
6b7cb81bacbb341c445431a50e585a13907f77ea232818167a7af2fb1125a97de9926fc41b46b8a86c5c122eb010e3461f835e04597a0243235d7499c51aa790

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAAq.exe

Filesize
207KB

MD5
4b8b63078c1b565f5d3181aa1e1b3968

SHA1
1841930dc4b0409f0f8c5934efc76d873ed7a8fe

SHA256
89648237d8c9cb0f1971f2c07550dd62e75cfa6b9326e15e5a97a4175368a143

SHA512
a1c8b626f1d3bcbf023cb38e2c695f9adf696be5e82bb6e20d728a626203884fdab0bd2a53e702e00bff86d1bc7067bbf7a8d60bb70f4a685f8e4d63cf3b6cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIss.exe

Filesize
323KB

MD5
6e322b0bc706953a58d9cbc708fae837

SHA1
d019a6b826de2f91dea664ef17a87c4ed9a930b7

SHA256
657cfb2648100f9d0c4f6ec6c52d2f07c23a371064e4669b22a41de3f071b3d7

SHA512
c178c4fb990199c9b6548043d64053b75da9e8fff4127d22b7651e50bf5922d06b8683c60355f3b8defa1d7cfa4200cc2abb394c40f2cc16a0c19fa76ccf5f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQcW.exe

Filesize
210KB

MD5
c431c08ed893b810e078e93ad87d162c

SHA1
3296492994b4258d5588dd3d9285a45b3ea3c81d

SHA256
19047cbbc5dd77e2bcd572beb406f2ad67ab6e1870cb4dc3c59e72ded612c112

SHA512
4e5d8b28fc4c48b89595eff4fdfed13c2b87988c2d9d3bad4d0777aaaf72649f30125fadab3e95c22915e20c60957f3c8f119a1e9f9e67cf2fcbae9fd2334371

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYAs.exe

Filesize
458KB

MD5
f7a86973d3f23c79bca94516b6938b7a

SHA1
f37e2a651a55239253dd08939df3e0673399a8ab

SHA256
e037428ed4e69502126c19855afb3917030d98761e7bdb40c3b5903dbbc604a8

SHA512
8d463090d0e654f48091ea22a3668b4158d00d3bf34d4f5da0cc4ea9f525cb4eea6ea73123f0c6b3b3aef233a88ac68741fcdee6bdcbc5f221a6acb1c0c08253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msce.exe

Filesize
203KB

MD5
40b63ebb3e66da59aef3cd0461910f5f

SHA1
89537603f5856ab0a1ab1f265ebac07b6b49a1ad

SHA256
d100eefd905cb6d9fe3db7a7b5e444ecfcd5bdb878618d28beb95452025ed360

SHA512
01643b828083880c0b7e79135c9bf511844dfb09a164e0e9c4fb070a00b9266b1ffa8a39143ddbe4c8d5bff0b52c0c1b369ae7477f6b79883cf48e374f6f0ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwUO.exe

Filesize
1.8MB

MD5
7c98dc6362ad3df119a1ea9dfa864b23

SHA1
082f024be9a98a1147025a7813946d5f6c3a9884

SHA256
bbbb4aec7b71163125e85d52aec2fea1cbcb1da34d55d5f190b8f2fa8f8388de

SHA512
33996897df6eab0679fc68cc73aebe7d5db1cd4075a460cca4694380b4d21c9bf36d0a018adeaea0c5e78244e08c1b44511c7a8e076dfd110c620d72a9b2817a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQYQ.exe

Filesize
651KB

MD5
26c064dcf372e4fded80cbadf1873c6e

SHA1
11a1e87375c26a9989182ffb80fc837a3071f468

SHA256
970dde7e02a48301bfcfe16b71d245427fc4235abd5e3843f3a7080eea43c64a

SHA512
2a6ee812606fb48eba9157a82fb7fdc1d69c9dc3a3cf2f1238a0ec5049ae83d92d8d816afb327e53cf7e79a3e6f4e8d5807b323a5fe2f5e057f6f2800d8158c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUYQ.exe

Filesize
831KB

MD5
8f947ace2b3c64296d97c67171c8a4cf

SHA1
18bd36f8851467acefceee9c3dc75d0bfe80ab71

SHA256
d807699c4d99b7ea893b739e665d50d0ef9005ed4266861326de43cbdc1f5784

SHA512
e37be04c8a2bb2f87858c18fed490378b1b59f2c2ff044edb99a9f3061db9023a669da8045e49559ee376fba03536e043565ce1ca823846e0499b427fb7cd4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUgG.exe

Filesize
192KB

MD5
5b0ac72b0b546eb520acd342a5173823

SHA1
88798af65b3b2546c2563b3a57772e2e5810a735

SHA256
9cf1e53ddf29d3163265264c4cd41ec6c033e1ca2543988ae923ac019982e3f5

SHA512
7302265af7a6f7235cf70a37faa9fa40b55f0bf9bdbf55336e34e2c00440350bade046a89fd5b86563ba2b23dc35e8a8c5eef8f72e47806107ae8d242b5430c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUws.exe

Filesize
540KB

MD5
c51d24ffc2fe5e484e94993dc1316e3a

SHA1
215d85350f2b90acee64feebdb1801383a91232e

SHA256
3dfaa50ea6b9515b6086fb0d425a9d98bd8465b5461d18c0056a7e252807cc92

SHA512
9cf30cf8a7adda814c3b3ad906d7c8ef1392944f64f6e60eb809be92661b1820c24771fc436924917cf5ea5e505f7030407c9343812e8917a6467a386645b829

