Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-10-2024 02:01
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
-
Size
159KB
-
MD5
c5753e1861dd547017dc501d1949740b
-
SHA1
9b6904573f05a4313522f69b77988f5106486772
-
SHA256
c3a52e7cab3aae3f7d403144ea2faf5970f2145c3e71bec435c066588fba81d6
-
SHA512
697df0d2af19bd093206e33756d23ecc984179c0d37e21bbcc1a02d1c9de9e764a02107b4e1d9a92a44437ebbe38d00ee92a0430e0c3091a9752f558d42bb01e
-
SSDEEP
3072:OjyNFT0BZB8zSdKu1uAcfesiLU9RY0qO9aa4oh6SHJkyIFzVPaJbH1:7Nq8zSdKumAopeHz5aJj1
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
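Sets EnableLUA to 0, the policy value that turns off User Account Control (the title of this signature is missing from the capture)
Processes: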
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (86) files with added filename extension
Mass renaming with an added extension suggests ransomware activity: the files on the system are being encrypted.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
bakYMEUU.exe
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation bakYMEUU.exe
-
Executes dropped EXE 2 IoCs
Processes:
bakYMEUU.exe
EEwIcwcA.exe
pid process
1940 bakYMEUU.exe
4948 EEwIcwcA.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
bakYMEUU.exe
EEwIcwcA.exe
2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bakYMEUU.exe = "C:\\Users\\Admin\\CCYEoIoo\\bakYMEUU.exe" 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EEwIcwcA.exe = "C:\\ProgramData\\hYEYkkkU\\EEwIcwcA.exe" 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bakYMEUU.exe = "C:\\Users\\Admin\\CCYEoIoo\\bakYMEUU.exe" bakYMEUU.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EEwIcwcA.exe = "C:\\ProgramData\\hYEYkkkU\\EEwIcwcA.exe" EEwIcwcA.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GuUUsMMU.exe = "C:\\Users\\Admin\\FIkcAwsM\\GuUUsMMU.exe" 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aoEsQswU.exe = "C:\\ProgramData\\BqowMcYg\\aoEsQswU.exe" 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
-
Drops file in System32 directory 2 IoCs
Processes:
bakYMEUU.exe
description ioc process
File created C:\Windows\SysWOW64\shell32.dll.exe bakYMEUU.exe
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe bakYMEUU.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exe
WerFault.exe
pid pid_target process target process
2280 1068 WerFault.exe aoEsQswU.exe
1980 4744 WerFault.exe GuUUsMMU.exe
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
reg.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.execmd.exereg.execscript.execmd.exereg.execmd.exereg.execmd.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exereg.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exereg.exereg.execmd.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exereg.execscript.execmd.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.execmd.exereg.exereg.exereg.execmd.execmd.execmd.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.execmd.exereg.execmd.exereg.exereg.execmd.exereg.exereg.exereg.execmd.exereg.exeaoEsQswU.exereg.exereg.execmd.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.execmd.exereg.execscript.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.execmd.execmd.execscript.exereg.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exereg.exereg.execmd.exereg.execmd.execmd.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exereg.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aoEsQswU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 4768 reg.exe 3452 reg.exe 400 reg.exe 3616 reg.exe 5076 reg.exe 1988 reg.exe 2932 reg.exe 2576 reg.exe 368 reg.exe 4776 reg.exe 4080 reg.exe 2860 reg.exe 3664 reg.exe 2916 reg.exe 2352 reg.exe 4356 reg.exe 3012 reg.exe 4940 reg.exe 2416 reg.exe 1376 reg.exe 1248 reg.exe 1992 reg.exe 4472 reg.exe 3168 reg.exe 3508 reg.exe 1988 reg.exe 2320 reg.exe 1824 reg.exe 2420 reg.exe 4884 reg.exe 1460 reg.exe 2644 reg.exe 4612 reg.exe 2144 reg.exe 3220 reg.exe 3828 reg.exe 5064 reg.exe 1260 reg.exe 4084 reg.exe 2576 reg.exe 4364 reg.exe 1900 reg.exe 3532 reg.exe 4432 reg.exe 4808 reg.exe 5056 reg.exe 4024 reg.exe 2184 reg.exe 4304 reg.exe 2436 reg.exe 632 reg.exe 3516 reg.exe 1260 reg.exe 3960 reg.exe 956 reg.exe 4284 reg.exe 4620 reg.exe 3960 reg.exe 2920 reg.exe 2520 reg.exe 2924 reg.exe 4356 reg.exe 5076 reg.exe 4284 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exepid process 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4652 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4652 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4652 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4652 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1756 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1756 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1756 
2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1756 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4284 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4284 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4284 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4284 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1720 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1720 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1720 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1720 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4256 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4256 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4256 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4256 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4644 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4644 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4644 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 4644 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2320 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2320 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2320 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2320 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2992 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2992 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2992 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 2992 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3668 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3668 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3668 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3668 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1104 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1104 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1104 
2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1104 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3940 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3940 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3940 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 3940 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 1868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 32 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 32 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 32 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe 32 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
bakYMEUU.exe
pid process
1940 bakYMEUU.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
bakYMEUU.exepid process 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe 1940 bakYMEUU.exe -
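Suspicious use of WriteProcessMemory 64 IoCs
Note: the targets of these writes that are visible in the process tree below (PIDs 1940, 4948, 3908, 868, 4620, 3588, 1700 and 4652) are all direct children of the writing process, so those rows are consistent with ordinary child-process creation and do not by themselves indicate injection into an unrelated process.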
Processes:
2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.execmd.execmd.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.execmd.execmd.exe2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.execmd.exedescription pid process target process PID 2884 wrote to memory of 1940 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe bakYMEUU.exe PID 2884 wrote to memory of 1940 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe bakYMEUU.exe PID 2884 wrote to memory of 1940 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe bakYMEUU.exe PID 2884 wrote to memory of 4948 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe EEwIcwcA.exe PID 2884 wrote to memory of 4948 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe EEwIcwcA.exe PID 2884 wrote to memory of 4948 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe EEwIcwcA.exe PID 2884 wrote to memory of 3908 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 2884 wrote to memory of 3908 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 2884 wrote to memory of 3908 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 2884 wrote to memory of 3828 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 2884 wrote to memory of 3828 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 2884 wrote to memory of 3828 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 2884 wrote to memory of 220 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 2884 wrote to memory of 220 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 2884 wrote to memory of 220 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 2884 wrote to memory of 2188 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 2884 wrote to memory of 2188 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe 
PID 2884 wrote to memory of 2188 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 2884 wrote to memory of 892 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 2884 wrote to memory of 892 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 2884 wrote to memory of 892 2884 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 3908 wrote to memory of 868 3908 cmd.exe 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe PID 3908 wrote to memory of 868 3908 cmd.exe 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe PID 3908 wrote to memory of 868 3908 cmd.exe 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe PID 892 wrote to memory of 3020 892 cmd.exe cscript.exe PID 892 wrote to memory of 3020 892 cmd.exe cscript.exe PID 892 wrote to memory of 3020 892 cmd.exe cscript.exe PID 868 wrote to memory of 4620 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 868 wrote to memory of 4620 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 868 wrote to memory of 4620 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 4620 wrote to memory of 3588 4620 cmd.exe 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe PID 4620 wrote to memory of 3588 4620 cmd.exe 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe PID 4620 wrote to memory of 3588 4620 cmd.exe 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe PID 868 wrote to memory of 1768 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 868 wrote to memory of 1768 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 868 wrote to memory of 1768 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 868 wrote to memory of 2144 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 868 wrote to memory of 2144 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 868 wrote to 
memory of 2144 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 868 wrote to memory of 5080 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 868 wrote to memory of 5080 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 868 wrote to memory of 5080 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 868 wrote to memory of 1176 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 868 wrote to memory of 1176 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 868 wrote to memory of 1176 868 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 1176 wrote to memory of 548 1176 cmd.exe cscript.exe PID 1176 wrote to memory of 548 1176 cmd.exe cscript.exe PID 1176 wrote to memory of 548 1176 cmd.exe cscript.exe PID 3588 wrote to memory of 1700 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 3588 wrote to memory of 1700 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 3588 wrote to memory of 1700 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe PID 1700 wrote to memory of 4652 1700 cmd.exe 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe PID 1700 wrote to memory of 4652 1700 cmd.exe 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe PID 1700 wrote to memory of 4652 1700 cmd.exe 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe PID 3588 wrote to memory of 3664 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 3588 wrote to memory of 3664 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 3588 wrote to memory of 3664 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 3588 wrote to memory of 4712 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 3588 wrote to memory of 4712 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 3588 wrote to 
memory of 4712 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 3588 wrote to memory of 4516 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 3588 wrote to memory of 4516 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 3588 wrote to memory of 4516 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe reg.exe PID 3588 wrote to memory of 4504 3588 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Users\Admin\CCYEoIoo\bakYMEUU.exe
"C:\Users\Admin\CCYEoIoo\bakYMEUU.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1940 -
C:\ProgramData\hYEYkkkU\EEwIcwcA.exe
"C:\ProgramData\hYEYkkkU\EEwIcwcA.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4948 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
2⤵
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"8⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"10⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4284 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"12⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"14⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"16⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"18⤵PID:3960
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"20⤵PID:3188
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"22⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"24⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"26⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock27⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"28⤵PID:1092
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"30⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:32 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"32⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock33⤵PID:1460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"34⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock35⤵PID:3756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"36⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock37⤵
- Adds Run key to start application
PID:2916 -
C:\Users\Admin\FIkcAwsM\GuUUsMMU.exe
"C:\Users\Admin\FIkcAwsM\GuUUsMMU.exe"
38⤵PID:4744
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 224
39⤵
- Program crash
PID:1980 -
C:\ProgramData\BqowMcYg\aoEsQswU.exe
"C:\ProgramData\BqowMcYg\aoEsQswU.exe"
38⤵
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 224
39⤵
- Program crash
PID:2280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"38⤵PID:376
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock39⤵PID:1588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"40⤵PID:4304
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock41⤵PID:744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"42⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock43⤵PID:4876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"44⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock45⤵PID:4892
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"46⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock47⤵PID:1588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"48⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock49⤵PID:4916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"50⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock51⤵
- System Location Discovery: System Language Discovery
PID:3972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"52⤵PID:3508
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock53⤵PID:780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"54⤵PID:836
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock55⤵PID:4844
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"56⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock57⤵PID:4952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"58⤵PID:3344
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock59⤵PID:1368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"60⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock61⤵PID:4892
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"62⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock63⤵PID:4528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"64⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock65⤵PID:4440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"66⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock67⤵PID:1764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"68⤵PID:4464
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock69⤵PID:2576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"70⤵PID:536
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock71⤵
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"72⤵PID:3756
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock73⤵PID:4884
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"74⤵
- System Location Discovery: System Language Discovery
PID:1220 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock75⤵PID:2056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"76⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock77⤵PID:1328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"78⤵
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock79⤵PID:744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"80⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock81⤵PID:4092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"82⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock83⤵PID:4916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"84⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock85⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"86⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock87⤵PID:8
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"88⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock89⤵
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"90⤵PID:1756
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock91⤵
- System Location Discovery: System Language Discovery
PID:368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"92⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock93⤵PID:4276
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"94⤵PID:740
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock95⤵PID:3664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"96⤵PID:4964
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock97⤵PID:3960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"98⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock99⤵PID:2708
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"100⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock101⤵PID:1556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"102⤵PID:1868
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock103⤵PID:3476
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"104⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock105⤵PID:3016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"106⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock107⤵PID:3144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"108⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock109⤵PID:1712
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"110⤵PID:1200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:4964
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock111⤵PID:3024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"112⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock113⤵PID:5056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"114⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock115⤵PID:5064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"116⤵PID:3800
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock117⤵
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"118⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock119⤵PID:4768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"120⤵PID:3668
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:3972
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock121⤵
- System Location Discovery: System Language Discovery
PID:3188 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"122⤵PID:3968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1123⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock123⤵
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"124⤵PID:4376
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1125⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock125⤵PID:2756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"126⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock127⤵PID:4988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"128⤵PID:2516
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock129⤵PID:644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"130⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock131⤵PID:1568
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"132⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock133⤵PID:2520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"134⤵PID:3960
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock135⤵PID:5028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"136⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock137⤵PID:3956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"138⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock139⤵PID:4164
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"140⤵PID:872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1141⤵PID:3508
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock141⤵PID:1236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"142⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock143⤵PID:1408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"144⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock145⤵PID:3376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"146⤵PID:2320
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock147⤵PID:1376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"148⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock149⤵PID:1860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"150⤵PID:516
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock151⤵PID:4652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"152⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock153⤵PID:4024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"154⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock155⤵
- System Location Discovery: System Language Discovery
PID:4612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"156⤵PID:3440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1157⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock157⤵PID:4164
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"158⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock159⤵PID:1068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"160⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock161⤵PID:1044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"162⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock163⤵
- System Location Discovery: System Language Discovery
PID:3480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"164⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock165⤵PID:1576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"166⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock167⤵PID:4464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"168⤵PID:816
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1169⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock169⤵PID:1720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"170⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock171⤵PID:3828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"172⤵PID:448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1173⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock173⤵PID:4916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"174⤵
- System Location Discovery: System Language Discovery
PID:988 -
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock175⤵PID:3476
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"176⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock177⤵PID:4440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"178⤵PID:1824
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1179⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock179⤵PID:4144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"180⤵PID:632
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1181⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock181⤵PID:3652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"182⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock183⤵PID:4604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"184⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock185⤵PID:4952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"186⤵PID:2704
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1187⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock187⤵PID:1160
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"188⤵PID:740
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1189⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock189⤵PID:3652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"190⤵PID:988
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock191⤵PID:1860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"192⤵
- System Location Discovery: System Language Discovery
PID:4752 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1193⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock193⤵PID:4472
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"194⤵PID:448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1195⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock195⤵PID:2080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"196⤵PID:1700
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1197⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock197⤵PID:2220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"198⤵PID:3524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1199⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock199⤵PID:4120
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵PID:3800
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1201⤵PID:4284
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵PID:2212
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1201⤵PID:3908
-
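C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass (EnableLUA = 0 switches User Account Control off machine-wide; the value lives under HKLM, which by default only administrators can write)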
- Modifies registry key
PID:1988 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
- System Location Discovery: System Language Discovery
PID:640 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:3872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYwwAIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""198⤵PID:2712
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵PID:3440
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵PID:2820
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1197⤵PID:4740
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵PID:512
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:2924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiQcgcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""196⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵PID:1204
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:956 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1195⤵PID:1152
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵PID:4940
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:4524 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1195⤵PID:3696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcAMkAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""194⤵PID:4864
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:4284 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵PID:1872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1193⤵PID:1164
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:3800 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1193⤵PID:3188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rokcAAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""192⤵PID:3180
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1193⤵PID:1184
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵PID:5076
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:1792 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1191⤵PID:1720
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
- Modifies registry key
PID:3616 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:5112 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1191⤵PID:1756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuwoUEME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""190⤵PID:2320
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1191⤵PID:2920
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵PID:4468
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3168 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵PID:2884
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- Modifies registry key
PID:4620 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1189⤵PID:4616
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEwcccQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""188⤵PID:3028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1189⤵PID:3228
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵PID:2944
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:2144 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1187⤵PID:4364
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵PID:3480
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1187⤵PID:2388
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:1576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYkEYkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""186⤵PID:3016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1187⤵PID:4348
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵PID:2080
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4284 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1185⤵PID:2644
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵PID:892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1185⤵PID:2940
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
- Modifies registry key
PID:4472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMMkwIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""184⤵PID:368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1185⤵PID:2004
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵PID:3440
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:1056 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1183⤵PID:4280
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵PID:5112
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:1712 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1183⤵PID:4376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYEcYMAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""182⤵PID:2184
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵PID:5092
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵PID:4820
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1181⤵PID:3952
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵PID:1236
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:3220 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwkIMEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""180⤵PID:536
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1181⤵PID:2516
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵PID:3972
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:888 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1179⤵PID:3908
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵PID:3240
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:2388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buswwkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""178⤵
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1179⤵PID:4776
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵PID:3756
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5076 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵PID:4900
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:2440 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1177⤵PID:4600
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOowgEAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""176⤵PID:1872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1177⤵PID:2452
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵PID:3800
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:1616 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1175⤵PID:4192
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵PID:1204
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:3628
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:1220
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4164
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYIsIAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
174⤵
PID:3704
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:3400
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1172⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2576 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2172⤵PID:2084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1173⤵PID:4156
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f172⤵
- Modifies registry key
PID:3532 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1173⤵PID:2284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saEIwAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""172⤵PID:872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1173⤵PID:320
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs173⤵PID:4276
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1170⤵
- Modifies visibility of file extensions in Explorer
PID:1332 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2170⤵PID:3696
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1171⤵PID:3408
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f170⤵
- UAC bypass
PID:3240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOcEYcUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""170⤵
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1171⤵PID:2520
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs171⤵PID:3500
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1168⤵
- Modifies registry key
PID:4084 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2168⤵
- Modifies registry key
PID:4024 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f168⤵
- UAC bypass
- Modifies registry key
PID:2184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUQwIEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""168⤵PID:2916
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs169⤵PID:2452
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1166⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:4616 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1167⤵PID:1028
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2166⤵PID:4740
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f166⤵PID:2080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgYccAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""166⤵PID:3872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1167⤵PID:780
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs167⤵PID:4080
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1164⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1260 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2164⤵
- Modifies registry key
PID:3220 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f164⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAwMcYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""164⤵
- System Location Discovery: System Language Discovery
PID:4620 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs165⤵PID:4988
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1162⤵PID:644
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2162⤵
- Modifies registry key
PID:3516 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f162⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:3076 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1163⤵PID:4768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vysYAQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""162⤵PID:388
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs163⤵PID:2440
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1160⤵PID:888
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2160⤵
- Modifies registry key
PID:956 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1161⤵PID:4940
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f160⤵PID:780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAAoAQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""160⤵PID:2004
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs161⤵PID:1616
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1158⤵
- Modifies visibility of file extensions in Explorer
PID:4136 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2158⤵PID:2188
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1159⤵PID:2452
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f158⤵PID:2280
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1159⤵PID:2920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqgIQcEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""158⤵PID:1408
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs159⤵PID:4160
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1156⤵PID:1028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1157⤵PID:4652
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2156⤵
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f156⤵PID:2820
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skgwIcoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""156⤵PID:5064
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs157⤵PID:3616
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1154⤵PID:5076
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2154⤵PID:1164
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f154⤵PID:5092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkwIQAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""154⤵PID:4752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1155⤵PID:4392
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs155⤵PID:376
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1152⤵
- Modifies visibility of file extensions in Explorer
PID:3668 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2152⤵PID:4468
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f152⤵
- UAC bypass
PID:872 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1153⤵PID:3600
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCQkowQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""152⤵
- System Location Discovery: System Language Discovery
PID:1184 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs153⤵PID:1204
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1150⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:3440 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2150⤵PID:1044
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f150⤵
- UAC bypass
PID:1824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIUMAYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""150⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1151⤵PID:3228
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs151⤵PID:1392
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1148⤵
- Modifies visibility of file extensions in Explorer
PID:4464 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2148⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1900 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f148⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1149⤵PID:2852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FecEUUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""148⤵PID:5056
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs149⤵PID:4492
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1146⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2860 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2146⤵PID:4572
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f146⤵
- Modifies registry key
PID:1988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWEcsMkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""146⤵PID:1992
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs147⤵PID:2004
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1144⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2144⤵PID:4156
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f144⤵PID:4612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSUsAIsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""144⤵PID:4740
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs145⤵PID:2616
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1142⤵PID:1908
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2142⤵
- System Location Discovery: System Language Discovery
PID:3500 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f142⤵
- Modifies registry key
PID:2420 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1143⤵PID:1660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoUsQcIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""142⤵
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs143⤵PID:2920
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1140⤵
- Modifies visibility of file extensions in Explorer
PID:3696 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2140⤵PID:3952
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1141⤵PID:2940
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f140⤵PID:4604
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1141⤵PID:740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiwAwkss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""140⤵
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1141⤵PID:3664
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs141⤵PID:744
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1138⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2144 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2138⤵
- Modifies registry key
PID:5056 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f138⤵
- UAC bypass
PID:3484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKcQYooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""138⤵
- System Location Discovery: System Language Discovery
PID:4600 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs139⤵PID:4612
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1136⤵
- Modifies visibility of file extensions in Explorer
PID:4768 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1137⤵PID:3536
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2136⤵PID:2284
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f136⤵
- UAC bypass
PID:4864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqMgEYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""136⤵PID:3524
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs137⤵PID:4144
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1134⤵
- Modifies registry key
PID:4612 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2134⤵
- System Location Discovery: System Language Discovery
PID:632 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1135⤵PID:1764
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f134⤵
- UAC bypass
PID:2056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMQcMYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""134⤵PID:3440
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs135⤵PID:2356
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1132⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4080 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2132⤵PID:1460
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f132⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkUIMwIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""132⤵PID:1260
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs133⤵PID:1368
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1130⤵PID:5056
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1131⤵PID:3620
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2130⤵PID:1044
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f130⤵
- UAC bypass
PID:1056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VocYsggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""130⤵PID:4304
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs131⤵PID:3800
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1128⤵PID:1812
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2128⤵
- Modifies registry key
PID:2644 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f128⤵
- UAC bypass
PID:4280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyMEcwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""128⤵PID:2708
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs129⤵PID:4392
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1126⤵PID:2084
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2126⤵PID:1308
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1127⤵PID:376
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f126⤵
- UAC bypass
PID:1092 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1127⤵PID:984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecoswEMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""126⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1127⤵PID:2220
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs127⤵PID:3800
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1124⤵
- Modifies visibility of file extensions in Explorer
PID:3480 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1125⤵PID:1248
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2124⤵PID:4292
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f124⤵PID:3028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1125⤵PID:3880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqYEYoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""124⤵PID:2868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1125⤵PID:3680
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs125⤵PID:3228
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1122⤵
- Modifies registry key
PID:4356 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1123⤵PID:2020
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2122⤵
- Modifies registry key
PID:1992 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f122⤵PID:3484
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1123⤵PID:2668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCYMIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""122⤵PID:2356
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs123⤵PID:1164
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1120⤵
- Modifies visibility of file extensions in Explorer
PID:4364 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2120⤵
- Modifies registry key
PID:5064 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:3588
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f120⤵
- UAC bypass
- Modifies registry key
PID:4776 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:1616
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWIgcIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""120⤵PID:3908
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:4860
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs121⤵PID:2940
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1118⤵
- Modifies registry key
PID:368 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2118⤵PID:2092
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f118⤵
- Modifies registry key
PID:632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMUUUUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""118⤵PID:3872
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs119⤵PID:744
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1116⤵PID:1200
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2116⤵PID:3536
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f116⤵
- UAC bypass
- Modifies registry key
PID:4808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOoMQwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""116⤵PID:3628
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:1408
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs117⤵PID:1392
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1114⤵
- Modifies visibility of file extensions in Explorer
PID:3948 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2114⤵PID:3192
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f114⤵
- UAC bypass
PID:2712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AScAwsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""114⤵PID:2452
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs115⤵PID:3964
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1112⤵
- Modifies visibility of file extensions in Explorer
PID:3908 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:8
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2112⤵PID:1308
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f112⤵PID:3476
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaUAYoIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""112⤵PID:1756
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs113⤵PID:1152
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1110⤵
- Modifies visibility of file extensions in Explorer
PID:3948 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2110⤵PID:3680
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f110⤵
- Modifies registry key
PID:3508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuIwgYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""110⤵PID:4732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:2656
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs111⤵PID:4464
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:3400 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵ PID:548
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:3168 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raMosUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
108⤵ PID:2084
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵ PID:3880
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:4392 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵ PID:4472
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵ PID:1260
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:2184 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUkQkUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
106⤵ PID:4376
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵ PID:2920
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4940 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵ PID:376
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵ PID:3236
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2056 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TisAcEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
104⤵ PID:320
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵ PID:1200
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2520 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵ PID:2020
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵ PID:3180
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmIUAoUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
102⤵ PID:4636
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵ PID:1468
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵ PID:400
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:4464 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
- Modifies registry key
PID:2924 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:1860 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMYogkgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
100⤵ PID:512
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵ PID:3508
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:4280 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵ PID:1660
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵ PID:4916
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵ PID:2884
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵ PID:2732
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewwIQkIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
98⤵ PID:4616
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵ PID:3628
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:3516 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:400 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- Modifies registry key
PID:2436 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciYwYgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
96⤵ PID:2868
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵ PID:640
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵ PID:4160
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵ PID:536
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵ PID:4356
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:2520 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCwcgMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
94⤵ PID:2084
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵ PID:2452
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:2220 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵ PID:3652
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵ PID:3616
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkAMQYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
92⤵ PID:4472
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵ PID:4376
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵ PID:4940
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵ PID:780
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵ PID:1764
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zmwkgkss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
90⤵
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵ PID:3932
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:4964 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵ PID:552
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵ PID:4712
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:1468 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵ PID:2280
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkEkAkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
88⤵ PID:3620
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:4120 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵ PID:2940
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:2656 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYkkoMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
86⤵ PID:2004
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵ PID:1536
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵ PID:3800
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵ PID:4432
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵ PID:388
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aycQYUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
84⤵ PID:4860
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵ PID:1616
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies registry key
PID:1248 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵ PID:3972
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:4492 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵ PID:972
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOQcIsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
82⤵ PID:1092
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵ PID:376
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:2284 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵ PID:1468
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵ PID:2352
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
- Modifies registry key
PID:3012 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵ PID:2384
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMoMAMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
80⤵ PID:3236
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵ PID:2368
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies registry key
PID:3452 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵ PID:1184
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- System Location Discovery: System Language Discovery
PID:3440 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵ PID:3508
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:3180 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiwQscwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
78⤵ PID:2092
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵ PID:2148
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:1408 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵ PID:4392
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:2684 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIckscsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
76⤵ PID:1724
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1376 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵ PID:972
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:3188 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwYcUEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
74⤵ PID:4900
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵ PID:1660
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2416 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵ PID:552
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQYIwcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
72⤵ PID:2368
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵ PID:1332
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:3376 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵ PID:1868
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:2704 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueIYQowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
70⤵ PID:3680
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵ PID:4144
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:3344 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵ PID:4620
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵ PID:2684
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵ PID:4080
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoogogMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
68⤵ PID:1616
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵ PID:4156
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:4256 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵ PID:1528
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:3960 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵ PID:4472
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKcUwQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
66⤵ PID:3628
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵ PID:2708
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵ PID:3972
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:2280 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵ PID:2416
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
- Modifies registry key
PID:4356 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bggYAgQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
64⤵
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵ PID:4192
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2520 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4432 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵ PID:1460
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:4364 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiYUEkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
62⤵ PID:4164
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵ PID:1184
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:3532 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵ PID:4620
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:388 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwAYAckA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
60⤵ PID:2668
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵ PID:1152
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵ PID:2236
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵ PID:4092
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:2284 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsQQIMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
58⤵ PID:4380
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵ PID:3000
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵ PID:5080
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:2352 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵ PID:3408
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:2388 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiMcYMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
56⤵ PID:2080
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵ PID:4304
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵ PID:2712
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1460 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵ PID:1416
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵ PID:3804
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵ PID:3988
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWIcAsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
54⤵ PID:2732
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵ PID:1164
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵ PID:3376
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:1824 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵ PID:1764
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:4160 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caoAYEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
52⤵ PID:3024
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵ PID:4464
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵ PID:2892
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:2576 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:4080 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIQwIYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
50⤵ PID:4472
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵ PID:4380
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵ PID:2932
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵ PID:3016
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵ PID:2092
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCYMksgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
48⤵
- System Location Discovery: System Language Discovery
PID:4144 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵ PID:2920
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵ PID:4304
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies registry key
PID:4884 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵ PID:988
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵ PID:2420
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcoQAQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
46⤵ PID:3988
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵ PID:2732
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:4156 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:2916 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵ PID:3228
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGIUAUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
44⤵ PID:1528
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵ PID:3024
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:3476 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵ PID:2544
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:2708 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMwIMgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
42⤵ PID:984
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵ PID:552
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:4752 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵ PID:3804
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:1044 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOcUgMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
40⤵
- System Location Discovery: System Language Discovery
PID:4352 -
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵ PID:2968
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:4856 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵ PID:892
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵ PID:3628
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:3376 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵ PID:512
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYkMEkEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
38⤵ PID:2516
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵ PID:3988
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵ PID:4376
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵ PID:4080
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:4492 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nscUgIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
36⤵ PID:4596
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵ PID:4644
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵ PID:3672
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:2920 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:2968 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwwQssAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
34⤵ PID:3408
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵ PID:2492
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵ PID:3344
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵ PID:4464
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵ PID:2032
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:1364 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSwUgIkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
32⤵ PID:3980
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵ PID:3500
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:3076 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵ PID:368
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oooEkQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
30⤵ PID:512
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵ PID:2992
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵ PID:892
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:2924 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:4768 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
- Modifies registry key
PID:2320 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeIAsUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
28⤵
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵ PID:4284
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵ PID:2920
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵ PID:3532
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵ PID:2492
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cooIIYcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
26⤵ PID:4644
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵ PID:3344
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵ PID:1044
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵ PID:1988
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵ PID:3980
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵ PID:3964
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecYgowUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
24⤵ PID:836
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵ PID:2420
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:892 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵ PID:2284
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:1568 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCAQEIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
22⤵ PID:2236
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵ PID:2344
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1260 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵ PID:4596
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:2940 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOIMkEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
20⤵ PID:32
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:1536 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵ PID:5028
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:4884 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOUMkUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
18⤵ PID:4312
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵ PID:4768
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:4136 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:4304 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:3964 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSQEQwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
16⤵ PID:2416
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵ PID:5064
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:1528 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵ PID:540
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵ PID:2772
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQoUYAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
14⤵ PID:2080
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵ PID:4464
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2932 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵ PID:748
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:956 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGEoskUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
12⤵ PID:512
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵ PID:3668
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:2732 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵ PID:3888
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:3228 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYIIAwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
10⤵ PID:32
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵ PID:2940
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:2392 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:3960 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵ PID:3696
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaMUQMII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
8⤵ PID:3408
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵ PID:3452
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3664 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵ PID:4712
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:4516 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWEkIwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
6⤵ PID:4504
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵ PID:1980
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵ PID:1768
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵ PID:5080
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOoEgcwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵ PID:548
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3828 -
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵ PID:220
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵ PID:2188
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYEIUgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵ PID:3020
-
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c34f4226b77e91cb46f990f28417cc51 BeW3/KVSSUC2vbP2A/sSHQ.0.1.0.0.0
1⤵ PID:956
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1068 -ip 1068
1⤵ PID:4028
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4744 -ip 4744
1⤵ PID:2188
-
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵ PID:2436
-
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵ PID:3240
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵ PID:2860
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Defense Evasion
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Hide Artifacts: 1
Hidden Files and Directories: 1
Impair Defenses: 1
Disable or Modify Tools: 1
Modify Registry: 4
Credential Access
Credentials from Password Stores: 1
Credentials from Web Browsers: 1
Unsecured Credentials: 1
Credentials In Files: 1
Downloads
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize150KB
MD533bfd5779c538c1097c5abb9c810a0a8
SHA12e5d2f5184f98451baa5bf6c24f34360e85dff37
SHA256698f173b98893ac426ba1e089390e00ac3b5457773e0031d0d26932bc9af84ab
SHA5128435452208d00bd60527a3c4bb042ce6d4c924661946f376c0d08da74888035c622176db7371b18337da8eeb1dfec8d54899177715dc1ae0187eae4c96c44acb
-
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize241KB
MD528a324f8965b2cfea87dc52718465c03
SHA18237326d5c9861dbf361a87fad7c5e5f306cdb6e
SHA25626432fd3412c5a26fdfed4ed5d963f587b2d5dbba112f8cac6f01f01164ddb81
SHA512f7d33a00298b90b638758c34ba3c92c1f84d0268e11bff68065336dae6da8f486e2456c64382dd8213875fa9b71f467681657dc0657599f3d82bd0525ee0bb4f
-
Filesize
698KB
MD581d886efcd3a3bdc123e21a62df7269e
SHA1ba2d94f2149a05e188bad7c770ddefe9af9fb793
SHA256cc83c821f8e7d76baf763592b2d97bbf8b9735bc980e86b81268e298175863fb
SHA51203a5a13716ec2bc7a46773c11c8b27b6f98d6ccf341ba9a9b4be6f10dc956f8ea1f6f4565022494bd59e5a40d11121cd67d34fc491f07cb14973019205ec620b
-
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe
Filesize722KB
MD567f67c3799b8d5386d274b4df0a44766
SHA19fd17e139cd1fcbf1044d5752a2b57eb86d9448a
SHA2560a70f349de6e4768972e09cdfc5988987b727ebb257bf8219737147d5042a7d1
SHA512c33ddd8014ddc9c63b3d37724e24b06bda4a577c7a5d0e697d86e45ebe645bae00c69b17a673f09d0a9244e0a048e55f1977036fa810f95709dbc1853f1d7040
-
Filesize
111KB
MD5fcfde0c7e86a28d30cae365a0c782d23
SHA1bfafcc880a07a964027e39257c383a7cb8e6227a
SHA256bd66434ed09e33445fb338c97cc4e5bdd07bf353e1a2745075c2673efad7e9c8
SHA5121347163619b8412c7c17c20fde13b5790a383e7725ba403b26eab9d6211a2b543c6fc1fe6fe622ef8e616b4d51722119b53856be3f850fd616c65d37989b918c
-
Filesize
115KB
MD5a7ef2b736bd83c4878378e53ba51d3ab
SHA13ff4c96b27b80e0352297be432ff5bb2872977f0
SHA2566f33ee12d7f98dcb198e04c0fc576590c7dcd6b2aab5007afffed5aa0004452d
SHA512b0c885a1f1f330af32b0ac074ecc45a339308fef76e9801926d92bff0e2acf08147c8517d84b21c3f57fe9b178c4ee571d8c055b2b48b131976554959b092e32
-
Filesize
125KB
MD5a5d30857b02e296d49e7858aff219ae2
SHA1f4c67a9fbfb753fdd92e46b29d6e84fe72d18c10
SHA256ba55ef47d9f0e6e2121f11ac84f2010bb76f19ec3e63fe9f311603ddbc944df5
SHA512a4ce12d59e46f6b8e7beb8682372e4ad1f6766e9161134558c38f255d10c578794cdda938c754ff2778b4934afe747ea5686173bdf91fc568202b3180d97f6aa
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe
Filesize113KB
MD5587e9422633937eb343bee73a60b997e
SHA1cb93b1960cfe942b742f5116e81c4520622139bf
SHA256d4bd5ecf611a070344ea3cb1cdd33578be252573ad87d64eb13a7a786c0aaf5b
SHA512088a6b13c992a58df2348c8afc456e91f8755bfe6d0b7f3bdf251f48f831a11207393f0894cdccd01a0760e67b5e4b5ae5b1c8ae14f53d661b71d17462cce8bf
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe
Filesize109KB
MD5bc42ea6d9914e0826b11a452142942f9
SHA1ffd3f76ff995f6a51de1961e5fc464ebcb746f2a
SHA256904ec5bf21018c52d8622a7c07e0d8537a4693c9184cfb9deec63666dd7ba652
SHA512721d39f5f8809571e514c22f3c70111148931b2b3258bcb9507fa74a4893478a32a8698a4ec67f005e392e5f77ea070e388b0097d731bb609e79eaa0fb3852da
-
Filesize
1.7MB
MD5abce14c04e1c3113e042b19f799ff267
SHA189bbeb2504efcb09f1872152833dd30426f9ff52
SHA256f57fd5afa6b7c009fbc396b2d7c3fbd22695c0e68aa09ebb85ab340962cbc39d
SHA5129075ca467f6fb93bb7376c0ed2dc99610fc4bddd6e470395cad1652b950700a6a7348ba5e1f6eeb821448bacd57c416b7f1c2524df636404a6694da85e171bf6
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe
Filesize112KB
MD51d7349fd0f3f0fe1d43bf9c14dccc6ce
SHA186eb484a93be30451b4aa84ccedb4ea36ee457a0
SHA2561456bd9384780e7a6147446662294b55b889713d3d54bb0965653a6660790c6e
SHA5125a1998132b22053e14ce4973720fe32169819ee6fd6d551c2130befda532aaa73293c284c4282093e3b0aea9ff9ed4259073975b05175f48004e9107af1bb1bc
-
Filesize
48KB
MD501756f45662d7cff811ff986e2fd4e66
SHA1fd67e79512c5386dda615835a40dfe5f286437bc
SHA2561732b081443d1e292dd1a4477ecd8be81fa350cf3b3ce6dd222567b7585a8895
SHA512c78311075d33ff2a253dcb86911355ed76ab349fc2f83bc6ab042dcea56d5d092af8abb2598372cd988210549376d023f6c34e92cb8816f4736d91dad606c2e1
-
Filesize
115KB
MD5ec12daf2967c95d404b898fc76bc921c
SHA1bb170dd91e7fa3416c8b6bed6f9f14bc7eca1748
SHA25667fcc35d85f169d7056a7a23ea1e1728a1d5b9f3b11091b1cf213d91dc3d6f67
SHA512ea5163682aac3a1ce59741d79d0b7b32b3f917a11e7d09b2164404c6cfd97ffd32f60557b7389648d47bd93eb46bde8ffb099c10718b266437fe5cfbf07280f7
-
Filesize
503KB
MD5fa7bf160f0f68aa17db8b6b0221ae0e5
SHA1c45906f387782baf8f25acef83cbe058b7c2d676
SHA256e864be2de585a7c2bf23496d7bc4d96552e1dd8edb24682696010e1d1ba28aa4
SHA512520e3c04340d8b8f7d044d105e179eb03b420f490b49fcbc3544a28f3d36992ea86c49c5308fc5a928399c2d0e6fea54a11b7befbcbc95486cc3d1a70f0e0813
-
Filesize
111KB
MD5486f5cd4c1b12d6a1e46e748f4bebb9f
SHA14d0f0afb3b7998e44ee86775aa59a66275b42518
SHA256815c14f33dc6880efbbb80a43b41f42b756c8ce17b30d275d6cb89b9fbd11cd7
SHA512a40e746d8932280e2e50f88cc8155cadc8a4cae758bcd75ebd5079cb682278f40bfb329e7ecf20675a399df62ba2214f9dc22f00cd1b5e53dc94021a4cab3bb2
-
Filesize
119KB
MD53e4a140450cbeb6641f2ddd3a025fb28
SHA143c53def5226a9e2d632128d900098a8cd02aa64
SHA2560bfb31e75f7b12b6740a20b154562658086e92cba4eaaca8348ea47dea2790ba
SHA5129c2be9b1b53040ecbafaf7416603decadfa6b0f7373c0df04dbcdcb61f2f4736a9cf81d1a5ca5c65dad623870e93006d0a4367ab1eb1715f3844270ee2c61454
-
Filesize
782KB
MD5002042a8d107091f04efb0c27209c61a
SHA1b48c7e2836c9af89c7e7e81ae4cab648ac68bed8
SHA256e8b1eebf2f5c021a1193a3c3a9e8f9776962232db854b9c0dde2d5155c5e3f96
SHA51272a24b91a8e893e94be1c20b9de028a0f7ea45a5fd089203c1c1bf7eabfc3737eae53cd7993f2635e47a6ae4e67ea19c6a24f5054c9e119f709b4a740a60ac8a
-
Filesize
5.8MB
MD5f6ae53507dc6141603e651deb24dd4ff
SHA1b538798257c79650fc28f70bc17bde437b5bceb6
SHA2560c5d484b4e36907655c565bef6bd122a590169967cac5b7de06a0f7ca3ab8495
SHA5125b5cb513b1a415ca21f4ffc1f7867d2142b4052ced0796b1087ddde8bf39426e2bf3ab2eec555bf95fc1e78be1fa3bb617aea7aea3ef53dbd2ea46d846f840ac
-
Filesize
116KB
MD5c2a491235c2c8189e23cef7f4be2e9f8
SHA1340200b873e9d9cde06a84df1c8012ee21e60789
SHA2567205011bf0d7d18f2870dc8285b0c17b5e757b10794cf23d60c39382843b74a8
SHA5127fe00fa2fc8c8b15b8fbda275a7e287437b6eac1ca137ef5d02afd55afddda061d166338e1d6d1b597d6792c62eb3caa767d8efbc59557810accbd3a8cd7be21
-
Filesize
114KB
MD55bf61a07e7747bca9e6ecb4d9a91c4f4
SHA133fd551a0476d8541e090015ccff57e583c74ec8
SHA256a158775055413a931b4a14a1c8759d091c0f59789e954a60145d91cf95803f3d
SHA512155187a65e404574355a6777d5835da43212d77fd384f9bc1f75fe5053d4477069d5a0d9315762997cb5196d73b2d4353c414c26912d4ebb84c5b7feca50dcd3
-
Filesize
720KB
MD59bc1f99a99e33b155586adf609c89744
SHA1b6f42904f716edb3356b993da23ff32b33b3f091
SHA2564865186ed71183cbfc77ccc9267603c524f9a5f22512bd9171862e9f1b1c2611
SHA51290d98568908752551c6c16f95499a896a5dd2d8feec75c5b51ee7d60819673294682470b09ca2c44d36120ae585c73fcaf5b3f840305ac715459493cb60829b4
-
Filesize
111KB
MD5f01b6f6a811c57fd8ab2bbed5228e373
SHA1f32328f3dbe15bc8964de60ffbae5a57cc753893
SHA2564a684e056753f39eff7066cbd8548ac512ef9836433d98b2fb0e5d6b0ac7eb25
SHA51297aed9104a669dca0eb6c65e2c1e6758edccc01467cf8c066219ae478f90523aab4ef9c842c7987d30f95c97f2cba2a597cb9e18188c532a0e843fd8d659b52f
-
Filesize
111KB
MD5d190ffecb84d5200b842d9aeb1f56b92
SHA1cba329cbfecea5ac50b3853880a04fd7db636bfa
SHA256964c57b56a552337ceb97f393f70f76efd5130d70022925665629a6111eef09d
SHA5120b42c222395693b608a1987095cd6a431f62f9b9e9900d452b627afe62ecb17ec10cafece2994e789b74e82b49cfb8e9b64760ab8bdea47d8c2313b7117f1a35
-
Filesize
5.8MB
MD52c6908efa8f41e0b5186afbc584597a1
SHA15dd4c62c847c5ac0c1732d254fe092c92407b37b
SHA256e36ea249a0fa1a918c0f738aaab7997478f720c71d596c39e7f68a6929f537bd
SHA5123c4b2ae2924f593efb513518f34fe7d5fefe80ccb7273d34f8453bb25a6b4bd317bdd0cf488cb5f71cda5e080eaf4a1a1a4793fb710cadbb7802b0cd1616e436
-
Filesize
153KB
MD528c5f1c136b63c5a294661efc4900538
SHA1aa68d305b36450f565dcbab59b5979ab5960763b
SHA256daba5227370c6e099112cee59e0221f23a39436564feb43348c6894a3c162ce6
SHA512d4ce0c4c27a37d713165e56a7240419d0920bc90f8534ed90325e37f1959d7821743e696f00225f0ff6b214143565f90d136aa30d531cef22b2c97126eacf725
-
Filesize
236KB
MD517e002f001eedbd1f8d970422d0271a5
SHA1ac0a5b6d16993be5854284eccf0b9e104193312a
SHA256d63b226c9e6c338fe885bc11c656da0b272e91da7614d6c583215123fdad0f8b
SHA512aa99388e9044813ccc84c60349b86272787ad19d805c2bc08f8bb62ab37db4d3010db18957efa5c74326de5206580ca7ded8e04c0683a4187b702c1898f26328
-
Filesize
812KB
MD5bad64d6026c4b678e391cf34912a324c
SHA1573a957d055098676eb8e090ca85f745e82f3679
SHA256738eae3d54fde64d75d6f83e8dc0ae6fd4eb6a2ddc8fd593928b3255af470848
SHA5127fcb9c9a37d6bd85799a95348d35373376219d96ee313ebabdd74526ca5d3368b96070ae61c34a60869aa878e207938d4ca41913150c7281d02115f3b76c9d1c
-
Filesize
111KB
MD51dca32412223c64968733f1fa6c20683
SHA195c3887bda21a883fc6add935ee3343c887e67e0
SHA2567221666ad95975fc3867aab7040fdb9c89b973ae7795fb586573f76bfa680ed0
SHA51251ab45e300bc3840cce52fcc3579a7dda5d9201dc9a8571509c3bf5707c5168cb0a122c9b77770ca80365ef99b564751a333b8c346c746ef747c89f3b54522b4
-
Filesize
138KB
MD5cebfab08c0f3e113e63f79e92b2f1880
SHA1db592a7b651a8cba6749602b24974090523f6a4e
SHA256aa1f59d2f5452278ae51b7e499705e2e42e465a7624686559bc982c8220761a0
SHA5120bb09f827c166c8b2a765e5352e6c6befb6f11f528f0c38a5c6856ade6b07d8f20c409098e83592d6d5fd3b00c725ecf1ca7edbca5da9c9b18fb9ff3a4c3bc22
-
Filesize
555KB
MD503db3b9d7d658873a7092c96278dca13
SHA11a7147c8863663233a6aea1e2900c597ab2778c8
SHA256032c2a785be2622adac526bce6f05a35bb9f471d07eeb3e7d9f1f386c5794510
SHA5122415c31bde086634c68b4d59b13879335c864215af38a46af2362d2ac663f0a7db1be44df0972313161dcb7e71e81d7a5894ed4dd0cd55ebc1c246518b5433ed
-
Filesize
4KB
MD5f31b7f660ecbc5e170657187cedd7942
SHA142f5efe966968c2b1f92fadd7c85863956014fb4
SHA256684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA51262787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462
-
Filesize
564KB
MD5a3c0a6bec05a6742f9943349483da87d
SHA119e7dfac79e3b0d8db7603db1a37a9cf0abad8e4
SHA2560ca17b804c5987be09879291415cfcec4df429c05647ed9d4fc1e82826a393b6
SHA512e763cc78b60ef199ccdf7c582d113dd439ebeb547b510cad46c8869a96ec0ecd7cdcda60b975daa9b627b3d7fc66a874048cf2a14ef131037572579c8f9e3a58
-
Filesize
4KB
MD5ace522945d3d0ff3b6d96abef56e1427
SHA1d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA5128e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e
-
Filesize
236KB
MD5c64d1f1d29452f37f2a22a694c9f87ec
SHA18cc73a9ba9c4d7bffc1e63c73dffb414035003f6
SHA256bfd2d49afa1204e4b9276dda4099f62243303f1e65f1f624a00b478f985ee2af
SHA512b896b4b75e6997cacbe0274e32313afe3aafc7b14f6e243ec62225d4a4e6da8f5dccc7821415c9d009080a186b241281c7cac15478bc4aabbe6c54dc0989fa6b
-
Filesize
111KB
MD5745eeca3476e228266da6bad89c06303
SHA190399b2b3f65bd2086a3685f3eb03c4fe55af481
SHA256ae32caced67a95128aefe83c8a3417bd4e6a8277fe466397157b20ce2bb67ce5
SHA51267ca4980517d46ccfd3a02d53e8bd344b02e0b3fd562ceabffc4a42fe39f8147d5d2fa1baee77f60b9e531a37b2a0357769d6c8e9984a36d8b7555e2046daefa
-
Filesize
565KB
MD5e8afc065e097c6f16e9411149d62e225
SHA169f83d89d13c888da858d697b0f5bcf214d1229b
SHA256fd25020e196fcd0c7a9ef4adc1206031ecc3678fd0936e29df08bcb30973e2ec
SHA512cc70f61772398312f2d016f991c991be6102bf554798cc199f51c6c18c5bbd822be896daae42b444d80249a9bc3145ad6d06025afc9f6118087a17cdaa902367
-
Filesize
743KB
MD5ac5d9ddd8649fecfab072b0ee492eb88
SHA1872d4d43bfbd971c87f4c9b03649db029ec2c78a
SHA2561b9ca658a46233d6a30dc1bafd96274725cbff84af2f058d81f17e2612c6bb11
SHA512afe68c19aeab778b949960e9aa6075ae052c09708c2e0ff146c846b19f05297621ff28aaf2c63040c19d2eb2cdbf6338a3e3b0c0b75ee488bf9040a2ab04a79d
-
Filesize
148KB
MD56f2cf5bd0b758d8cd7e072d1229f1854
SHA1964c721198fc23a3f9b25e84d19035498ca7250a
SHA256097abc9d6fa095b281628fe602dadbfe6a764f03d1b42a6bd7e5445499cf5bbb
SHA5126ed05b906d490c4f2e168f629d22549d695f05b963061974118e3e905691f8f5a7abca410b49d1e5eae3d0404f1d390a09043b4e938f1accf3b7c2aba3cade0c
-
Filesize
116KB
MD5e6b7a00465b909473f97c7ec0e88d145
SHA1be92cd6b2f905c90c0f1ab0a785169e1d048f50a
SHA25613f0bc95d7470e51d4f366e50a13fcfd56fd84c1bfe17989f5c3d6590eeff69b
SHA51281d1447bbaae5337c0e129b29e4c1b6caefe8b6fa2888ce1433cfd75632bfc619ec6140c32a83207bad62428d1817ee24aee5a9631420ef233fba83442d80800
-
Filesize
112KB
MD54094a58f94832525ccc3ea269d63023e
SHA13bcfd53831f91819131708028dddb88fe729cb10
SHA2565e0498e2cc81618fb8f857dbc90e636da94d1a2c97304ab6be14bd0cc57a6b71
SHA5128864d75c325365ff2fe7600e294a93e7216993057d48b14126ba998c13b3561b2df8d6fd9005af3a38116386a183a58a780407ecd3522d8679ae70d694497e53
-
Filesize
484KB
MD53ef1d4d6fc2376bd8324fa9d88106316
SHA151db16f9e348cc2fbb434ed67c87f6e7dcd807cc
SHA256725954be6e0de6a84bb04e994c31be96d665691ffdfa0a82738d13a0ebdbb0bc
SHA51242911040978d15a7fd8a227b2661e00d211b3b4f6528a9f075bacd4c47f373f3156fcffeb6633e3d4b1a936ae5cb81ab36baf997891002ba2eb8993179409eea
-
Filesize
703KB
MD5d3c389afccdc226ccf378770f19b1b8f
SHA11382c4b2ce9de8501eeea76a9191c232bf4c6d7d
SHA25601092c718c6435f5607c3dc85c7132b7f5ae1385301f3359d489df35fc9d38cc
SHA512b2d6387bd8d877af7762727bd2f3c18379c9243177e70e19c45efc986d4144fd27f6916b569d0ed76cbb5820af3bcc386bc5821a8ed5bf9ce25b2f9bb5897545
-
Filesize
112KB
MD5c664c09fe9a36bda8fc7aa50f9c4c17f
SHA12425d3e199db911826fb757a0ceae40ed105ddc4
SHA256b0a071f977ecfa5382441427528e3bce3ddf292da3942956e7eed77db113e474
SHA512ebbf20d9817995f341e7de6b3a752a3b889cd4b1eba290912ff954756c7aa28fa178472362cf836a4496d95ba6aa1c305bf9bc9181871cde4c9dfda0ca845145
-
Filesize
117KB
MD5d9d1e44bddda5ab319ab3184c694f505
SHA1a9b499856906a9591dd8948d2f903cc45f3533fa
SHA2566901b0ac1479e4a42894c11534aca045d95f4785445bf3e29389995a6026edd7
SHA512e95f5d5c2fc39eca21d2844d9ce37492a3b8bb7b81d4ab781649575466dbd667b2557199e87d71da098663762f7d781c2dfed6e95f3958f7d2a35e13b02a6592
-
Filesize
112KB
MD529bdf205834fbf79811a69d75a0dc420
SHA1e48d90e87efdd205abd5aef47d6d6a56a474b67d
SHA25667ce297126412d05471f1ff0203648d0459bca0ee1da0b84a3c71e4fa41d1bd1
SHA512848c288421dc46651b7ae8a024685134010206016637071f3e62f5159db7d76e79b3834fe889c06ae2b1954cfc7cd458bc5eb07320d99962e7853d3bf684f249
-
Filesize
113KB
MD5da1a31fe616d8118fa51730c5c412700
SHA1f74f54c8da196eccd25f1710e8f9c6cc53916573
SHA256ee362dc8e331d336bcdaf34ec8278016f9fa92a9642798b01121715abb61dcc4
SHA512186eea26b95e3e5a3d8b0bba944279b02f97815cfc7c4e76aa11fc0b360faa3f05d44f9a7b3484500a912a849505d00a95ab6cad7b8c3b66442539ccec93e712
-
Filesize
114KB
MD5cb4d331b57c115c2e4c9747c326d9692
SHA1c7eafb5644a42315936bdfdbeb3853cd81368add
SHA25634fab833cd3e2f3fd2b487d1a640a4120a368fd1faf129c96fabe197af35fe34
SHA512ec03b48ca976ec5c060120787d794c74660df1681a2e1e4843cb123b572bff74b994e1c5cd89b64a6d9c506d367e285f5d9a7e9e2699f69072e52fe84a53fc24
-
Filesize
112KB
MD5028fcd38adab4eae2fa958d5dddc188c
SHA1ada20bea52e84edc3ec4b800e85dbdbde236ef64
SHA2566ae030b481cbf2d1f4631e6b441365530c78d65d91f7a30bc5a85bec904f7ef5
SHA5123891b157ce153c8cd876429436c7b613e2e4044ee2b5e87b2f94292509c8cac500e631117c321c25bf127ebd489a92bad8505cb7262a2652d4496d083e4a4995
-
Filesize
555KB
MD58277c39e9ffd74f86e46734640ab56b2
SHA1ac562937a4cbfb7de4ad1d3875d953cd42fafe1e
SHA256d0f5a49b6232f5afd6e12e6345bd8442b9c9b5ff1707435d629616ca4730c140
SHA5129e77a56b27161f884a7a0d19a24342c312a4235a21bc4cb722f1e0e5795906175aeed6132e859604a8d0d85bec26cc492ee978ee8a43f8e53254da6f32f2bdfb
-
Filesize
137KB
MD5be37189179c6239033b76a50a6bed3b7
SHA191f711d379856b3acdb8b3b0067a05313c26e608
SHA256449d095b8e813109e14dad6b584b2cdc694e24f4b1b93dd9eaec62cf7c598abe
SHA512c2d6d0f67d8fcf1e0b208570e88084c4927add51dd2aaaea552d0ee64c01fb5a8ee10529837e54a31e2400108438c5e189b453d90db52ec1fce05ce3b9daed72
-
Filesize
785KB
MD59ef1c6bf317235cad6e55f2ed4acd5f7
SHA168de1a17118dd568920f5018428cd917ccad0af3
SHA256bd6aeff29176c7ef8058ba94ffb507b362500790cbfaba48446829e39ebcf447
SHA5124ea5e859db0aec101b07025e2de711597978ebada44f37b0dec74bbd37c8ea21fa586986aeca719386798f6791d77ac7175dff4e104f0a041acfa3905d500cc6
-
Filesize
849KB
MD535efc104130e785770dfe885cb24dedd
SHA17357c17be2c9f52066e202cedc0c4b97a37d86d0
SHA256606b574cebe5f031958acea5e63fc1c41136b17567591bc23deef6a4d0f129aa
SHA5129b10076567107116df381224bf5c78800f523a984877f1831b9d462d00daa25e30c083fea6c1c2a959d270638b16ebbca3ac8ab955966903e83ee0298ab019dd
-
Filesize
118KB
MD54c0ab1f06939241c80682795f193bb22
SHA1a2392aad6fb1b64816ecdd739a9b7c55174071a2
SHA256c63913089d87a59e740a5c5e7a19eb2f1e5ee83efada96a5a80c40497d223315
SHA512a34bb50c2e7560a614075fa6870fe5003a78bf3580a75782a5508d780dde3ae83e8d9185e5a646358c97383e710c5a2200e941658c954f625aaddc2fd364de62
-
Filesize
112KB
MD51d5002f006b33d3534dbe76454928766
SHA126de9277373ea042b3abd5f25ff316275929234b
SHA2564929bd1ecae656bc7d2d83f6af7cd670f4b04b93bb2f6fdac6751c42034f4304
SHA5125b5bc6a83f220c8ac6464512c0c2afd94b37353dad6fe5e7a87c9eeb9a7f180b4b6304d5d83cdaed563638306ec1fdfeab6007c73728f0e733d173e9b227f02b
-
Filesize
113KB
MD553102eed2509aec1633f562197daa382
SHA1f8e0100cd886c902b902c204276b677997e6eb45
SHA256576c2cee23f1ab01b03cad4bab42764ccdaadaf37e215e26e99558a9db40772a
SHA5128630c2a5fe60ba17abeb83fa0254dffcef0884c951c1d4a7284ef28681d6af02b9125568e49433246cfd252c6c2ae6c744b2192f3997f32ede2f031391053317
-
Filesize
154KB
MD5eb79cfebd61464cc69a4d124ad8c3dfa
SHA1677383340d46abaff2442b444e771b2c673ecc7e
SHA256d574865fcb1c944df9e9e180f5ee460bde9b80335f0f948f32e93167fb2cdfdd
SHA5123260af3fd5c0d60db5e48730ac992cebed2fbf77e7fc3a2f9acf03e741d3cb74cd54c40ec18d3f44bc3b98e86639730f87d2a46a6af7ded4f6ef88cdd2c905a9
-
Filesize
113KB
MD5416e6334885dfee05f8202d0ad629283
SHA1654c983ea0b832952d39ce514147ddd13cc5b0ae
SHA25610726c75b3dc028d77903bf90da7dcca4fae69456700da313d587d31d40fe357
SHA5128b94ae2a45687a93b69ff614740b61441d4844f25b2f6a60c6a8519ca893faf0e4d5d6b62488cf54ec4ebc6aac12678673e0bf0b8ae3e41195983aa5b096a2be
-
Filesize
649KB
MD54e8d9e6964c05e24774aefca3a3176f0
SHA194829561a1d6141d0b40bc3f23c4de4a67ba7a9a
SHA256207f24be707f32846f0b59e874c3e63b223671c37c170f2d496bb590140f0f1d
SHA51258b9d3a177d90a91e4d031c42572912def8581eb1dfa1dc336dce2c764af72ef08fb55f5ce909da761932490e2c423362e9128ce55c6cc899e10ecbaab5df806
-
Filesize
123KB
MD5bbe08ce4cfbc3200b29178ceb478f5c8
SHA104bd7053aa53985816f5ded8b26e0466defb0fe1
SHA2566b073d190a2036a2befe7dd6d038b7a328b048650384d68290761bea1b30155d
SHA5126fef01317e7963214c375e112d9d5a04edf49043e7bbb8c7578c9203853ecc96e3b3e9fc3cdaa637e4f1765982a4a17ee0e726f0fa085bccfd1048f1bd2879dd
-
Filesize
4KB
MD5ac4b56cc5c5e71c3bb226181418fd891
SHA1e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
Filesize
903KB
MD5013a5383af407dcacb356b279d76ebe8
SHA1cee735aa82f066c605ae6b6e70173f05f03bd29c
SHA256cd0ed61ab8e9f34bac33442577124378f1057ef5a31edc8c74fb3cb0be40324f
SHA512bde4613db245ea60d4c000eee43c5a149382475e9404dc56a22157847f1b2e360ac116d59814be3c833b203dbadd4edee288948f4c6c40c5dd76181681426db1
-
Filesize
112KB
MD5365e7dd0ea3569d264882c92268b03ec
SHA15792fd33b69847e851f01b0dcd3e0efec3f96b18
SHA256c64ace960179923013f2ec782c59ecf9a0c197113c3f8dc7729f5bcba245126f
SHA512b6b46e9b8c18a257259f339aabac1a76af0ebdf13c08493f174271ca3e3fe6d907acce8c172bac8b2aeb3d911c5769c1803034ed47bf6ab53ad2424cef79e5e5
-
Filesize
112KB
MD5f191f3682689c85378447c96c14af122
SHA1fc03339faaecd777391182159edcd3bc66f9b077
SHA2563ff89d4f8fea15077d324851d0dcd5647280ae7a81a6437406fa6637fae9a2d2
SHA51226efac31fd513f520360d661c7a55a9c14a95e2a6a3da0f9af4d11a29c3ba3cd161d6757649a7da17dbc2b87b9d378925a5140e9b5c490faa4a55b40763cf7be
-
Filesize
117KB
MD542d524b09395e6e310cfe1affc483ba1
SHA106d2d22a51cc92d415d462d615c7a262f482c99b
SHA256736fb085137e85eb1fcda83048713822ff7492b75771026d00e0d3f84624b530
SHA512939db92c930d884a0a342c66ee1a339375cb8aea64df77ca6fe32cefd3d85751604c081cd2a0aa9a6b25fd93e5e8f44286595928bea8543fa7c93d5a118fe0f8
-
Filesize
733KB
MD53771f1a7a73034ebafe2b369c26c0034
SHA1414edb92b939440aba4ca4d4a662ec01ace1f3d5
SHA25654ae1ce20ae707046bd77c7735937667c7d35f2d49fc4065d2d872359546a654
SHA512f3f1d1a91fdd6377af0532fe8d3b63b89747b5ca278bab331f310a52101601287f69bd354090dae895d84a75b0df0aadbccaf2af90f504bcff6b8df6001385ec
-
Filesize
110KB
MD58579811f29b8282a167526ef36192591
SHA1326c7b7243979872514b7b3815fb87305174b0f8
SHA25697cf8dd76acf7db57026661f591ee3fb4cfa3924040708d5345d18edebcdc9dc
SHA51229ab6cd3c50b32122f3dba7af52f0714f1f118b66cfd175dfe0590b8f30d3a1a02fa0fff1fdfc78dabdd0f3837e2537d7ca3ce7e2c9f6915c0c1ed6dd74b0cda
-
Filesize
743KB
MD53714315920771ae1dc915583d347a8b1
SHA1de7f79cc3b1dc81acc03aa8c1d760cdd33626453
SHA2563ce717d043a5703861f903bdb798e75e83035fbb8ed8c4cc461e51bf2a1d565c
SHA51286e51ab3125671c2c6db1e7b160126ba0be62678cf0754ab4ccefb971a45f9021dbc06b55fd886740c683886d43e7d8b181ab178c3c9a9f8972c5bb12acd59b9
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
237KB
MD5d4a3ea28413ff48517f306b54f966415
SHA10ae9e7944e9b7b11a94f8331aca5213c968250a9
SHA256a9027e8032513a0cd18b50a4c2b4d20f71478dcee34a9165db2dc7de6de36299
SHA512d01e639ff343b5255f2a143e0c8870e757e02c150a45cd3d6ef2b27fadd93f37b7e7a8d3b132463264efc53644fb6dcac1f9eda01e2648843a93087c12167a17
-
Filesize
122KB
MD502413ccd6e608a097f110aca73a0d368
SHA17e05a1e37cf149fd1560a5b8a55ed4c6df445fb2
SHA2566766d89848c08126d606b78f0ab6953bf6e50747a6cd76319518872fda122246
SHA5124def3b25aa2f6cca4906fb0a72c8b25c97511ee45086920e38363d498731c60dd7a88b8ad9670619e921be2e8dd29269910a03170032f72f8ea0c460c0e02652
-
Filesize
111KB
MD50211ae46973d577f2728c9b6c97bb450
SHA1f3c904b16f7eeae54490d1b2f2efaf6c013405a0
SHA2567159f3f8ee6fa56309406aaefcbc56e2f7e6c11e8a66b825f3de3f3fc57e3bdc
SHA5121a0fba899f27f8b5888dc1e4ca0ecc79630e75f4aa7e763288add6a3beeab044fb697130d59175e89efa32e03ef32068b6ff86327f9ba152cc6ee18fa2d762a6
-
Filesize
110KB
MD5eb80285a27f8d0827856b6018a81d6b6
SHA19682093146ad3680f569566467389bd5b1b00c97
SHA256919dba24c076cd7e9f32f9ac82f7ba061f4495225419fee2baa5825969bf801d
SHA51231e2b8f9be91b1e4e5a13fc7102e7ed4f51166459c13a537782fae1ac9a212ba305ed3ce447f66a2bd78bcb8f9c737d8c5dab03462c21d93a044e13a8a1d0a6d
-
Filesize
109KB
MD510051abba6fff77feb163748e2b24c9c
SHA1f870443e296663a9ef5596f8e634074fc3dbab25
SHA256ba8cfebf3b5118a0703dea684d91f69c5303a7cd8870905e7f3f2ff0dc762e5c
SHA51242050dfb36e03e3dbcd4ee7dc52d37824adc8cfeac6f7533479113e37e5585f858215d6e2ac199c4e9f92d9fe932f60bde7aecbe6eefc4c48422dd7345e89c62
-
Filesize
109KB
MD5090ea9dfe984e286070dd3a76a7d029e
SHA1c151b999a8885ca90a3015e2393e3d87004a202d
SHA256edaeaf588e875934036d33c122d5ea728c726f1647a10432e0841ba181d78f33
SHA5122422180182aa18ece09573d43dc2058da49c3a1cb2bcd6b6313daa3a9f09146dbddb458a9086bdbc1709b7ec6ae4e600502f77181e7d100b3fd2444286ff5d07
-
Filesize
113KB
MD55ad6719f8f82f79cb1f1a9877a472fc1
SHA13c679bf029b1c11769f9be7dda5bd7b50dfa111d
SHA256e33f6a93d688c48952789b9f3665f11231084fa4edf1425607b5df5004826c4b
SHA5121e2f82caad70a78cb38a3354d1a4771cf24735de1db2900437668472c88f56d865a57121d836e4e7af1fa159ef9c95baacb6040f4fbe0923e357cfb186dc3535
-
Filesize
117KB
MD5cf55ac3dcd38772d2a4214188273678e
SHA1084c348ad520da04e2210dea0c0461c585b569f4
SHA256bfbedce3bf2d9c3d6dd81825fbacc6c1fdc7c147c7f8d1e5497804d75d5d5795
SHA512c74f47ecad513e1ee0767ae221916c278f10f8b4717d4d8bc7ffe6a529cafc273f36d5066e83d64616a4b476f662e70da21581109dddc765cad2064111bcc877
-
Filesize
110KB
MD5834871371126eeb0750dd4256a671122
SHA1447ff2caf04748276d363240632d79d2f7dd7939
SHA256c916cdb4986623f6c3639762002ec084f1fe81a00ea082e7d35707ad17f72610
SHA5121a3779673e7273be53fc0d6e50c39bb2fd6d53a6e94736169ebe5575d8c1699f8fde77fefa46e29f806fcd01857c2eaa8462411150705f29ad5a22bb81bae548
-
Filesize
117KB
MD578094e4f9c70e3fde982a1681189bcc7
SHA1406d69496de5f544cbcbbd552b69bff317252a07
SHA256c18836053e74743eb304ed2803b390d5a529e7fa0ed43c19806b578e02e359c8
SHA51224546b8676ecec8f9fc0c82ddec621516146840cf3c748da516c5f2a9a2c52dd7616dfca089e9baec2539b4f6ac9bfffd6cb30d0072bf97e5d004fc57de924cd
-
Filesize
140KB
MD57ea72467193cba34e2ceb58b0729c9dd
SHA15c71c2e31332c1b71894281b531aff2949b2bbd0
SHA256acdb76470ef8fcc9d060b8de88513e4fbd109afeb29b0f0d469520cc8da11f4e
SHA512941ed7e114389e21215b9562cbb5b2d1cfe87d7e9b5437c8ae153fadbb2e69bb7a754826100063f60a37d544f292d6e06c6dcd68b30b957f2d4a3b79e129473c
-
Filesize
114KB
MD58d5444ac7215932657999280ce29dff1
SHA1388441f832d9fb48ac2e75e614a9b5dba64feca9
SHA2563aed4e3f4cac85ea1c132e6e08167c936ce02998752ca07b9644adb80f264683
SHA512d600b9b771cbd603f7b616d8eaa24ff344c04917e21c180f41478d4acf08bf1e416d73251f0871a77ac897376db22ebc54c58568cf4b5d3f8f9ec9ac99256c80
-
Filesize
699KB
MD5675ed7d56764aa3ff4ae81d28a0e1811
SHA12a1ba0568c7bd6428b0e899f37d6db98c5544f70
SHA2560b350dd5c437a1b175cb36578ec0c921e0b4a74982b79d25d1a35a0697ae03f2
SHA51216234dcb31f74317c223de9bf6d19a963247de633e655cd590b5433fe32ca7830a19d1da19a6994303d02f09797fed5f00ba939d4228c71d24ccce3e143b12d6
-
Filesize
111KB
MD5e53d34752a3835640e0d027a9bb12b1f
SHA1f5419ade1f940fdddf1da691e7b51de3a5a8c39b
SHA256025817a80ad64842fc13ad5df52174a75d8ba4b2941c1658ea9602cf4e3c157f
SHA5126a638152f70a1f4d0c2356bb725b5cfc4207d886ef9e4ed77b42cfaa75a4a03a28dabd949b7dd2aebb865b7ff697819f0e507953e1f10ec926dc64bcbecad5d8
-
Filesize
4KB
MD56edd371bd7a23ec01c6a00d53f8723d1
SHA17b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA2560b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA51265ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8
-
Filesize
110KB
MD59db4d00aeb103a3453f24afa4d728125
SHA1de2af8350a5eaf3d986f299fc57dcf09ec5fe6a9
SHA256fa2e551703108e381afd16d3e719de98a474eb6d27ce4fe5adb0dd4e6c166c0d
SHA5124d5cdf6829021d01cd632dc6e18902389045d00ce317d3ab91ceb8b79624016c2e5ab371e32987ea84f0662b368716d26ee593304f1a12f4f23e12bf01fe2911
-
Filesize
111KB
MD5a8a94d61a24c2c17a3ed3693d8384ca3
SHA137bf13d87bf6cd94add7affb1458e9feda17f473
SHA25629d95e423bc4b6071287aeaf24eda5658cf77e5ddd899dbc1607bda6a5c7c144
SHA5124a3efcb31b245d6678cb64c2160f3fd9faa7190a7bc80bec321df33db9262924c4c1a43f7f3d93c63fd5805b69bd0b5b5405280ab464b0f497877bedbd6eb44a
-
Filesize
120KB
MD5a8c2b80e927ef7b825993320bdccd770
SHA15c4637c66388d2657339fd684abdea77f1a1505b
SHA25643877baf658766b336cbf88e8c079b98cf828dd9484de6d69d840e9957d58f1c
SHA512a32d3270d95238a8f5d60f0c16a8e484ce6644253e37a33d04e623a9c3d01d118b2f4dc84b601b52895a56f797daa5cb9a41045653ac6cfa43aa69e63d1c3e55
-
Filesize
349KB
MD53dd1a51f9cb3a40b9bebc10d3ba0699f
SHA1a4f2f71f4e0cf228bc8bc79d9054810bdec6b9bb
SHA2564f7e77b733051ea82bf789458ecd0003c74fa7aaa7cbe2c0c854d4dd19afbaed
SHA51252a19788b991940c18687bf1e94ccc9430d4cb7648f33fefb0f4cdd3abd7d3a39f8ee7819417e5e14a11d65e5580fb5c046cbfab9a48a3d20ab0385a604cd475
-
Filesize
117KB
MD51bc5ea38e086fef8e873e7974d1724db
SHA12959ede22b87e483e8de408ab891d6255d4bb25c
SHA256becabab50c86db037f9621d941718eaede122126e4cd11ff8310e77d4a3d84f6
SHA5126f954e239ecd912ff063ec7c071782922fb96b73aa5b7feee37807d2b15f1124af5b880fac7f61284e89927c64e1b51dbeff036b0ba4b13ec364ca0bb6f9f481
-
Filesize
4KB
MD5ee421bd295eb1a0d8c54f8586ccb18fa
SHA1bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA25657e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897
-
Filesize
109KB
MD54d80740ffc97404e3e0587b42e0d0436
SHA1420d563d7b2193cba5374ca686fec381fc626988
SHA25676b662c4110cfa63ed3b8fe789046f0d2a587291692db4f3691074b109ecda5e
SHA512384a8b65ac3b9df818105774f6429f9ff56a8fbaa378b84bbece84a84dc7834adeef187a899a001c8014ac30fcc7b2c4fb12fafe2e214d0d113a35e2b45e1462
-
Filesize
111KB
MD586c97e97ad42496d914c44bcd179a419
SHA17392ee364b76e7dc7828a1d0ac49146df46582a7
SHA256f3f7e12fc986ad79baf61aeda25a5f4f0ad0b3f372d47ae9e47a2d5c28ede3cd
SHA512fd708620db7bb30b795500576b97fa251629215adb910e27dea1ad5068522b0221c8f062ab32dbfc65434757e304beb0471ae4c5b84a9a1258dfbe0b408bd084
-
Filesize
564KB
MD524dfa51586dc2c1629bfb17fcd7494d4
SHA16639c0df7cd493c56ebda2596b6292f6aa79c02c
SHA25694a71fe22811c91f8f7d364cd3d00b5983a9bc66372ead8a1891930cb5f0bc4b
SHA51289bcc767ee91bc09baff941838a23ade1b6014407553f7ea125aa2556dd556e9fab5c72a4f1db2c7236e94e3ba64a8b27f1901ae12e56c6e8a3bdda7412ebbc4
-
Filesize
110KB
MD5cd9fc923aaabf9867457d13bb730d0d7
SHA1d21c00fffddaac5ca8e776b869b13019d7474a2c
SHA256775be9c0b3bc11492f69590ef92e8a5eecd86f249df33102c9bdc2df5ec71594
SHA512e562a4ac8f9405105c13f5d7c38f2155314c7659603965302550eb7258b6d538105000e3e8bdcd493c3e2103dc51f451467f1072941e4b046df75d5bca623b36
-
Filesize
466KB
MD575659bfc7b0bd74ac6dd0781d87c7db3
SHA1563d70450ea174745b999e92f0483a50be08db29
SHA25644bb10f6693ddea83469bb9c411ec4ce96290e731311acc4336c965bc8688290
SHA5120b08f7f0db498ff38f05a69dcb82c9c6a98ee10a7f7e9dc53c16ebaaeb541bdf8fde35d4c30e7200ed75dc18241f7e43fdc404d44be47073fb0669c3da9dbdb7
-
Filesize
109KB
MD51b41c4180b7f370f84bbf9748137c76c
SHA10b40ceeab7b6e33a460de4a18225af5762ff4b41
SHA256d167c201179429e00c235416526a4c6bc061ceb64835967a1d8ced1da1fa3871
SHA51287bcdf73027d1dbf7bcdf6ddcb191453edf47ee311b749b7bf5e02a4a6cefdb36d633957d6e0ec482fea3cbf98652105a36d2c3a0f5b4e346a971dc0c37bcaa8
-
Filesize
111KB
MD59eeb76d71b5954143f17478274d4a5eb
SHA15daa97f24c82734bf56ba40f583977393f3406b5
SHA2560a7a995d980168f90305b65134141d18ae9ca80da6dd954554d2fe6e944b6402
SHA512c0c8edded22b9f334205271d11b672ca3a951ec88a87c61a07797020936cf65383a419623c08209b7e14afa41522d0142556fdeeb355edfdd3ec2554cbf302b6
-
Filesize
424KB
MD53a13a81f3361aed84446566575cea242
SHA1842a4054d6e4cee3d097872a8c7e77cb92d8547c
SHA256e98d086d2ec18aa241337ba89290a236c912dac37776b9df3d823da0487d2357
SHA512c1d26d6c9a5742338c43df32f035f341d7134a06f91828212da4ecdb7e092626d525886dccebaab5310892d5e3ae63f15dd3b6e7aaf9f8751be613397a42aceb
-
Filesize
111KB
MD51a08f00d662746e3c14d653cc294d323
SHA14df2cc0fb897cba31925c19bd62469c55da5ca0a
SHA256b6e20df3bea6de5c146e2457637d371f4b6a57d3108c65f442b1403fc8830243
SHA5121d52d3f86b05033f38cf7115fad6a5ac8798223467db2bbf098737e61e23d6e8941f2b1d335835960309fea7f68b99448b87927bbe03af425b3f48c46e4858da
-
Filesize
112KB
MD5363a4bd323836bee9c460899112246f9
SHA11a68edc47bb94595e1e7106151d87f5e71c41eb2
SHA2566147024258610f756dc8afea302578a87bdb9dc972d03240304b4b6d256378a4
SHA5123af91dbcef7692c6d62f771d4d979a348cf22f446c28c62ac011bc56307cc22680be46b51bf0719ffb20ae72559723960d49b9734a91185fff61fa15f8c9e1a1
-
Filesize
116KB
MD58ba40f5a2c3b1de3c527565fbadf7e2c
SHA135476ec7f98f6c12ec1bc827ffa946a55cef22a7
SHA256ddd848ecf009d6a3bc46d8554b4a5f103a68d12ff89b7d88d3e19756d66daaa8
SHA51263a25ed2f154acff39ea865e1e5c307d2dec70d2948ca37a7c764f42a7507fea3d4f2868029d5f93551b98c98aa4ae2ad594a468983f32fefd6986e32d901ea1
-
Filesize
136KB
MD579bbb44bef830a264425b4579d4bedd6
SHA119cd31bcccf6de4ec9d2cc373159684d75ef8cfb
SHA256d0281b696a24c220d26dfbde2473c198396475454522381f36cac7938c5410b8
SHA512924831e62d842e90cdf0490b246ca1504afe4d1fe6ad059302bddb6e7fd7fd9997dac748409df93a37427c7cec976fb011a8d31639d0b95428653899e2bc4422
-
Filesize
116KB
MD57caf10e1984bd93d6843d6d9588bd427
SHA15253a002200214a0474d7d54771047830c75a2cc
SHA25698aeb02d5bda30780d9f96f622f3dc88412237148b82507ec0fd011a512af36e
SHA512c861124fd8de6f8dad3fe1c04cc924bb5e8c2b2d6fbad41bdf38df5b9573c61a3e54a2ee94d3ba73cfdadab9f3693b77d71cf426f217ceaae00bf51bc025dc85
-
Filesize
119KB
MD592a57f5900f7eaef4f1836a9aad1c16a
SHA12c28314b4c5f8b239cece2311c00b7b495902e4f
SHA256a65404861f64ee5c091bd2b4e464b4de1f842aa50997f2571bc813e31dfed513
SHA512b43cc6871dd257875a7d40ed8d724123ae83a53173952a736bfa9e124ce766ca9971d4127499ed413f1ad336e2f415313d15544cafe220219d3a837a3626f7e4
-
Filesize
119KB
MD581a3abd6e34cc9fe47b198b88b87479c
SHA1f0533e5bf99de19812ba23216c13c0fc4508efcb
SHA256852dc22da3c64730c70baab369a8d50ed142e99b30debc18c27d6f1fc1fc5ee8
SHA512d4bd83631eda37939e84680dcfb9eca446e35a6eab49c4c6a2555bfbd62af40108f49e31c1b40ebdc8615c8178c8f81dfdbee16b47801ffba83b727f9837be16
-
Filesize
111KB
MD580980ecd836a30d99f3f1594d47fc3e5
SHA18f401836066c9a9cb9569bf0532b04d6b634244f
SHA2568ccd53db3ad89eec727e61c9cbcb6b8cd9389ab7e8e9a52a860a315487699f47
SHA5127885a4e8f162e26625f2bd553b34f1c311148f68862b94612debbbaff88ceab937e5efcddf38cb580e5ff4d582f47d7a6c48b3ed447afff7c6d57fe5a540f282
-
Filesize
112KB
MD5451bd514e016209dbadec94d961a5db2
SHA1b7dc88967f11c5d63440f400afe9d550fb9ed4ec
SHA256945c012232f53ad85acdac55336bfc4a165113ad8596aaed4267aeec5a7b8698
SHA51268baf0a773001e82085a60b6c56bea931e2376aec1478047c94f640d25e4435d3c1cda3bec5eb8ce89e97eb0bcc7cbbbf341519127b190aa3bcf8ee62c6cb633
-
Filesize
721KB
MD555b74a6aa48352276720110b120e962e
SHA17202161087aa3b0cc3ab460f0a45930547e59a15
SHA2564a97066dde71fce482989b47e86f825a1f0dde79ff0603728917fbb1e2563eae
SHA5125571e1a8697f002bcf5aa35572f0eb2716c88e5baaa793fcd7f41ec9791d39857a33056f6c1ea8d392bb7c56746fa3e171cfd397164a997bd274641238f51ebf
-
Filesize
409KB
MD567583457b826d8bf7908d73e6de8b0fa
SHA1412c32fe0130171a1f9d8af959faa1fe4821456c
SHA256e48655f4e1948a44720c9ef27b4ba277fef2176fc61fee28b58ddfb39c37f4e9
SHA5123af3435e4d694b10bbf65b8214c5f2cf6f964850d693aeaa9c34aa79382d44fb680946e4846c25aa8c12ba0908f836277c2ef966a839db87f67c9a76d4afcb0b
-
Filesize
658KB
MD514ac46ace16eddb53f665892b273120b
SHA1890b51308ac22a63354bc62d80cadd8dfae7caeb
SHA2560eb3953cafd3df5c9f113c824d15e1ff787596f4bf46d842fb0067ef1dbf47a8
SHA512e72e6aeea31015b0cd5f70a22f52e71b90aba37824c8419cea87d95744f448dce7760609f7eea97955ef69f8ab27eb933e008a11b5aa39cee793e05d4b7dd981
-
Filesize
111KB
MD594b7f96f5ee846b73afdee6203727886
SHA1009b3f684e86680f52f31f8dc032ebb7169df068
SHA256529269e62f7dc209d7e118b9d5e60a2eee69a9f9781a11dfb3f54eb2770df5cd
SHA512f4ed3cd4fabb3654542148a2fd74df85a7bdc6515c952d2685dec3b067f9c167db6cafd88b56758303540bf38cb0c7738debadf43df55b1ff93bc55c5b59df3c
-
Filesize
138KB
MD57fb2937f8cd3ba3d44126618bd7c1680
SHA16920a1d12b834209a01bc75104b29864b80e122a
SHA2564cc4994f1d78842bfbed8e23ffbe83bb0d4ced21f5620ddf925adc165d2325e7
SHA512cf86fb70c4c962c9b059187dbbecb3d027fb9369d7524b562b8f0fd61b5699dad2b9fccd72249ca002dab0c96ff277f449d30989a2e66f5c747337168360c49d
-
Filesize
110KB
MD5abb3176d4b1825f49df85035b865268e
SHA1c465d34c165df2769605d221afb52ad7cf6ba593
SHA2562709d930427343f385bc65a9da0db559052a51dbbadac14aaca4e3616076ab21
SHA512ba609ffebd66466c73235564a2c4352ececcd6f632b5f210a2bf7fcab3918ec2339c3d1ea73d3fcedbd2442137e1e72a83ca2107e306b7ea567a0a9970bdce6e
-
Filesize
116KB
MD5f93a6b5816277864cc69c95dd9e9d32b
SHA12656be153989878a5dfa16fcba884ae4022f625f
SHA256041fc1dc4a22d64a2416adc7754f4011dc09373fd5c2fa278f424fc68fb2138c
SHA512270fb0aa88b499030c9eb4a8eb6399362273bf86f4d366101d9964062815c6661625c2b268e72e0c62470044d1a0b9ac827831438a4cff44811232d8320935ee
-
Filesize
112KB
MD521992c6d8ed721a518a438e70f876dfe
SHA17a3556b66ced4518fe56c1d9f8282be425848e21
SHA2569759b9a0ae2e44c617f45f1730771bd09681af66fbaa8f3051175475ce694b70
SHA5122af62c593aa82eb7709338655cf380d7d5d867a7e55f384c618cda05138b3af1bb129ef4fad8b2a2e5a7927c4f6ce1f32c183976eff9f26cc043a5dae48fb557
-
Filesize
736KB
MD5a67be8326d71d77e0b80a3ee4289e22b
SHA1d0e6f45f49f96527b836eb17a030ff3d2aa74502
SHA25611a5e53664f09c98c8b20fcd830a6084fb86137904f558c294f6ce27b7599883
SHA5122f4bec455a1045faa2e28ad0eff64114ba8345da8e184b82960582458a48e918baf5a42cc0901dfa679debc25173fba59f27e44a7286a191ec3d83aeea1700b3
-
Filesize
688KB
MD50d42b09f70c7acfc6709faf3724f197e
SHA1ddb4e077f1d7e590a1852908e19874d36b0ebdfb
SHA256a6085565fe0a2d3c8c4f569d03ebe658b7d458644a23f34d885fb8009fff791b
SHA5123629e29c1952615c9772f6f88a65960e8eb4debb5057011a6ecfda7dac28ffeacca44ca92cc95b0a4456b89bb46c73b903988fee917f965eab53f6faa1608197
-
Filesize
611KB
MD511d85b8389660f72d3ac965b713fab3d
SHA1d4af3461b7895258472af03f2ff8c059cc48eefd
SHA2562d19bbfc9f56fa73f72ded496dc13d1ff45bf94cbc21377637618ee7e9530a56
SHA512a9262a090439574a924d105ca42f0893b33d3a93f596c1ff2d8645ab50f281312982eb6459226b62801c8c4b672759fc66df0a35410cb4e29953a2ebaf939144
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
629KB
MD5e2d24d652fc72b6da374083c8bcb07b9
SHA140cc2a52d1d803992789b7d51b015a8649a15cfd
SHA256cf9ad883789e34da46308d095a2422278844cab6414ec0fab2cb70bce26a5388
SHA51276916a7eb4ab44801791e24a3ac893c44996377e74d31d9a21eb74157c175e4d91c928587ea1487f1bb17498dbe7da30a559df55d5b30136caeaf2b24b946342
-
Filesize
110KB
MD54aaa628ddb2438ee63baa60966fff2f0
SHA1423a5d5ac66f1b39f9576c85d5dbe50cd3615885
SHA2568a708e2c7aef0a9950779b87a505c147387f4a1675a985022274ba370d9c1070
SHA512bdf6a93b526538b4fcb2e43368e3cba011d1b69da5c8d6878088243cae6a82786ff69e3892c637488d88b425e3215056a8eeff09bc19cf44eeede009c3e3a1ae
-
Filesize
539KB
MD5b432533be40781a88aac00607233078f
SHA1e4ea3aff641857a91534a24fb040936b91af10f8
SHA256aceab3b09c3b0704cc0d491c2acdb6b2a2c5970717c45b965ded9397828c62b2
SHA5121dc1389df98ad0940ee269627360c3aa91e2bfe3707ad767f561cdf4ed436135ea2d0f923be4935c532a2043b66acf7c8ebae5604c2a5f6767d134cd40192e8b