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYkM.exe

Filesize
318KB

MD5
9874f6bf2fe641251132f767af85de1d

SHA1
ac42f0d5bb3283682879e5f96187c62d60c96099

SHA256
49efefb2d4071b5fea39e8bf2167948e2ed240989d9095684984177b3c67e590

SHA512
2451ccda31558b655545ff6a8fb4982a9b131c80b975dd729b99fe426773e0eb9e2d2da4e663bae7e3490e1690cddbc8eb8701affae323f83c4c1286478c1dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcYq.exe

Filesize
184KB

MD5
82683e611965179a52eb1af55b016c91

SHA1
4689033f78ec8ac299725929ce9595bce23d87af

SHA256
cbc43784eb723a06416e8ee91f0866cf0b68d39169b0067ecae8d5afb798ccbc

SHA512
9cb7001e487481237873d73ae28ed49a910bf9c9bd5e638b39a994f6426ba8ff72080c463062c229f0833717a4596a402d8f7ebc24b7e8b6d1e1243f029749b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoQu.exe

Filesize
644KB

MD5
5f9f2f26e6f211cb87c464e35b35bafe

SHA1
aa2acd5d9d9e3903a31bc58e0112e2387a93cea2

SHA256
9c1b54ddc8fcc9f4530536a645ab08b7f0ad327f24bef4aa807e74f3dfab8b9d

SHA512
1c7cd517d18c95725a6ee8aaa56e391dafbb0a2bc72bece8f85361cf4b0eb141bbf28f6188703cb75bd8eece831c259c4d76c46d88c688b71aa785e22fd0ed9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwgQ.exe

Filesize
208KB

MD5
5e4fe40c09f163ab09c789a34ca0a0f8

SHA1
9fe9075fe805a0fc2c89603a9268fa2196f889d6

SHA256
c692f2832090620361bdbc098c876fd089253d19365a1c8bbc5521ca0f9be3c1

SHA512
f827da009a03e6bc3ca927332fd521f9ab32c5d04082244cc9e5596893dea16c1c317366162baf61fd1faa00767cf5e4f1c8304763473ce026606367e1e6679a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owos.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEMU.exe

Filesize
204KB

MD5
ec1bc88ce6306a16ccf6c4967deb42aa

SHA1
185eb8ecead3e581f7659183ebb9aac19fb8653b

SHA256
7a161afce8c3c4123b46ca463c85bd0546f5e5bd488d995376f20c4fb85edb20

SHA512
a66a592a73d11575c8e55af1694297cf2fcd73fac2ef54273d9748f997500d0fc64ec81ae922ec33b5407e31b1fe9a39a9f46143e89f20f6988d56ad9444e7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsIM.exe

Filesize
641KB

MD5
29a463ed507d6b42165e7a4ea4cb9933

SHA1
6f3bd62a4ce685758f87d2ca0a1ece471bdf0b4e

SHA256
ab4800dc3e8f2fa92fae6e0d92c785f4f760de3952bd945784b01449fb9b5846

SHA512
737d3f7408e2ca7307d6754425ef70fb094257310dfbd9d63050354bd0c2bb6dce0424d3bac1c57d9822afc233a7c3c60a3b7a0b45110a2e2e261504a861d477

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAou.exe

Filesize
205KB

MD5
1f199cf837c1534904afa7c216431dd6

SHA1
292a5af9d08ae3ce7e4dd927b358349fef4d99d4

SHA256
ada546f73e52cf652aa879e7616086637ef75abcd73e8cc87dfb506438779871

SHA512
de2f0695589395762493d24a59692e05b6fcb0adc63d7b0c62a0e66b556c848ee7971cbfb8b318c1b54a9a0b5d4fb0bba407996c3c2f1b303f40ad2566bd54b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEUW.exe

Filesize
188KB

MD5
fb76358d9fbaa78dd43a24ae09b8090e

SHA1
f6870b74264ad73caead58b3689e7769ba1c25d7

SHA256
910c674326ceffa4a32c80935ad3b6c372a5232a8ef6db5915e5af8494770ce3

SHA512
0224467328de9633579218af51f454b83f28d38312f84eb4c8cb22d53f58b93b05c70df7fe72f840f42c976ff0085fa5794c3f64f8b43d409b8d8038ab3eefde

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUQI.exe

Filesize
212KB

MD5
303ef638eb4361bdd17be7a14c196b7c

SHA1
9c56e7011186a0e6e00fef353c482583a95d13bd

SHA256
4bbc472812f0cf1b9cb47ec038ed05f72f5e35d30e01f468395c72f7fc371fee

SHA512
243bbb21d8ff33f1cfa1a471e008408937f9009d86f4cfa25266e0969dbeff5c4d51e97e717e8cf40bc5d305d36e1662402fbef7655ea3db927b4e426a33252b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukci.exe

Filesize
823KB

MD5
267cf7162464d1b5a503443dd83ea817

SHA1
76373cf0a6494ead84ac13408ebeb051268c6377

SHA256
cd0fccbb58d7581d158b322fd2d997ac9f3e8b35ee3a7cca56427b6e00876aeb

SHA512
cca2eb53a066d8e1ea0c4c52c9d6e2a5293dc59b9770990c4f832fcdc87e2b3571b54afcbc879a54c9637e93deda2e3ec4a8df4a0d09c15e924ae5fe030792b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwsY.exe

Filesize
204KB

MD5
2a4e3c719b0b1ca97af509b48e3ed17d

SHA1
12a7ffff510d983d2a52e9e3151f54694259427b

SHA256
725d0392bda6fdcba1a7a79289cc2477cbeaaa6ca052d825038da39bb28e74ae

SHA512
1045694580f1a9b9fe231d1aec1fdb19b1d6cd030fae8f7e2a553ce82cc64ba7f7d61b4306143d6b8a56cbc7b690daa57ec83183e8975939b5765563f22f7f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwYU.exe

Filesize
197KB

MD5
ab07eb8192c6bc889526ec4e9948a1e1

SHA1
b43e8469b3c33e5b6e355643b50befef9d9a8a28

SHA256
2985e1ac6c2510f115d4d660aeb13a899f403f27b9d829d323dc23865d743a1d

SHA512
68f0c940041489398dce6538f2d1ff965f28c34aff08e2ed5b0a7359746e50ac057ec30f82a5d19ef6f88180d0b3ea82710dbf082ffb15ac84c8f61d910e4e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEUC.exe

Filesize
592KB

MD5
2a9a2f045468feec3f068c0fb3d4b438

SHA1
0337bb36494efb488ebffb971185e70059054c7c

SHA256
3d8b770a6a45eca107bec3842744977e216eb10a924ccf43101abf347f6a361b

SHA512
435167a768178aa481927b9d6bc65659156cc60f080207203719635302deb4c4060fefd615224ccd0034d0385d1f6c5f9013c5cd36e9884a8de1945cc9b6508d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYsM.exe

Filesize
199KB

MD5
0cfd6f2fbcabff8b30e4e044c1fd6e67

SHA1
fd56592d8494074e48816e9802f472ee1b51990a

SHA256
3124bb0d4799814b458fc367745477f8133945d853d8b7a4e17fa77c8b7229ce

SHA512
abf50307597476ed46951a0ff6f4b6bc8e30fc266dd325279cac0d4275e90abd21f03ff86ca84695beff67f373807febeec4bc9a909b22453609b88de4c98daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkwU.exe

Filesize
206KB

MD5
447428ab0128c0500ad177768bfac903

SHA1
33cb0851a7b88cba849d87d164c5826f8ca34da5

SHA256
3846f18eed6de09e76e005c29bff605812b2f524d4072454b3714ae7f03293fe

SHA512
0196295d26ba2921232340bc65bdfa752950faae2c16cd5f541307aea556f85b241f4f5a6816f63aaac51a4c241791eebeebfa1868d2d75a5f5d5e7b5d289905

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoQY.exe

Filesize
192KB

MD5
3d81320c1a404249073f0956daf69924

SHA1
8835a56ba56698d4c85f06915a308eb87b6adfa1

SHA256
2ce52b27b9374821be9d68a71850c994b2d578d1e253db280bd5c8c2dc077025

SHA512
c19d31ef0973efbe1c211ba496e563e143f4950fd5f0b89f30bfd7b37d254c4df84a46eee22e5858953290b8a1fe0b556ed6f87f89f93b1ee08657732c5e722c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yokc.exe

Filesize
189KB

MD5
ca358197de6c6a37eeed009c5cbdfc9a

SHA1
eb5ecba5cb7a49cdcbf453d081ed183a835400a8

SHA256
fe1cb6049c61f85775d9762b6e94d872b84de8892dc6b1c686d056e97dfa48ab

SHA512
62ec7d486c1049d54b007d3f6bd80bb3ef5a18642df0a424aeb68368504146165593121dfe572e219a3fe06c6536d8962285a0a53b72f56fa88d3e4893859b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYIA.exe

Filesize
436KB

MD5
73f2334df8297c476d69fcba7790844c

SHA1
20cd6363c6e0c3de573d1a58ae8442987046d3bc

SHA256
ed1d4978cda8dbd0492fb8530f978e4d920036dc21dc57efa89c3b462a5bc7f5

SHA512
b386d7bb47f3ef21fb1ce4550ebb38cb773fa67d2011462d6b2deedb835d97784b32213beb2a57c5dac2eb4438633eafbd5284600c309c504de42fa66097d49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkG.exe

Filesize
245KB

MD5
dc8813490cdf98be0fe8f8bf305678f0

SHA1
2bf29d4d96ec6c9640954ac666a0f5bbcb37ee04

SHA256
23ce19c76a728d07f5f46474844570819f9441e7feccb29c1d50cd72b715ffff

SHA512
4d03aa2a635fb3f706ef058ba6992e70bcb086e16a01e31355f9b1b541d1878f8270299c2a6ca48060d126c39daab9ab35639776b607703a6fcaaab4accd6652

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQow.exe

Filesize
196KB

MD5
4994af82880405a8fb3c705f229f717d

SHA1
4935e9d53ef057e85ccfd44bf2293b57c8f702cd

SHA256
815bead9ba2f9a7be736bf1ff5ea054feac78ba69c1598ec7927c9f21fe5f539

SHA512
df1351d5c64225405a937a138bccf4a3f4fa5295dc5e309eb28c40232b694d300506dd24da02f9cd96bde68ec251b90c0de72f35f43e1054bc5f7e1f2f66b21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUsC.exe

Filesize
189KB

MD5
8da7a7a1042864eeec5ce2498978319c

SHA1
19068f4705d188717bdab6ab41c61ced33300697

SHA256
e5c40786f51c8559b9e0b83afce3c862327a479e087674e881b5ad7070f4d236

SHA512
ebdcc9edf8594fe563fd3f01a998ffd99bd4818d1f85b9abc2c2ab8f3615114ac14158c6cef89d243cefea72e9f236037f1cca4c3fa704dc7513610d888d3d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUwC.exe

Filesize
194KB

MD5
e7401af2a364886741e32797368c398d

SHA1
358247708a8238f59fb1f47b2d2ba6a94b5fe34f

SHA256
0681cf094f2b426f9834850d6391ed3a1abd3876e80bd78e8d4970ac31d47630

SHA512
063e04edef6a16ed85cd3b2f70438120119899ee03de5e627b84bbe1424a37ce7d8b5729d0158772f196d0c3c984b651032b414f251899b5d42ddef1a4de021a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwYO.exe

Filesize
812KB

MD5
e793bc5b9ea52a74da0c9bf6846ddf0b

SHA1
63748dc6312ecadc4497c081f474d72ae6b2b486

SHA256
2a3b3960c9024ccf9f63a8f2bd3938d8f5125e1b141ac683aadd30f84c9e27ff

SHA512
a456763e6d89978cb315ee54fb9b9aefc060dbb253dd5d8ee9a7164e922642d4d7d18ffe2ae434d96b8c1c880bc69986e420f5740cec80841c638d9a6b26448b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIAq.exe

Filesize
307KB

MD5
e2287f0cb95ed3b0afa6ab12ae76d5ee

SHA1
38bac605d7e87b652653ef546f728a47d52cdf43

SHA256
46d2d27f2905c9701f0bbd73cbfccb4dad623b705838e90cd749505ed1502de4

SHA512
3de432e329d4ffcee0f4711262eef5d5b78436f11dd95be885cfdb45e1d20d90846c6e41bc0b4a1f54714ed4abca6c15c1994f277fb87d3a90e3f6ac4cfb4969

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIUG.exe

Filesize
772KB

MD5
d07dbcddee70f38f8a9db07f462b1bdd

SHA1
b0d2c79b8013b6eb2036be36ef2e4a226b1472a8

SHA256
c57a48c81b112cb1ec78134390dff3b9412667835702832c03b14b788a2112ef

SHA512
7193c36b86a6f22e83113e3cf0fde573da59520e7de74343695476aaea692ef4284f172a235359cbc7b0c0935a134e7b28217d9b64fc972f0936c674916d4797

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIUm.exe

Filesize
777KB

MD5
e486c24cb3bae2f63f3b3536163e6fa9

SHA1
71110c2c7dab9ce8dff5771713ab241a9a93436a

SHA256
4ea800d456a3dfd8b7b1520cbf3dc5fd19d5c7d97c678ccf25420c68f647ac01

SHA512
6991efa75666e325c3a469ab9d9eb5c0a6700baf79673194bbe2ee91a6c1235f1a08ba7f3a57c978672aad0cd946deb23067d3920ad83c2851a2703e52c82280

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMke.exe

Filesize
908KB

MD5
d9a626f6cbe925a2ee61024ac12b7078

SHA1
3288ccd1ca31ba18781eee018fa27e46f94e8c80

SHA256
8f3eb491df147cb518c64da3276733ed2c267199c84cc4263f352d0cb8dc81a2

SHA512
7074afaa40f6eb3bc33d372e3670af1ac371b3e45805dc872dd0fe5a369373a9c0d071d6f81e244f0508f53f90bc0b70f0787e459900a743feee73f3bb65c906

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYAy.exe

Filesize
184KB

MD5
805000cca144748238340f22cd9d677f

SHA1
26372589edf41d1f3610c8e98a906efbb7a804da

SHA256
efa388c5bf70879844c20544f0b37059cfce1758c3cbcf23080c3fc3cdec1fa6

SHA512
b0427670a8cfe2b957b51709fe0c15aef11980d2e4d1a1dc70329a30eb5fa3bb8e203221623e8c6d687d3354eb9d055866a44806084f9ce4e09abc31a83b4e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekwC.exe

Filesize
183KB

MD5
95cb7cc149af58a77d49ddf4a26688ab

SHA1
9a9a7a0f6c57f80029ee681cad32a10f4458a36d

SHA256
594412645eb6582bb7438084eff1e52a24a563009d44b5720588b2236a72b3e5

SHA512
0218a7de3bf19a8ed3b4c2428f1b0126199d9422ad40ef661050f13a16d417448a3677200e1873df9dfe63b77b2966992249500a3b69646c6399c7c195bf0096

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewQo.exe

Filesize
203KB

MD5
107b1edf09c2c03fc2638be23f803308

SHA1
03bdc2e3ad4344f43750c586e1ccd93147dc24ac

SHA256
bb7932e6abde934fa494a58ddf37198a6b788b02fbbbcb9ff7fc033b9f294b47

SHA512
03e020c3559b2bee2e97fd2519407f0c42e516a204e5d97ba292c0c6b3218b67002a45bbcdeefa6fc5649c66b7ebca25da221698dee59d30b0bbb189e82cf743

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUIi.exe

Filesize
197KB

MD5
8fc9d65fdc6f0f5a917eee72022303c7

SHA1
1b1a6dd978cbde7b1e89d54e3fa49fd255a13bff

SHA256
52cc630693278b1f9f9be7f9f61003e096033fe8f3c9acd0e48cf490b38888af

SHA512
2cc40754f3b26a89252ecc05f6e19fac283a112d311be7b02281ed4fdc3f95d9ab736a9dc7ce40ca64303ed8f43e831ba4dff20386874b0901268bf58308f297

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYsc.exe

Filesize
806KB

MD5
a9fba46fa0a34df03c921519b5939d08

SHA1
86c202424df53a4a1db4891615cdddb6550e4e86

SHA256
4bbc6d7f396a24994926f28eec0083925b899f7eec79889fa3a4aa4432048d09

SHA512
47090abf8933a1969829dee7327ffa0788a17b9c2592495daef97c58504f33e5c3270580a52af8f8a99fea0db9dc30dbc874e06dcc95f7c9d8e4e154c1436557

Download Submit
C:\Users\Admin\AppData\Local\Temp\gccs.exe

Filesize
208KB

MD5
24f7fcd2526fa4788fcceddbc369462c

SHA1
6a7fb0c11af3a4b657dae6a95423d55e32ff2962

SHA256
a05cb94a59af0c429c3b3b83431d8c47c0b60ef583f9eed44c85bd56c1b59354

SHA512
9c3545200c62cc629a6dd3224f0d680aca520542dc8423256582eb05fd0e90b6f3bdbb55a3fd39f00724c48f3c1c70e392cae9d276aba93a2fcf942ad1131cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwIm.exe

Filesize
212KB

MD5
297a8415e03cd84a98f337de8b6a5149

SHA1
ecf7cea789b5bc4acdca032fb2968aadd106d087

SHA256
b1a13b57b418f39d3fbaf7edc359e26400d3571f765df7ddf8a36a79c915d6f2

SHA512
9f317472202cc964079bac14dcfc398061a5dbcf5212aa312271a1a68b4c5ff9f163471718ab1b00381d0df5722eb1ee0f3f2034fa82c33f7719ccae7fb58f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMoK.exe

Filesize
217KB

MD5
0b94576c8255477b9bb69deddcfda9a5

SHA1
d2e4ab96d9f5fe823b2fb250e54a453e47feb8a8

SHA256
5c5c69e532287d467815fe78f8063ab04797b66eacb4cff99dafbc83d5908063

SHA512
9b447867ae74a8df152f2de6dad80351431bd505dbe07832ea30c4c73305bc419d0b1ebd301ce97107e8954394f11b54d622b2d69f3e236f2c8dd1ac20fcf6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwws.exe

Filesize
197KB

MD5
e7d21d30c9ff2f4ed672664d3ac4f7f6

SHA1
fe394a01612aebd33b37936f7e06f4c0a2d7888c

SHA256
826d28cddc8acb6331cb7230490081dbe3cced8df2e8156b1a22fe015486b4b1

SHA512
61f68d640a009ed7d21b70253d42eca9277a9d08226920a34b47869ce8381a3906d043552246cee81fb692fe1e83e15b965f6d63afdcc15d1f6013d85cda1fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEQI.exe

Filesize
204KB

MD5
287bb2ddd638fd51b90b97d7a6d80929

SHA1
2b99065a1cdda98b87cd7b81d29cf3c4b43f08f4

SHA256
6920b9b626044d86aff4db6fad73299bfbe4997ff77d04884bed7559c5f6e5e7

SHA512
8ee9d4d8e83d51322a5065ce7a6ed904ce521afdbf067c1eb85e120b8d4876d7f19b325ad2178c649b2998d9b49d58e458f274a316bfbaf0117ce41fbfbe853a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEsW.exe

Filesize
5.9MB

MD5
01edf545b54ea6aed180f5935e4ed9cc

SHA1
bb5effa1c1e22d13f1f47940a1e386c57a7522d0

SHA256
ce972ae3f1ace45f0852636830e32fcc51ea469f51764c9136563d8f9cac3aef

SHA512
c89510b73e201205b4c6e6f2580adad0e6bdfa6334319adb9c62a8aefa273dab7442f2d294001819a73bd4b4ab519fe24293ea7c65de7a76d287e6f1fc0292b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIEk.exe

Filesize
5.9MB

MD5
1d8f55e1ad6996e872ef114fb98147e4

SHA1
8386b7983f9db566cdae3c869fa7a12e9e7c97a5

SHA256
2fd63acb18bb8151de1cc238b40a1320d72b130cce042eadc19d9d0d16003a92

SHA512
b494d6db9a7e4fe5241c77bebd1841e08580c9833168f79d4ab9aeef8464619eb655992454930b07b8235438815d2689e9355458baa11400b65219b9d3f7d464

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIEu.exe

Filesize
200KB

MD5
d27d3aa685ba73721aa165ab283aa88d

SHA1
7420e6c46005ec73c8e58e1b63665dd5b8847e80

SHA256
e9166e4739522d063667c140aef26692822455b73aa1df69fb59dd557a294e00

SHA512
fefa98e4e5033d94582d4732e009a640b08d564a1c18ffc0c193aaa70b5fa4b9d051aa3fdaae3458d52ec53b7efbb37454295c43af49b3d71e4ec3415a8911ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMoO.exe

Filesize
202KB

MD5
55531ae18dbdc6e3aa1207ab1d40676b

SHA1
8ebd42430aa3a09fcb36f44d6f62f28c8bf389fa

SHA256
7d1f3acd515424f348b7db305bc0900a16646b8a3f170beb3ce6b8b8a30fad0a

SHA512
b0609621bf316df5483945f8caf74569a30092f07cbabf6cdd009fb05dc94bb81033aab4745d684802fd26b6cf9cf5ee433cc0627a759f33e36c3af1b08f604b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQIC.exe

Filesize
640KB

MD5
8408d17e512cb921b77ddc37726030e4

SHA1
cd341c80364500bf55eb16f94aa63c9fd44c7f42

SHA256
656dc9cf4fdc7e21fe4cb83826d25c365e64ef8a616e92561acf58c8f10b75cf

SHA512
96d9502d5853bee46e807d3a2ccc2b51418755eeb4aa680909212de39ca735934a9801c42cbd61643458a75de0055780d6f040dafde7021433c8aa3f56881f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIMC.exe

Filesize
199KB

MD5
40a73931ccf6a389075e14c58cb6ce36

SHA1
93fe8ee9b1029375bbacc8c88f0b916994cd7931

SHA256
92544c060c9dd8f40ccebe08572f0f797430a5957e6a56c3bc8ecd68acbcf1c1

SHA512
1fb7a44a10beef637ca3fe421d2c3824c742d3845564a4c31bd8a395441e40dc5264268b63197ae45da92b03cc58b9060499b957cac088285a1ba10888563e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMUA.exe

Filesize
190KB

MD5
89140f017bc9785e2eba93028b71b94b

SHA1
98ee2bd4f97cc58ad9bc856d443989fea53a3d3d

SHA256
b4947b0184f98f5c8173fe3a2ccd47e7829fd6a2971569f6adf956ad7d369a74

SHA512
c3effd97111b13669897ccaa8ce64171775db2e41ee46bb4d01aa23ee62df30e545515864d32793e854ff73f0b484a776e059c3cc4be82d37f0a6aa1cd39053a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMgm.exe

Filesize
228KB

MD5
ec6213e187dafab0ce7a97255933f3bf

SHA1
ae2f2ef12e3dd5c71467544d29694b58526df166

SHA256
5849330db5f1421590f1338f04c114a9f71984f8c291103a27722adeeaa7c51d

SHA512
c7a1f1cbb2f1a007ce2f06111d79ae54a6b20fad80134ba023ddb39d20367e506ff5a47dec9acec1a03b44c086f70262151245dbf95d355f5eb46d93edd5c20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMoC.exe

Filesize
204KB

MD5
4577f5a967211ec84405a343453bc529

SHA1
ca3c26176c8bb79781cb0e7b8232d6427694df92

SHA256
acdcbc5885a6784c0c118c9b7999a6f83fb7335eb0142f022ea05560387dc3f7

SHA512
a61635b58e0d634c8bd0c09c13971a4892cc16013e9780e0adad240807c74ad17f236a8457fe66610f37ed2b3abec043313c1149837ba7cec510a1bff40417e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYQa.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcMI.exe

Filesize
209KB

MD5
e1534bccad680fef78936ebf766c2fd9

SHA1
5e10749537735e0aeebce6516cc26aff5f85e9b7

SHA256
e6849acf6c6d1c662c521d7b9b5259569e1b226fe5c305615f2e0b7518da69b8

SHA512
ef85c044a3d2ab76166b296590e0c962ab8bea734a86774d4f78f8b70088021102a7ce9cacf6afe5aab0f535ee5fb7a31a6db04e5e428561860be14995af7693

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEwm.exe

Filesize
552KB

MD5
bfe77a2b7573266cb7d4f1006c4191ee

SHA1
8ed2dd397e7fcd79c39e62a273aa098c54ddd135

SHA256
cd2397e9bd9ffce6a65448f36fb6b62c5edd8869322aeb553d8b550a19a23358

SHA512
11663a73b5cebaef9c8d349dd8aa31ce4aecc60a2379b2121551a3549472f636913d74103f8a5aa7285fc20d8abb1ad1f39ff7051b7545dbc5b6ed3614f8e152

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQAS.exe

Filesize
189KB

MD5
91139712ad1ceb8514565b32cb274142

SHA1
240959b92d5a73a29c851220e368bfe7cc0bf3a3

SHA256
297ec14917eb35688848ce67957f84835f8ab00cca1741491971cd2205c287a2

SHA512
93a15ed631f9677a2621f98b2223c4b93a022e4f91dc29027d913422ee96196b5ce3b320faa65afa29506f69fdef59b31cb3fdbd3b68582b9c7dbeb37ad19b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQwO.exe

Filesize
452KB

MD5
6a4568a87d2114cdc7b501937d183a44

SHA1
7b7ab9ebc6f15b0ea8c4a7b5d0c4549208170cd9

SHA256
eb2c4205d80170da67ae3a86849086f4ddd74b25b0ce77a796d0f21d1e9a5d1a

SHA512
303f908016a4eb7d86fbfac0f17ed587d86eae14c308e4f4e59900d46842d704c0a10262ff91437b83cf57e19e8c5d15afa003ea12ebd71c35f3bc44ff1c61c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUQC.exe

Filesize
204KB

MD5
85439c9ce341dca2b59115ff3054e76a

SHA1
3f5edddcf11b6efb4d00729eb1830718778d8ab9

SHA256
748142dcc47bcec45897dbceb82fd7b972db48bd371389105b5d73bf5b3b0111

SHA512
0c560bb4647ae53ee848b1fe700d092935ed4441433cdb4bd50f838fbfc5e37709489ebdaf5a7df9c3d9c58c2acf666e44bafbc06665a4dfc1a4ed8ae8f1030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwku.exe

Filesize
205KB

MD5
34e55e0f69fec29b720e7c096927efc0

SHA1
894db24acbbac6bf9c00a0c104d8cf82dce85552

SHA256
a930d8127298ef5e9860779172e8ae7645f41976766686c0aa605fcf908c9bba

SHA512
a66d853bfe15566cf08f601606afd4b5a536cea12458cd7903462173b16b3fdd147cb1c14475c98119ac87ca3e7222446121953c1f1cf16b1c98bb7e5cd9819a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAUa.exe

Filesize
183KB

MD5
1251e9c3558a66fc36b9ee1948eb5f0a

SHA1
6d616bc4db6f2b66b0a72c35f58fbe00587f1d59

SHA256
57ec54f41724a6b58aa2fb0fc5ebe308c68ea97b1c84dff19a591405e08ee6c8

SHA512
21270970847f700bcc3428cc620b2641e1da9b17bc7b5bf30db9e156fdc2b15f2635022b243a413090ef867bd588c80e4fb3915a0093e51a45989949c31c4f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYUC.exe

Filesize
192KB

MD5
4aa8cfb0f65bc42d19c3c1e81e675b4e

SHA1
18e1843c39f13274c603bc548427e09fac80428e

SHA256
739badde05db6f25aa0ec52d36e5d2fa927a6252e3c103f35ff318385a741e2a

SHA512
a503a433b9909e497a896e8239987ac0f3ffab78bd66609e38c2bdafd56d7dfae19c02416043912d716d07e21bc8bd6969180138a858ad48a30688bbd86d6650

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssIW.exe

Filesize
186KB

MD5
a4ad95a8010f7eb8f5406a5619ce57fd

SHA1
5605cef143bc7c9c1b620ddc6f2aead595adee52

SHA256
63dd5592dcf02b84bec69c48d33154436bceb35cb1676afeaae2bb082658b29d

SHA512
b9767530c23fdd2d22952e5e52322a4aa826ba37f283d4b4422db6e3c0223e00119a3ebd676549cef5c4d3f7a68c73ad6c3012b3197953006c56e57657ecede3

Download Submit
C:\Users\Admin\AppData\Local\Temp\swkK.exe

Filesize
196KB

MD5
717f5cf9f80adbf53e34f233363be1eb

SHA1
fdec6ffc04bb079470cb05fd2d67fe298b586499

SHA256
4cb22292636beb421f03f63b6de8ef2bcca6f861845846ddda7964e8507af0d6

SHA512
47ef13b71d6c1a2789480111d03d8f909d253e58cd185db2f0a0dee9ddd69ba304f7a603f77e24c523331670c021423de592ca7f7f741ccec64470969cb9985a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqwUMIYs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uocc.exe

Filesize
212KB

MD5
9f62a95d71030f87bae2df8f38746178

SHA1
3d85dbe20107cd142526dc5a92840a04d7a46957

SHA256
2c2deb1c5ed0f8e7793b99951b3211df76a508eea26f5b55a1b462b48c5ff2a5

SHA512
121fcba47469be7ecefb48c876a90241049021295b0b615740453aba1940c8edec09ab0563aad00b5a8b1aa32b59ac114a0a2c27f88f1d95ad1e2a1f7a59c432

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYK.exe

Filesize
194KB

MD5
17c2a9d5a01eba1d455aaed7422e3067

SHA1
1d103faf3c6587a57867e36255de6961c17e5d8b

SHA256
9e6c0e2926379babf7afd3398e4b0aa86bc62e84ebc7462fda7c33c1537aba54

SHA512
2a770d7f39cf0f347bc79bd7aa9e7972b217f34487eaf14fe17d78946233d2fbf7496ea77c5ce8fe6c1a05688e03eb2981aa806029071138df6d5d55969f1ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUIe.exe

Filesize
200KB

MD5
1e2fdf5298281b990d307b3040fa4067

SHA1
feaaaefe0e783986fd5d232923f694a1a11317c1

SHA256
20ce41573027fcadf7d9f48b3639d4a0dac200675a8c89b115adf01577f188d0

SHA512
89dd9dce7d431c15ca346eacabb614b4fe75ae75f63b6b0a19aa5057ad37dcd816eed21dea6e0f9038e7d75bea7dab07ec898ca8149f9e378dbabfd01ac4bbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgYE.exe

Filesize
208KB

MD5
bca51193b9fdfcd974878e1ac1d19ee1

SHA1
c05cf41d85896b5f7f2f8d0ee04560b6d43d3267

SHA256
4625b52c8f11433bfcf6ee4214e2036b0cd36973d4a5c76db9db7826c46aaca9

SHA512
0c45b7b22bd31b63d19e9c219c6c60c888727801da3e92f118318a44d90c8ddaf22949cb59775dadf9811d6f8be3b92011f49f877b64b58778174dc4a327e752

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwYi.exe

Filesize
197KB

MD5
208ff2cdaf35a47abb3c52eca39eaa73

SHA1
84314f6e6930325f7813058e2131ad0ee264892d

SHA256
796daea40a78c24363715316a72dac566e301a20361af2ec0e51eca01c2a1195

SHA512
e605972177a059bed14d24d629483426008e848dd41e2a986bb3f3c8e573bcff51e9fb81d0f2e2f0b7e25fe7df03027fff3350a3d95bda464134326aebf30e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIYO.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykou.exe

Filesize
645KB

MD5
c0a07e133b4cc8318035fd4eced3b114

SHA1
6ecd6553eb62d1f2aebcec2c2582343f5a3f0d1c

SHA256
099bfa468c18a008b79ecf43c0414046f197b10c740e6d7444e4e94cadc3c081

SHA512
adc926ffa7a0a40919bc4ba476dc40073068c3963e7f0f4f7ab2a29de5cff7d5d84b1e122c84193612d3f969677d733199d29768cbae4c9569e326e00cc73974

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywYW.exe

Filesize
189KB

MD5
fcea9e18dca63ec18bbf2bfcc94ad4ad

SHA1
41cc14a6f2b5d53011ba1c8f04aadccc154bd656

SHA256
0a7b051098df8b135dd3518b41327d4897ff07985c8c2421d7e02a8e87344b98

SHA512
fd8cc7dc6eb96aeb67990bed50ae5dac2c2a7af39767d67eb9abc286bde9fb98e16f47609f753ac4114c409ed634c7754e5daf4542595d50eb5ea09e63e70703

Download Submit
C:\Users\Admin\Pictures\RegisterLock.png.exe

Filesize
514KB

MD5
b3047b7116532068fc21eddaef77e2c9

SHA1
4f758fc40f7acf3359c448693063d32a77decd5e

SHA256
d2f7b0aa1044ce3352a61a1bd9a142d6b2a11f6dd69246671d08164635b350f9

SHA512
07fd7ca61c7d679160e5b671e4978525ba4df062b0b0c7a74a62a3d7b0d43681c356793bd835832c75c900750ba5107d663fbda0f70221678c0500827ea41098

Download Submit
C:\Users\Admin\SYIswwYo\RYwEgYMU.exe

Filesize
200KB

MD5
fb434fff6745169d8549244d85e26893

SHA1
c74a41738ff0f28f44b40c6df0eb75e8163ae671

SHA256
d4249521c3b51b2e459dbae8064bde17505d8846481a0a781b97608a410db733

SHA512
eed8fb376ffbca33de6eae397886e1d713a02f0b90e94aa396540131958811be8ddef5b3933293dff10616143b7dd046436ab2ddb7bec85a1eae0694609c16a0

Download Submit
C:\Users\Admin\SYIswwYo\RYwEgYMU.inf

Filesize
4B

MD5
b808f95aabc24e42718573f20aa41403

SHA1
f8915f5bb4adb1c1fc6b0fbd40851f46f9b01b97

SHA256
62cff88e2233ba9841462bd5b1abeae23d07f50319717894c8bec059fa50a205

SHA512
577b69e81bfd59ec344696edfe2e1da6c841f29b107550c703316311bf1e132e9f70940f1d30a27c1fdaa26176303416cac7a5a0f03e73394576c0b837352d6d

Download Submit
C:\Users\Admin\SYIswwYo\RYwEgYMU.inf

Filesize
4B

MD5
f23db70029d57c5afc7549d7a9af4e4b

SHA1
e2a1402ab7fdbc633caf69cbe43fef6192bf3d17

SHA256
e82c80c959489f0bc44ccab174d8eba7fa576ce892d19d259da6050492f9d7c0

SHA512
e09874643c5970dc700fd85d1a6ff6ef5f16e879e220a6acc7ef74d51e6f7f42dd3c47820bc22a48f538cfc278c0249adcd7ebad2757744e09646003b9172e2b

Download Submit
memory/116-578-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/332-353-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/332-368-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/512-294-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/512-131-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/512-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/512-115-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/512-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/512-285-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/644-377-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/644-364-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/876-479-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/980-345-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/980-357-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1080-488-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1084-267-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1084-251-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1160-558-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1160-572-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1588-255-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1680-421-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1680-432-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1744-502-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1744-516-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2036-93-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2036-81-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2168-107-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2168-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2396-319-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2396-243-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2592-395-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2592-383-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2644-169-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2644-406-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2644-153-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2644-393-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-221-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2668-201-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2696-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2696-182-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2764-386-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2764-373-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2804-484-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2804-412-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2804-424-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2804-497-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2828-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2924-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-276-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3196-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3196-263-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3196-44-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3260-524-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3496-533-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3512-45-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3512-33-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3628-119-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3684-128-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3684-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3740-348-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3740-336-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3916-530-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3916-543-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4048-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4068-461-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4068-449-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4068-303-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4140-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4180-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4180-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4280-330-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4284-493-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4284-507-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4468-273-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4468-443-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4468-284-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4468-433-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4472-193-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4508-311-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4528-470-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4528-457-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4528-561-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4528-551-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4540-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4572-552-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4660-326-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4660-339-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4664-581-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4664-571-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4788-157-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4788-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4884-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4884-232-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5000-452-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5000-415-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5000-403-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download